A pre-authenticated RCE exploit for Inductive Automation Ignition


Randy

What

This is a pre-authenticated RCE exploit for Inductive Automation Ignition that impacts versions <= 8.1.16. We failed to exploit the bugs at Pwn2Own Miami 2022 because we had a sloppy exploit and no debug environment, but since then we have found the time and energy to improve it!

Authors

Chris Anastasio and Steven Seeley (mr_me) of Incite Team

Build

  1. Build with mvn clean compile assembly:single -DskipTests

Tested

The exploit was tested against 8.1.16 using the Windows 64-bit Installer, which you can download here (SHA1: f135d32228793c73c4cdd88561cdbdb44b19290c), but it is known to work against older versions as well.

Notes

  • At the time of release, no CVEs were assigned to the bugs

  • This exploit takes advantage of two vulnerabilities that have been patched:

  • The exploit requires an admin user to be logged into the gateway. During testing it was found that sessions live forever unless a user explicitly logs out.

  • The exploit should be run from a Windows host (due to the SecureRandom seed prediction attack).

  • The exploit targets Ignition deployed under Windows, since SecureRandom is not so secure under that environment.

  • The exploit was tested with Java v11.0.11.
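As an added diagnostic that is not part of the Randy project: the two notes above hinge on which SecureRandom implementation a JVM on Windows actually picks. The program below reports the default algorithm and provider, the securerandom.source property, whether the Windows-native CSPRNG from the SunMSCAPI provider (algorithm name "Windows-PRNG") is available, and every SecureRandom algorithm each installed provider offers. The class and method names are my own; run it with the same JVM that serves the gateway to see what that process gets from new SecureRandom().

```java
import java.security.NoSuchAlgorithmException;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.Security;

// Added diagnostic (not part of the Randy project). Reports the SecureRandom
// implementation a JVM selects by default so it can be compared with the
// platform-native source on a Windows gateway host.
public class SecureRandomCheck {

    // Algorithm and provider behind new SecureRandom() on this JVM.
    public static String describeDefault() {
        SecureRandom sr = new SecureRandom();
        Provider p = sr.getProvider();
        return sr.getAlgorithm() + " from " + p.getName() + " " + p.getVersionStr();
    }

    // The Windows-native CSPRNG exposed by SunMSCAPI; absent on non-Windows JVMs.
    public static String describeNative() {
        try {
            SecureRandom sr = SecureRandom.getInstance("Windows-PRNG");
            return sr.getAlgorithm() + " from " + sr.getProvider().getName();
        } catch (NoSuchAlgorithmException e) {
            return "Windows-PRNG not available on this JVM (" + e.getMessage() + ")";
        }
    }

    public static void main(String[] args) {
        // securerandom.source comes from java.security and steers seeding on some platforms.
        System.out.println("securerandom.source = " + Security.getProperty("securerandom.source"));
        System.out.println("default: " + describeDefault());
        System.out.println("native:  " + describeNative());

        // Enumerate every SecureRandom service so the full selection order is visible.
        for (Provider p : Security.getProviders()) {
            for (Provider.Service s : p.getServices()) {
                if ("SecureRandom".equals(s.getType())) {
                    System.out.println(p.getName() + ": " + s.getAlgorithm());
                }
            }
        }
    }
}
```

Compile and run it with the gateway's JVM (for example javac SecureRandomCheck.java followed by java SecureRandomCheck); the provider order printed last is the order new SecureRandom() consults, so the first SecureRandom entry is the one the gateway process uses unless it asks for an algorithm by name.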

Run

Run the exploit with java -cp target/randy-0.0.1-SNAPSHOT.jar com.srcincite.ia.exploit.Poc

Example

Running Randy

Owner: Source Incite