module
DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow
| Disclosed | Created |
|---|---|
| Mar 21, 2011 | May 30, 2018 |
Disclosed
Mar 21, 2011
Created
May 30, 2018
Description
This module exploits a vulnerability found in DATAC Control International RealWin
SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE
packet via port 910, RealWin will try to create a file (which would be saved to
C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-
supplied filename with an inline memcpy routine without proper bounds checking, which
results a stack-based buffer overflow, allowing arbitrary remote code execution.
Tested version: 2.0 (Build 6.1.8.10)
SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE
packet via port 910, RealWin will try to create a file (which would be saved to
C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-
supplied filename with an inline memcpy routine without proper bounds checking, which
results a stack-based buffer overflow, allowing arbitrary remote code execution.
Tested version: 2.0 (Build 6.1.8.10)
Authors
Luigi Auriemma
MC mc@metasploit.com
MC mc@metasploit.com
Platform
Windows
References
Module Options
To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':
NEW
Explore Exposure Command
Confidently identify and prioritize exposures from endpoint to cloud with full attack surface visibility and threat-aware risk context.