So, quite a while ago, I was fuzzing the MiniWeb Server available from Google Code – Miniweb after I realized that WinCC/SCADA systems also seem to use this web server. (Does this make Siemens in violation of the GPL?)
I had been using one of Metasploit's fuzzers and noticed an instant crash it was causing, so I started trying to replicate it.
After enlisting the help of ohdae from BindShell Labs, we were able to figure out the crash was caused by the “Content-Length: -10” part of the malicious HTTP header; basically, it chokes on that and dies. I had been convinced it was something to do with malicious POST data, but thanks to ohdae, that was quickly changed.
After a lot more debugging and playing about, I learned that someone else had gotten to this bug first, and it was not a 0day after all. I also had just about given up on getting remote code execution from this vulnerability.
The original advisory can be found here: http://aluigi.altervista.org/adv/winccflex_1-adv.txt
Anyways, on to the fun stuff. So, here is what GDB looks like when the exploit is run…
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type “show copying”
and “show warranty” for details.
This GDB was configured as “i486-linux-gnu”.
For bug reporting instructions, please see:
(gdb) exec-file SCADA
Starting program: /root/fuzzme/SCADA/SCADA
MiniWeb 0.8.180 (C)2005-09 Stanley Huang (C)2010 Stanley Huang / Felix Wang
Listening port: 80
Web root: webroot
Max clients: 32
URL handlers: 1
Dir listing: on
 connection accepted @ May 31 16:15:34
 IP: 127.0.0.1
Connected clients: 1
Program received signal SIGSEGV, Segmentation fault.
0x0804c76b in ?? ()
(gdb) info registers
eax 0x0 0
ecx 0x1 1
edx 0xfffffff6 -10
ebx 0x8052718 134555416
esp 0xbffff2c0 0xbffff2c0
ebp 0xbffff318 0xbffff318
esi 0x0 0
edi 0x804f3fa 134542330
eip 0x804c76b 0x804c76b
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51
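Note the edx register: 0xfffffff6 is exactly -10 as a 32-bit two's-complement value, which is what a signed integer parse of "Content-Length: -10" produces when the result is later treated as an unsigned size. The following is an added example (not MiniWeb's code, and not from the original post) contrasting that naive pattern with a strict parser that accepts only what RFC 7230 allows for Content-Length (1*DIGIT) and enforces an upper bound. Whether MiniWeb actually calls atoi is not stated on the page; the naive function below is an assumption meant to illustrate the bug class, and max_body is a hypothetical server limit.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Naive parse, as many small C servers do it (assumed pattern, not taken
 * from MiniWeb). atoi("-10") returns -10; once that signed value reaches a
 * size_t parameter (memcpy, read, malloc) it becomes 0xfffffff6 on 32-bit,
 * matching the edx value in the register dump above. */
long naive_content_length(const char *value)
{
    return atoi(value);
}

/* Strict parse: Content-Length = 1*DIGIT (RFC 7230). Returns the length, or
 * -1 if the value is empty, contains anything other than ASCII digits (so no
 * sign, no '+', no embedded whitespace), or exceeds max_body. Optional
 * whitespace and CRLF around the value are tolerated. */
long strict_content_length(const char *value, long max_body)
{
    while (*value == ' ' || *value == '\t')
        value++;
    size_t len = strlen(value);
    while (len > 0 && (value[len - 1] == ' ' || value[len - 1] == '\t' ||
                       value[len - 1] == '\r' || value[len - 1] == '\n'))
        len--;
    if (len == 0)
        return -1;

    long result = 0;
    for (size_t i = 0; i < len; i++) {
        if (value[i] < '0' || value[i] > '9')
            return -1;                       /* rejects "-10", "+5", "1 0" */
        int d = value[i] - '0';
        /* Keep result*10 + d <= max_body without ever overflowing long. */
        if (result > (max_body - d) / 10)
            return -1;
        result = result * 10 + d;
    }
    return result;
}

/* Convenience wrapper: parse a full "Content-Length: <value>" header line
 * (case-insensitive name) and return -1 for a malformed or oversized value. */
long content_length_from_line(const char *line, long max_body)
{
    const char *name = "Content-Length:";
    size_t nlen = strlen(name);
    if (strncasecmp(line, name, nlen) != 0)
        return -1;
    return strict_content_length(line + nlen, max_body);
}

int main(void)
{
    /* Constructed sample header lines for the demo. */
    const char *lines[] = {
        "Content-Length: -10\r\n",      /* the crashing value from the post */
        "Content-Length: 42\r\n",
        "content-length: 2000000\r\n",  /* over the hypothetical limit */
        "Content-Length: +5\r\n",
    };
    const long max_body = 1048576;      /* hypothetical 1 MiB body limit */
    for (size_t i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        long naive = naive_content_length(lines[i] + strlen("Content-Length:"));
        long strict = content_length_from_line(lines[i], max_body);
        printf("%-30s naive=%ld (0x%08lx) strict=%ld\n",
               lines[i], naive, (unsigned long)(unsigned int)naive, strict);
    }
    return 0;
}
```

The strict parser rejects the request outright (a 400 response is the usual answer) instead of letting a negative or oversized number reach any length-based copy or allocation; the bound check inside the loop also means a very long digit string cannot wrap the accumulator.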
Finally, to wrap things up, the PoC Exploit: http://pastebin.com/9EW96xGY