02 Feb 2010 @ 8:36 PM 

When analyzing software for vulnerabilities we need to map its attack surface. For obvious reasons, remote unauthenticated communication is of special interest because it can potentially yield the holy grail of vulnerability research: remote, unauthenticated arbitrary code execution.

The process of picking a target is up to you. If you want to make some money from the folks at ZDI then I’d suggest looking at the vendors listed in the last few months of disclosures… that’s obviously what they are paying for these days.

If you want to start with something simple but still fun, I’d suggest grabbing a demo SCADA app. NOTE: Please be responsible.

For this blog post I’m going to use “IRC5 OPC Server_5.12.01.exe”, but before we run the installer, let’s fire up TCPView and check our current open ports…

Ok, let’s get this installed…

We will look for new open ports in TCPView…

Based on what TCPView is telling us, it looks like this application listens on UDP ports 1308, 5512 and 5513.

Let’s fire up Wireshark to see whether the application is chatty.

So it sends packets out from TCP 5513 to a UDP subnet broadcast IP of 10.7.0.255 at port 5512. After observing the application idle for 5 minutes I identified two slightly different packets:

4e65747363616e3b30643b353b
4e65747363616e3b30643b373b

As the Wireshark screenshot shows, these two packets decode to the following plain-text ASCII strings:

Netscan;0d;5;
Netscan;0d;7;

Each packet starts with the string Netscan, followed by a semicolon separator, then what looks to be an ASCII representation of a hex number (0d), another separator, a decimal number (5 or 7), and a trailing separator. This is going to be fun to fuzz later, but what other attack surfaces can we find? Let’s take a closer look at the application itself.
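To make the observed layout concrete, here is an added example (my own code, not part of the original post or the vendor’s software) that decodes the two captured hex payloads, parses them against the exact Netscan;<hex>;<dec>; shape described above, and sorts a list of UDP payloads into packets that match the known format and packets that do not. Reading the second field as hexadecimal (so 0d becomes 13) is an assumption taken from the post’s description, not something the protocol documentation confirms. Strict matching is deliberate: on a monitoring sensor, anything on this broadcast port that does not fit the known layout is exactly what you would want flagged.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample input: the two UDP payloads shown in the post, as the
# Wireshark hex strings reproduced there.
CAPTURED_HEX = [
    "4e65747363616e3b30643b353b",
    "4e65747363616e3b30643b373b",
]

# Strict layout derived from the post: "Netscan", ";", a hex number, ";",
# a decimal number, ";" and nothing else. Everything else is treated as
# anomalous rather than leniently parsed.
NETSCAN_RE = re.compile(rb"Netscan;([0-9A-Fa-f]+);([0-9]+);")


@dataclass(frozen=True)
class NetscanPacket:
    text: str        # ASCII rendering, e.g. "Netscan;0d;5;"
    hex_field: int   # second field read as hex ("0d" -> 13); assumed interpretation
    dec_field: int   # third field read as decimal


def decode_hex_payload(hex_str: str) -> bytes:
    """Turn a Wireshark-style hex dump of a payload back into raw bytes."""
    return bytes.fromhex(hex_str)


def parse_netscan(payload: bytes) -> Optional[NetscanPacket]:
    """Return the parsed packet, or None when the payload does not match the
    observed layout exactly (wrong magic, missing trailing separator,
    non-numeric fields, extra fields, or non-ASCII bytes)."""
    m = NETSCAN_RE.fullmatch(payload)
    if m is None:
        return None
    return NetscanPacket(
        text=payload.decode("ascii"),
        hex_field=int(m.group(1), 16),
        dec_field=int(m.group(2), 10),
    )


def triage_payloads(payloads: List[bytes]) -> Tuple[List[NetscanPacket], List[bytes]]:
    """Split UDP payloads seen on the broadcast port into those matching the
    known Netscan format and those that do not. The second list is what a
    monitoring rule for this port would alert on."""
    known: List[NetscanPacket] = []
    anomalous: List[bytes] = []
    for raw in payloads:
        pkt = parse_netscan(raw)
        if pkt is None:
            anomalous.append(raw)
        else:
            known.append(pkt)
    return known, anomalous


if __name__ == "__main__":
    samples = [decode_hex_payload(h) for h in CAPTURED_HEX]
    # Constructed malformed payloads to exercise the rejection paths:
    # missing trailing separator, non-hex field, extra field.
    samples += [b"Netscan;0d;5", b"Netscan;zz;5;", b"Netscan;0d;5;x;"]
    known, anomalous = triage_payloads(samples)
    for pkt in known:
        print(f"known:     {pkt.text!r} hex_field={pkt.hex_field} dec_field={pkt.dec_field}")
    for raw in anomalous:
        print(f"anomalous: {raw!r}")
```

Run it as a script to see the two captured packets land in the known bucket (hex_field 13, dec_field 5 and 7) and the three constructed malformed payloads land in the anomalous bucket. Feeding it real payloads means wrapping the parser in a UDP socket bound to port 5512, which is left out here so the example runs offline.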

I tried changing poll rate, language, and users/password settings but the broadcast packet stayed the same. I’m going to go fuzz this with Sulley; would you like to come along? Don’t have Sulley installed? We have a page for that too!

Posted By: jRichards
Last Edit: 02 Feb 2010 @ 10:00 PM
