This module exploits a stack based buffer overflow in Yokogawa CENTUM CS 3000 by using its BKBCopyD.exe service. The Yokogawa Centum CS3000 solution uses different services in order to provide all its functionality. The BKBCopyD.exe service, started when running the FCS / Test Function, listens by default on TCP/20111. By sending a specially crafted packet to the port TCP/20111, it it is possible to trigger a stack based buffer overflow which allows execution of arbitrary code with the privileges of the CENTUM user.
This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of software utilizing XBMC. A boundary error within the websHomePageHandler() function can be exploited to cause a stack-based buffer overflow by sending a specially crafted GET HTTP request with an overly long path to the web server.
The internal stack may be overrun while handling either "XMD5", "XSHA1" or "XCRC" commands with an overly long filename. This condition can be exploited by attackers to ultimately execute instructions with the privileges of the WS_FTP process, typically administrator or system. Exploitation requires valid or anonymous FTP server credentials. The WS_FTP server will remain active after a successful exploitation.
Subscribe to Windows