Crouzet em4 soft 1.1.04 – ‘.pm4’ Integer Division By Zero

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2016-03-01
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39509/

• 
  Crouzet em4 soft 1.1.04 Integer Division By Zero
  
  
  Vendor: Crouzet Automatismes SAS
  Product web page: http://www.crouzet-automation.com
  Affected version: 1.1.04 and 1.1.03.01
  
  Summary: em4 is more than just a nano-PLC. It is a leading
  edge device supported by best-in-class tools that enables
  you to create and implement the smartest automation applications.
  
  Desc: em4 soft suffers from a division by zero attack when handling
  Crouzet Logic Software Document '.pm4' files, resulting in denial
  of service vulnerability and possibly loss of data.
  
  ---------------------------------------------------------------------
  (187c.1534): Integer divide-by-zero - code c0000094 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** WARNING: Unable to verify checksum for image013b0000
  *** ERROR: Module load completed but symbols could not be loaded for image013b0000
  eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
  eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0 nv up ei pl nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00210206
  image013b0000+0x3a575:
  013ea575 f7bf18010000idiveax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
  0:000> u
  image013b0000+0x3a575:
  013ea575 f7bf18010000idiveax,dword ptr [edi+118h]
  013ea57b 8d4de0lea ecx,[ebp-20h]
  013ea57e c745fc00000000mov dword ptr [ebp-4],0
  013ea585 50pusheax
  013ea586 6808505b01pushoffset image013b0000+0x205008 (015b5008)
  013ea58b 51pushecx
  013ea58c ff15b0575a01calldword ptr [image013b0000+0x1f57b0 (015a57b0)]
  013ea592 8b870c010000mov eax,dword ptr [edi+10Ch]
  ---------------------------------------------------------------------
  
  Tested on: Microsoft Windows 7 Professional SP1 (EN)
   Microsoft Windows 7 Ultimate SP1 (EN)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5309
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php
  
  
  25.01.2016
  
  --
  
  
  PoC: 
  
  http://zeroscience.mk/codes/poc5309.pm4.zip
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39509.zip