TECO SG2 FBD Client 3.51 – ‘.gfb’ Overwrite Buffer Overflow (SEH) (PoC)

• Exploit Database
• 17 阅读

• 作者： LiquidWorm
  日期： 2015-11-16
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38701/

• # TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability
  #
  #
  # Vendor: TECO Electric and Machinery Co., Ltd.
  # Product web page: http://www.teco-group.eu
  # Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
  # Affected version: 3.51 and 3.40
  #
  # Summary: SG2 Client is a program that enables to create and edit applications.
  # The program is providing two edit modes, LADDER and FBD to rapidly and directly
  # input the required app. The Simulation Mode allows users to virtually run and test
  # the program before it is loaded to the controller.
  #
  # Desc: The vulnerability is caused due to a boundary error in the processing
  # of a Genie FBD, which can be exploited to cause a buffer overflow when a
  # user opens e.g. a specially crafted .GFB file. Successful exploitation could
  # allow execution of arbitrary code on the affected machine.
  #
  # ---------------------------------------------------------------------------------
  # (fb0.fd0): Access violation - code c0000005 (!!! second chance !!!)
  # *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll - 
  # *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
  # *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
  # eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8
  # eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0 nv up ei pl nz na po nc
  # cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202
  # FBD+0x40b57:
  # 00440b57 8995a0000000mov dword ptr [ebp+0A0h],edx ss:002b:000000df=????????
  # ---------------------------------------------------------------------------------
  #
  # Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
  #Microsoft Windows 7 Ultimate SP1 (EN) 64bit
  #
  #
  # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  # @zeroscience
  #
  #
  # Advisory ID: ZSL-2015-5276
  # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5276.php
  #
  #
  # 09.10.2015
  #
  
  
  PoC:
  
  - http://zeroscience.mk/codes/sg2fbd-5276.zip
  - https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38701.zip