DATAC RealWin SCADA Server 2.0 (Build 6.1.8.10) – Buffer Overflow

• Exploit Database
• 93 阅读

• 作者： Luigi Auriemma
  日期： 2010-10-15
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/15259/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96

  Source: http://aluigi.org/adv/realwin_1-adv.txt   #######################################################################   Luigi Auriemma   Application:DATAC RealWin http://www.dataconline.com/software/realwin.php http://www.realflex.com Versions: <= 2.0 (Build 6.1.8.10) Platforms:Windows Bugs: A] stack overflow in SCPC_INITIALIZE and SCPC_INITIALIZE_RF B] stack overflow in SCPC_TXTEVENT Exploitation: remote, versus server Date: 15 Oct 2010 Author: Luigi Auriemma e-mail: aluigi@autistici.org web:aluigi.org     #######################################################################     1) Introduction 2) Bugs 3) The Code 4) Fix     #######################################################################   =============== 1) Introduction ===============     "RealWin is a SCADA server package for medium / small applications."     #######################################################################   ======= 2) Bugs =======     ----------------------------------------------------------- A] stack overflow in SCPC_INITIALIZE and SCPC_INITIALIZE_RF -----------------------------------------------------------   The service of the server running on port 912 is vulnerable to a stack based buffer-overflow caused by the usage of sprintf() for building a particular string with the data supplied by the attacker:   sprintf( stack_buffer, "C:\\Program Files\\...path_of_RealWin...\\data\\crt\\fwd\\tel\\%s.%d", attacker_string, attacker_16bit_number);     ---------------------------------- B] stack overflow in SCPC_TXTEVENT ----------------------------------   The same server is vulnerable also to another stack based overflow caused by the usage of strcpy() with the data supplied by the attacker.     #######################################################################   =========== 3) The Code ===========     http://aluigi.org/poc/realwin_1.zip https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15259.zip (realwin_1.zip)   nc SERVER 912 < realwin_1a.dat nc SERVER 912 < realwin_1b.dat nc SERVER 912 < realwin_1c.dat     #######################################################################   ====== 4) Fix ======     No fix.     #######################################################################