Home / os / winmobile

TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow

Posted on 17 November 2015

#!/usr/bin/perl # # # TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability # # # Vendor: TECO Electric and Machinery Co., Ltd. # Product web page: http://www.teco-group.eu # Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9 # Affected version: 3.51 and 3.40 # # Summary: SG2 Client is a program that enables to create and edit applications. # The program is providing two edit modes, LADDER and FBD to rapidly and directly # input the required app. The Simulation Mode allows users to virtually run and test # the program before it is loaded to the controller. # # Desc: The vulnerability is caused due to a boundary error in the processing # of a Genie FBD, which can be exploited to cause a buffer overflow when a # user opens e.g. a specially crafted .GFB file. Successful exploitation could # allow execution of arbitrary code on the affected machine. # # --------------------------------------------------------------------------------- # (fb0.fd0): Access violation - code c0000005 (!!! second chance !!!) # *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:windowsSysWOW64 tdll.dll - # *** WARNING: Unable to verify checksum for C:Program Files (x86)TECOSG2 ClientFBD.EXE # *** ERROR: Module load completed but symbols could not be loaded for C:Program Files (x86)TECOSG2 ClientFBD.EXE # eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8 # eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0 nv up ei pl nz na po nc # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202 # FBD+0x40b57: # 00440b57 8995a0000000 mov dword ptr [ebp+0A0h],edx ss:002b:000000df=???????? # --------------------------------------------------------------------------------- # # Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit # Microsoft Windows 7 Ultimate SP1 (EN) 64bit # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2015-5276 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5276.php # # # 09.10.2015 # PoC: - http://zeroscience.mk/codes/sg2fbd-5276.zip

 

TOP