exploit-db-mirror/exploits/windows/dos/18165.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25

#######################################################################
Luigi Auriemma
Application: Siemens Automation License Manager
http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&lang=en&siteid=cseus&aktprim=0&extranet=standard&viewreg=WW&objid=10805384&treeLang=en
Versions: <= 500.0.122.1
Platforms: Windows
Bugs: A] Service *_licensekey serialid code execution
      B] Service exceptions
      C] Service NULL pointer
      D] almaxcx.dll files overwriting
Exploitation: remote
Date: 28 Nov 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
Siemens Automation License Manager is the system used by Siemens for
handling the remote and local licenses of its HMI, SCADA and
industrial products.
This service ships with most of those products and is required for
their use.
#######################################################################
=======
2) Bugs
=======
-----------------------------------------------
A] Service *_licensekey serialid code execution
-----------------------------------------------
Buffer overflow in the handling of the serialid field used in the
various *_licensekey commands that share the same function for parsing
the parameters.
The vulnerability leads to code execution:
011C7D96 8B01 MOV EAX,DWORD PTR DS:[ECX]
011C7D98 8B10 MOV EDX,DWORD PTR DS:[EAX] ; controlled
011C7D9A 6A 01 PUSH 1
011C7D9C FFD2 CALL EDX
---------------------
B] Service exceptions
---------------------
Some long fields can be used to raise an exception:
The exception unknown software exception (0xc0000417) occurred in
the application at location 0x????????.
The exception is caused by the usage of wcscpy_s in some functions
that copy the values passed by the client into stack buffers.
This is what happens with open_session->workstation->NAME (function
00412060) or grant->VERSION and so on.
Note that on some systems the exception does not cause a direct Denial
of Service (apart from the resources held by the thread that is left active).
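The two service bugs above (A and B) share one root cause: a client-supplied
field is copied into a fixed-size stack buffer. In A the copy is unbounded and
corrupts memory; in B the copy goes through wcscpy_s, which does detect an
oversized source but reports it through the C runtime's invalid-parameter
handler, whose default action is to terminate with
STATUS_INVALID_CRUNTIME_PARAMETER (0xc0000417), the exception quoted above.
The following added example (not code from the advisory or from Siemens) shows
the defensive pattern a service should use instead: validate the field length
first and reject the message, so the parser neither overflows nor aborts. The
buffer size, field layout and sample values are assumptions made for the
example, not the real ALM wire format.

```c
/* Added example: bounded copy of a client-supplied wide-string field into a
 * fixed-size stack buffer, rejecting bad input instead of overflowing (bug A)
 * or aborting the process the way wcscpy_s does (bug B). */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define NAME_MAX_CHARS 64   /* assumed stack buffer capacity, including the NUL */

/* Copy src (at most src_max wchar_t slots readable) into dst (dst_count slots).
 * Returns false and leaves dst empty when the source is not NUL-terminated
 * within src_max or would not fit in dst. Never truncates silently. */
bool copy_field_checked(wchar_t *dst, size_t dst_count,
                        const wchar_t *src, size_t src_max)
{
    if (dst == NULL || src == NULL || dst_count == 0)
        return false;
    dst[0] = L'\0';

    /* Bounded scan: an unterminated field must not make us read past it. */
    size_t n = 0;
    while (n < src_max && src[n] != L'\0')
        n++;
    if (n >= src_max)
        return false;               /* no terminator inside the field */
    if (n >= dst_count)
        return false;               /* the case wcscpy_s turns into 0xc0000417 */

    wmemcpy(dst, src, n + 1);       /* n characters plus the terminator */
    return true;
}

/* Simulated open_session->workstation->NAME handling.
 * Returns 1 when the message is accepted, 0 when it is rejected. */
int handle_workstation_name(const wchar_t *field, size_t field_max)
{
    wchar_t name[NAME_MAX_CHARS];   /* stack buffer, as in the advisory */
    if (!copy_field_checked(name, NAME_MAX_CHARS, field, field_max))
        return 0;                   /* drop this message, keep serving others */
    /* ... the service would use `name` here ... */
    return 1;
}

/* Constructed sample inputs for the demonstration. */
int demo_short(void)
{
    return handle_workstation_name(L"ENGSTATION01", 256);
}

/* A NUL-terminated run of `len` 'A' characters (len < 1024). */
int demo_repeated(size_t len)
{
    static wchar_t buf[1024];
    if (len >= 1024)
        return -1;
    for (size_t i = 0; i < len; i++)
        buf[i] = L'A';
    buf[len] = L'\0';
    return handle_workstation_name(buf, 1024);
}

/* A field with no terminator at all inside its declared length. */
int demo_unterminated(void)
{
    static const wchar_t raw[8] = { L'A', L'B', L'C', L'D',
                                    L'E', L'F', L'G', L'H' };
    return handle_workstation_name(raw, 8);
}

int main(void)
{
    printf("short field:        %s\n", demo_short() ? "accepted" : "rejected");
    printf("63-char field:      %s\n", demo_repeated(63) ? "accepted" : "rejected");
    printf("64-char field:      %s\n", demo_repeated(64) ? "accepted" : "rejected");
    printf("300-char field:     %s\n", demo_repeated(300) ? "accepted" : "rejected");
    printf("unterminated field: %s\n", demo_unterminated() ? "accepted" : "rejected");
    return 0;
}
```

The check on `n >= dst_count` is the same condition wcscpy_s enforces; the
difference is that the service keeps control of what happens when it fails.
A long field therefore costs the server one rejected message rather than a
thread or process, which is the practical mitigation for the class of input
described in bugs A and B.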
-----------------------
C] Service NULL pointer
-----------------------
NULL pointer dereference in the handling of the get_target_ocx_param
and send_target_ocx_param commands.
Note that on some systems the exception does not cause a direct Denial
of Service (apart from the resources held by the thread that is left active).
--------------------------------
D] almaxcx.dll files overwriting
--------------------------------
The almaxcx.dll ActiveX component (ALMListView.ALMListCtrl,
E57AF4A2-EF57-41D0-8512-FECDA78F1FE7) exposes a Save method that accepts
an arbitrary filename to save to.
The effect is that any file can be overwritten with this empty one (just
2 bytes, "\r\n").
Note that I can't exclude the possibility of controlling the content of
the saved file, which would allow code execution; I didn't test the
component more deeply to check this hypothesis, so it remains open, and
whoever has more experience than me with this component can confirm it
or not.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/almsrvx_1.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/18165.zip
A]
almsrvx_1 almsrvx_1a.dat SERVER
B]
almsrvx_1 almsrvx_1b1.dat SERVER
almsrvx_1 almsrvx_1b2.dat SERVER
C]
almsrvx_1 almsrvx_1c.dat SERVER
D]
almsrvx_1d.htm
#######################################################################
======
4) Fix
======
No fix.
#######################################################################