#######################################################################

                             Luigi Auriemma

Application:  Rockwell RSLogix
              http://www.rockwellautomation.com/rockwellsoftware/design/rslogix5000/
Versions:     <= 19 (RsvcHost.exe 2.30.0.23)
Platforms:    Windows
Bug:          Denial of Service
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From the vendor's website:

"With RSLogix 5000 programming software, you need only one software
package for discrete, process, batch, motion, safety and drive-based
application."


#######################################################################

======
2) Bug
======


RsvcHost.exe and RNADiagReceiver.exe listen on port 4446 and others.

These services use RnaUtility.dll, which doesn't validate the 32-bit
size field located in the "rna" packets. Trusting that field results
in a memset-zero overflow and invalid read access.
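The missing check described above, as an added C example that is not part of the advisory, the PoC files or the vendor's code: a handler that trusts the wire size beside one that bounds it by both the bytes received and the destination buffer. The packet layout (4-byte little-endian size, then payload), the buffer limit and the sample packets are constructed assumptions, not the real RNA format.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed layout (constructed for this example, not the real RNA format):
 * a 4-byte little-endian payload size followed by the payload. */
#define RNA_HDR_LEN 4
#define RNA_MAX_PAYLOAD 512

struct rna_msg {
    uint32_t size;                        /* size field as read from the wire */
    unsigned char payload[RNA_MAX_PAYLOAD];
};

static uint32_t rd_le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked pattern the advisory describes: the wire size is trusted and
 * drives memset/memcpy on a fixed-size buffer. This version only returns
 * the number of bytes such a handler WOULD touch, so it is safe to call
 * here; real code doing the memset with this value overflows. */
static size_t rna_unchecked_span(const unsigned char *pkt, size_t len)
{
    if (len < RNA_HDR_LEN) return 0;
    return (size_t)rd_le32(pkt);          /* never compared with len or dst */
}

/* Hardened handler: the declared size must fit the bytes actually received
 * (prevents the invalid read) and the destination buffer (prevents the
 * memset/memcpy overflow) before any memory operation runs.
 * Returns 0 on success, -1 on a malformed or oversized packet. */
static int rna_parse(const unsigned char *pkt, size_t len, struct rna_msg *out)
{
    if (len < RNA_HDR_LEN) return -1;
    uint32_t size = rd_le32(pkt);
    if (size > RNA_MAX_PAYLOAD) return -1;             /* would overflow dst */
    if ((size_t)size > len - RNA_HDR_LEN) return -1;   /* claims more than received */
    memset(out->payload, 0, sizeof out->payload);
    memcpy(out->payload, pkt + RNA_HDR_LEN, size);
    out->size = size;
    return 0;
}

/* Constructed sample packets: a consistent one and one whose size field
 * (0xffffffff) far exceeds both the 3 payload bytes present and the buffer. */
static const unsigned char good_pkt[] = { 0x03, 0x00, 0x00, 0x00, 'r', 'n', 'a' };
static const unsigned char huge_pkt[] = { 0xff, 0xff, 0xff, 0xff, 'r', 'n', 'a' };
```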


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/rslogix_1.zip

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17843.zip

  nc SERVER 4446 < rslogix_1a.dat
  nc SERVER 4446 < rslogix_1b.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################