76 lines
No EOL
1.7 KiB
Text
76 lines
No EOL
1.7 KiB
Text
#######################################################################
|
|
|
|
Luigi Auriemma
|
|
|
|
Application: Microsys PROMOTIC
|
|
http://www.promotic.eu/en/promotic/scada-pm.htm
|
|
Versions: 8.1.4
|
|
Platforms: Windows
|
|
Bug: ActiveX GetPromoticSite unitialized pointer
|
|
Exploitation: remote
|
|
Date: 30 Oct 2011
|
|
Author: Luigi Auriemma
|
|
e-mail: aluigi@autistici.org
|
|
web: aluigi.org
|
|
|
|
|
|
#######################################################################
|
|
|
|
|
|
1) Introduction
|
|
2) Bug
|
|
3) The Code
|
|
4) Fix
|
|
|
|
|
|
#######################################################################
|
|
|
|
===============
|
|
1) Introduction
|
|
===============
|
|
|
|
|
|
From vendor's website:
|
|
"PROMOTIC is a complex SCADA object software tool for creating
|
|
applications that monitor, control and display technological processes
|
|
in various industrial areas. "
|
|
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
2) Bug
|
|
======
|
|
|
|
|
|
Code execution through an unitialized pointer exploitable via the
|
|
GetPromoticSite method of the PmTable.ocx ActiveX
|
|
(19BA6EE6-4BB4-11D1-8085-0020AFC8C4AF).
|
|
|
|
|
|
Note that the ActiveX object could require the acknoledge of the user
|
|
for being executed.
|
|
|
|
|
|
#######################################################################
|
|
|
|
===========
|
|
3) The Code
|
|
===========
|
|
|
|
|
|
http://aluigi.org/poc/promotic_2.zip
|
|
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/18049.zip
|
|
|
|
|
|
#######################################################################
|
|
|
|
======
|
|
4) Fix
|
|
======
|
|
|
|
|
|
No fix.
|
|
|
|
|
|
####################################################################### |