Search...

TECO SG2 FBD Client 3.51 - .gfb SEH Overwrite Buffer Overflow Vulnerability

2015-11-16T00:00:00

ID EDB-ID:38701
Type exploitdb
Reporter LiquidWorm
Modified 2015-11-16T00:00:00

Description

TECO SG2 FBD Client 3.51 - .gfb SEH Overwrite Buffer Overflow Vulnerability. Dos exploit for windows platform

                                        
                                            # TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 3.51 and 3.40
#
# Summary: SG2 Client is a program that enables to create and edit applications.
# The program is providing two edit modes, LADDER and FBD to rapidly and directly
# input the required app. The Simulation Mode allows users to virtually run and test
# the program before it is loaded to the controller.
#
# Desc: The vulnerability is caused due to a boundary error in the processing
# of a Genie FBD, which can be exploited to cause a buffer overflow when a
# user opens e.g. a specially crafted .GFB file. Successful exploitation could
# allow execution of arbitrary code on the affected machine.
#
# ---------------------------------------------------------------------------------
# (fb0.fd0): Access violation - code c0000005 (!!! second chance !!!)
# *** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\windows\SysWOW64\ntdll.dll - 
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\SG2 Client\FBD.EXE
# eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8
# eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0         nv up ei pl nz na po nc
# cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010202
# FBD+0x40b57:
# 00440b57 8995a0000000    mov     dword ptr [ebp+0A0h],edx ss:002b:000000df=????????
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
#            Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
#                             @zeroscience
#
#
# Advisory ID: ZSL-2015-5276
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5276.php
#
#
# 09.10.2015
#


PoC:

- http://zeroscience.mk/codes/sg2fbd-5276.zip
- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38701.zip

JSON Vulners Source

Initial Source

{"id": "EDB-ID:38701", "type": "exploitdb", "bulletinFamily": "exploit", "title": "TECO SG2 FBD Client 3.51 - .gfb SEH Overwrite Buffer Overflow Vulnerability", "description": "TECO SG2 FBD Client 3.51 - .gfb SEH Overwrite Buffer Overflow Vulnerability. Dos exploit for windows platform", "published": "2015-11-16T00:00:00", "modified": "2015-11-16T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://www.exploit-db.com/exploits/38701/", "reporter": "LiquidWorm", "references": [], "cvelist": [], "lastseen": "2016-02-04T08:40:27", "viewCount": 4, "enchantments": {"score": {"value": 0.2, "vector": "NONE", "modified": "2016-02-04T08:40:27", "rev": 2}, "dependencies": {"references": [], "modified": "2016-02-04T08:40:27", "rev": 2}, "vulnersScore": 0.2}, "sourceHref": "https://www.exploit-db.com/download/38701/", "sourceData": "# TECO SG2 FBD Client 3.51 SEH Overwrite Buffer Overflow Vulnerability\r\n#\r\n#\r\n# Vendor: TECO Electric and Machinery Co., Ltd.\r\n# Product web page: http://www.teco-group.eu\r\n# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9\r\n# Affected version: 3.51 and 3.40\r\n#\r\n# Summary: SG2 Client is a program that enables to create and edit applications.\r\n# The program is providing two edit modes, LADDER and FBD to rapidly and directly\r\n# input the required app. The Simulation Mode allows users to virtually run and test\r\n# the program before it is loaded to the controller.\r\n#\r\n# Desc: The vulnerability is caused due to a boundary error in the processing\r\n# of a Genie FBD, which can be exploited to cause a buffer overflow when a\r\n# user opens e.g. a specially crafted .GFB file. Successful exploitation could\r\n# allow execution of arbitrary code on the affected machine.\r\n#\r\n# ---------------------------------------------------------------------------------\r\n# (fb0.fd0): Access violation - code c0000005 (!!! second chance !!!)\r\n# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\\windows\\SysWOW64\\ntdll.dll - \r\n# *** WARNING: Unable to verify checksum for C:\\Program Files (x86)\\TECO\\SG2 Client\\FBD.EXE\r\n# *** ERROR: Module load completed but symbols could not be loaded for C:\\Program Files (x86)\\TECO\\SG2 Client\\FBD.EXE\r\n# eax=4141413f ebx=00000004 ecx=41414141 edx=41414141 esi=0018f578 edi=00a642e8\r\n# eip=00440b57 esp=0018ef9c ebp=0000003f iopl=0 nv up ei pl nz na po nc\r\n# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202\r\n# FBD+0x40b57:\r\n# 00440b57 8995a0000000 mov dword ptr [ebp+0A0h],edx ss:002b:000000df=????????\r\n# ---------------------------------------------------------------------------------\r\n#\r\n# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit\r\n# Microsoft Windows 7 Ultimate SP1 (EN) 64bit\r\n#\r\n#\r\n# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic\r\n# @zeroscience\r\n#\r\n#\r\n# Advisory ID: ZSL-2015-5276\r\n# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5276.php\r\n#\r\n#\r\n# 09.10.2015\r\n#\r\n\r\n\r\nPoC:\r\n\r\n- http://zeroscience.mk/codes/sg2fbd-5276.zip\r\n- https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/38701.zip\r\n\r\n", "osvdbidlist": ["130324"]}