Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
zdtLiquidWorm1337DAY-ID-25856
HistoryMar 01, 2016 - 12:00 a.m.

Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero

2016-03-0100:00:00
LiquidWorm
0day.today
38
JSON

Exploit for windows platform in category dos / poc

Crouzet em4 soft 1.1.04 Integer Division By Zero
 
 
Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: 1.1.04 and 1.1.03.01
 
Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
 
Desc: em4 soft suffers from a division by zero attack when handling
Crouzet Logic Software Document '.pm4' files, resulting in denial
of service vulnerability and possibly loss of data.
 
---------------------------------------------------------------------
(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h]
013ea57b 8d4de0          lea     ecx,[ebp-20h]
013ea57e c745fc00000000  mov     dword ptr [ebp-4],0
013ea585 50              push    eax
013ea586 6808505b01      push    offset image013b0000+0x205008 (015b5008)
013ea58b 51              push    ecx
013ea58c ff15b0575a01    call    dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000    mov     eax,dword ptr [edi+10Ch]
---------------------------------------------------------------------
 
Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
 
Advisory ID: ZSL-2016-5309
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php
 
 
25.01.2016
 
--
 
 
PoC: 
 
http://zeroscience.mk/codes/poc5309.pm4.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39509.zip

#  0day.today [2018-01-08]  #
JSON