Crouzet em4 soft 1.1.04 - '.pm4' Integer Division By Zero

2016-03-01T00:00:00
ID 1337DAY-ID-25856
Type zdt
Reporter LiquidWorm
Modified 2016-03-01T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            Crouzet em4 soft 1.1.04 Integer Division By Zero
 
 
Vendor: Crouzet Automatismes SAS
Product web page: http://www.crouzet-automation.com
Affected version: 1.1.04 and 1.1.03.01
 
Summary: em4 is more than just a nano-PLC. It is a leading
edge device supported by best-in-class tools that enables
you to create and implement the smartest automation applications.
 
Desc: em4 soft suffers from a division by zero attack when handling
Crouzet Logic Software Document '.pm4' files, resulting in denial
of service vulnerability and possibly loss of data.
 
---------------------------------------------------------------------
(187c.1534): Integer divide-by-zero - code c0000094 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image013b0000
*** ERROR: Module load completed but symbols could not be loaded for image013b0000
eax=00000000 ebx=00000000 ecx=55c37c10 edx=00000000 esi=0105b13c edi=0110bb18
eip=013ea575 esp=0064d8b8 ebp=0064d8f4 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00210206
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h] ds:002b:0110bc30=00000000
0:000> u
image013b0000+0x3a575:
013ea575 f7bf18010000    idiv    eax,dword ptr [edi+118h]
013ea57b 8d4de0          lea     ecx,[ebp-20h]
013ea57e c745fc00000000  mov     dword ptr [ebp-4],0
013ea585 50              push    eax
013ea586 6808505b01      push    offset image013b0000+0x205008 (015b5008)
013ea58b 51              push    ecx
013ea58c ff15b0575a01    call    dword ptr [image013b0000+0x1f57b0 (015a57b0)]
013ea592 8b870c010000    mov     eax,dword ptr [edi+10Ch]
---------------------------------------------------------------------
 
Tested on: Microsoft Windows 7 Professional SP1 (EN)
           Microsoft Windows 7 Ultimate SP1 (EN)
 
 
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience
 
 
Advisory ID: ZSL-2016-5309
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5309.php
 
 
25.01.2016
 
--
 
 
PoC: 
 
http://zeroscience.mk/codes/poc5309.pm4.zip
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/39509.zip

#  0day.today [2018-01-08]  #