Automated Solutions Modbus/TCP OPC Server Remote Heap Corruption PoC
A specially crafted length field in a MODBUS packet header can trigger heap corruption. So basically memset(edi,eax,ecx). We control ecx, so we have control over the number of dwords it writes in the heap buffer. But, as you can see, the dwords themselves are not controllable, they are NULL. However, we can still write past the bounds of the allocated chunk of memory. Although it seems unlikely code execution could result, it is still possible to write data past the memory allocated on a heap (0x350000) available in the server process. This code works by setting up a fake channel and accepting a connection. To trigger this vulnerability, the server simply needs to initiate communication (monitor mode would be ideal) with this fake channel and the results depend on the response you choose.