DaqFactory 5.85 build 1853 - Stack Overflow

EDB-ID:

17841

CVE:

2011-3492

EDB Verified:

Author:

Luigi Auriemma

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2011-09-14

Vulnerable App: 
#######################################################################

                             Luigi Auriemma

Application:  DAQFactory
              http://www.azeotech.com/daqfactory.php
Versions:     <= 5.85 build 1853
Platforms:    Windows
Bug:          stack overflow
Exploitation: remote
Date:         13 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bug
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


DAQFactory is an HMI/SCADA software.


#######################################################################

======
2) Bug
======


When DAQFactory is running it listens on the UDP port 20034 for NETB
packets of max 0x400 bytes.

The software is affected by a stack overflow in the code that logs the
informations of the incoming packet allowing an attacker to execute
malicious code:

  005C3FB0  /$ 6A FF             PUSH -1
  005C3FB2  |. 68 E6777D00       PUSH DAQFacto.007D77E6
  005C3FB7  |. 64:A1 00000000    MOV EAX,DWORD PTR FS:[0]
  005C3FBD  |. 50                PUSH EAX
  005C3FBE  |. 64:8925 00000000  MOV DWORD PTR FS:[0],ESP
  005C3FC5  |. 81EC 2C020000     SUB ESP,22C
  ...skip...
  005C41B2  |. 8D8C24 7C010000   LEA ECX,DWORD PTR SS:[ESP+17C]
  005C41B9  |. 68 B02C9000       PUSH DAQFacto.00902CB0     ; "MAC:[%02x-%02X-%02X-%02X-%02X-%02X] IP:%d.%d.%d.%d DHCP:%d.%d.%d.%d %s%s"
  005C41BE  |. 51                PUSH ECX
  005C41BF  |. FF15 6CC07F00     CALL DWORD PTR DS:[<&MSVCRT.sprintf>]
  ..and..
  005C423A  |. 8D8C24 6C010000   LEA ECX,DWORD PTR SS:[ESP+16C]
  005C4241  |. 68 682C9000       PUSH DAQFacto.00902C68     ; "MAC: [%02x-%02X-%02X-%02X-%02X-%02X]    IP:%d.%d.%d.%d %s%s"
  005C4246  |. 51                PUSH ECX
  005C4247  |. FF15 6CC07F00     CALL DWORD PTR DS:[<&MSVCRT.sprintf>]


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/daqfactory_1.dat
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17841.dat

  nc SERVER 20034 -u < daqfactory_1.dat


#######################################################################

======
4) Fix
======


No fix.


#######################################################################
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services