Exploit for DATAC RealWin 2.0 SCADA Software

Written by Rubén

Friday, 26 September 2008

Hi,
I have just uploaded an exploit for DATAC RealWin 2.0, a SCADA software used in small/medium installations. The version available for download is likely an old one so newer versions may, or may not, be vulnerable. Note that the server is affected by other flaws, but this one is pretty clear and 100% reliable.
The bug is a classic stack overflow while processing a specially crafted FC_INFOTAG/SET_CONTROL packet. The RealWin server accepts connections from FlewWin clients, which use a proprietary protocol. We can exploit this flaw remotely without having valid credentials.
.text:0042BFFE call sub_419690 ; Get Packet.PayloadLen (returned in ax)
.text:0042C003 movzx ecx, ax ; ecx = PayloadLen, 16-bit value taken from the packet
.text:0042C006 mov edx, ecx ; keep a copy for the trailing byte copy
.text:0042C008 shr ecx, 2 ; ecx = PayloadLen / 4 (number of dwords)
.text:0042C00B mov esi, ebx ; esi = source (ebx, the packet payload)
.text:0042C00D lea edi, [esp+638h+var_2E0] ; edi = destination: fixed-size buffer on the stack
.text:0042C014 rep movsd ; copy PayloadLen/4 dwords, no comparison against the buffer size
.text:0042C016 mov ecx, edx
.text:0042C018 and ecx, 3 ; ecx = PayloadLen % 4 (remaining bytes)
.text:0042C01B rep movsb ; copy the remainder: together an unbounded memcpy into the stack frame
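The copy above rewritten in C, as an added example that is not the RealWin code or the original exploit: the unchecked function mirrors the rep movsd / rep movsb sequence, the checked one adds the length validation the binary lacks. The packet layout, the 0x2E0 buffer size (taken from the IDA name var_2E0, which only gives a stack offset) and all function names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define LOCAL_BUF_SIZE 0x2E0          /* assumed size of the stack buffer var_2E0 */

struct fc_packet {                    /* hypothetical view of a SET_CONTROL packet */
    uint16_t payload_len;             /* Packet.PayloadLen: 16 bits, attacker-controlled */
    const uint8_t *payload;           /* what ebx points at before "mov esi, ebx" */
};

/* Mirrors the binary: PayloadLen/4 dwords (rep movsd) then PayloadLen%4 bytes
 * (rep movsb) into a fixed stack buffer. Nothing compares payload_len with
 * LOCAL_BUF_SIZE, so any payload_len above 0x2E0 overwrites the frame.
 * Kept here to be read; only call it with payload_len <= LOCAL_BUF_SIZE. */
static size_t set_control_unchecked(const struct fc_packet *pkt)
{
    uint8_t local[LOCAL_BUF_SIZE];
    size_t dwords = pkt->payload_len >> 2;        /* shr ecx, 2 */
    size_t tail   = pkt->payload_len & 3;         /* and ecx, 3 */

    memcpy(local, pkt->payload, dwords * 4);                     /* rep movsd */
    memcpy(local + dwords * 4, pkt->payload + dwords * 4, tail); /* rep movsb */
    return dwords * 4 + tail;     /* bytes written; local[] is discarded here */
}

/* Fix: validate the attacker-supplied length against the destination before
 * copying. Returns -1 and copies nothing when the payload does not fit. */
static int set_control_checked(const struct fc_packet *pkt)
{
    uint8_t local[LOCAL_BUF_SIZE];

    if (pkt->payload_len > LOCAL_BUF_SIZE)
        return -1;                                /* reject the oversized packet */
    memcpy(local, pkt->payload, pkt->payload_len);
    return (int)pkt->payload_len;                 /* bytes accepted */
}

/* Constructed payload bytes for trying both handlers; the checked handler
 * rejects a 0xFFFF length before touching them. */
static const uint8_t sample_bytes[LOCAL_BUF_SIZE + 1] = { 0x41 };
```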
That's all, just for fun.
Download exploit code.
Last Updated ( Friday, 26 September 2008 )
Microsoft Windows WRITE_ANDX SMB Command Handling Kernel DoS

Written by Rubén

Monday, 15 September 2008

Hi,
Some days ago Javier Vicente Vallejo came up with a kernel-level DoS that was crashing a Windows Vista SP1 machine, requesting a second opinion. As a result of the research, the following advisory...
Microsoft Windows WRITE_ANDX SMB command handling Kernel DoS
Vulnerability and Exploit: Javier Vicente Vallejo, http://www.vallejo.cc
Vulnerability Analysis: Ruben Santamarta, http://www.reversemode.com
Abstract
Microsoft Windows is prone to a remote Kernel Denial of Service due to the way srv.sys handles malformed WRITE_ANDX SMB packets.
Remote attackers could exploit this issue without having valid credentials on the target machine. To achieve successful exploitation, the attacker needs enough privileges to remotely send WRITE_ANDX packets to an interface that uses a Named Pipe as its endpoint. The interfaces that allow NULL Sessions vary between Windows versions; on Vista, a reliable pre-authentication attack through the “\LSARPC” pipe has been successfully demonstrated.
Affected versions
Theoretically verified on: Windows 2000, XP, Server 2003, Vista, Server 2008.
Successfully exploited on: Microsoft Windows Vista SP1 with latest security updates.
Analysis
A condition exists with srv.sys and npfs.sys wherein a specially crafted WRITE_ANDX SMB packet may cause a kernel Denial Of Service.
Last Updated ( Friday, 26 September 2008 )
Written by Rubén

Tuesday, 12 August 2008

Wow, I wrote the last entry in June, that's not good. I promise that in the upcoming months I'll try to do better...
First off, we are going to talk about bugs. Today Microsoft has released the security bulletin for August, which addresses, among others, a couple of flaws in PowerPoint I discovered about a year ago. Nothing really exciting; one of them is a classical integer overflow, let's see:
Last Updated ( Monday, 15 September 2008 )