Message-ID: <48DCC5B8.7060501@reversemode.com>
Date: Fri, 26 Sep 2008 13:21:28 +0200
From: Reversemode <advisories@...ersemode.com>
To: bugtraq@...urityfocus.com
Subject: DATAC RealWin 2.0 SCADA Software - Remote PreAuth Exploit
Hi
---------------------------------
http://www.dataconline.com/software/realwin.php
"RealWin is a SCADA server product which includes a FlexView HMI and
runs on current Microsoft Windows platforms (2000 and XP). It can
operate on a single PC or multiple PCs connected through a TCP/IP
network. It reads and maintains data returned from field devices using
drivers, stores data for historical access, runs Command Sequence
Language (CSL) scripts and generates alarms as defined in the system."
---------------------------------
The version available for download
(http://www.realflex.com/download/form.php) is likely an old one, so
newer versions may, or may not, be vulnerable. Note that the server is
affected by other flaws, but this one is pretty clear and 100% reliable.
The bug is a classic stack overflow while processing a specially crafted
FC_INFOTAG/SET_CONTROL packet. The RealWin server accepts connections from
FlewWin clients, which use a proprietary protocol. We can exploit this
flaw remotely without having valid credentials.
-----------
.text:0042BFFE call sub_419690 ; Get Packet.PayloadLen
.text:0042C003 movzx ecx, ax ; ecx = 16-bit PayloadLen taken from the packet
.text:0042C006 mov edx, ecx ; keep a copy for the byte remainder
.text:0042C008 shr ecx, 2 ; dword count = PayloadLen / 4
.text:0042C00B mov esi, ebx ; source = received packet data
.text:0042C00D lea edi, [esp+638h+var_2E0] ; destination = fixed-size stack buffer
.text:0042C014 rep movsd ; copy dwords; PayloadLen is never compared with the buffer size
.text:0042C016 mov ecx, edx
.text:0042C018 and ecx, 3 ; remaining PayloadLen % 4 bytes
.text:0042C01B rep movsb ; copy the tail, same unchecked length
-----------
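The unchecked copy shown in the listing, as an added C example that is not part of this advisory or of the attached exploit: a minimal SET_CONTROL handler with the same defect next to a bounds-checked version that rejects a packet whose declared length exceeds either the bytes actually received or the destination buffer. The wire layout (16-bit little-endian PayloadLen followed by the payload), the 256-byte buffer size, and the function names are assumptions for illustration; the disassembly only shows the frame offset var_2E0, not the buffer length. The sample packets are constructed, not captured RealWin traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed size of the stack buffer the payload is copied into; the
   listing shows only the frame offset (var_2E0), not the length. */
#define CTRL_BUF_SIZE 256

/* Assumed wire layout for this illustration: a 16-bit little-endian
   PayloadLen followed by PayloadLen bytes of payload. */
#define HDR_LEN 2

/* Read the 16-bit length field (sub_419690 returned it in ax). */
static uint16_t read_payload_len(const uint8_t *pkt)
{
    return (uint16_t)(pkt[0] | ((uint16_t)pkt[1] << 8));
}

/* "Before": mirrors the disassembled sequence. The length comes straight
   from the packet and drives the copy into a fixed stack buffer; nothing
   compares it against sizeof ctrl, so any PayloadLen above CTRL_BUF_SIZE
   writes past the end of the frame (undefined behaviour). Only called on
   well-formed input here. Returns the declared payload length. */
int handle_set_control_unchecked(const uint8_t *pkt, size_t pkt_len)
{
    uint8_t ctrl[CTRL_BUF_SIZE];
    if (pkt_len < HDR_LEN)
        return -1;
    uint16_t payload_len = read_payload_len(pkt);
    memcpy(ctrl, pkt + HDR_LEN, payload_len);   /* BUG: no bounds check */
    (void)ctrl;
    return (int)payload_len;
}

/* "After": identical parse, but every attacker-controlled length is
   validated against both the bytes received and the destination size
   before a single byte is copied. Returns the payload length, or a
   negative code naming the check that failed. */
int handle_set_control_checked(const uint8_t *pkt, size_t pkt_len,
                               uint8_t *out, size_t out_size)
{
    if (pkt_len < HDR_LEN)
        return -1;                          /* truncated header */
    uint16_t payload_len = read_payload_len(pkt);
    if ((size_t)payload_len > pkt_len - HDR_LEN)
        return -2;                          /* claims more bytes than were received */
    if ((size_t)payload_len > out_size)
        return -3;                          /* would overflow the destination */
    memcpy(out, pkt + HDR_LEN, payload_len);
    return (int)payload_len;
}

/* Constructed sample packets. */
static const uint8_t good_pkt[]  = { 0x04, 0x00, 'A', 'B', 'C', 'D' };
/* Declares 0xFFFF payload bytes but carries only four. */
static const uint8_t lying_pkt[] = { 0xFF, 0xFF, 'A', 'B', 'C', 'D' };

/* Fill buf with a packet whose declared and actual payload length is
   buf_size - HDR_LEN (zero-filled payload). Returns the packet length. */
size_t make_packet(uint8_t *buf, size_t buf_size)
{
    size_t payload = buf_size - HDR_LEN;
    buf[0] = (uint8_t)(payload & 0xFF);
    buf[1] = (uint8_t)(payload >> 8);
    memset(buf + HDR_LEN, 0, payload);
    return buf_size;
}
```

The two length checks in the hardened handler are the whole fix: the first stops an over-read of the receive buffer, the second stops the stack write the advisory describes. Checking only one of them is a common partial repair.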
That's all, just for fun.
Regards,
Rubén.
Attachment: exploit_realwin.c (text/plain, 6312 bytes)