
WellinTech KingSCADA stack-based buffer overflow

WellinTech KingSCADA before 3.7.0.0.1 contains a stack-based buffer overflow. The vulnerability is triggered by sending a specially crafted packet to the 'AlarmServer' (AEserver.exe) service listening on port 12401. The 3rd dword of the packet is used as the number of characters to copy in a memcpy_s() call, while the MaxSize of the destination buffer is set to 0x800. So when the 3rd dword is greater than 0x800 the service crashes.

Disassemble

The crash occurs at 0x00EC6F75, where the function memcpy_s is called:
00EC6F69 68 00080000 push 0x800
00EC6F6E 8D8D 8CF7FFFF lea ecx,dword ptr ss:[ebp-0x874]
00EC6F74 51 push ecx
00EC6F75 FF15 2C01ED00 call dword ptr ds:[<&MSVCR90.memcpy_s>] ; msvcr90.memcpy_s

The registers are:

EAX 0C8B80AC
ECX 021FF694
EDX 00000000
EBX 01A7C418
ESP 021FF594
EBP 021FFF08
ESI 00000000
EDI 00000000
EIP 00EC6F75 kxNetDis.00EC6F75

ESP:

021FF594 021FF694
021FF598 00000800
021FF59C 0C8B80AC
021FF5A0 00000900
021FF5A4 F21A1A48
021FF5A8 00000000

This means the function is called as memcpy_s(0x021FF694, 0x800, 0x0C8B80AC, 0x00000900). The fourth parameter (the count, 0x900) comes from the remote crafted packet, and the source buffer at 0x0C8B80AC also holds data from the packet:

0C8B806C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B807C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B808C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B809C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B80AC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B80BC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B80CC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B80DC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B80EC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B80FC FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B810C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B811C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B812C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B813C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B814C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B815C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B816C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B817C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF 
0C8B818C FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
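The same copy, written with the length validation the AlarmServer parser lacked. This is an added illustration, not KingSCADA code; the 12-byte header (three little-endian dwords, count at offset 8), the MAX_PKT limit and the function names are assumptions based on the description above.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define ALARM_BUF_SIZE 0x800u   /* MaxSize pushed before memcpy_s in the advisory */
#define HDR_LEN 12u             /* three little-endian dwords; assumed framing */
#define MAX_PKT 0x1000u         /* assumed upper bound on a received packet */

enum parse_result { PARSE_OK, PARSE_TOO_SHORT, PARSE_LEN_TOO_LARGE, PARSE_TRUNCATED };

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Hardened version of the copy: the packet-controlled 3rd dword is checked
 * against both the destination size and the bytes really present before any
 * copy runs, so an oversized count is rejected instead of reaching memcpy. */
int parse_alarm_packet(const uint8_t *pkt, size_t pkt_len,
                       uint8_t *dst, size_t dst_size, size_t *copied) {
    if (pkt_len < HDR_LEN) return PARSE_TOO_SHORT;
    uint32_t count = read_le32(pkt + 8);                    /* 3rd dword: declared length */
    if (count > dst_size) return PARSE_LEN_TOO_LARGE;       /* the check AEserver lacked */
    if (count > pkt_len - HDR_LEN) return PARSE_TRUNCATED;  /* never read past the packet */
    memcpy(dst, pkt + HDR_LEN, count);
    *copied = count;
    return PARSE_OK;
}

/* Construct a packet declaring `declared` bytes but carrying `actual` 0xFF bytes
 * (like the FF-filled buffer in the dump above) and run it through the parser. */
int check_packet(uint32_t declared, size_t actual) {
    static uint8_t pkt[MAX_PKT], dst[ALARM_BUF_SIZE];
    size_t copied = 0;
    if (actual > MAX_PKT - HDR_LEN) return -1;
    memset(pkt, 0, HDR_LEN);
    pkt[8] = (uint8_t)declared;         pkt[9]  = (uint8_t)(declared >> 8);
    pkt[10] = (uint8_t)(declared >> 16); pkt[11] = (uint8_t)(declared >> 24);
    memset(pkt + HDR_LEN, 0xFF, actual);
    return parse_alarm_packet(pkt, HDR_LEN + actual, dst, sizeof dst, &copied);
}

int main(void) {
    printf("count 0x900 -> %d (expect %d)\n", check_packet(0x900, 0x900), PARSE_LEN_TOO_LARGE);
    printf("count 0x800 -> %d (expect %d)\n", check_packet(0x800, 0x800), PARSE_OK);
    return 0;
}
```

Under MSVCR90, memcpy_s itself refuses a count larger than MaxSize and invokes the CRT invalid-parameter handler, which terminates the process by default; the remote count therefore has to be validated before the call rather than left to that failure path.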