Vulnerable Systems:
* Pro-face Pro-Server EX WinGP PC
By default Pro-Server EX (ProServr.exe) runs as a stand-alone server, but it can be installed as a Windows service during installation; the vendor recommends this second mode.
A] "Find Node" invalid memory access
The server trusts a 32-bit "number of elements" value that is used to locate the subsequent string in the received packet. If the packet contains a particular flag, the following function tries to check for the presence of the string "\x1c" "Find Node\0" "ASP" at that arbitrary location:
This bug also works if the server is password-protected (a password of at most 8 bytes XORed with 0xff) and the attacker does not know the password.
B] memset integer overflow
Through opcode 0x07 -> 0x5/0x6/0x7 an integer overflow can be triggered that allocates a buffer of 0 bytes; however, the memset() that follows only allows this bug to crash the server through a buffer overflow of zeroes (unfortunately the memcpy can't be reached):
C] Unhandled exception
Through opcode 0x07 -> 0x5/0x6/0x7 it's possible to terminate the server with an unhandled exception ("Runtime Error") caused by a request to allocate too large an amount of data.
D] Invalid memory read access and disclosure
Through opcode 0x07 -> 0x5/0x6/0x7/0x14 it's possible to crash the server by specifying a large size value, so that copying the data from the source packet with the osUTmemcpy function fails. Opcode 0x7 -> 0x14 is more interesting because it returns a chosen amount of memory back to the client, so all the memory up to the end of the buffer can be read.
E] Possible limited memory corruptions
The server often reuses the memory holding the input packet to modify it and then send it back to the client. The lack of checks on the size of the received packet allows an attacker to send a small packet and force the server to write its fields at offsets beyond the allocated packet size, corrupting the heap.
An example of these memory corruptions happens with opcode 0x7 -> 0x14:
In this example ECX is just zero, so it is not very useful; it is shown only as one large block of code, since there are other places where no checks are performed on the received packet size. Note that this attack is possible only if no bigger packets have been received previously, because there is a single memory buffer sized to fit the largest packet received so far.
PCRuntime.exe also listens on TCP port 8000, which is fully compatible with the protocol running on the UDP port (type, flags, size, data).
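As an added defensive illustration (not code from the advisory, the vendor or the PoC archive), the two length-handling defects behind the memset integer overflow and the limited memory corruptions above, each beside a hardened check; the 6-byte header layout and little-endian size field are assumptions, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stddef.h>

/* Hypothetical header for the "type, flags, size, data" layout the advisory
   names: 1 byte type, 1 byte flags, 4 byte little-endian size (assumption,
   not the real wire format). */
#define HDR_LEN 6u

/* Vulnerable pattern: count * element size computed in 32 bits, so a large
   count wraps to a tiny (even zero) allocation while later per-element
   writes still use the full count. Returns the wrapped value only. */
uint32_t unchecked_alloc_bytes(uint32_t count, uint32_t elem_size) {
    return count * elem_size;             /* wraps modulo 2^32 */
}

/* Hardened form: returns the byte count, or 0 when the request must be
   rejected (zero elements, or a product that would wrap). */
uint32_t checked_alloc_bytes(uint32_t count, uint32_t elem_size) {
    if (count == 0 || elem_size == 0 || count > UINT32_MAX / elem_size)
        return 0;
    return count * elem_size;
}

/* Hardened header check: the declared size must fit inside the bytes
   actually received, so no field offset derived from it can reach past the
   buffer. Returns the payload length, or -1 to drop the packet. */
long long validate_packet(const uint8_t *buf, size_t received) {
    if (buf == NULL || received < HDR_LEN)
        return -1;
    uint32_t size = (uint32_t)buf[2] | ((uint32_t)buf[3] << 8) |
                    ((uint32_t)buf[4] << 16) | ((uint32_t)buf[5] << 24);
    if ((size_t)size > received - HDR_LEN) /* claims more data than arrived */
        return -1;
    return (long long)size;
}

/* Constructed samples (not real captures): one header claiming 0x10000 bytes
   of data while carrying 4, and one whose size field matches its payload. */
const uint8_t PKT_OVERSIZED[10]   = {0x07,0x00, 0x00,0x00,0x01,0x00, 'A','B','C','D'};
const uint8_t PKT_CONSISTENT[10]  = {0x07,0x00, 0x04,0x00,0x00,0x00, 'A','B','C','D'};
```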
The Code
http://aluigi.org/poc/proservrex_1.zip
http://www.exploit-db.com/sploits/18878.zip