* Sielco Sistemi Winlog 2.07.16
This software can act as a TCP/IP server by enabling the "Run TCP/IP server" option in the Configuration->Options->TCP/IP section of the project to be run; Runtime.exe then listens on TCP port 46824.
The part of the server listening on this port uses a static buffer of 0x119 bytes for the incoming data, so all the vulnerabilities explained below can be exploited using fixed addresses.
In addition, the exception handler used by the server allows an attacker to make many attempts without disturbing the normal operation of the program.
E] Directory traversal
Through opcode 0x78 it's possible to open any file on the disk of the machine running the server, and with opcodes 0x96/0x97/0x98 it's possible to read its content.
The opcodes used for the file operations take a 32bit number that selects an element of the array (the index returned by the server when opening the file); since it isn't checked, it can be used to load a file pointer from outside the array (stream lock table: PUSH DWORD PTR DS:[EBX*4+5B0024]) and maybe reach EnterCriticalSection with an arbitrary value:
Anyway, exploiting such a bug is very theoretical because it's hard
to bypass all the obstacles to using one's own 32bit value with
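As an added example (not Winlog's code), here is a C model of the two checks the file-operation handler described above lacks: confining the requested path to a relative location under the project directory (the open opcode 0x78), and validating the 32bit stream index before it is used to fetch a pointer from the table (the read opcodes 0x96/0x97/0x98). The table layout, the simulated image array and the function names are assumptions; the unchecked lookup is capped at the end of the simulated image only so that the demo can't fault.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Winlog's code. Models a file-op dispatcher in which
 * "open" hands the client a slot number in a stream table and "read" takes
 * that 32bit number back from the client. Sizes and names are assumptions. */

#define STREAM_SLOTS 4

/* A small "process image": the stream table is image[0..3]; the entries
 * after it stand in for whatever globals follow the real table in memory. */
static uint32_t image[8] = {
    0x00401000, 0x00401010, 0x00401020, 0x00401030,   /* stream table */
    0xDEAD0001, 0xDEAD0002, 0xDEAD0003, 0xDEAD0004,   /* other globals */
};

/* Vulnerable pattern from the advisory: the index from the packet is used
 * directly (PUSH DWORD PTR [EBX*4+table]), so any value past the table
 * fetches a foreign DWORD that is then treated as a stream pointer.
 * The guard against the image end exists only to keep this demo in bounds. */
uint32_t lookup_unchecked(uint32_t idx)
{
    if (idx >= sizeof image / sizeof image[0]) return 0; /* demo guard only */
    return image[idx];
}

/* Hardened: reject indexes outside the table before touching memory. */
uint32_t lookup_checked(uint32_t idx)
{
    if (idx >= STREAM_SLOTS) return 0;
    return image[idx];
}

/* Hardened open: accept only a relative path with no ".." component, no
 * drive letter and no leading separator, so it stays under the base dir.
 * Both '/' and '\\' are treated as separators, as Windows does. */
int path_allowed(const char *req)
{
    if (req == NULL || *req == '\0') return 0;
    if (req[0] == '/' || req[0] == '\\') return 0;   /* absolute or UNC path */
    if (req[1] == ':') return 0;                     /* drive letter, e.g. C: */
    const char *p = req;
    while (*p) {
        /* p is at the start of a path component */
        if (p[0] == '.' && p[1] == '.' &&
            (p[2] == '\0' || p[2] == '/' || p[2] == '\\'))
            return 0;                                /* ".." component */
        while (*p && *p != '/' && *p != '\\') p++;   /* skip the component */
        while (*p == '/' || *p == '\\') p++;         /* skip separators */
    }
    return 1;
}

int main(void)
{
    printf("unchecked idx 5 -> %#x\n", (unsigned)lookup_unchecked(5));
    printf("checked idx 5   -> %#x\n", (unsigned)lookup_checked(5));
    printf("path \"..\\\\..\\\\windows\\\\win.ini\" allowed -> %d\n",
           path_allowed("..\\..\\windows\\win.ini"));
    printf("path \"logs/today.log\" allowed -> %d\n",
           path_allowed("logs/today.log"));
    return 0;
}
```

The lexical check above is the minimum; on the real server the opened path should additionally be resolved (GetFullPathName or equivalent) and compared against the project directory, since a lexical filter doesn't see reparse points or alternate data streams.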
The lack of checks on the return value of the realloc function used by
the software allows a 0x00 byte to be written outside the existing
buffer if the size specified for the reallocation is negative or can't be allocated:
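As an added example (not Winlog's code), here is a C model of the unchecked realloc pattern described above next to a hardened version. A 32bit length from the packet is passed to realloc; a negative value becomes a huge size_t, realloc fails and returns NULL, and the terminating 0x00 then goes to NULL + length, far outside the existing buffer. The vulnerable variant here only reports where that byte would land instead of writing it, so the example runs without crashing; the function names and the "p[n - 1] = 0" shape of the terminator write are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>

/* Added example, not Winlog's code. Models "p = realloc(p, n); p[n - 1] = 0;"
 * with n taken from the network as a signed 32bit value. Names are assumptions. */

/* Vulnerable pattern. Returns 0 when realloc() succeeded and the write
 * stayed in bounds, otherwise the address the stray 0x00 would have hit.
 * (n == 0 is another out-of-bounds case and is not modeled here.) */
uintptr_t grow_unchecked(char **buf, int32_t n)
{
    size_t want = (size_t)n;          /* no sign check: -1 becomes SIZE_MAX */
    char *p = realloc(*buf, want);    /* fails for any negative n */
    if (p == NULL) {
        /* realloc() failed, *buf is still valid. The original code would now
         * execute p[n - 1] = 0 with p == NULL, i.e. write to address n - 1. */
        return (uintptr_t)want - 1;
    }
    *buf = p;
    p[want - 1] = 0;                  /* in bounds only because p != NULL */
    return 0;
}

/* Hardened: reject sizes that can't be a sane request, check the realloc()
 * result, and keep the old block (and its capacity) on failure. */
int grow_checked(char **buf, size_t *cap, int32_t n, size_t max)
{
    if (n <= 0 || (size_t)n > max) return -1;    /* negative or oversized */
    char *p = realloc(*buf, (size_t)n);
    if (p == NULL) return -1;                    /* *buf and *cap unchanged */
    *buf = p;
    *cap = (size_t)n;
    p[*cap - 1] = 0;
    return 0;
}

int main(void)
{
    char *b = NULL;
    uintptr_t where = grow_unchecked(&b, -1);
    printf("unchecked, n=-1: realloc size %#zx, stray 0x00 would go to %#zx\n",
           (size_t)(int32_t)-1, (size_t)where);
    size_t cap = 0;
    printf("checked, n=-1: %d\n", grow_checked(&b, &cap, -1, 4096));
    printf("checked, n=64: %d (cap %zu)\n", grow_checked(&b, &cap, 64, 4096), cap);
    free(b);
    return 0;
}
```

Note that the hardened version also fixes the leak hidden in the common "buf = realloc(buf, n)" idiom: on failure the old pointer is overwritten with NULL and the original block is lost, whereas here it stays reachable.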