Vulnerable Systems:
* Sielco Sistemi Winlog 2.07.16
This software can act as a TCP/IP server by enabling the "Run TCP/IP server" option in the Configuration->Options->TCP/IP section of the project to run; Runtime.exe then listens on TCP port 46824.
The part of the server running on this port uses a static buffer of 0x119 bytes to handle the incoming data, so all the vulnerabilities explained below can be exploited using these fixed addresses.
The exception handler used by the server also allows many attempts to be made without altering the normal operation of the program.
E] Directory traversal
Through opcode 0x78 it is possible to open any file on the disk of the host running the server, and with opcodes 0x96/0x97/0x98 it is possible to read its content.
F] write4
The opcodes used for the file operations specify a 32-bit number, the array element (index) returned by the server when the file was opened, so it can be used to load a file pointer from outside the array (stream lock table: PUSH DWORD PTR DS:[EBX*4+5B0024]) and maybe reach EnterCriticalSection with an arbitrary value:
Anyway, exploiting such a bug is very theoretical because it's hard to bypass all the obstacles to using one's own 32-bit value with EnterCriticalSection.
G] write1
The lack of checks on the return value of the realloc function used by the software allows a 0x00 byte to be written outside the existing buffer if the size to reallocate is negative or cannot be allocated:
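The realloc defect class described in G], as an added illustration in hypothetical C (not Winlog's code): a signed 32-bit length taken from the wire drives a realloc whose result goes unchecked, shown beside the checked form. MAX_MSG and the msgbuf_t layout are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_MSG 0x10000  /* assumed upper bound for one message; not from the advisory */

typedef struct { char *data; size_t cap; } msgbuf_t;

/* Vulnerable shape (do not call): the 32-bit length from the wire is signed,
 * the realloc result is never checked, and the terminator is written anyway.
 * A negative length becomes a huge size_t that realloc rejects with NULL,
 * so the 0x00 write lands outside any live allocation. */
static void grow_unchecked(msgbuf_t *m, int32_t wire_len)
{
    m->data = realloc(m->data, (size_t)wire_len);
    m->data[wire_len] = 0;
}

/* Hardened form: validate the sign and an upper bound before allocating,
 * keep the old buffer when realloc fails, and write the terminator only
 * into memory that is known to exist.  Returns 0 on success, -1 for a
 * rejected length, -2 when the allocation fails. */
static int grow_checked(msgbuf_t *m, int32_t wire_len)
{
    if (wire_len < 0 || (size_t)wire_len >= MAX_MSG)
        return -1;
    size_t need = (size_t)wire_len + 1;      /* room for the terminating NUL */
    if (need > m->cap) {
        char *p = realloc(m->data, need);
        if (p == NULL)
            return -2;                       /* m->data is still the old, valid buffer */
        m->data = p;
        m->cap = need;
    }
    m->data[wire_len] = 0;
    return 0;
}

int main(void)
{
    msgbuf_t m = { NULL, 0 };
    int32_t samples[] = { 16, -1, 0x7fffffff, 8 };  /* constructed wire lengths */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("len %11d -> %d (cap %zu)\n", samples[i], grow_checked(&m, samples[i]), m.cap);
    free(m.data);
    (void)grow_unchecked;  /* referenced only so the compiler does not warn; never executed */
    return 0;
}
```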
F]
udpsz -b 0x40 -T SERVER 46824 0xfffff
udpsz -T -C 7b 0x14 -b 0x7f -C "c1c13800" 0x15 SERVER 46824 0x119
Note that the above PoC does NOTHING; it's just a note.