ID

VAR-E-201110-0271


EDB ID

17964


TITLE

IRAI AUTOMGEN 8.0.0.7 - Use-After-Free - Windows dos Exploit

Trust: 0.6

sources: EXPLOIT-DB: 17964

DESCRIPTION

IRAI AUTOMGEN 8.0.0.7 - Use-After-Free. CVE-76296. dos exploit for Windows platform

Trust: 0.6

sources: EXPLOIT-DB: 17964

AFFECTED PRODUCTS

vendor: irai, model: automgen, scope: eq, version: 8.0.0.7

Trust: 1.0

sources: EXPLOIT-DB: 17964

EXPLOIT

#######################################################################

Luigi Auriemma

Application: IRAI AUTOMGEN
http://www.irai.com/a8e/
Versions: <= 8.0.0.7 (aka 8.022)
Platforms: Windows
Bug: use after free
Exploitation: file
Date: 10 Oct 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From the vendor's website:
"Universal automation workshop
Functionalities : automation projects creation for PLC and
microprocessors, SCADA, Web SCADA, 3D process simulation, etc."

#######################################################################

======
2) Bug
======

Use after free in the handling of project files containing malformed
fields, such as the size of the embedded zip archive or some counters,
which may allow code execution.

No additional research was performed because this was only a quick
test; the following are various examples of locations where the
possible code execution occurs:

00460ee6 8b01 mov eax,dword ptr [ecx]
00460ee8 6a01 push 1
00460eea ff5004 call dword ptr [eax+4]

005239ca 8b06 mov eax,dword ptr [esi]
005239cc 8bce mov ecx,esi
005239ce ff5010 call dword ptr [eax+10h]

0040d11b 8b16 mov edx,dword ptr [esi]
0040d11d 6a00 push 0
0040d11f 50 push eax
0040d120 8bce mov ecx,esi
0040d122 ff9288000000 call dword ptr [edx+88h]

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/automgen_1.zip
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/17964.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################

Trust: 1.0

sources: EXPLOIT-DB: 17964

EXPLOIT LANGUAGE

txt

Trust: 0.6

sources: EXPLOIT-DB: 17964

PRICE

free

Trust: 0.6

sources: EXPLOIT-DB: 17964

TYPE

Use-After-Free

Trust: 1.0

sources: EXPLOIT-DB: 17964

CREDITS

Luigi Auriemma

Trust: 0.6

sources: EXPLOIT-DB: 17964

EXTERNAL IDS

db: EXPLOIT-DB, id: 17964

Trust: 1.6

db: EDBNET, id: 40463

Trust: 0.6

sources: EXPLOIT-DB: 17964 // EDBNET: 40463

REFERENCES

url:https://www.exploit-db.com/exploits/17964/

Trust: 0.6

sources: EDBNET: 40463

SOURCES

db: EXPLOIT-DB, id: 17964
db: EDBNET, id: 40463

LAST UPDATE DATE

2022-07-27T09:52:21.578000+00:00


SOURCES RELEASE DATE

db: EXPLOIT-DB, id: 17964, date: 2011-10-10T00:00:00
db: EDBNET, id: 40463, date: 2011-10-10T00:00:00