#!/usr/bin/perl # # # TECO TP3-PCLINK 2.1 TPC File Handling Buffer Overflow Vulnerability # # # Vendor: TECO Electric and Machinery Co., Ltd. # Product web page: http://www.teco-group.eu # Affected version: 2.1 # # Summary: TP3-PCLINK Software is the supportive software for TP03, providing # three edit modes as LADDER, IL ,FBDand SFC, by which programs can be input # rapidly and correctly. # # Desc: The vulnerability is caused due to a boundary error in the processing # of a project file, which can be exploited to cause a buffer overflow when a # user opens e.g. a specially crafted .TPC file. Successful exploitation could # allow execution of arbitrary code on the affected machine. # # --------------------------------------------------------------------------------- # (794.193c): C++ EH exception - code e06d7363 (first chance) # Critical error detected c0000374 # (794.193c): Break instruction exception - code 80000003 (first chance) # eax=00000000 ebx=00000000 ecx=778f0b42 edx=0018db71 esi=02730000 edi=41414141 # eip=7794e725 esp=0018ddc4 ebp=0018de3c iopl=0 nv up ei pl nz na po nc # cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00200202 # ntdll!RtlpNtEnumerateSubKey+0x1af8: # 7794e725 cc int 3 # --------------------------------------------------------------------------------- # # Tested on: Microsoft Windows 7 Professional SP1 (EN) 64bit # Microsoft Windows 7 Ultimate SP1 (EN) 64bit # # # Vulnerability discovered by Gjoko 'LiquidWorm' Krstic # @zeroscience # # # Advisory ID: ZSL-2015-5277 # Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5277.php # # # 09.10.2015 # PoC: - http://zeroscience.mk/codes/tp3tpc-5277.zip