TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow Exploit

Title: TECO SG2 LAD Client 3.51 SEH Overwrite Buffer Overflow Exploit
Advisory ID: ZSL-2015-5275
Type: Local/Remote
Impact: System Access, DoS
Risk: (4/5)
Release Date: 15.11.2015
Summary
SG2 Client is a program that enables to create and edit applications. The program is providing two edit modes, LADDER and FBD to rapidly and directly input the required app. The Simulation Mode allows users to virtually run and test the program before it is loaded to the controller.
Description
The vulnerability is caused due to a boundary error in the processing of a Genie LAD file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .GEN file. Successful exploitation could allow execution of arbitrary code on the affected machine.

--------------------------------------------------------------------------------

(10bc.1358): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=43434343 edx=7794b4ad esi=00000000 edi=00000000
eip=43434343 esp=0018dc24 ebp=0018dc44 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00210246
43434343 ?? ???
0:000> !exchain
0018dc38: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
0018e1d4: ntdll!LdrRemoveLoadAsDataTable+d64 (7794b4ad)
0018e800: MFC42!Ordinal1580+373 (708df2fc)
0018f098: 43434343
Invalid exception stack at 42424242

--------------------------------------------------------------------------------

Vendor
TECO Electric and Machinery Co., Ltd. - http://www.teco-group.eu
Affected Version
3.51 and 3.40
Tested On
Microsoft Windows 7 Professional SP1 (EN) 64bit
Microsoft Windows 7 Ultimate SP1 (EN) 64bit
Vendor Status
[09.10.2015] Vulnerability discovered.
[15.10.2015] Contact with the vendor.
[14.11.2015] No response from the vendor.
[15.11.2015] Public security advisory released.
PoC
sg2lad.pl
Credits
Vulnerability discovered by Gjoko Krstic - <gjoko@zeroscience.mk>
References
[1] https://www.exploit-db.com/exploits/38700/
[2] https://cxsecurity.com/issue/WLB-2015110110
[3] https://packetstormsecurity.com/files/134380
[4] https://exchange.xforce.ibmcloud.com/vulnerabilities/108205
Changelog
[15.11.2015] - Initial release
[17.11.2015] - Added reference [1], [2] and [3]
[29.11.2015] - Added reference [4]
Contact
Zero Science Lab

Web: http://www.zeroscience.mk
e-mail: lab@zeroscience.mk