Overview
Vulnerability details
1. Vulnerability Trigger Location
The crash is a segmentation fault at address 0x00415ca8, inside the buffer_copy_off_t
function.

2. Vulnerability Analysis
- To reach the bug, the request URL must contain /dws/api. The overflow itself is in the set_ws_action function, which is called from http_request_parse.

- Before set_ws_action is called, param_1 holds the address 0x43c008, which is loaded from location 0x412d10 and kept in the S7 register.

- Inside set_ws_action the if condition is satisfied, pcVar14 is set, and the entire content of param_1 is copied into ws_action.

- ws_action is only 4 bytes long, so the copy overflows the buffer.

- The last overflowing byte overwrites the value 0x43c008, which leads to the segmentation fault.

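The copy pattern above, as an added C illustration that is not the firmware's own code: a 4-byte ws_action buffer filled from the text after /dws/api, with a function that computes how many bytes an unbounded copy would spill past the buffer, and a bounds-checked replacement that rejects over-long input before anything is written. The function names set_ws_action and http_request_parse come from the report; their bodies, the ws_request struct, the saved_reg field (a stand-in for whatever sits past the buffer) and the assumption that the action is the path text after the /dws/api prefix are hypothetical.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WS_ACTION_LEN 4          /* the 4-byte buffer described in the report */
#define WS_API_PREFIX "/dws/api" /* only requests with this path reach the copy */

/* Hypothetical layout: the overwritten value is modelled as the field that
 * directly follows the buffer. */
struct ws_request {
    char ws_action[WS_ACTION_LEN];
    unsigned long saved_reg;
};

/* Assumed extraction of the action parameter: the text after the prefix
 * (and an optional '/'), or NULL if the URL is not a /dws/api request. */
const char *ws_action_param(const char *url)
{
    const char *p = strstr(url, WS_API_PREFIX);
    if (p == NULL)
        return NULL;
    p += strlen(WS_API_PREFIX);
    if (*p == '/')
        p++;
    return p;
}

/* Bytes an unbounded copy of `param` (terminating NUL included) would write
 * beyond ws_action. Computed rather than performed, so this is safe to run. */
size_t ws_action_overflow_bytes(const char *param)
{
    size_t need = strlen(param) + 1;
    return need > WS_ACTION_LEN ? need - WS_ACTION_LEN : 0;
}

/* Hardened version of the copy: refuse anything that does not fit together
 * with its NUL terminator, and only then write into the buffer. */
int set_ws_action_checked(struct ws_request *req, const char *param)
{
    size_t len = strlen(param);
    if (len >= WS_ACTION_LEN)
        return -1;
    memcpy(req->ws_action, param, len + 1);
    return 0;
}

/* Model of the dispatch in http_request_parse: 1 = not a /dws/api request,
 * 0 = action stored, -1 = rejected as too long. */
int http_request_parse_model(struct ws_request *req, const char *url)
{
    const char *param = ws_action_param(url);
    if (param == NULL)
        return 1;
    return set_ws_action_checked(req, param);
}

static struct ws_request g_req;

/* Demo wrapper: parse `url` into a fresh request and return the stored
 * action, or NULL when the request was rejected or is not a /dws/api request. */
const char *ws_action_for_url(const char *url)
{
    memset(&g_req, 0, sizeof g_req);
    g_req.saved_reg = 0x43c008UL;  /* the value the report saw clobbered */
    if (http_request_parse_model(&g_req, url) != 0)
        return NULL;
    return g_req.ws_action;
}

int main(void)
{
    /* Constructed sample URLs, not captured traffic. */
    const char *urls[] = { "/dws/api/abc", "/dws/api/AAAAAAAAAAAA", "/index.html" };
    for (size_t i = 0; i < sizeof urls / sizeof urls[0]; i++) {
        const char *param = ws_action_param(urls[i]);
        const char *act = ws_action_for_url(urls[i]);
        printf("%-24s -> %-8s unbounded copy would spill %zu byte(s)\n",
               urls[i], act ? act : "rejected",
               param ? ws_action_overflow_bytes(param) : (size_t)0);
    }
    return 0;
}
```

The rejection check uses `len >= WS_ACTION_LEN` rather than `>` because the terminating NUL also needs a slot; an off-by-one here would still let a 4-character action overwrite the first byte past the buffer, which is exactly the "last overflowing byte" the report describes.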
POC