DWORD
..
10A05C30 55 push ebp
10A05C31 8BEC mov ebp, esp
10A05C33 83EC 10 sub esp, 10
10A05C36 8B45 08 mov eax, dword ptr ss:[ebp+8]
10A05C39 0345 0C add eax, dword ptr ss:[ebp+C]
10A05C3C 8945 F8 mov dword ptr ss:[ebp-8], eax
10A05C3F 8B4D 0C mov ecx, dword ptr ss:[ebp+C]
10A05C42 894D F4 mov dword ptr ss:[ebp-C], ecx
10A05C45 8B55 F4 mov edx, dword ptr ss:[ebp-C]
0x2c000000 (yes, it's 0x2c in network byte order).
I have "tried" to resume the code flow here:
01013E72 . 6A 2C PUSH 2C ; /Arg3 = 0000002C
01013E74 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; |
01013E77 . 50 PUSH EAX ; |Arg2
01013E78 . FF76 30 PUSH DWORD PTR DS:[ESI+30] ; |Arg1
> 01013E7B . E8 0A0A0000 CALL 0101488A ; \wins.0101488A (send packet)
01013E80 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
01013E84 . EB 0E JMP SHORT 01013E94
From rvrender.dll (base address 63AE0000):
63AF5C70 /$ 55 PUSH EBP
63AF5C71 |. 8BEC MOV EBP,ESP
63AF5C73 |. 83EC 20 SUB ESP,20
63AF5C76 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
63AF5C79 |. 56 PUSH ESI
63AF5C7A |. 57 PUSH EDI
63AF5C7B |. 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4]
; byte at offset 0x7800 of the PoC
63AF5C7E |. 8A07 MOV AL,BYTE PTR DS:[EDI]
(STSD) stores information that allows QuickTime to decode samples in
the media.
It has the following structure:
0 DWORD Size
4 DWORD Type
8 BYTE Version
9 BYTE[3] FLAGS
12 DWORD Number of entries
16 DWORD Sample description table
> 07662922 |. 80E1 0F AND CL,0F
> 07662925 |. 884D FF MOV BYTE PTR SS:[EBP-1],CL
> 07662928 |. 3C B0 CMP AL,0B0
> 0766292A |. 0F85 B1000000 JNZ in_midi.076629E1
> 07662930 |. 33D2 XOR EDX,EDX
> 07662932 |. 3915 98896707 CMP DWORD PTR DS:[7678998],EDX
> 07662938 |. 74 1B JE SHORT in_midi.07662955
> 0766293A |. 80F9 09 CMP CL,9
> 0766293D |. 75 16 JNZ SHORT in_midi.07662955
> 0766293F |. 3856 01 CMP BYTE PTR DS:[ESI+1],DL
> 07662942 |. 75 11 JNZ SHORT in_midi.07662955
07662922 |. 80E1 0F AND CL,0F
07662925 |. 884D FF MOV BYTE PTR SS:[EBP-1],CL
07662928 |. 3C B0 CMP AL,0B0
0766292A |. 0F85 B1000000 JNZ in_midi.076629E1
07662930 |. 33D2 XOR EDX,EDX
07662932 |. 3915 98896707 CMP DWORD PTR DS:[7678998],EDX
07662938 |. 74 1B JE SHORT in_midi.07662955
0766293A |. 80F9 09 CMP CL,9
0766293D |. 75 16 JNZ SHORT in_midi.07662955
0766293F |. 3856 01 CMP BYTE PTR DS:[ESI+1],DL
07662942 |. 75 11 JNZ SHORT in_midi.07662955
More precisely in this location:
/-----
6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX
6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
offset
#include <stdio.h>
#include <stdlib.h>
int main(int argc, char** argv)
{
DWORD dwStatus;
MIB_IPFORWARD_ROW2 route;
if (argc != 3)
{
printf("Usage: %s <ifNum> <numOfBits>\n\n", argv[0]);
00040735 lea eax, [ebp+CurrentTime]
00040738 push eax
00040739 call ds:__imp__KeQuerySystemTime@4
0004073F mov eax, _EncryptionKeyCount
00040744 add dword ptr [ebp+CurrentTime], eax
Increments _EncryptionKeyCount by 0x100 and makes some 'calculations'
with the (current time.lowpart + _EncryptionKeyCount) resulting in a
DWORD value with the
following is an excerpt of the vulnerable code, along with the values of the
registers when the vulnerability is triggered (the values of EAX and ECX
are controlled by the attacker).
/-----
77FCC453 . 8901 MOV DWORD PTR DS:[ECX],EAX
77FCC455 . 8948 04 MOV DWORD PTR DS:[EAX+4],ECX
77FCC458 . 3BC1 CMP EAX,ECX
77FCC45A . 75 25 JNZ SHORT ntdll.77FCC481
0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)
User mode write access violations that are not near NULL are exploitable.
Signed comparison in packet 8 of AngelServer that leads to a stack
overflow:
004022E1 > B9 19000000 MOV ECX,19
004022E6 . 33C0 XOR EAX,EAX
004022E8 . 8D7C24 24 LEA EDI,DWORD PTR SS:[ESP+24]
004022EC . 83FE 64 CMP ESI,64 ; our value
004022EF . F3:AB REP STOS DWORD PTR ES:[EDI]
004022F1 . 0F8D E7000000 JGE AngelSer.004023DE ; signed
004022F7 . 8BCE MOV ECX,ESI
004022F9 . 8D75 0C LEA ESI,DWORD PTR SS:[EBP+C]
/-----
005FED51 MOVZX EDX,BYTE PTR SS:[ESP+2] #FCFF
005FED56 MOVSX ECX,WORD PTR SS:[ESP+3]
005FED5B CMP ECX,-1
005FED5E MOVSX EAX,WORD PTR SS:[ESP+5] #FCFF
005FED63 MOV DWORD PTR DS:[ESI+10],EDX
005FED66 MOV EDX,DWORD PTR SS:[ESP+7]
005FED6A MOV DWORD PTR DS:[ESI+14],ECX
005FED6D MOV DWORD PTR DS:[ESI+18],EAX
005FED70 MOV DWORD PTR DS:[ESI+C],EDX
005FED73 JGE SHORT ovdbrun.005FED7E
.text:0040CC01 ;
IoPerfCompleteRequest(x,x)+B8p ...
.text:0040CC01
.text:0040CC01 var_C = dword ptr -0Ch
.text:0040CC01 var_8 = dword ptr -8
.text:0040CC01 var_1 = byte ptr -1
.text:1000E330
.text:1000E330 sub_1000E330 proc near ; DATA XREF:
.rdata:1002E0ECo
.text:1000E330 ; .rdata:1002E86Co
.text:1000E330
.text:1000E330 arg_0 = dword ptr 4
.text:1000E330 arg_4 = dword ptr 8
.text:1000E330 arg_8 = dword ptr 0Ch
.text:1000E330
.text:1000E330 push esi
.text:1000E331 mov esi, [esp+4+arg_0]
call WriteKVM
mov eax,Gdt_Addr
mov word ptr[CallGateData],ax
shr eax,16
mov word ptr[CallGateData+6],ax
mov dword ptr[CallGateData+2],0x0ec0003e8
mov dword ptr[CallGateData+8],0x0000ffff
mov dword ptr[CallGateData+12],0x00cf9a00
xor eax,eax
LoopWrite:
mov edi,dword ptr CallGateData[eax]
mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NOMNOM!RtlULongAdd (85a1675d)
if (pbcode[0] != 0xC7U) continue;
if ( pbcode[1] <= 0x03 || // [EAX/ECX/EDX/EBX]
pbcode[1] == 0x06 || // [ESI]
pbcode[1] == 0x07 ) // [EDI]
{
ptr = *(DWORD *)(pbcode + 2);
}
// C7/45/00/vtableptr -- MOV [EBP+0], vtableptr
else if (pbcode[1] == 0x45 && pbcode[2] == 0x00)
ptr = *(DWORD *)(pbcode + 3);
else continue;
mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NOMNOM!RtlULongAdd (85a1675d)
-----------------------------
Array overflow during the handling of GWB (GenStat book) files, with the
possibility of placing a NULL word at an arbitrary memory location:
00630399 |> 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24] ; EAX controlled
0063039C |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
0063039F |. 8D0481 LEA EAX,DWORD PTR DS:[ECX+EAX*4]
006303A2 |. 3938 CMP DWORD PTR DS:[EAX],EDI
006303A4 |. 74 12 JE SHORT GenStat.006303B8
006303A6 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
0:008> r
eax=05215678 ebx=03a82dc8 ecx=0007ef40 edx=00000001 esi=0000001a edi=05301610
eip=044b2498 esp=0162ba14 ebp=0000007c iopl=0 nv up ei ng nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010292
DIRAPI!Ordinal21+0x6f8:
044b2498 6681600c1f7f and word ptr [eax+0Ch],offset <Unloaded_dui.DLL>+0x7f0e (00007f1f) ds:0023:05215684=????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at DIRAPI!Ordinal21+0x00000000000006f8 (Hash=0x53080807.0x53080814)
User mode write access violations that are not near NULL are exploitable.
structures are filled with incorrect data.
These facts cause different errors during
execution. For example, this code:
004A6E04 C74424 04 000000>MOV DWORD PTR SS:[ESP+4],0
004A6E0C 0F84 9A000000 JE foxit_re.004A6EAC
004A6E12 8B41 08 MOV EAX,DWORD PTR DS:[ECX+8]
004A6E15 48 DEC EAX
004A6E16 83F8 08 CMP EAX,8
004A6E19 0F87 8D000000 JA foxit_re.004A6EAC
Since exploitability hinges entirely on user control of GS during the
execution of GS-dependent kernel code, GS-relative memory accesses in
the code path starting with the interrupt handler are of the most
interest. NT!KiGeneralProtectionFault and NT!KiDebugTrapOrFault both
include the "LDMXCSR DWORD PTR GS:[0x180]" instruction, which will
raise an undesirable #GP fault if that DWORD contains invalid set
flags, so GS:[0x180] (here referring to user GS, which will be treated
like kernel GS during exploitation) should be assigned a value of
zero.
structures are filled with incorrect data.
These facts cause different errors during
execution. For example, this code:
004A6E04 C74424 04 000000>MOV DWORD PTR SS:[ESP+4],0
004A6E0C 0F84 9A000000 JE foxit_re.004A6EAC
004A6E12 8B41 08 MOV EAX,DWORD PTR DS:[ECX+8]
004A6E15 48 DEC EAX
004A6E16 83F8 08 CMP EAX,8
004A6E19 0F87 8D000000 JA foxit_re.004A6EAC
contents treated as trusted kernel data.
Since exploitability hinges entirely on user control of GS during the
execution of GS-dependent kernel code, GS-relative memory accesses in
the code path starting with the interrupt handler are of the most
interest. NT!KiGeneralProtectionFault includes the "LDMXCSR DWORD PTR
GS:[0x180]" instruction, which will raise an undesirable #GP fault if
that DWORD contains invalid set flags, so GS:[0x180] (here referring
to user GS, which will be treated like kernel GS during exploitation)
should be assigned a value of zero.
2 Vulnerability Details
=====================
When Adobe Shockwave Player parses a DIR-type file, it takes a DWORD from
the DIR file and then performs some computation on it. This computation
leads to an integer overflow, which results in a small memory allocation
and thus causes a heap overflow.
3 Analysis
62A7059B 8A67 04 MOV AH,BYTE PTR DS:[EDI+4] ; ah=controled
by attacker
62A7059E 66:3B86 AE000000 CMP AX,WORD PTR DS:[ESI+AE] ; below 2?
62A705A5 73 11 JNB SHORT 62A705B8 ; not signed
compare, assume:taken!
62A705A7 8B8E B0000000 MOV ECX,DWORD PTR DS:[ESI+B0]
62A705AD 25 FFFF0000 AND EAX,0FFFF
62A705B2 66:8B0441 MOV AX,WORD PTR DS:[ECX+EAX*2]
62A705B6 EB 05 JMP SHORT 62A705BD
62A705B8 B8 FFFF0000 MOV EAX,0FFFF ; eax=0xFFFF
62A705BD 33D2 XOR EDX,EDX ; edx=0
READ_ADDRESS: 92bc0000 Nonpaged pool
FAULTING_IP:
nt!memcpy+33
81c834b3 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
MM_INTERNAL_CODE: 0
DEFAULT_BUCKET_ID: VISTA_DRIVER_FAULT
/* Function-pointer types for a registry-style API. INIT_REG_ENGINE takes no
 * arguments; the other four match the parameter lists of the Win32
 * RegDeleteKeyA / RegOpenKeyA / RegCloseKey / RegSetValueExA functions.
 * Which module these are resolved from is not shown in this excerpt. */
typedef BOOL (WINAPI *INIT_REG_ENGINE)();
typedef LONG (WINAPI *BREG_DELETE_KEY)(HKEY hKey, LPCSTR lpSubKey);
typedef LONG (WINAPI *BREG_OPEN_KEY)(HKEY hKey, LPCSTR lpSubKey, PHKEY phkResult);
typedef LONG (WINAPI *BREG_CLOSE_KEY)(HKEY hKey);
typedef LONG (WINAPI *REG_SET_VALUE_EX)(HKEY hKey, LPCSTR lpValueName, DWORD Reserved, DWORD dwType, const BYTE* lpData, DWORD cbData);
/* Global entry points, initialised to NULL. Nothing in this excerpt assigns
 * them, so any caller must check for NULL before dereferencing; a writable
 * global table of function pointers is also a natural overwrite target, so
 * it should be populated once and not re-exported. No INIT_REG_ENGINE
 * variable is declared here. */
BREG_DELETE_KEY BRegDeleteKey = NULL;
BREG_OPEN_KEY BRegOpenKey = NULL;
BREG_CLOSE_KEY BRegCloseKey = NULL;
REG_SET_VALUE_EX BRegSetValueEx = NULL;
structures are filled with incorrect data.
These facts cause different errors during
execution. For example, this code:
004A6E04 C74424 04 000000>MOV DWORD PTR SS:[ESP+4],0
004A6E0C 0F84 9A000000 JE foxit_re.004A6EAC
004A6E12 8B41 08 MOV EAX,DWORD PTR DS:[ECX+8]
004A6E15 48 DEC EAX
004A6E16 83F8 08 CMP EAX,8
004A6E19 0F87 8D000000 JA foxit_re.004A6EAC