exceptions
This prologue is simple and lacks any safeguards against exploitation
of the VMware emulation flaws, and in fact, executing the three
AT&T-syntax assembly instructions provided to demonstrate the first
flaw will reboot the system. Exploitability then solely depends on
how GS: is used throughout the rest of the exception handling code.
The "INTRFASTEXIT" macro, also defined in "frameasm.h", similarly
exhibits the simplest possible GS-swapping logic, with no safety
checks:
#define INTRFASTEXIT \
crash dump, eip and seh overwritten, unicode expanded,
I suppose one should be able to deal with it :
(208.152c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000008b ebx=00000000 ecx=0e752eb8 edx=0f490000 esi=0e6b3d60 edi=0012a338
eip=00410043 esp=0012a2d8 ebp=0012a2ec iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
brioqry+0x10043:
#Titan FTP SERVER REMOTE HEAP OVERFLOW(USER/PASS)
#Impact : Critical
#
# Windbg Output:
#(bec.528): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=41414141 ebx=00000000 ecx=07e415f4 edx=00000000 esi=41414141 edi=07e415f4
#eip=004bbafa esp=06e4fb38 ebp=06e4fb5c iopl=0 nv up ei pl nz na po nc
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
#srxTitan+0xbbafa:
lack of range checking. The code assumes that the string returned by the listbox control will be
less than 4097 characters. It uses a fixed size buffer of 4096 bytes and any text longer than this
will overflow and overwrite the memory beyond it. The TComboBox control also suffers a similar flaw.
Vulnerable Module(s):
[+] List Index & Exception Handling [TListBox]
Picture(s):
../1.png
../2.png
../3.png
win2000 sp4
0:000> g
(54c.284): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a7e740 ebx=024eecb8 ecx=00000000 edx=01414930 esi=ffffff00 edi=ffffff00
eip=0053b084 esp=0022e5e0 ebp=0000b6d0 iopl=0 nv up ei ng nz na po nc
Authentication is required to exploit this vulnerability.
Debugger Results:
(ea8.aec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=734c4d90 ecx=035efe24 edx=00000193 esi=035efe24 edi=035efe24
eip=62408f23 esp=035efd20 ebp=035efd6c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Novell\NDS\httpstk.dlm -
* Fixed handling of Errno::ECONNRESET in SSL certificate plugin.
* Upgraded net-dns to latest version from git repository.
* Fixed traceback on Mac OSX due to net-dns bug.
* Added check to enumerate host names with DNS TLD expansion.
* Added --print-maltego to get output in Maltego XML format.
* Fixed the exception handling architecture; unknown exceptions that can be
raised on unsupported systems are now handled.
* Fixed traceback on FreeBSD due to raising of different exceptions.
* Added Metasploit auxiliary module in extra folder.
* Added validation of the -t option: if it isn't an IP address, hostmap
is stopped.
0xfffffff, which is a value that we can control.
0:008> g
Thu Mar 10 16:00:41.199 2011 (GMT+2): (8244.7dc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=ffffffff edx=7785894d esi=00000000 edi=00000000
eip=ffffffff esp=0469ec8c ebp=0469ecac iopl=0 nv up ei pl zr na pe nc
Dominic Chell of NGS Secure has discovered a high risk vulnerability in LibAVCodec. Opening a malformed AMV file can result in an out of array write and potentially arbitrary code execution when using this library. Whilst the vulnerability may affect multiple applications that use this library, it was only tested on VLC media player.
=================
Technical Details
=================
(b80.d80): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=ffffff60 ebx=11186110 ecx=0e420ec0 edx=fffffe20 esi=00000100 edi=a2a6c008
eip=0ad3e272 esp=0ef8fa08 ebp=0e607070 iopl=0 nv up ei pl nz na pe nc
If the workstation is already logged in:
novell ==> login Novell ==> 254's A ==> click login ==> forgotten password ==> Result:
Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000111 ecx=00000001 edx=00000000 esi=00997980 edi=00997980
eip=73d22054 esp=00dff278 ebp=00dff200 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
# Version:6.1.0.0 ( last one,others might be vuln too )
#
# Bug: Remote Buffer Overflow ( CD)
#
# (8e8.a78): Access violation - code c0000005 (first chance)
# First chance exceptions are reported before any exception handling.
# This exception may be expected and handled.
# eax=00000000 ebx=00000000 ecx=00410041 edx=7c9137d8 esi=00000000 edi=00000000
# eip=00410041 esp=04b8c830 ebp=04b8c850 iopl=0 nv up ei pl zr na po nc
# cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
# 00410041 ?? ???
0:000> !load ./winext/msec.dll
...
(20d4.2728): C++ EH exception - code e06d7363 (first chance)
(20d4.2728): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00c6f118 ebx=00c6f118 ecx=41414141 edx=00c90d08 esi=00c6f110 edi=00270000
eip=7c83e790 esp=0006f084 ebp=0006f148 iopl=0 nv up ei ng nz na po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010283
ntdll!RtlAbsoluteToSelfRelativeSD+0x5cd:
DETAILS
(f28.c24): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=02a70000 ebx=04402c68 ecx=98b1cc15 edx=00000004 esi=00000000 edi=088a5000
eip=6682ead8 esp=0012bfa8 ebp=00000001 iopl=0 nv up ei pl nz ac pe nc
4 Crash info:
===============
(308.9d0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07dd1ff4 ebx=7ffffffb ecx=00007f1f edx=000b8e5c esi=07ed3d48 edi=000093eb
eip=07052920 esp=0227dc9c ebp=00000000 iopl=0 nv up ei ng nz ac po nc
Platforms: Windows
Bugs: A] server termination through "vector<T> too long" exception
B] NULL pointer crash
C] termination through memory allocation
D] information disclosure
E] other exceptions
Exploitation: remote
Date: 22 Feb 2008
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
When we call the function "new Report()" (other functions may be
useful too) in the function "Callback", it will corrupt the memory.
Debug information from Windbg follows:
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0946fb98 ebx=00000040 ecx=10101010 edx=0946fb90 esi=0946eaea edi=01c1dfbc
eip=10101010 esp=0012f6cc ebp=0012f77c iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
exlang32+0x101010:
#include <safe_open.h>
/* safe_open_exist - open existing file */
***************
*** 138,150 ****
* for symlinks owned by root. NEVER, NEVER, make exceptions for symlinks
* owned by a non-root user. This would open a security hole when
* delivering mail to a world-writable mailbox directory.
*/
else if (lstat(path, &lstat_st) < 0) {
vstring_sprintf(why, "file status changed unexpectedly: %m");
0:000> g
(d2c.f84): Unknown exception - code 0eedfade (first chance)
(d2c.f84): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9232bc esi=00000000 edi=00000000
eip=41414141 esp=0013d8c8 ebp=0013d8e8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
<Unloaded_na.dll>+0x41414140:
1.1
1024 bytes String via add custom name to reproduce the vulnerability.
--- Exception Logs (ECX Overwrite) ---
(109c.6a4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=001cb628 ebx=001cc340 ecx=00000041 edx=02dedfdc esi=fd3e3024 edi=00a522e0
eip=013b8f53 esp=001cb2e8 ebp=001cb2ec iopl=0 nv up ei pl nz na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010206
*** ERROR: Module load completed but symbols could not be loaded for C://Program Files
2) Technical details
============================
Eureka Mail 2.2q
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0054007a ecx=7c92005d edx=00230000 esi=00475bf8 edi=00473678
eip=41414141 esp=0012cd6c ebp=00475bfc iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00010202
4 Crash info:
===============
(3cc.1e0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0319f7c0 ebx=7ffffff8 ecx=026101fc edx=0319f7b0 esi=032b2fd4 edi=0310c34b
eip=68109402 esp=0012d684 ebp=0319f81c iopl=0 nv up ei pl nz na pe nc
5 Crash info:
===============
(d10.ff4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01fff21d ebx=00000000 ecx=0367ffb0 edx=00000076 esi=019c5ff8 edi=03610e68
eip=675b347e esp=02314de0 ebp=02314e24 iopl=0 nv up ei pl nz na pe cy
Invalid parameter passed to C runtime function.
Invalid parameter passed to C runtime function.
(13f8.1620): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=035f8392 ecx=02ed0000 edx=035f799c esi=02ecf564 edi=02ecf128
eip=7701bcac esp=02ecf070 ebp=02ecf08c iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010217
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C://Windows/syswow64/msvcrt.dll -
Tested against JetAudio pack v.7.5.2
---------------------------------------------------------------------------------
Passing an overlong string as id3 tag we have:
(370.7a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00000394 ecx=41414141 edx=00160608 esi=010c1a00 edi=0302fbc8
eip=00486db7 esp=0302fb14 ebp=0302fe7c iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
jetCast+0x86db7:
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> g
(26c8.1818): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=019dc690 ecx=00000000 edx=00000000 esi=0199ffb0 edi=0199fe20
eip=0036a9ba esp=0012d864 ebp=0037b3e0 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
avformat!yuv4mpeg_init+0x6e06:
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
YRWXls!DllRegisterServer+0x2ab62:
02c01db2 8a08 mov cl,byte ptr [eax] ds:0023:886641aa=??
0:008> gn
(a1c.e00): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=6ed9b6fc edx=7c8285f6 esi=00000000 edi=00000000
eip=6ed9b6fc esp=015eb948 ebp=015eb968 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
6ed9b6fc ?? ???
was encountered.
The following Windbg output shows the observed crash of the XML service:
(b68.1020): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=009bfdac ecx=009bfd00 edx=00000000 esi=43434342 edi=00000000
eip=7c82ae6e esp=009bfd60 ebp=009bfd90 iopl=0 nv up ei pl zr na pe nc
// Crashes occur at the same location.
//
// --
// ##### almost 99% below crash #####
// (f0c.8b4): Access violation - code c0000005 (first chance)
// First chance exceptions are reported before any exception handling.
// This exception may be expected and handled.
// eax=0012aab8 ebx=00002226 ecx=000042a4 edx=000000ee esi=00003ce8 edi=000000ee
// eip=73f937cd esp=0012a3fc ebp=0012a3fc iopl=0 nv up ei pl zr na pe nc
// cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
// USP10!DoubleWideCharMappedString::operator[]+0x1f:
EDI = 0x089A0020
ESI = 0x61626364
(3e8.e3c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=61626560 ebx=00000000 ecx=0000007f edx=00000000 esi=61626364 edi=06d80020
eip=668e239a esp=0012dfbc ebp=0012dfc4 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206