ptr
.frame 4
04 00000000`00d5ed80 000007fe`fd171512 ntdll! ?? ::FNODOBFM::`string'+0x123b4
-----------------------------------------------------------------------------
Disassembly:
0033:00000000`7701d121 314108 xor dword ptr [rcx+8],eax
0033:00000000`7701d124 e97e56feff jmp ntdll!RtlpFreeHeap+0x1e13 (00000000`770027a7)
0033:00000000`7701d129 488bcf mov rcx,rdi
0033:00000000`7701d12c e8dfdc0400 call ntdll!RtlpNotOwnerCriticalSection (00000000`7706ae10)
0033:00000000`7701d131 90 nop
0033:00000000`7701d132 e9c457feff jmp ntdll!RtlpFreeHeap+0x1ea2 (00000000`770028fb)
..
10A05C30 55 push ebp
10A05C31 8BEC mov ebp, esp
10A05C33 83EC 10 sub esp, 10
10A05C36 8B45 08 mov eax, dword ptr ss:[ebp+8]
10A05C39 0345 0C add eax, dword ptr ss:[ebp+C]
10A05C3C 8945 F8 mov dword ptr ss:[ebp-8], eax
10A05C3F 8B4D 0C mov ecx, dword ptr ss:[ebp+C]
10A05C42 894D F4 mov dword ptr ss:[ebp-C], ecx
10A05C45 8B55 F4 mov edx, dword ptr ss:[ebp-C]
Signed comparison in packet 8 of AngelServer that leads to a stack overflow:
004022E1 > B9 19000000 MOV ECX,19
004022E6 . 33C0 XOR EAX,EAX
004022E8 . 8D7C24 24 LEA EDI,DWORD PTR SS:[ESP+24]
004022EC . 83FE 64 CMP ESI,64 ; our value
004022EF . F3:AB REP STOS DWORD PTR ES:[EDI]
004022F1 . 0F8D E7000000 JGE AngelSer.004023DE ; signed
004022F7 . 8BCE MOV ECX,ESI
004022F9 . 8D75 0C LEA ESI,DWORD PTR SS:[EBP+C]
From rvrender.dll (base address 63AE0000):
63AF5C70 /$ 55 PUSH EBP
63AF5C71 |. 8BEC MOV EBP,ESP
63AF5C73 |. 83EC 20 SUB ESP,20
63AF5C76 |. 8B55 08 MOV EDX,DWORD PTR SS:[EBP+8]
63AF5C79 |. 56 PUSH ESI
63AF5C7A |. 57 PUSH EDI
63AF5C7B |. 8B7A 04 MOV EDI,DWORD PTR DS:[EDX+4]
; byte at offset 0x7800 of the PoC
63AF5C7E |. 8A07 MOV AL,BYTE PTR DS:[EDI]
ds 0x0 0
es 0x0 0
fs 0x0 0
gs 0x0 0
(gdb) x/i $rip
0x7fffffe00847 <__memcpy+167>: movdqa XMMWORD PTR [rdi+rcx],xmm0
(gdb)
Reducing the tilewidth to 0000FF00 or 65280 we get a different crash:
Program received signal EXC_BAD_ACCESS, Could not access memory.
>
> The result is a heap overflow and its usual effects like arbitrary
> memory freeing, write4 and so on.
> From in_midi.dll:
>
> 07662918 |. 8A4D 08 MOV CL,BYTE PTR SS:[EBP+8]
> ; "Controller message"
> 0766291B |. 56 PUSH ESI
> 0766291C |. 8BF0 MOV ESI,EAX
> 0766291E |. 8AC1 MOV AL,CL
> 07662920 |. 24 F0 AND AL,0F0
0x2c000000 (yes, it's 0x2c in network endian).
I have "tried" to resume the code flow here:
01013E72 . 6A 2C PUSH 2C ; /Arg3 = 0000002C
01013E74 . 8D45 B8 LEA EAX,DWORD PTR SS:[EBP-48] ; |
01013E77 . 50 PUSH EAX ; |Arg2
01013E78 . FF76 30 PUSH DWORD PTR DS:[ESI+30] ; |Arg1
> 01013E7B . E8 0A0A0000 CALL 0101488A ; \wins.0101488A (send packet)
01013E80 . 834D FC FF OR DWORD PTR SS:[EBP-4],FFFFFFFF
01013E84 . EB 0E JMP SHORT 01013E94
following is an excerpt of the vulnerable code, and the value of the
registers when the vulnerability is triggered (the values of EAX and ECX
are controlled by the attacker).
/-----
77FCC453 . 8901 MOV DWORD PTR DS:[ECX],EAX
77FCC455 . 8948 04 MOV DWORD PTR DS:[EAX+4],ECX
77FCC458 . 3BC1 CMP EAX,ECX
77FCC45A . 75 25 JNZ SHORT ntdll.77FCC481
-----------------------------
Array overflow during the handling of the GWB (GenStat book) files with
possibility of placing a NULL word in an arbitrary memory location:
00630399 |> 8B46 24 MOV EAX,DWORD PTR DS:[ESI+24] ; EAX controlled
0063039C |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
0063039F |. 8D0481 LEA EAX,DWORD PTR DS:[ECX+EAX*4]
006303A2 |. 3938 CMP DWORD PTR DS:[EAX],EDI
006303A4 |. 74 12 JE SHORT GenStat.006303B8
006303A6 |. 8B00 MOV EAX,DWORD PTR DS:[EAX]
- -----/
By executing this script, the omniinet.exe process crashes at the following EIP:
/-----
7C8285D3 8B0424 MOV EAX,DWORD PTR SS:[ESP]
7C8285D6 8BE5 MOV ESP,EBP
7C8285D8 5D POP EBP
7C8285D9 C3 RETN
- -----/
Here is the vulnerable code:
--//- snip ----//-----------------------------------------------------
62A70598 8A47 05 MOV AL,BYTE PTR DS:[EDI+5] ; al=controlled by attacker
62A7059B 8A67 04 MOV AH,BYTE PTR DS:[EDI+4] ; ah=controlled by attacker
62A7059E 66:3B86 AE000000 CMP AX,WORD PTR DS:[ESI+AE] ; below 2?
62A705A5 73 11 JNB SHORT 62A705B8 ; not signed
NETIO!PtpCreateTrieNode:
mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NETIO!RtlULongAdd (85a1675d)
0:008> r
eax=0487d294 ebx=04830028 ecx=362607f0 edx=04930014 esi=0488dbf0 edi=0488d9e0
eip=69081264 esp=0162be10 ebp=00000210 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000206
IML32!Ordinal2064+0x7254:
69081264 894c31fc mov dword ptr [ecx+esi-4],ecx ds:0023:3aaee3dc=????????
0:008> !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at IML32!Ordinal2064+0x0000000000007254 (Hash=0x3e3c3a38.0x484c154e)
User mode write access violations that are not near NULL are exploitable.
could be exploited for anything other than a remote denial of service.
The following code excerpt explains the problem:
/-----
005FED51 MOVZX EDX,BYTE PTR SS:[ESP+2] #FCFF
005FED56 MOVSX ECX,WORD PTR SS:[ESP+3]
005FED5B CMP ECX,-1
005FED5E MOVSX EAX,WORD PTR SS:[ESP+5] #FCFF
005FED63 MOV DWORD PTR DS:[ESI+10],EDX
005FED66 MOV EDX,DWORD PTR SS:[ESP+7]
More precisely in this location:
/-----
6D6812A1 8B10 MOV EDX,DWORD PTR DS:[EAX]
6D6812A3 894C24 04 MOV DWORD PTR SS:[ESP+4],ECX
6D6812A7 890424 MOV DWORD PTR SS:[ESP],EAX
6D6812AA FF92 80000000 CALL DWORD PTR DS:[EDX+80]
offset
Code execution may be possible if the attacker is able to modify the
memory after the input data (0x400 bytes) using other types of packets
and then send a big string size to raise an invalid read access
exception with the corrupted SEH:
0040EFAB |. FF76 18 PUSH DWORD PTR DS:[ESI+18] ; /n
0040EFAE |. 8D46 1C LEA EAX,DWORD PTR DS:[ESI+1C] ; |
0040EFB1 |. 50 PUSH EAX ; |src
0040EFB2 |. 8D85 E8FBFFFF LEA EAX,DWORD PTR SS:[EBP-418] ; |
0040EFB8 |. 50 PUSH EAX ; |dest
0040EFB9 |. E8 2C480000 CALL <JMP.&MSVCR80.memcpy> ; \memcpy
/-----------
00403029 |> 50 PUSH EAX ; /Path
0040302A |. FF15 10278D00 CALL DWORD PTR DS:[<&SHLWAPI.PathIsRelativeA>] ; \PathIsRelativeA
- -----------/
If the 'PathIsRelativeA' API returns True, then Foxit Reader will
If the size field is larger than the current buffer, a check
prevents the application from overflowing.
-------------------------------------------------------------------
Size Check
022E6063 MOV EAX,DWORD PTR DS:[EDX+4] ;<- Load Size
022E6066 MOV ECX,DWORD PTR SS:[ESP+14] ;<- Load Buffer Size
022E606A SUB ECX,EAX
022E606C JS SHORT sqlservr.022E6076
022E606E CMP EAX,DWORD PTR DS:[EBX+C8] ;<- Compare against 0x2000
022E6074 JBE SHORT sqlservr.022E60DC ;<- Jump to continuation
005EC769 |> 8B06 MOV EAX,DWORD PTR DS:[ESI]
005EC76B |. 6A 00 PUSH 0
005EC76D |. 53 PUSH EBX
005EC76E |. 56 PUSH ESI
005EC76F |. FF50 30 CALL DWORD PTR DS:[EAX+30]
005EC772 |> 8B5B 14 MOV EBX,DWORD PTR DS:[EBX+14]
The problem exists when RealPlayer parses a specially crafted .mov file.
Here is the vulnerable code:
--//- snip ----//-----------------------------------------------------
62448F24 8B4D E2 MOV ECX,DWORD PTR SS:[EBP-1E] ; (*1)
62448F27 8B45 DE MOV EAX,DWORD PTR SS:[EBP-22]
62448F2A 2BC1 SUB EAX,ECX ; (*2)
62448F2C 8B53 17 MOV EDX,DWORD PTR DS:[EBX+17]
62448F2F 8D3401 LEA ESI,DWORD PTR DS:[ECX+EAX]
62448F32 8975 FC MOV DWORD PTR SS:[EBP-4],ESI
When this program is running (Base.exe or Elite.exe) it listens on the
first available TCP port, which changes each time, and it is affected by an
integer overflow vulnerability:
004922E3 > 83BF BC001000 10 CMP DWORD PTR DS:[EDI+1000BC],10
004922EA . 0F8C 66010000 JL Elite.00492456
004922F0 . 8D46 0C LEA EAX,DWORD PTR DS:[ESI+C]
004922F3 . 50 PUSH EAX ; &num2
004922F4 . 8D6E 08 LEA EBP,DWORD PTR DS:[ESI+8]
004922F7 . 55 PUSH EBP ; &num1 (size)
For some codecs of the WAVE format foobar2000 uses the following
function that takes our controllable values for a signed
multiplication+division through kernel32.MulDiv(), from
foo_input_std.dll:
00F9F318 |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+8]
00F9F31B |. 83C4 0C ADD ESP,0C
00F9F31E |. 66:833E 02 CMP WORD PTR DS:[ESI],2
00F9F322 |. 75 03 JNZ SHORT foo_inpu.00F9F327
00F9F324 |. C1E9 02 SHR ECX,2
00F9F327 |> 0FB776 0C MOVZX ESI,WORD PTR DS:[ESI+C]
structures are filled with incorrect data.
These facts cause different errors during execution. For example, this code:
004A6E04 C74424 04 000000>MOV DWORD PTR SS:[ESP+4],0
004A6E0C 0F84 9A000000 JE foxit_re.004A6EAC
004A6E12 8B41 08 MOV EAX,DWORD PTR DS:[ECX+8]
004A6E15 48 DEC EAX
004A6E16 83F8 08 CMP EAX,8
004A6E19 0F87 8D000000 JA foxit_re.004A6EAC
mov edi,edi
push ebp
mov ebp,esp
push edi
mov edi,dword ptr [ebp+8]
lea eax,[ebp+8]
push eax
push dword ptr [edi+4]
push 18h
call NOMNOM!RtlULongAdd (85a1675d)
.text:0040CC01 ;
IoPerfCompleteRequest(x,x)+B8p ...
.text:0040CC01
.text:0040CC01 var_C = dword ptr -0Ch
.text:0040CC01 var_8 = dword ptr -8
.text:0040CC01 var_1 = byte ptr -1
file, Queue.dll. This procedure inadvertently processes user supplied
data and then references that data as variables without any form of
sanitization or verification. This is demonstrated below:
<lqserver.exe>
100161B0 MOV EDX,DWORD PTR DS:[ECX+4] ; Move Arbitrary Pointer #2 into EDX
100161B3 PUSH EDX ; Push Arbitrary Pointer #2 onto the Stack
100161B4 MOV EAX,DWORD PTR SS:[EBP+8] ; Move (0x0113F8A8 the address to Arbitrary
<profile name=``[vuln]``>
--- Debug Logs ---
#Disassembly:
7C9132A6 FFD1 CALL ECX
7C9132A8 64:8B25 00000000 MOV ESP,DWORD PTR FS:[0]
7C9132AF 64:8F05 00000000 POP DWORD PTR FS:[0]
7C9132B6 8BE5 MOV ESP,EBP
7C9132B8 5D POP EBP
7C9132B9 C2 1400 RETN 14
7C9132BC 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]