Thursday, 17 August 2017

ReadAVonIP Crash in IBM Notes 9

Found 16.08.2017. Maybe you will find it useful.


Below you will find a ReadAVonIP bug found during a quick fuzzing session.

TL;DR

Below is the crash in Cmovmem() again:
------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\IBM\Notes\notes.exe" C:\sf_879c13ad4eba231d656b7fa10f2487b5-4328.ntf
(...)
Executable search path is:
ModLoad: 00370000 00553000   notes.exe
(...)
(441c.4210): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=07ba1046 ebx=06e51028 ecx=0000000a edx=06e74056 esi=06e51000 edi=07ba105e
eip=610b1b73 esp=00182e80 ebp=00182e8c iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
nnotes!Cmovmem+0x153:
610b1b73 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

1:001>
(441c.4210): Access violation - code c0000005 (!!! second chance !!!)
eax=07ba1046 ebx=06e51028 ecx=0000000a edx=06e74056 esi=06e51000 edi=07ba105e
eip=610b1b73 esp=00182e80 ebp=00182e8c iopl=0         nv up ei ng nz na pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010287
nnotes!Cmovmem+0x153:
610b1b73 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]


!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x6e51000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:610b1b73 rep movs dword ptr es:[edi],dword ptr [esi]

Exception Hash (Major/Minor): 0x3ada1574.0x96d0e788

 Hash Usage : Stack Trace:
Major+Minor : nnotes!Cmovmem+0x153
Major+Minor : nnotes!ODSReadMemory+0x74
Major+Minor : nnotes!DbDumpSuperBlocks+0x15b1
Major+Minor : nnotes!DbSuperBlockRead+0x37a
Major+Minor : nnotes!NSFDumpSuperBlock+0x29df
Minor       : nnotes!DbSuperBlockRead+0x6d
Minor       : nnotes!NSFNoteIsSignedOrSealed+0x29ac
Minor       : nnotes!NSFDbOpenExtended6+0x6d84
Minor       : nnotes!NSFDbOpenExtended3+0x47
Minor       : nnotes!NSFDbOpenExtended2+0x36
Minor       : nnotesws!NEMPostStatus+0x14b90
Minor       : nnotesws!DocumentModalEdit+0x44e32
Minor       : nnotesws!DocumentModalEdit+0x9a54
Minor       : nnotesws!NEMGetWindowLong+0x775
Minor       : nnotesws+0x513d
Minor       : USER32!IsThreadDesktopComposited+0x11f
Minor       : USER32!IsThreadDesktopComposited+0x2a6
Minor       : USER32!IsThreadDesktopComposited+0x3e5
Minor       : USER32!DispatchMessageW+0xf
Minor       : nnotesws!NEMMainLoop+0x4a4
Minor       : nlnotes+0x1f90
Minor       : nlnotes+0x2fa4
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000610b1b73

Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at nnotes!Cmovmem+0x0000000000000153 (Hash=0x3ada1574.0x96d0e788)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.
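An added example, not the post's own code and not anything from IBM Notes: a small Python triage helper that pulls the register state, the faulting instruction and the !exploitable summary out of the WinDbg text above (the sample lines are copied from this log and embedded inline as a fixture) and checks the facts a reviewer wants before trusting the classification: which pointer faulted, whether the fault sits on a page boundary, the copy direction, and how many bytes the block move still had to go. The helper names, the 4 KiB page-size assumption and the verdict labels are this example's own.

```python
import re

# Sample lines copied from the WinDbg / !exploitable output in this post and
# embedded here as an inline fixture so the script runs offline.
SAMPLE = """\
eax=07ba1046 ebx=06e51028 ecx=0000000a edx=06e74056 esi=06e51000 edi=07ba105e
eip=610b1b73 esp=00182e80 ebp=00182e8c iopl=0         nv up ei ng nz na pe cy
nnotes!Cmovmem+0x153:
610b1b73 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
Exception Faulting Address: 0x6e51000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Short Description: ReadAVonBlockMove
"""

PAGE_SIZE = 0x1000  # assumption: 4 KiB pages on 32-bit Windows
OPERAND_SIZE = {"byte": 1, "word": 2, "dword": 4, "qword": 8}


def parse_registers(text):
    """Return the 32-bit registers WinDbg prints as name=hhhhhhhh (eax..edi, eip, esp, ebp)."""
    return {name: int(val, 16)
            for name, val in re.findall(r"\b(e[a-z]{2})=([0-9a-fA-F]{8})", text)}


def parse_exception(text):
    """Return (faulting address, 'read'|'write', !exploitable short description or None)."""
    addr = re.search(r"Exception Faulting Address:\s*0x([0-9a-fA-F]+)", text)
    kind = re.search(r"Exception Sub-Type:\s*(Read|Write) Access Violation", text)
    short = re.search(r"Short Description:\s*(\S+)", text)
    if not (addr and kind):
        raise ValueError("no !exploitable exception summary in input")
    return int(addr.group(1), 16), kind.group(1).lower(), (short.group(1) if short else None)


def parse_string_move(text):
    """Element width in bytes of a faulting 'rep movs' instruction, or None if absent."""
    m = re.search(r"rep movs (byte|word|dword|qword) ptr es:\[edi\],", text)
    return OPERAND_SIZE[m.group(1)] if m else None


def triage(text):
    regs = parse_registers(text)
    fault, access, short = parse_exception(text)
    width = parse_string_move(text)
    # WinDbg prints 'up' for DF=0 (string ops walk upward) and 'dn' for DF=1.
    flags = re.search(r"\b(up|dn)\b", text)
    forward = None if flags is None else flags.group(1) == "up"
    r = {
        "fault_address": fault,
        "access": access,
        "short_description": short,
        "page_aligned": fault % PAGE_SIZE == 0,          # fault exactly at a page edge
        "source_is_fault": regs.get("esi") == fault,     # read side of the copy faulted
        "dest_is_fault": regs.get("edi") == fault,       # write side of the copy faulted
        "remaining_bytes": regs["ecx"] * width if width else None,  # ecx counts elements
        "forward": forward,
    }
    # Verdict labels are this example's own shorthand, not !exploitable buckets.
    if access == "read" and r["source_is_fault"] and r["page_aligned"] and forward:
        r["verdict"] = "source-over-read"
    elif access == "write" and r["dest_is_fault"]:
        r["verdict"] = "destination-overflow"
    else:
        r["verdict"] = "inconclusive"
    return r


if __name__ == "__main__":
    for k, v in triage(SAMPLE).items():
        print(f"{k}: {v:#x}" if k == "fault_address" else f"{k}: {v}")
```

Run as-is to print the fields for the log above. Two of them carry most of the weight: the faulting address equals esi and sits exactly on a 4 KiB page boundary, and the forward copy still had 0xa dwords (40 bytes) to go, which is consistent with a length-driven over-read past the end of a mapped source buffer rather than a wild pointer. !exploitable's PROBABLY_EXPLOITABLE bucket for ReadAVonBlockMove is derived from the instruction class alone, so a triager still has to confirm whether the over-read data ever reaches a write or a control-flow decision before treating it as more than a denial of service.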

> u eip-2
nnotes!Cmovmem+0x151:
610b1b71 0000            add     byte ptr [eax],al
610b1b73 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
610b1b75 8d4b40          lea     ecx,[ebx+40h]
610b1b78 83c040          add     eax,40h
610b1b7b 894d08          mov     dword ptr [ebp+8],ecx
610b1b7e 3bca            cmp     ecx,edx
610b1b80 76e5            jbe     nnotes!Cmovmem+0x147 (610b1b67)
610b1b82 8d4b24          lea     ecx,[ebx+24h]

> u eip-1
nnotes!Cmovmem+0x152:
610b1b72 00f3            add     bl,dh
610b1b74 a5              movs    dword ptr es:[edi],dword ptr [esi]
610b1b75 8d4b40          lea     ecx,[ebx+40h]
610b1b78 83c040          add     eax,40h
610b1b7b 894d08          mov     dword ptr [ebp+8],ecx
610b1b7e 3bca            cmp     ecx,edx
610b1b80 76e5            jbe     nnotes!Cmovmem+0x147 (610b1b67)
610b1b82 8d4b24          lea     ecx,[ebx+24h]

> u eip
nnotes!Cmovmem+0x153:
610b1b73 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
610b1b75 8d4b40          lea     ecx,[ebx+40h]
610b1b78 83c040          add     eax,40h
610b1b7b 894d08          mov     dword ptr [ebp+8],ecx
610b1b7e 3bca            cmp     ecx,edx
610b1b80 76e5            jbe     nnotes!Cmovmem+0x147 (610b1b67)
610b1b82 8d4b24          lea     ecx,[ebx+24h]
610b1b85 3bca            cmp     ecx,edx


*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)

FAULTING_IP:
nnotes!Cmovmem+153
610b1b73 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 610b1b73 (nnotes!Cmovmem+0x00000153)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 06e51000
Attempt to read from address 06e51000

FAULTING_THREAD:  00004210

PROCESS_NAME:  nlnotes.exe
MODULE_NAME: nnotes
FAULTING_MODULE: 773b0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  525ce30c
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  06e51000
READ_ADDRESS:  06e51000

FOLLOWUP_IP:
nnotes!Cmovmem+153
610b1b73 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

BUGCHECK_STR:  APPLICATION_FAULT_STRING_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  STRING_DEREFERENCE
DEFAULT_BUCKET_ID:  STRING_DEREFERENCE
LAST_CONTROL_TRANSFER:  from 610b4b34 to 610b1b73

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
00182e8c 610b4b34 06e51028 07b301c6 00093eee nnotes!Cmovmem+0x153
00182ea8 61aa7061 00183710 00000251 07b301c6 nnotes!ODSReadMemory+0x74
00182edc 6119198a 00186b58 067b21a8 00000000 nnotes!DbDumpSuperBlocks+0x15b1
00183074 61aacebf 00186b58 0018371c 001833d8 nnotes!DbSuperBlockRead+0x37a
00183890 6119167d 00186b58 00000000 00000000 nnotes!NSFDumpSuperBlock+0x29df
001838b0 6119749c 00186b58 00000000 00000000 nnotes!DbSuperBlockRead+0x6d
00183a94 61bf2c64 00186b58 0694d238 00186e74 nnotes!NSFNoteIsSignedOrSealed+0x29ac
00186bf0 610edb77 0694d238 00006002 00000000 nnotes!NSFDbOpenExtended6+0x6d84
00186cdc 61164366 0694d238 00006002 00000000 nnotes!NSFDbOpenExtended3+0x47
00186d14 672487d0 0694d238 00006002 00000000 nnotes!NSFDbOpenExtended2+0x36
00186e6c 677de7b2 00000000 00187474 00000000 nnotesws!NEMPostStatus+0x14b90
00187334 677a33d4 0694006a 0000006e 00187474 nnotesws!DocumentModalEdit+0x44e32
00187478 671e5be5 00b68618 0e450aa0 00188ecc nnotesws!DocumentModalEdit+0x9a54
00188a6c 671e513d 00b68618 00000113 000003ef nnotesws!NEMGetWindowLong+0x775
00188ed0 76be86ef 0e450aa0 00000113 000003ef nnotesws+0x513d
00188efc 76be8876 671e2f50 0e450aa0 00000113 USER32!IsThreadDesktopComposited+0x11f
00188f74 76be89b5 00000000 671e2f50 0e450aa0 USER32!IsThreadDesktopComposited+0x2a6
00188fd4 76be8e9c 671e2f50 00000000 00189020 USER32!IsThreadDesktopComposited+0x3e5
00188fe4 67280574 00188ffc 671e0000 76be7756 USER32!DispatchMessageW+0xf
00189020 010d1f90 010d13b0 010d7c50 002f21bd nnotesws!NEMMainLoop+0x4a4
0018f794 010d2fa4 010d0000 00000000 00000001 nlnotes+0x1f90
0018f828 76d21174 7ffd5000 0018f874 7740b3f5 nlnotes+0x2fa4
0018f834 7740b3f5 7ffd5000 75f5cafe 00000000 kernel32!BaseThreadInitThunk+0x12
0018f874 7740b3c8 010d30e7 7ffd5000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0018f88c 00000000 010d30e7 7ffd5000 00000000 ntdll!RtlInitializeExceptionChain+0x36


SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  nnotes!Cmovmem+153
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  nnotes.dll
STACK_COMMAND:  ~1s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  STRING_DEREFERENCE_c0000005_nnotes.dll!Cmovmem
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/nlnotes_exe/9_0_10_13287/525ce2dd/nnotes_dll/9_0_10_13287/525ce30c/c0000005/00001b73.htm?Retriage=1
Followup: MachineOwner

---------
More:
>> https://code610.blogspot.com
>> https://twitter.com/CodySixteen

Cheers
