- 18 Dec 2022
- EDB-ID: 37526
- EDB verification: Passed
- Author: ARSYNTEX
- Vulnerability type: DOS
- Platform: WINDOWS
- CVE: N/A
- Publication date: 2015-07-08
Immunity Debugger 1.85 - Crash (PoC)
Code:
# Title: Immunity Debugger - Crash
# Date: 08/07/2015
# Author: Arsyntex
# Vendor Homepage: http://www.immunityinc.com/products/debugger/
# Version: v1.85
# Tested on: Windows 8.1 Pro
Incorrect path/file extension parsing.
- Create a folder named .exe.exe, put any program inside it and try to debug that program.
- Try to debug an executable named test.exe.exe or lib.exe.dll
The "OpenEXEfile" function does not check whether the return value of strchr() is NULL before passing it to strlen().
----------------------------------------------------------------------------------
loc_4B8182:
mov [esp+10h+var_10], edi
add edi, 4
mov [esp+10h+var_C], 20h
mov [esp+10h+arg_24], eax
call strchr ; return EAX= 0
mov [esp+10h+var_10], eax
mov [esp+10h+arg_28], eax ; (!)
call strlen ; ntdll.strlen(s)
---------------------------------------------------------------------
ntdll.strlen(s) - NULL parameter
---------------------------------------------------------------------
ntdll_strlen:
mov ecx, [esp+4] ; [esp+4] = 0 NULL pointer
test ecx, 3 ; ...
jz short loc_77C77510 ; jump
...
loc_77C77510:
mov eax, [ecx] ; Access Violation
---------------------------------------------------------------------
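The pattern in the disassembly above, shown in C as an added example (not the advisory's code and not Immunity's source): strchr()'s result handed to strlen() without a NULL check, beside the checked form. Function names and the '.' search character are assumptions for illustration.

```c
#include <stddef.h>
#include <string.h>

/* Hypothetical shape of the vulnerable logic: strchr() returns NULL when
 * the character is absent, and strlen(NULL) then dereferences address 0,
 * which is the access violation seen inside ntdll_strlen above.
 * Never call this with a name lacking a '.'; it is here to show the bug. */
size_t suffix_len_unchecked(const char *name)
{
    const char *dot = strchr(name, '.');
    return strlen(dot);            /* dot may be NULL: crash */
}

/* Hardened shape: check strchr()'s result before using it.
 * Returns 0 and stores the suffix length, or -1 when no '.' is present. */
int suffix_len_checked(const char *name, size_t *out)
{
    if (name == NULL || out == NULL)
        return -1;
    const char *dot = strchr(name, '.');
    if (dot == NULL)               /* the case OpenEXEfile does not handle */
        return -1;
    *out = strlen(dot);
    return 0;
}

/* Picking the real extension of names like test.exe.exe or lib.exe.dll:
 * use the last '.', and treat a trailing '.' or no '.' as "no extension". */
const char *last_extension(const char *name)
{
    if (name == NULL)
        return NULL;
    const char *dot = strrchr(name, '.');
    if (dot == NULL || dot[1] == '\0')
        return NULL;
    return dot + 1;
}
```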
- Source: www.exploit-db.com