- 34,644
- 0
- 18 Дек 2022
- EDB-ID
- 38282
- Проверка EDB
-
- Пройдено
- Автор
- GOOGLE SECURITY RESEARCH
- Тип уязвимости
- DOS
- Платформа
- WINDOWS
- CVE
- N/A
- Дата публикации
- 2015-09-22
Kaspersky AntiVirus - ExeCryptor Parsing Memory Corruption
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=525
Fuzzing packed executables found the attached crash, it might be usable as an information leak as part of another bug, so filing as a low-risk bug. If I had to guess, I would say this is the ExeCryptor unpacker.
(83c.fc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b61f00c ebx=00030ff4 ecx=00000000 edx=00000000 esi=0409005c edi=00000000
eip=15cc7e73 esp=0441ecf8 ebp=0441ef18 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010217
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h ds:002b:0b650000=??
What is that code doing?
0:021> u
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h
15cc7e77 0f8596000000 jne 15cc7f13
15cc7e7d 8b540301 mov edx,dword ptr [ebx+eax+1]
15cc7e81 8d441a05 lea eax,[edx+ebx+5]
15cc7e85 33c9 xor ecx,ecx
15cc7e87 3d00100000 cmp eax,1000h
15cc7e8c 0f9cc1 setl cl
15cc7e8f 33d2 xor edx,edx
That edx+ebx+5 gives it away, it's searching for a jmp opcode and trying to pull out the branch target.
Why did it get lost? I'll put a breakpoint there and see where it goes wrong:
0:021> bp @eip
0:021> .restart
Breakpoint 0 hit
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e73 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei ng nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000282
15cc7e73 803c03e9 cmp byte ptr [ebx+eax],0E9h ds:002b:0584f00c=00
That looks fine, eax is the start of the buffer to search, and ebx is the index to look for a jmp opcode.
0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e77 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000217
15cc7e77 0f8596000000 jne 15cc7f13 [br=1]
0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f13 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000217
15cc7f13 43 inc ebx
0:024> t
eax=0584f00c ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f14 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000203
15cc7f14 8d47fb lea eax,[edi-5]
0:024> t
eax=fffffffb ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f17 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000203
15cc7f17 3bd8 cmp ebx,eax
Ah, that's the bug, it's wrapping past zero and never exiting. The code is probably doing:
do {
if (ptr[index] != JMP_OPCODE)
index -= SIZEOF_JMP;
} while (index != 0);
That's a bug, because if index < SIZEOF_JMP, it will wrap and never exit. I would think it should decrement by 1 not sizeof(jmp) anyway, because jmps do not have to be aligned, but I don't know anything about ExeCryptor - maybe it makes sense.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38282.zip
- Источник
- www.exploit-db.com