Exploit Avast! - Heap Overflow Unpacking MoleBox Archives

Exploiter

Хакер
34,644
0
18 Дек 2022
EDB-ID
38933
Проверка EDB
  1. Пройдено
Автор
GOOGLE SECURITY RESEARCH
Тип уязвимости
DOS
Платформа
MULTIPLE
CVE
null
Дата публикации
2015-12-10
Avast! - Heap Overflow Unpacking MoleBox Archives
Код:
Source: https://code.google.com/p/google-security-research/issues/detail?id=552

Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.

The attached testcase should cause heap corruption in AvastSvc.exe, please enable page heap if you have trouble reproducing. 

HEAP[AvastSvc.exe]: ZwAllocateVirtualMemory failed c0000018 for heap 00310000 (base 0E560000, size 0006B000)
(474.9f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0e5cb478 ebx=0dd70000 ecx=0000d87f edx=0e55f080 esi=00310000 edi=00003bf8
eip=7731836b esp=0be6d338 ebp=0be6d364 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ntdll!RtlpDeCommitFreeBlock+0x146:
7731836b 80780703        cmp     byte ptr [eax+7],3         ds:002b:0e5cb47f=??

#0  0xf702d588 in asw::root::NewDesCryptBlock(unsigned char*, unsigned int, unsigned char const*, bool, int) ()
#1  0xf702b009 in Mole_DecryptBuffer () from /proc/self/cwd/defs/15092301/engine.so
#2  0xf6f6a124 in moleboxMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) () 
#3  0xf6f7630d in CPackWinExec::packGetNext(void*, ARCHIVED_FILE_INFO*) ()
#4  0xf6e8cdf3 in CAllPackers::GetNext(unsigned int, void*, ARCHIVED_FILE_INFO*) ()
#5  0xf6e76fc9 in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) ()
#6  0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) ()
#7  0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) ()
#8  0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) ()
#9  0xf6e7d6db in avfilesScanRealMulti ()
#10 0xf6e81915 in avfilesScanReal ()
#11 0x0805d2a5 in avfilesScanReal ()
#12 0x0805498c in engine_scan ()

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38933.zip
 
Источник
www.exploit-db.com

Похожие темы