MS Publisher 2010 - NULL_CLASS_PTR_DEREFERENCE
-----------------------------------------------------------------------
Found : 04.06.2016
-----------------------------------------------------------------------
Open WinDbg and run MSPUB.exe. Attach the debugger to Publisher.
Ctrl+S to check the symbol path, and here we go:
dbg> srv*c:\symbols*http://msdn.microsoft.com/download/symbols
TL;DR
Let's also take care of child processes (if any):
dbg> .childdbg 1
dbg> g
Ok, there should be a crash in WinDbg:
(...)
ModLoad: 75f70000 75f7a000 C:\WINDOWS\System32\davclnt.dll
(128.778): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02000143 ecx=00000000 edx=02700016 esi=00000054 edi=00000000
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal6038+0x925:
394134f9 f6405808 test byte ptr [eax+58h],8 ds:0023:00000058=??(...)
Restart, and run the PoC in MSPUB.exe again: (...)
And again we're here:
(190.b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02000143 ecx=00000000 edx=02700016 esi=00000054 edi=00000000
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal6038+0x925:
394134f9 f6405808 test byte ptr [eax+58h],8 ds:0023:00000058=??
Let's check what's happened:
0:000> u eip
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
mso!Ordinal6038+0x925:
394134f9 f6405808 test byte ptr [eax+58h],8 ; our crash during TEST
394134fd 0f854b4f0000 jne mso!Ordinal7184+0xf5 (3941844e)
39413503 c3 ret
39413504 55 push ebp
39413505 8bec mov ebp,esp
39413507 8b4d08 mov ecx,dword ptr [ebp+8]
3941350a ff09 dec dword ptr [ecx]
3941350c 56 push esi
Ok, how to understand TEST (quoting "Assembly Language for Intel-based Computers"
by Kip Irvine):
"6.2.6 TEST Instruction
The TEST instruction performs an implied AND operation between each pair of matching bits
in two operands and sets the flags accordingly. The only difference between TEST and AND is
that TEST does not modify the destination operand. The TEST instruction permits the same
operand combinations as the AND instruction. TEST is particularly valuable for finding out if
individual bits in an operand are set."
So let's find out what's before that instruction:
0:000> u eip-1
mso!Ordinal6038+0x924:
394134f8 c1f640 sal esi,40h
394134fb 58 pop eax
394134fc 080f or byte ptr [edi],cl
394134fe 854b4f test dword ptr [ebx+4Fh],ecx
39413501 0000 add byte ptr [eax],al
39413503 c3 ret
39413504 55 push ebp
39413505 8bec mov ebp,esp
0:000> u eip-2
mso!Ordinal6038+0x923:
394134f7 8bc1 mov eax,ecx
394134f9 f6405808 test byte ptr [eax+58h],8
394134fd 0f854b4f0000 jne mso!Ordinal7184+0xf5 (3941844e)
39413503 c3 ret
39413504 55 push ebp
39413505 8bec mov ebp,esp
39413507 8b4d08 mov ecx,dword ptr [ebp+8]
3941350a ff09 dec dword ptr [ecx]
0:000> r ecx
ecx=00000000
0:000> .echo "394134f7 8bc1 mov eax,ecx"
394134f7 8bc1 mov eax,ecx
0:000>
(After a restart, we will set a bp at 394134f7)
0:007> .childdbg 1
Processes created by the current process will be debugged
0:007> bp 3941845B
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
Breakpoint already set:
0:007> bl
0 e 3941845b 0001 (0001) 0:**** mso!Ordinal7184+0x102
0:007> g
(...)
Breakpoint 0 hit
eax=092c874c ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=3941845b esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200202
mso!Ordinal7184+0x102:
3941845b 83c094 add eax,0FFFFFF94h
Dump EAX:
0:000> dd eax
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
092c874c 09acb9f4 00000002 065e5d98 06734b68
092c875c 06c43848 06af8367 00000000 00000000
092c876c 00000000 00000000 eaf02eaf 39339a34
092c877c 392b15f0 3910f148 092c45a0 092c8820
092c878c 092c8b40 092c83c0 0400000d 0883e4d0
092c879c ffffffff ffffffff ffffffff 092c07c0
092c87ac 02956838 00820025 00000000 00000000
092c87bc 092c57d0 000000cf 00000000 00000048
Unassemble EAX:
0:000> u eax
092c874c f4 hlt
092c874d b9ac090200 mov ecx,209ACh
092c8752 0000 add byte ptr [eax],al
092c8754 98 cwde
092c8755 5d pop ebp
092c8756 5e pop esi
092c8757 06 push es
092c8758 684b730648 push 4806734Bh
Unassemble EIP:
0:000> u eip
mso!Ordinal7184+0x102:
3941845b 83c094 add eax,0FFFFFF94h
3941845e e996b0ffff jmp mso!Ordinal6038+0x925 (394134f9)
39418463 55 push ebp
39418464 8bec mov ebp,esp
39418466 53 push ebx
39418467 33db xor ebx,ebx
39418469 56 push esi
3941846a 8bf1 mov esi,ecx
And this JMP goes to:
0:000> u 394134f9
mso!Ordinal6038+0x925:
394134f9 f6405808 test byte ptr [eax+58h],8
394134fd 0f854b4f0000 jne mso!Ordinal7184+0xf5 (3941844e)
39413503 c3 ret
39413504 55 push ebp
39413505 8bec mov ebp,esp
39413507 8b4d08 mov ecx,dword ptr [ebp+8]
3941350a ff09 dec dword ptr [ecx]
3941350c 56 push esi
Ok, so after adding FFFFFF94 to EAX we will jump to 394134f9
(the place where we saw the crash before, the TEST instruction).
Let's see EAX before and after one step (after a restart):
0:000> r eax
eax=092c874c
0:000> p
eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=3941845e esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200213
mso!Ordinal7184+0x105:
3941845e e996b0ffff jmp mso!Ordinal6038+0x925 (394134f9)
0:000> r eax
eax=092c86e0
0:000> u eax
092c86e0 c8a92939 enter 29A9h,39h
092c86e4 07 pop es
092c86e5 0400 add al,0
092c86e7 0000 add byte ptr [eax],al
092c86e9 0000 add byte ptr [eax],al
092c86eb 002a add byte ptr [edx],ch
092c86ed 0100 add dword ptr [eax],eax
092c86ef 0200 add al,byte ptr [eax]
Ok, another p:
0:000> p
eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200213
mso!Ordinal6038+0x925:
394134f9 f6405808 test byte ptr [eax+58h],8 ds:0023:092c8738=04
0:000> p
eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=394134fd esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
mso!Ordinal6038+0x929:
394134fd 0f854b4f0000 jne mso!Ordinal7184+0xf5 (3941844e) [br=0]
0:000> u 3941844e
mso!Ordinal7184+0xf5:
3941844e 8b4054 mov eax,dword ptr [eax+54h]
39418451 f6400402 test byte ptr [eax+4],2
39418455 7504 jne mso!Ordinal7184+0x102 (3941845b)
39418457 8b00 mov eax,dword ptr [eax]
39418459 ebf6 jmp mso!Ordinal7184+0xf8 (39418451)
3941845b 83c094 add eax,0FFFFFF94h
3941845e e996b0ffff jmp mso!Ordinal6038+0x925 (394134f9)
39418463 55 push ebp
0:000> p
eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=39413503 esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
mso!Ordinal6038+0x92f:
39413503 c3 ret
So it looks like a loop. If EAX is not 0xFFFFFF94 it will repeat.
Now we will try it with a modified 'p' command (keep going until the next crash):
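To make the disassembly above easier to reason about, here is a C model of the code path it shows. This is an added example, not code from the post and not Microsoft's code: the struct names, field names, the meaning of the flag bits and the MAX_HOPS guard are assumptions, chosen so the field layout mirrors the offsets WinDbg printed (0x54, 0x04, 0x58 and the -0x6c from `add eax,0FFFFFF94h`) on a 32-bit build. It shows the TEST/ZF semantics from the quoted textbook, why a NULL `this` (ecx) faults at address 0x58, and what the same routine looks like with the missing checks.

```c
/* Added example, not from the original post: C model of the path reconstructed
 * from the disassembly. Struct/field names and MAX_HOPS are assumptions. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_HOPS 64   /* hypothetical guard against a cyclic chain */

/* Link walked at 3941844e..39418459: [node] is the next pointer and
 * byte [node+4] carries the bit (value 2) that terminates the walk. */
struct node {
    struct node *next;
    uint8_t      flags;
};

/* Object the method runs on (`this` in ecx, copied to eax at 394134f7).
 * The embedded link sits 0x6c bytes into the object on the 32-bit layout,
 * which `add eax,0FFFFFF94h` (eax -= 0x6c) undoes after the walk: a
 * hand-written container_of(). */
struct obj {
    struct node *chain;   /* [this+54h]: chain head */
    uint8_t      state;   /* [this+58h]: byte tested against 8 */
    struct node  link;    /* [this+6Ch]: this object's own link */
};

/* TEST semantics from the quoted textbook: AND the operands, store nothing,
 * set ZF when the result is zero. `jne` is taken only when ZF == 0, which is
 * why WinDbg printed [br=0] for the byte 04 tested against 8. */
static int test_sets_zf(uint8_t value, uint8_t mask)
{
    return (value & mask) == 0;
}

/* The path as compiled: no NULL check anywhere. With self == NULL the first
 * read is at address 0x58, the faulting address !exploitable reports.
 * Must not be called with NULL or with a chain that never terminates. */
static int method_as_compiled(struct obj *self)
{
    for (;;) {
        if (test_sets_zf(self->state, 8))      /* test byte ptr [eax+58h],8 */
            return 0;                          /* ZF=1: fall through to ret */
        struct node *n = self->chain;          /* mov eax,dword ptr [eax+54h] */
        while (test_sets_zf(n->flags, 2))      /* test byte ptr [eax+4],2 */
            n = n->next;                       /* mov eax,dword ptr [eax]; jmp */
        self = (struct obj *)((char *)n - offsetof(struct obj, link));
    }
}

/* Hardened variant: same logic plus the checks that turn the access violation
 * into an error return. 0 = found a state byte without bit 8; -1 = NULL this,
 * NULL link inside the chain, or too many hops. */
static int method_hardened(const struct obj *self)
{
    for (int hops = 0; self != NULL && hops < MAX_HOPS; hops++) {
        if (test_sets_zf(self->state, 8))
            return 0;
        const struct node *n = self->chain;
        while (n != NULL && test_sets_zf(n->flags, 2))
            n = n->next;
        if (n == NULL)
            return -1;
        self = (const struct obj *)((const char *)n - offsetof(struct obj, link));
    }
    return -1;
}

/* Constructed input: a's chain runs through a non-terminal node to b's
 * embedded link, so the walk hops from a to b; b's state lacks bit 8. */
static struct obj a, b;
static struct node middle;

static void build_valid_chain(void)
{
    b.state = 0x04;  b.link.flags = 0x02;  b.link.next = NULL;   /* terminal node */
    middle.flags = 0x00;  middle.next = &b.link;                 /* skipped node  */
    a.state = 0x08;  a.chain = &middle;  a.link.flags = 0x02;
}

int demo_valid_chain_compiled(void) { build_valid_chain(); return method_as_compiled(&a); }
int demo_valid_chain_hardened(void) { build_valid_chain(); return method_hardened(&a); }
int demo_null_this(void)            { return method_hardened(NULL); }
int demo_unterminated_chain(void)   /* the compiled code would fault here too */
{
    build_valid_chain();
    middle.next = NULL;             /* chain ends without a terminal node */
    return method_hardened(&a);
}

int main(void)
{
    printf("valid chain:  compiled=%d hardened=%d\n",
           demo_valid_chain_compiled(), demo_valid_chain_hardened());
    printf("NULL this:    hardened=%d\n", demo_null_this());
    printf("unterminated: hardened=%d\n", demo_unterminated_chain());
    return 0;
}
```

The two failure cases the hardened version returns -1 for are exactly the ones the compiled loop cannot survive: a NULL `this` faults on the first TEST, and a chain whose last link has no terminating bit walks off the end of the list.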
p;.if (@eax != 0) { .echo eax ; r eax ; u eip ; dd eax ;r } .else { .echo eax ; r eax ; u eip ; dd eax;r } ;
(...)
USER32!DefWindowProcW+0x1d4: ... -> goes to...
USER32!DefWindowProcW+0x1d7: ... -> goes to...
USER32!DefWindowProcW+0x1d7: ... -> goes to...
USER32!GetWindowLongA+0x47: ... -> goes to...
0:000>
ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\COMDLG32.DLL
ModLoad: 769c0000 76a74000 C:\WINDOWS\system32\USERENV.dll
(7a0.68c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax
eax=00000000
mso!Ordinal6038+0x925:
394134f9 f6405808 test byte ptr [eax+58h],8
394134fd 0f854b4f0000 jne mso!Ordinal7184+0xf5 (3941844e)
39413503 c3 ret
39413504 55 push ebp
39413505 8bec mov ebp,esp
39413507 8b4d08 mov ecx,dword ptr [ebp+8]
3941350a ff09 dec dword ptr [ecx]
3941350c 56 push esi
00000000 ???????? ???????? ???????? ????????
00000010 ???????? ???????? ???????? ????????
00000020 ???????? ???????? ???????? ????????
00000030 ???????? ???????? ???????? ????????
00000040 ???????? ???????? ???????? ????????
00000050 ???????? ???????? ???????? ????????
00000060 ???????? ???????? ???????? ????????
00000070 ???????? ???????? ???????? ????????
eax=00000000 ebx=02000143 ecx=00000000 edx=02700016 esi=00000054 edi=00000000
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
mso!Ordinal6038+0x925:
394134f9 f6405808 test byte ptr [eax+58h],8 ds:0023:00000058=??
The next 'p' command lands here:
0:000>
eax
eax=00000000
ntdll!KiUserExceptionDispatcher+0x4:
7c90e460 8b1c24 mov ebx,dword ptr [esp]
7c90e463 51 push ecx
7c90e464 53 push ebx
7c90e465 e8e6c40100 call ntdll!towlower+0x12a (7c92a950)
7c90e46a 0ac0 or al,al
7c90e46c 740c je ntdll!KiUserExceptionDispatcher+0x1e (7c90e47a)
7c90e46e 5b pop ebx
7c90e46f 59 pop ecx
00000000 ???????? ???????? ???????? ????????
00000010 ???????? ???????? ???????? ????????
00000020 ???????? ???????? ???????? ????????
00000030 ???????? ???????? ???????? ????????
00000040 ???????? ???????? ???????? ????????
00000050 ???????? ???????? ???????? ????????
00000060 ???????? ???????? ???????? ????????
00000070 ???????? ???????? ???????? ????????
eax=00000000 ebx=02000143 ecx=0012bfd8 edx=02700016 esi=00000054 edi=00000000
eip=7c90e460 esp=0012bfb4 ebp=0012c2b4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00200246
ntdll!KiUserExceptionDispatcher+0x4:
7c90e460 8b1c24 mov ebx,dword ptr [esp] ss:0023:0012bfb4=0012bfbc
0:000>
Ok.
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exception Faulting Address: 0x58
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:394134f9 test byte ptr [eax+58h],8
Basic Block:
394134f9 test byte ptr [eax+58h],8
Tainted Input operands: 'eax'
394134fd jne mso!ordinal7184+0xf5 (3941844e)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x5f2aaa21.0x6659f47c
Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal6038+0x925
Major+Minor : MSPUB+0xf11e7
Major+Minor : MSPUB+0xf1196
Major+Minor : MSPUB+0xf0f8d
Major+Minor : mso!Ordinal3895+0x106
Minor : mso!Ordinal3895+0xe9
Minor : mso!Ordinal1774+0x594
Minor : mso!Ordinal1774+0x57a
Minor : MSPUB+0x7d277
Minor : MSPUB+0x1d7b7
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!GetWindowLongW+0x127
Minor : USER32!DispatchMessageW+0xf
Minor : mso!Ordinal9774+0x23
Minor : MSPUB+0x347ec
Minor : MSPUB+0x212d
Minor : MSPUB+0x20d0
Minor : MSPUB+0x2083
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x00000000394134f9
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mso!Ordinal6038+0x0000000000000925 (Hash=0x5f2aaa21.0x6659f47c)
This is a user mode read access violation near null, and is probably not exploitable.
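For triage, the "near NULL" verdict above can be reproduced from the register dump and the faulting instruction alone. The following is an added example, not code from the post or from the !exploitable extension: it pulls the base register out of a WinDbg `r`-style line, parses the MASM memory operand (`[eax+58h]`), computes the effective address and classifies it. The 64 KiB near-null window is an assumption; the post does not state the extension's real cut-off. The two register lines are copied from the session above.

```c
/* Added example, not from the original post: effective-address triage for a
 * first-chance read AV. NEAR_NULL_LIMIT is an assumed threshold. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NEAR_NULL_LIMIT 0x10000u   /* assumed 64 KiB window */

/* Register lines taken from the WinDbg session above (constructed input). */
static const char CRASH_REGS[] =
    "eax=00000000 ebx=02000143 ecx=00000000 edx=02700016 esi=00000054 edi=00000000";
static const char LOOP_REGS[] =
    "eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0";

/* Value of one 32-bit register from an "r"-style line, or -1 if absent. */
static long long reg_from_dump(const char *line, const char *name)
{
    char key[8];
    snprintf(key, sizeof key, "%s=", name);
    const char *p = strstr(line, key);
    if (p == NULL)
        return -1;
    return (long long)strtoul(p + strlen(key), NULL, 16);
}

/* Parse a MASM memory operand such as "[eax+58h]" or "[ecx]" into base
 * register and displacement. Returns 0 on malformed input. */
static int parse_mem_operand(const char *op, char *reg, size_t reglen, uint32_t *disp)
{
    if (*op != '[')
        return 0;
    op++;
    size_t i = 0;
    while (*op && *op != '+' && *op != ']' && i + 1 < reglen)
        reg[i++] = *op++;
    reg[i] = '\0';
    *disp = 0;
    if (*op == '+') {
        char *end;
        *disp = (uint32_t)strtoul(op + 1, &end, 16);   /* MASM hex, e.g. 58h */
        if (*end == 'h')
            end++;
        op = end;
    }
    return *op == ']' && i > 0;
}

/* Effective address of the faulting operand given the register line, or -1. */
static long long effective_address(const char *regline, const char *operand)
{
    char reg[8];
    uint32_t disp;
    if (!parse_mem_operand(operand, reg, sizeof reg, &disp))
        return -1;
    long long base = reg_from_dump(regline, reg);
    if (base < 0)
        return -1;
    return (long long)((uint32_t)base + disp);   /* 32-bit wraparound, as in the debuggee */
}

/* The same split !exploitable made: a read below the near-null window is the
 * classic NULL-plus-offset pattern and is reported as ReadAVNearNull. */
static const char *classify_read_av(long long ea)
{
    if (ea < 0)
        return "Unknown";
    return (uint32_t)ea < NEAR_NULL_LIMIT ? "ReadAVNearNull" : "ReadAV";
}

int main(void)
{
    const char *operand = "[eax+58h]";     /* from "test byte ptr [eax+58h],8" */
    long long ea1 = effective_address(CRASH_REGS, operand);
    long long ea2 = effective_address(LOOP_REGS, operand);
    printf("crash: ea=0x%llx -> %s\n", ea1, classify_read_av(ea1));
    printf("loop:  ea=0x%llx -> %s\n", ea2, classify_read_av(ea2));
    return 0;
}
```

The second line is the non-crashing iteration seen earlier (eax=092c86e0), and the computed 0x092c8738 matches the `ds:0023:092c8738=04` annotation WinDbg printed for it, which is a quick sanity check that the operand parsing is right before trusting the verdict on the crashing line.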
--------
Comments/questions/feedback - mail me.
Cheers,
Cody