Sunday, 5 June 2016

NULL Pointer Dereference in MS Publisher 2010

MS Publisher 2010 - NULL_CLASS_PTR_DEREFERENCE

-----------------------------------------------------------------------
 Found : 04.06.2016
-----------------------------------------------------------------------
Open WinDbg and run MSPUB.exe. Attach the debugger to Publisher.
Ctrl+S to check the symbol path, and here we go:
dbg> srv*c:\symbols*http://msdn.microsoft.com/download/symbols


TL;DR

Let's also take care of child processes (if any):
dbg> .childdbg 1
dbg> g


Ok, there should be a crash in Windbg:
(...)
ModLoad: 75f70000 75f7a000   C:\WINDOWS\System32\davclnt.dll
(128.778): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02000143 ecx=00000000 edx=02700016 esi=00000054 edi=00000000
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal6038+0x925:
394134f9 f6405808        test    byte ptr [eax+58h],8       ds:0023:00000058=??
(...) 

Restart, and again open the PoC in MSPUB.exe: (...)

And again we're here:

(190.b8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02000143 ecx=00000000 edx=02700016 esi=00000054 edi=00000000
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal6038+0x925:
394134f9 f6405808        test    byte ptr [eax+58h],8       ds:0023:00000058=??

Let's check what happened:
0:000> u eip
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
mso!Ordinal6038+0x925:
394134f9 f6405808        test    byte ptr [eax+58h],8  ; our crash during TEST
394134fd 0f854b4f0000    jne     mso!Ordinal7184+0xf5 (3941844e)
39413503 c3              ret
39413504 55              push    ebp
39413505 8bec            mov     ebp,esp
39413507 8b4d08          mov     ecx,dword ptr [ebp+8]
3941350a ff09            dec     dword ptr [ecx]
3941350c 56              push    esi

Ok, how to understand TEST (quoting "Assembly Language for Intel-Based Computers"
by Kip Irvine):

"6.2.6 TEST Instruction
The TEST instruction performs an implied AND operation between each pair of matching bits
in two operands and sets the flags accordingly. The only difference between TEST and AND is
that TEST does not modify the destination operand. The TEST instruction permits the same
operand combinations as the AND instruction. TEST is particularly valuable for finding out if
individual bits in an operand are set."

So let's find out what's before that instruction:

0:000> u eip-1
mso!Ordinal6038+0x924:
394134f8 c1f640          sal     esi,40h
394134fb 58              pop     eax
394134fc 080f            or      byte ptr [edi],cl
394134fe 854b4f          test    dword ptr [ebx+4Fh],ecx
39413501 0000            add     byte ptr [eax],al
39413503 c3              ret
39413504 55              push    ebp
39413505 8bec            mov     ebp,esp
0:000> u eip-2
mso!Ordinal6038+0x923:
394134f7 8bc1            mov     eax,ecx
394134f9 f6405808        test    byte ptr [eax+58h],8
394134fd 0f854b4f0000    jne     mso!Ordinal7184+0xf5 (3941844e)
39413503 c3              ret
39413504 55              push    ebp
39413505 8bec            mov     ebp,esp
39413507 8b4d08          mov     ecx,dword ptr [ebp+8]
3941350a ff09            dec     dword ptr [ecx]
0:000> r ecx
ecx=00000000
0:000> .echo "394134f7 8bc1            mov     eax,ecx"
394134f7 8bc1            mov     eax,ecx
0:000> 


(After restart, we will set bp @394134f7)



0:007> .childdbg 1
Processes created by the current process will be debugged
0:007> bp 3941845B
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
 

Breakpoint already set:
0:007> bl
 0 e 3941845b     0001 (0001)  0:**** mso!Ordinal7184+0x102
 

0:007> g
(...)

Breakpoint 0 hit
eax=092c874c ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=3941845b esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200202
mso!Ordinal7184+0x102:
3941845b 83c094          add     eax,0FFFFFF94h
 

Dump EAX:
0:000> dd eax
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
092c874c  09acb9f4 00000002 065e5d98 06734b68
092c875c  06c43848 06af8367 00000000 00000000
092c876c  00000000 00000000 eaf02eaf 39339a34
092c877c  392b15f0 3910f148 092c45a0 092c8820
092c878c  092c8b40 092c83c0 0400000d 0883e4d0
092c879c  ffffffff ffffffff ffffffff 092c07c0
092c87ac  02956838 00820025 00000000 00000000
092c87bc  092c57d0 000000cf 00000000 00000048
 

Unassemble EAX:
0:000> u eax
092c874c f4              hlt
092c874d b9ac090200      mov     ecx,209ACh
092c8752 0000            add     byte ptr [eax],al
092c8754 98              cwde
092c8755 5d              pop     ebp
092c8756 5e              pop     esi
092c8757 06              push    es
092c8758 684b730648      push    4806734Bh


Unassemble EIP:
0:000> u eip
mso!Ordinal7184+0x102:
3941845b 83c094          add     eax,0FFFFFF94h
3941845e e996b0ffff      jmp     mso!Ordinal6038+0x925 (394134f9)
39418463 55              push    ebp
39418464 8bec            mov     ebp,esp
39418466 53              push    ebx
39418467 33db            xor     ebx,ebx
39418469 56              push    esi
3941846a 8bf1            mov     esi,ecx
 

And this JMP goes to:
0:000> u 394134f9
mso!Ordinal6038+0x925:
394134f9 f6405808        test    byte ptr [eax+58h],8
394134fd 0f854b4f0000    jne     mso!Ordinal7184+0xf5 (3941844e)
39413503 c3              ret
39413504 55              push    ebp
39413505 8bec            mov     ebp,esp
39413507 8b4d08          mov     ecx,dword ptr [ebp+8]
3941350a ff09            dec     dword ptr [ecx]
3941350c 56              push    esi


Ok, so after adding 0FFFFFF94h to EAX we jump to 394134f9
(the place where we saw the crash before, at the TEST instruction).

Let's look at EAX before and after one step (after a restart):
0:000> r eax
eax=092c874c
 

0:000> p
eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=3941845e esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200213
mso!Ordinal7184+0x105:
3941845e e996b0ffff      jmp     mso!Ordinal6038+0x925 (394134f9)
 

0:000> r eax
eax=092c86e0
 

0:000> u eax
092c86e0 c8a92939        enter   29A9h,39h
092c86e4 07              pop     es
092c86e5 0400            add     al,0
092c86e7 0000            add     byte ptr [eax],al
092c86e9 0000            add     byte ptr [eax],al
092c86eb 002a            add     byte ptr [edx],ch
092c86ed 0100            add     dword ptr [eax],eax
092c86ef 0200            add     al,byte ptr [eax]

Ok, another p:
0:000> p

eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200213
mso!Ordinal6038+0x925:
394134f9 f6405808        test    byte ptr [eax+58h],8       ds:0023:092c8738=04





0:000> p
eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=394134fd esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
mso!Ordinal6038+0x929:
394134fd 0f854b4f0000    jne     mso!Ordinal7184+0xf5 (3941844e)         [br=0]
0:000> u 3941844e
mso!Ordinal7184+0xf5:
3941844e 8b4054          mov     eax,dword ptr [eax+54h]
39418451 f6400402        test    byte ptr [eax+4],2
39418455 7504            jne     mso!Ordinal7184+0x102 (3941845b)
39418457 8b00            mov     eax,dword ptr [eax]
39418459 ebf6            jmp     mso!Ordinal7184+0xf8 (39418451)
3941845b 83c094          add     eax,0FFFFFF94h
3941845e e996b0ffff      jmp     mso!Ordinal6038+0x925 (394134f9)
39418463 55              push    ebp

0:000> p
eax=092c86e0 ebx=0200012e ecx=09acb8c0 edx=02700016 esi=09acb914 edi=09acb8c0
eip=39413503 esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
mso!Ordinal6038+0x92f:
39413503 c3              ret

So it looks like a loop. If EAX is not 0xFFFFFF94 it will repeat.
Now we will step with a modified 'p' command that, after each step, echoes EAX, disassembles at EIP and dumps EAX, and keep going until the next crash:
p;.if (@eax != 0) { .echo eax ; r eax ; u eip ; dd eax ;r } .else { .echo eax ; r eax ; u eip ; dd eax;r } ;
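To make the loop (and the bit test quoted from Irvine above) concrete, here is a C model of the routine between mso!Ordinal6038+0x923 and mso!Ordinal7184+0x105. It is an example added to this post, not Publisher's or Microsoft's code: the struct and field names (obj, link, children, state, OBJ_DESCEND, LINK_SELECTED) and the meaning I give the two bits are assumptions; only the offsets (+0x54, +0x58, +4, -0x6c) and the masks (8 and 2) come from the disassembly shown on this page. The unchecked function mirrors the instructions one for one, including the missing NULL check that turns an ECX of 0 into the read at 0x58 seen in the crash; the checked function is the fix a developer would apply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Publisher's code. Names are assumptions; the offsets and
 * masks in the comments are the ones visible in the disassembly on this page. */

struct link {
    struct link *next;   /* dword at +0    : 39418457  mov eax,[eax]           */
    uint8_t      flags;  /* byte  at +4    : 39418451  test byte ptr [eax+4],2 */
};

struct obj {
    struct link *children; /* dword at +0x54: 3941844e  mov eax,[eax+54h]          */
    uint8_t      state;    /* byte  at +0x58: 394134f9  test byte ptr [eax+58h],8  */
    struct link  link;     /* link at +0x6c : 3941845b  add eax,0FFFFFF94h (-0x6c) */
};
/* Real padding between the fields is not reproduced; offsetof() below plays
 * the role of the hard-coded -0x6c in the binary. */

#define OBJ_DESCEND   0x08   /* assumed meaning of bit 3 of the +0x58 byte */
#define LINK_SELECTED 0x02   /* assumed meaning of bit 1 of the +4 byte    */

/* One-for-one with the disassembly: no NULL check anywhere. Entered with
 * o == NULL (ECX = 0 in the first crash) the first test reads address 0x58,
 * which is exactly the "Read Access Violation near NULL" !exploitable reports. */
static struct obj *resolve_unchecked(struct obj *o)
{
    for (;;) {
        if (!(o->state & OBJ_DESCEND))          /* 394134f9 test / 394134fd jne */
            return o;                           /* 39413503 ret                 */
        struct link *l = o->children;           /* 3941844e mov eax,[eax+54h]   */
        while (!(l->flags & LINK_SELECTED))     /* 39418451 test [eax+4],2      */
            l = l->next;                        /* 39418457 mov eax,[eax]       */
        o = (struct obj *)((char *)l - offsetof(struct obj, link)); /* 3941845b */
    }
}

/* Hardened version: every pointer is checked before it is dereferenced, and a
 * list without a selected entry makes the routine fail closed instead of
 * reading through NULL. */
static struct obj *resolve_checked(struct obj *o)
{
    while (o != NULL && (o->state & OBJ_DESCEND)) {
        struct link *l = o->children;
        while (l != NULL && !(l->flags & LINK_SELECTED))
            l = l->next;
        if (l == NULL)
            return NULL;
        o = (struct obj *)((char *)l - offsetof(struct obj, link));
    }
    return o;
}

/* Constructed sample: root descends into [a, b], where only b is selected. */
static struct obj root, child_a, child_b;

static struct obj *sample_root(void)
{
    memset(&root, 0, sizeof root);
    memset(&child_a, 0, sizeof child_a);
    memset(&child_b, 0, sizeof child_b);
    root.state         = OBJ_DESCEND;
    root.children      = &child_a.link;
    child_a.link.next  = &child_b.link;          /* a is not selected */
    child_b.link.flags = LINK_SELECTED;          /* b ends the walk   */
    return &root;
}

static struct obj *sample_selected(void) { return &child_b; }

/* Same tree but nothing is selected: the walk runs into the NULL terminator. */
static struct obj *sample_root_no_selection(void)
{
    struct obj *r = sample_root();
    child_b.link.flags = 0;
    return r;
}

int main(void)
{
    printf("checked, valid tree   : %s\n",
           resolve_checked(sample_root()) == sample_selected() ? "found b" : "?");
    printf("checked, NULL object  : %p\n", (void *)resolve_checked(NULL));
    printf("checked, no selection : %p\n",
           (void *)resolve_checked(sample_root_no_selection()));
    /* resolve_unchecked(NULL) would fault reading 0x58, as MSPUB.exe did. */
    return 0;
}
```

The unchecked walk has two separate NULL reads waiting in it: the `this` pointer at entry (the page's crash, address 0x58) and the list terminator when no entry carries bit 2 (a read at address 4). Both are what !exploitable classifies as near-NULL reads, which is why the verdict is PROBABLY_NOT_EXPLOITABLE: the fix is a check, not a memory-safety rewrite.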
 

(...)
USER32!DefWindowProcW+0x1d4: ... -> goes to...
USER32!DefWindowProcW+0x1d7:
... -> goes to...
USER32!DefWindowProcW+0x1d7: ... -> goes to...
USER32!GetWindowLongA+0x47:  ... -> goes to...
 0:000>
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\COMDLG32.DLL
ModLoad: 769c0000 76a74000   C:\WINDOWS\system32\USERENV.dll
(7a0.68c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax
eax=00000000
mso!Ordinal6038+0x925:
394134f9 f6405808        test    byte ptr [eax+58h],8
394134fd 0f854b4f0000    jne     mso!Ordinal7184+0xf5 (3941844e)
39413503 c3              ret
39413504 55              push    ebp
39413505 8bec            mov     ebp,esp
39413507 8b4d08          mov     ecx,dword ptr [ebp+8]
3941350a ff09            dec     dword ptr [ecx]
3941350c 56              push    esi
00000000  ???????? ???????? ???????? ????????
00000010  ???????? ???????? ???????? ????????
00000020  ???????? ???????? ???????? ????????
00000030  ???????? ???????? ???????? ????????
00000040  ???????? ???????? ???????? ????????
00000050  ???????? ???????? ???????? ????????
00000060  ???????? ???????? ???????? ????????
00000070  ???????? ???????? ???????? ????????
eax=00000000 ebx=02000143 ecx=00000000 edx=02700016 esi=00000054 edi=00000000
eip=394134f9 esp=0012c2a4 ebp=0012c2b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
mso!Ordinal6038+0x925:
394134f9 f6405808        test    byte ptr [eax+58h],8       ds:0023:00000058=??

The next 'p' command lands here:

0:000>
eax
eax=00000000
ntdll!KiUserExceptionDispatcher+0x4:
7c90e460 8b1c24          mov     ebx,dword ptr [esp]
7c90e463 51              push    ecx
7c90e464 53              push    ebx
7c90e465 e8e6c40100      call    ntdll!towlower+0x12a (7c92a950)
7c90e46a 0ac0            or      al,al
7c90e46c 740c            je      ntdll!KiUserExceptionDispatcher+0x1e (7c90e47a)
7c90e46e 5b              pop     ebx
7c90e46f 59              pop     ecx
00000000  ???????? ???????? ???????? ????????
00000010  ???????? ???????? ???????? ????????
00000020  ???????? ???????? ???????? ????????
00000030  ???????? ???????? ???????? ????????
00000040  ???????? ???????? ???????? ????????
00000050  ???????? ???????? ???????? ????????
00000060  ???????? ???????? ???????? ????????
00000070  ???????? ???????? ???????? ????????
eax=00000000 ebx=02000143 ecx=0012bfd8 edx=02700016 esi=00000054 edi=00000000
eip=7c90e460 esp=0012bfb4 ebp=0012c2b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
ntdll!KiUserExceptionDispatcher+0x4:
7c90e460 8b1c24          mov     ebx,dword ptr [esp]  ss:0023:0012bfb4=0012bfbc
0:000>
 

Ok.

0:000> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Module load completed but symbols could not be loaded for C:\PROGRA~1\MICROS~2\Office14\MSPUB.EXE
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
Exception Faulting Address: 0x58
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:394134f9 test byte ptr [eax+58h],8

Basic Block:
    394134f9 test byte ptr [eax+58h],8
       Tainted Input operands: 'eax'
    394134fd jne mso!ordinal7184+0xf5 (3941844e)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x5f2aaa21.0x6659f47c

 Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal6038+0x925
Major+Minor : MSPUB+0xf11e7
Major+Minor : MSPUB+0xf1196
Major+Minor : MSPUB+0xf0f8d
Major+Minor : mso!Ordinal3895+0x106
Minor       : mso!Ordinal3895+0xe9
Minor       : mso!Ordinal1774+0x594
Minor       : mso!Ordinal1774+0x57a
Minor       : MSPUB+0x7d277
Minor       : MSPUB+0x1d7b7
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : mso!Ordinal9774+0x23
Minor       : MSPUB+0x347ec
Minor       : MSPUB+0x212d
Minor       : MSPUB+0x20d0
Minor       : MSPUB+0x2083
Minor       : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x00000000394134f9

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mso!Ordinal6038+0x0000000000000925 (Hash=0x5f2aaa21.0x6659f47c)

This is a user mode read access violation near null, and is probably not exploitable.


--------

Comments/questions/feedback - mail me.

Cheers,
Cody
