I found a crash in IrfanView. The most interesting for me this time was unpacking original i_view32.exe to new exec (1,5MB). Details of the crash you will find below.
TL;DR
+-----------------------------------------------------------------------------------------------+
| Title ................. | Irfan View - Crash @MSCTF!TF_CheckThreadInputIdle
| Found .............. | 07.07.2016
| Version ............ | 4.42 - 32bit
| Tested against . | Windows XP SP3
+------------------------------------------------------------------------------------------------+
| Details : .................................................................................................................. |
0:000> r
eax=0015c060 ebx=00000001 ecx=00000000 edx=0000000e esi=00000000 edi=00000000
eip=747502b8 esp=0012c390 ebp=0012c39c iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
MSCTF!TF_CheckThreadInputIdle+0x10943:
747502b8 39bee0040000 cmp dword ptr [esi+4E0h],edi ds:0023:000004e0=????????
0:000> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c39c 747381aa 00000001 00000000 04090409 MSCTF!TF_CheckThreadInputIdle+0x10943
0012c3b4 74730cc2 00155d78 04090409 00000001 MSCTF!TF_CreateCicLoadMutex+0x11bf
0012c3d4 74730d39 04090409 00000008 000a0008 MSCTF!TF_UninitSystem+0x2e1
0012c3ec 74731303 00000008 004c012a 04090409 MSCTF!TF_UninitSystem+0x358
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
0012c42c 7e431923 00000008 004c012a 04090409 MSCTF!TF_UninitSystem+0x922
0012c460 7e42b317 000a0008 004c012a 04090409 USER32!UnhookWinEvent+0x77
0012c49c 7e430238 0012c4d0 04090409 0012c4e0 USER32!MoveWindow+0x79
0012c4c0 7c90e453 0012c4d0 00000018 000a0008 USER32!ScrollWindowEx+0xb1
0012c518 7e46b90e 004c012a 0d560119 00000001 ntdll!KiUserCallbackDispatcher+0x13
0012c534 7e46bdf2 004c012a 00000001 007beda8 USER32!IMPSetIMEA+0x40a
0012c788 7e46c8cf 00155f88 00000287 00000017 USER32!IMPSetIMEA+0x8ee
0012c7ac 7e46c97d 001e00f6 00000287 00000017 USER32!IMPSetIMEA+0x13cb
0012c7c8 7e418734 001e00f6 00000287 00000017 USER32!IMPSetIMEA+0x1479
0012c7f4 7e418816 7e46c95b 001e00f6 00000287 USER32!GetDC+0x6d
0012c85c 7e428ea0 00000000 7e46c95b 001e00f6 USER32!GetDC+0x14f
0012c8b0 7e428eec 007beda8 00000287 00000017 USER32!DefWindowProcW+0x180
0012c8d8 7c90e453 0012c8e8 00000018 007beda8 USER32!DefWindowProcW+0x1cc
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
0012c910 00481fd3 004c012a 00b7009c 7c927553 ntdll!KiUserCallbackDispatcher+0x13
0012c91c 7c927553 00150000 40000061 7c91003d image00400000+0x81fd3
0012c928 7c91003d 7c8850e0 00b70098 00179b50 ntdll!RtlOemStringToUnicodeString+0xee
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\uxtheme.dll -
0012c960 5ad8c2b1 5ad8c37b 00000000 00000000 ntdll!RtlFreeHeap+0x130
0012c988 7e42c23c 7e42c1e9 0012fb80 00483fe0 uxtheme!GetThemeAppProperties+0x50
0012c98c 7e42c1e9 0012fb80 00483fe0 00000084 USER32!DefWindowProcA+0xbe
0012c9c0 7e42c1e9 00486f61 0001012a 7c8850e0 USER32!DefWindowProcA+0x6b
0012c9c4 00486f61 0001012a 7c8850e0 00150000 USER32!DefWindowProcA+0x6b
0012c9d8 7c913273 7c91328f 00150608 00b70098 image00400000+0x86f61
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0012c9f4 7c80fd57 7c80fd5f 7ca77cb1 00b7009c ntdll!RtlUnlockHeap+0x20
0012ca34 00562e74 00000000 0012fbe4 00483fe0 kernel32!GlobalFree+0x98
0012ca38 00000000 0012fbe4 00483fe0 0012fba8 image00400000+0x162e74
0:000> u eip
MSCTF!TF_CheckThreadInputIdle+0x10943:
747502b8 39bee0040000 cmp dword ptr [esi+4E0h],edi
747502be c745fc01000000 mov dword ptr [ebp-4],1
747502c5 7564 jne MSCTF!TF_CheckThreadInputIdle+0x109b6 (7475032b)
747502c7 53 push ebx
747502c8 57 push edi
747502c9 e8d3fdffff call MSCTF!TF_CheckThreadInputIdle+0x1072c (747500a1)
747502ce 39bec0040000 cmp dword ptr [esi+4C0h],edi
747502d4 8b9ecc040000 mov ebx,dword ptr [esi+4CCh]
0:000> r edi,esi
edi=00000000 esi=00000000
0:000> dd esi+4e0
000004e0 ???????? ???????? ???????? ????????
000004f0 ???????? ???????? ???????? ????????
00000500 ???????? ???????? ???????? ????????
00000510 ???????? ???????? ???????? ????????
00000520 ???????? ???????? ???????? ????????
00000530 ???????? ???????? ???????? ????????
00000540 ???????? ???????? ???????? ????????
00000550 ???????? ???????? ???????? ????????
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
(...)
FAULTING_IP:
MSCTF!TF_CheckThreadInputIdle+10943
747502b8 39bee0040000 cmp dword ptr [esi+4E0h],edi
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 747502b8 (MSCTF!TF_CheckThreadInputIdle+0x00010943)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: 000004e0
Attempt to read from address 000004e0
FAULTING_THREAD: 0000076c
PROCESS_NAME: image00400000
ADDITIONAL_DEBUG_TEXT:
Use '!findthebuild' command to search for the target build information.
If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: MSCTF
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 4802a12c
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: 000004e0
READ_ADDRESS: 000004e0
FOLLOWUP_IP:
MSCTF!TF_CheckThreadInputIdle+10943
747502b8 39bee0040000 cmp dword ptr [esi+4E0h],edi
MOD_LIST: <ANALYSIS/>
BUGCHECK_STR: APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: NULL_CLASS_PTR_DEREFERENCE
DEFAULT_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER: from 747381aa to 747502b8
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
0012c39c 747381aa 00000001 00000000 04090409 MSCTF!TF_CheckThreadInputIdle+0x10943
0012c3b4 74730cc2 00155d78 04090409 00000001 MSCTF!TF_CreateCicLoadMutex+0x11bf
0012c3d4 74730d39 04090409 00000008 000a0008 MSCTF!TF_UninitSystem+0x2e1
0012c3ec 74731303 00000008 004c012a 04090409 MSCTF!TF_UninitSystem+0x358
0012c42c 7e431923 00000008 004c012a 04090409 MSCTF!TF_UninitSystem+0x922
0012c460 7e42b317 000a0008 004c012a 04090409 USER32!UnhookWinEvent+0x77
0012c49c 7e430238 0012c4d0 04090409 0012c4e0 USER32!MoveWindow+0x79
0012c4c0 7c90e453 0012c4d0 00000018 000a0008 USER32!ScrollWindowEx+0xb1
0012c518 7e46b90e 004c012a 0d560119 00000001 ntdll!KiUserCallbackDispatcher+0x13
0012c534 7e46bdf2 004c012a 00000001 007beda8 USER32!IMPSetIMEA+0x40a
0012c788 7e46c8cf 00155f88 00000287 00000017 USER32!IMPSetIMEA+0x8ee
0012c7ac 7e46c97d 001e00f6 00000287 00000017 USER32!IMPSetIMEA+0x13cb
0012c7c8 7e418734 001e00f6 00000287 00000017 USER32!IMPSetIMEA+0x1479
0012c7f4 7e418816 7e46c95b 001e00f6 00000287 USER32!GetDC+0x6d
0012c85c 7e428ea0 00000000 7e46c95b 001e00f6 USER32!GetDC+0x14f
0012c8b0 7e428eec 007beda8 00000287 00000017 USER32!DefWindowProcW+0x180
0012c8d8 7c90e453 0012c8e8 00000018 007beda8 USER32!DefWindowProcW+0x1cc
0012c910 00481fd3 004c012a 00b7009c 7c927553 ntdll!KiUserCallbackDispatcher+0x13
0012c91c 7c927553 00150000 40000061 7c91003d image00400000+0x81fd3
0012c928 7c91003d 7c8850e0 00b70098 00179b50 ntdll!RtlOemStringToUnicodeString+0xee
0012c960 5ad8c2b1 5ad8c37b 00000000 00000000 ntdll!RtlFreeHeap+0x130
0012c988 7e42c23c 7e42c1e9 0012fb80 00483fe0 uxtheme!GetThemeAppProperties+0x50
0012c98c 7e42c1e9 0012fb80 00483fe0 00000084 USER32!DefWindowProcA+0xbe
0012c9c0 7e42c1e9 00486f61 0001012a 7c8850e0 USER32!DefWindowProcA+0x6b
0012c9c4 00486f61 0001012a 7c8850e0 00150000 USER32!DefWindowProcA+0x6b
0012c9d8 7c913273 7c91328f 00150608 00b70098 image00400000+0x86f61
0012c9f4 7c80fd57 7c80fd5f 7ca77cb1 00b7009c ntdll!RtlUnlockHeap+0x20
0012ca34 00562e74 00000000 0012fbe4 00483fe0 kernel32!GlobalFree+0x98
0012ca38 00000000 0012fbe4 00483fe0 0012fba8 image00400000+0x162e74
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: msctf!TF_CheckThreadInputIdle+10943
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: MSCTF.dll
STACK_COMMAND: ~0s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: NULL_CLASS_PTR_DEREFERENCE_c0000005_MSCTF.dll!TF_CheckThreadInputIdle
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/image00400000/4_4_2_0/56e13a3d/MSCTF_dll/5_1_2600_5512/4802a12c/c0000005/000302b8.htm?Retriage=1
Followup: MachineOwner
---------
0:000> !load winext\msec.dll
0:000> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4e0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:747502b8 cmp dword ptr [esi+4e0h],edi
Basic Block:
747502b8 cmp dword ptr [esi+4e0h],edi
Tainted Input operands: 'edi','esi'
747502be mov dword ptr [ebp-4],1
747502c5 jne msctf!tf_checkthreadinputidle+0x109b6 (7475032b)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x095d834e.0x20abba2a
Hash Usage : Stack Trace:
Major+Minor : MSCTF!TF_CheckThreadInputIdle+0x10943
Major+Minor : MSCTF!TF_CreateCicLoadMutex+0x11bf
Major+Minor : MSCTF!TF_UninitSystem+0x2e1
Major+Minor : MSCTF!TF_UninitSystem+0x358
Major+Minor : MSCTF!TF_UninitSystem+0x922
Minor : USER32!UnhookWinEvent+0x77
Minor : USER32!MoveWindow+0x79
Minor : USER32!ScrollWindowEx+0xb1
Minor : ntdll!KiUserCallbackDispatcher+0x13
Minor : USER32!IMPSetIMEA+0x40a
Minor : USER32!IMPSetIMEA+0x8ee
Minor : USER32!IMPSetIMEA+0x13cb
Minor : USER32!IMPSetIMEA+0x1479
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!DefWindowProcW+0x180
Minor : USER32!DefWindowProcW+0x1cc
Minor : ntdll!KiUserCallbackDispatcher+0x13
Minor : image00400000+0x81fd3
Minor : ntdll!RtlOemStringToUnicodeString+0xee
Excluded : ntdll!RtlFreeHeap+0x130
Minor : uxtheme!GetThemeAppProperties+0x50
Minor : USER32!DefWindowProcA+0xbe
Minor : USER32!DefWindowProcA+0x6b
Minor : USER32!DefWindowProcA+0x6b
Minor : image00400000+0x86f61
Excluded : ntdll!RtlUnlockHeap+0x20
Minor : kernel32!GlobalFree+0x98
Minor : image00400000+0x162e74
Instruction Address: 0x00000000747502b8
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at MSCTF!TF_CheckThreadInputIdle+0x0000000000010943 (Hash=0x095d834e.0x20abba2a)
This is a user mode read access violation near null, and is probably not exploitable.
0:000>
+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.
+---------------------------------------------------------------------------+
Cheers,
Cody
Brak komentarzy:
Prześlij komentarz