WriteAV crash in ACECORE.DLL (Office 14) found during fuzzing on 14.01.2016. Details below.
TL;DR
Found: 14.01.2016
Crash: user mode write AV near NULL at ACECORE+0xd6f5c (mov dword ptr [edx],ecx with edx=0); !exploitable classifies it as UNKNOWN.
------------------------------------------------------------------------------------
Details below:
0:000> g
(...)
(69c.680): Unknown exception - code c004f012 (first chance)
(...)
ModLoad: 341f0000 3440a000 C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL
(...)
(69c.784): C++ EH exception - code e06d7363 (first chance)
(69c.784): Unknown exception - code e0000002 (first chance)
(69c.784): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=27ca0e9c ebx=00000000 ecx=00000000 edx=00000000 esi=27ca0014 edi=000000fc
eip=342c6f5c esp=0013aae0 ebp=0013ab6c iopl=0 nv up ei ng nz ac po cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010293
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL
ACECORE+0xd6f5c:
342c6f5c 890a mov dword ptr [edx],ecx ds:0023:00000000=????????
0:000> ub eip
ACECORE+0xd6f41:
342c6f41 e87478f8ff call ACECORE+0x5e7ba (3424e7ba)
342c6f46 8b4640 mov eax,dword ptr [esi+40h]
342c6f49 eb16 jmp ACECORE+0xd6f61 (342c6f61)
342c6f4b 8b08 mov ecx,dword ptr [eax]
342c6f4d 83f908 cmp ecx,8
342c6f50 740c je ACECORE+0xd6f5e (342c6f5e)
342c6f52 8b5004 mov edx,dword ptr [eax+4]
342c6f55 8b0c8d04712c34 mov ecx,dword ptr ACECORE+0xd7104 (342c7104)[ecx*4]
0:000> u eip
ACECORE+0xd6f5c:
342c6f5c 890a mov dword ptr [edx],ecx
342c6f5e 8b4008 mov eax,dword ptr [eax+8]
342c6f61 3bc3 cmp eax,ebx
342c6f63 75e6 jne ACECORE+0xd6f4b (342c6f4b)
342c6f65 53 push ebx
342c6f66 ff753c push dword ptr [ebp+3Ch]
342c6f69 e826be0800 call ACECORE+0x162d94 (34352d94)
342c6f6e 8bf8 mov edi,eax
0:000> r ecx,edx
ecx=00000000 edx=00000000
0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:342c6f5c mov dword ptr [edx],ecx
Basic Block:
342c6f5c mov dword ptr [edx],ecx
Tainted Input operands: 'ecx','edx'
342c6f5e mov eax,dword ptr [eax+8]
342c6f61 cmp eax,ebx
342c6f63 jne acecore+0xd6f4b (342c6f4b)
Exception Hash (Major/Minor): 0x13fc3498.0x7cd2e0cd
Hash Usage : Stack Trace:
Major+Minor : ACECORE+0xd6f5c
Instruction Address: 0x00000000342c6f5c
Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at ACECORE+0x00000000000d6f5c (Hash=0x13fc3498.0x7cd2e0cd)
User mode write access violations that are near NULL are unknown.
0:000> q
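Reading the ub/u output above: the faulting instruction sits in a loop that walks a linked list starting at [esi+40h]. For each node it loads a kind from [eax], skips the store when the kind is 8, otherwise loads a destination pointer from [eax+4] into edx, looks up a dword at ACECORE+0xd7104[kind*4] into ecx, and stores it through edx; [eax+8] is the next pointer and the loop ends when it equals ebx (0). In the dump the destination pointer is NULL, so the store faults at address 0. The C below is an added reconstruction of that loop (not Office code and not from the original post): the struct field names, the table contents and the sample list are assumptions built from the disassembly, and the crash is modelled as a node whose destination pointer is NULL. It shows a fault-free check that mirrors the original walk and a hardened walk that refuses the NULL store and the out-of-range table read.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed layout of one list node, read off the disassembly:
 *   [eax]   -> kind   (cmp ecx,8 / je skips the store for kind 8)
 *   [eax+4] -> dest   (loaded into edx, then written through)
 *   [eax+8] -> next   (loaded into eax; loop ends when eax == ebx == 0) */
typedef struct node {
    uint32_t     kind;
    uint32_t    *dest;
    struct node *next;
} node_t;

/* Stand-in for the dword table at ACECORE+0xd7104 (indexed by kind*4).
 * The real contents are not on the page; these values are constructed. */
#define KIND_TABLE_LEN 16
static const uint32_t kind_table[KIND_TABLE_LEN] = {
    0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77,
    0x88, 0x99, 0xaa, 0xbb, 0xcc, 0xdd, 0xee, 0xff
};

/* Mirrors the original loop without touching memory: returns the index of
 * the first node whose store would fault (kind != 8 and dest == NULL),
 * which is the state in the dump (edx == 0), or -1 if the walk is clean. */
static int first_faulting_node(const node_t *n) {
    int i = 0;
    for (; n != NULL; n = n->next, i++) {
        if (n->kind == 8)
            continue;                    /* je ACECORE+0xd6f5e: skip the store */
        if (n->dest == NULL)
            return i;                    /* mov dword ptr [edx],ecx with edx == 0 */
    }
    return -1;
}

/* Hardened walk: same semantics as the original, but refuses the NULL
 * store and the out-of-range table read. Returns the number of stores. */
static int walk_checked(node_t *n) {
    int stored = 0;
    for (; n != NULL; n = n->next) {
        if (n->kind == 8)
            continue;
        if (n->dest == NULL || n->kind >= KIND_TABLE_LEN)
            continue;                    /* would be the write AV / OOB read */
        *n->dest = kind_table[n->kind];  /* the original mov [edx],ecx */
        stored++;
    }
    return stored;
}

/* Constructed sample list reproducing the crash shape:
 * node 0 stores normally, node 1 is skipped by kind 8, node 2 has dest NULL. */
static uint32_t slot_a;
static node_t n2 = { 3, NULL,    NULL };
static node_t n1 = { 8, NULL,    &n2  };
static node_t n0 = { 2, &slot_a, &n1  };

static node_t *sample_list(void) {
    slot_a = 0;
    return &n0;
}

int main(void) {
    node_t *head = sample_list();
    printf("first faulting node: %d\n", first_faulting_node(head));
    printf("stores performed   : %d (slot_a=0x%x)\n", walk_checked(head), slot_a);
    return 0;
}
```

The check mirrors what !exploitable reports: the fault is a store to exactly 0, not NULL plus an attacker-chosen offset, and the value stored (ecx) comes from a fixed table rather than from the input, which is why a write AV near NULL is left as UNKNOWN until the origin of the NULL [eax+4] field is traced further back.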
+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.
+---------------------------------------------------------------------------+
Cheers,
Cody