niedziela, 17 lipca 2016

MS Access 2010 - WriteAV Crash

WriteAV crash found during fuzzin at 14.01.2016. Details below.


Found 14.01.2016
Details below:

0:000> g
(69c.680): Unknown exception - code c004f012 (first chance)
ModLoad: 341f0000 3440a000   C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL
(69c.784): C++ EH exception - code e06d7363 (first chance)
(69c.784): Unknown exception - code e0000002 (first chance)
(69c.784): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=27ca0e9c ebx=00000000 ecx=00000000 edx=00000000 esi=27ca0014 edi=000000fc
eip=342c6f5c esp=0013aae0 ebp=0013ab6c iopl=0         nv up ei ng nz ac po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010293
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\Common Files\Microsoft Shared\OFFICE14\ACECORE.DLL
342c6f5c 890a            mov     dword ptr [edx],ecx  ds:0023:00000000=????????

0:000> ub eip
342c6f41 e87478f8ff      call    ACECORE+0x5e7ba (3424e7ba)
342c6f46 8b4640          mov     eax,dword ptr [esi+40h]
342c6f49 eb16            jmp     ACECORE+0xd6f61 (342c6f61)
342c6f4b 8b08            mov     ecx,dword ptr [eax]
342c6f4d 83f908          cmp     ecx,8
342c6f50 740c            je      ACECORE+0xd6f5e (342c6f5e)
342c6f52 8b5004          mov     edx,dword ptr [eax+4]
342c6f55 8b0c8d04712c34  mov     ecx,dword ptr ACECORE+0xd7104 (342c7104)[ecx*4]

0:000> u eip
342c6f5c 890a            mov     dword ptr [edx],ecx
342c6f5e 8b4008          mov     eax,dword ptr [eax+8]
342c6f61 3bc3            cmp     eax,ebx
342c6f63 75e6            jne     ACECORE+0xd6f4b (342c6f4b)
342c6f65 53              push    ebx
342c6f66 ff753c          push    dword ptr [ebp+3Ch]
342c6f69 e826be0800      call    ACECORE+0x162d94 (34352d94)
342c6f6e 8bf8            mov     edi,eax

0:000> r ecx,edx
ecx=00000000 edx=00000000

0:000> !load winext\msec.dll;!exploitable -v

Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:342c6f5c mov dword ptr [edx],ecx

Basic Block:
    342c6f5c mov dword ptr [edx],ecx
       Tainted Input operands: 'ecx','edx'
    342c6f5e mov eax,dword ptr [eax+8]
    342c6f61 cmp eax,ebx
    342c6f63 jne acecore+0xd6f4b (342c6f4b)

Exception Hash (Major/Minor): 0x13fc3498.0x7cd2e0cd

 Hash Usage : Stack Trace:
Major+Minor : ACECORE+0xd6f5c
Instruction Address: 0x00000000342c6f5c

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at ACECORE+0x00000000000d6f5c (Hash=0x13fc3498.0x7cd2e0cd)

User mode write access violations that are near NULL are unknown.

0:000> q

Or twitter @CodySixteen.


Brak komentarzy:

Prześlij komentarz