Found during fuzinng @10.07.2016. Details below:
TL;DR
0:001> g
ModLoad: 30000000 30f2a000 outlook.exe
(...)
(185c.12fc): Break instruction exception - code 80000003 (first chance)
eax=01376fec ebx=7ffdf000 ecx=00000005 edx=00000020 esi=0137afb0 edi=01376fec
eip=7c90120e esp=0013fb20 ebp=0013fc94 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
SYMSRV: c:\symbols&http://msdn.microsoft.com/download/symbols needs a downstream store
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
ntdll!DbgBreakPoint:
7c90120e cc int 3
1:001> g
ModLoad: 5cb70000 5cb96000 C:\WINDOWS\system32\ShimEng.dll
(185c.12fc): Unknown exception - code c0000142 (first chance)
(185c.12fc): Unknown exception - code c0000142 (!!! second chance !!!)
eax=0013fc54 ebx=00000000 ecx=0013fc80 edx=7c90e4f4 esi=7ffdf000 edi=c0000142
eip=7c96478e esp=0013fc54 ebp=0013fca4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlRaiseStatus+0x26:
7c96478e c9 leave
1:001> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013fca4 7c93f14e c0000142 0013fd30 01d1df45 ntdll!RtlRaiseStatus+0x26
0013fd1c 7c90e437 0013fd30 7c900000 00000000 ntdll!RtlDeleteAce+0x702d
00000000 00000000 00000000 00000000 00000000 ntdll!KiUserApcDispatcher+0x7
1:001> g
WARNING: Continuing a non-continuable exception
ModLoad: 39000000 3a1e0000 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll
(185c.12fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=3a05d754 ecx=00000000 edx=00000000 esi=00000000 edi=00140000
eip=77f159be esp=0013f468 ebp=0013f468 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\GDI32.dll -
GDI32!GdiFlush+0x31:
77f159be 80790a01 cmp byte ptr [ecx+0Ah],1 ds:0023:0000000a=??
1:001> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013f468 77f1eab6 00000000 00140000 00000000 GDI32!GdiFlush+0x31
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
0013f480 39002bb3 00000000 00000058 3900276c GDI32!CreateICA+0x2d
0013f498 39002b64 00000000 0013f4b8 39002b33 mso!Ordinal4171+0x7a
0013f4a4 39002b33 00000005 78542201 00000002 mso!Ordinal4171+0x2b
0013f4b8 3900272b 3900275c 39002804 00000000 mso!Ordinal10682+0x2b33
0013f4dc 3900261a 39000000 00000000 00000000 mso!Ordinal10682+0x272b
0013f520 390024f9 39000000 0013f544 39600d68 mso!Ordinal10682+0x261a
0013f52c 39600d68 39000000 00000001 00000000 mso!Ordinal10682+0x24f9
0013f544 7c90118a 39000000 00000001 00000000 mso!Ordinal999+0x39
0013f564 7c91c4da 39600d3c 39000000 00000001 ntdll!LdrInitializeThunk+0x24
0013f66c 7c916351 00000000 c0150008 00000000 ntdll!LdrFindResourceDirectory_U+0x28d
0013f918 7c9164b3 00000000 01208e68 0013fc0c ntdll!RtlValidateUnicodeString+0x507
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
0013fbc0 7c801bbd 01208e68 0013fc0c 0013fbec ntdll!LdrLoadDll+0x110
0013fc28 7c80aeec 0013fc58 00000000 00000000 kernel32!LoadLibraryExW+0xc8
*** ERROR: Symbol file could not be found. Defaulted to export symbols for outlook.exe -
0013fc3c 30003201 0013fc58 301a4180 00000000 kernel32!LoadLibraryW+0x11
0013fe68 3000312b 0013fe84 300030bc 300030c8 outlook+0x3201
0013fe70 300030bc 300030c8 00000001 00000001 outlook+0x312b
0013fe84 3000304b 00000001 0013fecc 30ce46f0 outlook+0x30bc
0013fe98 30002fe0 00000001 0013feac 00000000 outlook+0x304b
0013feb0 30003083 00000001 0013fecc 30d37808 outlook+0x2fe0
0013ff10 30002e9a 000002e0 30cee4dc 785bbad0 outlook+0x3083
0013ff38 30002073 300020cc 30002b2c 2bdd39b2 outlook+0x2e9a
0013ffc0 7c817067 578eee50 01d1df45 7ffdf000 outlook+0x2073
0013fff0 00000000 30001f08 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
1:001> r
eax=00000000 ebx=3a05d754 ecx=00000000 edx=00000000 esi=00000000 edi=00140000
eip=77f159be esp=0013f468 ebp=0013f468 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
GDI32!GdiFlush+0x31:
77f159be 80790a01 cmp byte ptr [ecx+0Ah],1 ds:0023:0000000a=??
1:001> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xa
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:77f159be cmp byte ptr [ecx+0ah],1
Basic Block:
77f159be cmp byte ptr [ecx+0ah],1
Tainted Input operands: 'ecx'
77f159c2 jne gdi32!gdiflush+0x57 (77f159e4)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x383920fd.0xa3900244
Hash Usage : Stack Trace:
Major+Minor : GDI32!GdiFlush+0x31
Major+Minor : GDI32!CreateICA+0x2d
Major+Minor : mso!Ordinal4171+0x7a
Major+Minor : mso!Ordinal4171+0x2b
Major+Minor : mso!Ordinal10682+0x2b33
Minor : mso!Ordinal10682+0x272b
Minor : mso!Ordinal10682+0x261a
Minor : mso!Ordinal10682+0x24f9
Minor : mso!Ordinal999+0x39
Minor : ntdll!LdrInitializeThunk+0x24
Minor : ntdll!LdrFindResourceDirectory_U+0x28d
Minor : ntdll!RtlValidateUnicodeString+0x507
Minor : ntdll!LdrLoadDll+0x110
Minor : kernel32!LoadLibraryExW+0xc8
Minor : kernel32!LoadLibraryW+0x11
Minor : outlook+0x3201
Minor : outlook+0x312b
Minor : outlook+0x30bc
Minor : outlook+0x304b
Minor : outlook+0x2fe0
Minor : outlook+0x3083
Minor : outlook+0x2e9a
Minor : outlook+0x2073
Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x0000000077f159be
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at GDI32!GdiFlush+0x0000000000000031 (Hash=0x383920fd.0xa3900244)
This is a user mode read access violation near null, and is probably not exploitable.
1:001> g
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
0013fea8 302e8774 c06d007e 00000000 00000001 kernel32!RaiseException+0x52
0013ff10 30002e9a 000002e0 0013fecc 785bbad0 outlook!HrProcessConvActionForSentItem+0x222e
0013ff38 30002073 300020cc 30002b2c 2bdd39b2 outlook+0x2e9a
0013ffc0 7c817067 578eee50 01d1df45 7ffdf000 outlook+0x2073
0013fff0 00000000 30001f08 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49
1:001> g
(185c.12fc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=30123fe9 edx=785bbad0 esi=300020d8 edi=30d37808
eip=00000000 esp=0013ff28 ebp=0013ff38 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
00000000 ?? ???
1:001> q
+---------------------------------------------------------------------------+
More: code610.blogspot.com
Or twitter @CodySixteen.
+---------------------------------------------------------------------------+
Cheers,
Cody
Brak komentarzy:
Prześlij komentarz