Found on 16.08.2017. Maybe you will find it useful.
Below you will find 3 bugs:
- ReadAV - nnotes!Cmovmem+0x1c3
- WriteAVNearNull - nnotes!NSFDbOpenExtended6+0x3d6d
- ReadAV - nnotes!Cmovmem+0x1c3
TL;DR
Details for the Cmovmem() crash are below:
Hi
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\IBM\Notes\notes.exe" C:\sf_879c13ad4eba231d656b7fa10f2487b5-1490.ntf
(...)
Executable search path is:
ModLoad: 010e0000 012c3000 notes.exe
(...)
(12c4.1450): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00c01574 ebx=b9a29d14 ecx=b9a29d18 edx=b9a29d28 esi=00000014 edi=001636e8
eip=63b11be3 esp=00162e5c ebp=00162e68 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010287
nnotes!Cmovmem+0x1c3:
63b11be3 8b33 mov esi,dword ptr [ebx] ds:0023:b9a29d14=????????
1:001>
eax=00c01574 ebx=b9a29d14 ecx=b9a29d18 edx=b9a29d28 esi=00000014 edi=001636e8
eip=63b11be3 esp=00162e5c ebp=00162e68 iopl=0 nv up ei ng nz na pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010287
nnotes!Cmovmem+0x1c3:
63b11be3 8b33 mov esi,dword ptr [ebx] ds:0023:b9a29d14=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffb9a29d14
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:63b11be3 mov esi,dword ptr [ebx]
Basic Block:
63b11be3 mov esi,dword ptr [ebx]
Tainted Input operands: 'ebx'
63b11be5 mov ebx,ecx
63b11be7 mov dword ptr [eax],esi
Tainted Input operands: 'esi'
63b11be9 lea ecx,[ebx+4]
63b11bec add eax,4
63b11bef cmp ecx,edx
63b11bf1 jbe nnotes!cmovmem+0x1c3 (63b11be3)
Exception Hash (Major/Minor): 0x3ada1574.0x3c31aa8e
Hash Usage : Stack Trace:
Major+Minor : nnotes!Cmovmem+0x1c3
Major+Minor : nnotes!ODSReadMemory+0x74
Major+Minor : nnotes!DbDumpSuperBlocks+0x21fd
Major+Minor : nnotes!DbSuperBlockRead+0x450
Major+Minor : nnotes!NSFDumpSuperBlock+0x29df
Minor : nnotes!DbSuperBlockRead+0x6d
Minor : nnotes!NSFNoteIsSignedOrSealed+0x29ac
Minor : nnotes!NSFDbOpenExtended6+0x6d84
Minor : nnotes!NSFDbOpenExtended3+0x47
Minor : nnotes!NSFDbOpenExtended2+0x36
Minor : nnotesws!NEMPostStatus+0x14b90
Minor : nnotesws!DocumentModalEdit+0x44e32
Minor : nnotesws!DocumentModalEdit+0x9a54
Minor : nnotesws!NEMGetWindowLong+0x775
Minor : nnotesws+0x513d
Minor : USER32!IsThreadDesktopComposited+0x11f
Minor : USER32!IsThreadDesktopComposited+0x2a6
Minor : USER32!IsThreadDesktopComposited+0x3e5
Minor : USER32!DispatchMessageW+0xf
Minor : nnotesws!NEMMainLoop+0x4a4
Minor : nlnotes+0x1f90
Minor : nlnotes+0x2fa4
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000063b11be3
Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at nnotes!Cmovmem+0x00000000000001c3 (Hash=0x3ada1574.0x3c31aa8e)
> u eip-2
nnotes!Cmovmem+0x1c1:
63b11be1 7710 ja nnotes!Cmovmem+0x1d3 (63b11bf3)
63b11be3 8b33 mov esi,dword ptr [ebx]
63b11be5 8bd9 mov ebx,ecx
63b11be7 8930 mov dword ptr [eax],esi
63b11be9 8d4b04 lea ecx,[ebx+4]
63b11bec 83c004 add eax,4
63b11bef 3bca cmp ecx,edx
63b11bf1 76f0 jbe nnotes!Cmovmem+0x1c3 (63b11be3)
> u eip-1
nnotes!Cmovmem+0x1c2:
63b11be2 108b338bd989 adc byte ptr [ebx-762674CDh],cl
63b11be8 308d4b0483c0 xor byte ptr [ebp-3F7CFBB5h],cl
63b11bee 043b add al,3Bh
63b11bf0 ca76f0 retf 0F076h
63b11bf3 3bda cmp ebx,edx
63b11bf5 0f8333ffffff jae nnotes!Cmovmem+0x10e (63b11b2e)
63b11bfb 8bf3 mov esi,ebx
63b11bfd 8d4900 lea ecx,[ecx]
> u eip
nnotes!Cmovmem+0x1c3:
63b11be3 8b33 mov esi,dword ptr [ebx]
63b11be5 8bd9 mov ebx,ecx
63b11be7 8930 mov dword ptr [eax],esi
63b11be9 8d4b04 lea ecx,[ebx+4]
63b11bec 83c004 add eax,4
63b11bef 3bca cmp ecx,edx
63b11bf1 76f0 jbe nnotes!Cmovmem+0x1c3 (63b11be3)
63b11bf3 3bda cmp ebx,edx
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
FAULTING_IP:
nnotes!Cmovmem+1c3
63b11be3 8b33 mov esi,dword ptr [ebx]
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 63b11be3 (nnotes!Cmovmem+0x000001c3)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 00000000
Parameter[1]: b9a29d14
Attempt to read from address b9a29d14
FAULTING_THREAD: 00001450
PROCESS_NAME: nlnotes.exe
MODULE_NAME: nnotes
FAULTING_MODULE: 773b0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 525ce30c
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1: 00000000
EXCEPTION_PARAMETER2: b9a29d14
READ_ADDRESS: b9a29d14
FOLLOWUP_IP:
nnotes!Cmovmem+1c3
63b11be3 8b33 mov esi,dword ptr [ebx]
BUGCHECK_STR: APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: INVALID_POINTER_READ
DEFAULT_BUCKET_ID: INVALID_POINTER_READ
LAST_CONTROL_TRANSFER: from 63b14b34 to 63b11be3
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
00162e68 63b14b34 b9a29d54 00c01574 00000014 nnotes!Cmovmem+0x1c3
00162e84 64507cad 001636e8 0000002f 00c01574 nnotes!ODSReadMemory+0x74
00162ec0 63bf1a60 068467b0 001636f4 001633b0 nnotes!DbDumpSuperBlocks+0x21fd
0016304c 6450cebf 00166b30 001636f4 001633b0 nnotes!DbSuperBlockRead+0x450
00163868 63bf167d 00166b30 00000000 00000000 nnotes!NSFDumpSuperBlock+0x29df
00163888 63bf749c 00166b30 00000000 00000000 nnotes!DbSuperBlockRead+0x6d
00163a6c 64652c64 00166b30 05855524 00166e4c nnotes!NSFNoteIsSignedOrSealed+0x29ac
00166bc8 63b4db77 05855524 00006002 00000000 nnotes!NSFDbOpenExtended6+0x6d84
00166cb4 63bc4366 05855524 00006002 00000000 nnotes!NSFDbOpenExtended3+0x47
00166cec 616c87d0 05855524 00006002 00000000 nnotes!NSFDbOpenExtended2+0x36
00166e44 61c5e7b2 00000000 0016744c 00000000 nnotesws!NEMPostStatus+0x14b90
0016730c 61c233d4 0585006a 0000006e 0016744c nnotesws!DocumentModalEdit+0x44e32
00167450 61665be5 009a8618 00e7095a 00168ea4 nnotesws!DocumentModalEdit+0x9a54
00168a44 6166513d 009a8618 00000113 000003ef nnotesws!NEMGetWindowLong+0x775
00168ea8 76be86ef 00e7095a 00000113 000003ef nnotesws+0x513d
00168ed4 76be8876 61662f50 00e7095a 00000113 USER32!IsThreadDesktopComposited+0x11f
00168f4c 76be89b5 00000000 61662f50 00e7095a USER32!IsThreadDesktopComposited+0x2a6
00168fac 76be8e9c 61662f50 00000000 00168ff8 USER32!IsThreadDesktopComposited+0x3e5
00168fbc 61700574 00168fd4 61660000 76be7756 USER32!DispatchMessageW+0xf
00168ff8 01091f90 010913b0 01097c50 003321bd nnotesws!NEMMainLoop+0x4a4
0016f76c 01092fa4 01090000 00000000 00000001 nlnotes+0x1f90
0016f800 76d21174 7ffde000 0016f84c 7740b3f5 nlnotes+0x2fa4
0016f80c 7740b3f5 7ffde000 77021f65 00000000 kernel32!BaseThreadInitThunk+0x12
0016f84c 7740b3c8 010930e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0016f864 00000000 010930e7 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x36
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: nnotes!Cmovmem+1c3
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: nnotes.dll
STACK_COMMAND: ~1s ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: INVALID_POINTER_READ_c0000005_nnotes.dll!Cmovmem
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/nlnotes_exe/9_0_10_13287/525ce2dd/nnotes_dll/9_0_10_13287/525ce30c/c0000005/00001be3.htm?Retriage=1
Followup: MachineOwner
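The faulting basic block above is a plain dword copy loop: ebx walks the source, eax the destination, and the loop keeps going while the next source pointer (ecx) is at or below an end pointer held in edx. The crash happens when that end pointer lies beyond the memory that is actually mapped, with the call chain (ODSReadMemory, DbSuperBlockRead) suggesting the bound is computed from something read out of the .ntf. The following C model is an added example, not code from the post or from IBM Notes; the structure and function names (mapped_file_t, copy_record_unchecked, copy_record_checked, demo) are hypothetical, and the assumption that a file-supplied length feeds the loop bound is mine, not something the crash dump proves. Memory reads go through read_dword(), which emulates the access violation instead of dereferencing out of bounds, so the example runs safely and shows the unchecked loop beside the hardened one.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of a mapped file image (hypothetical, not a Notes type). */
typedef struct {
    const uint8_t *base;   /* start of the mapped image */
    size_t         size;   /* bytes actually mapped */
} mapped_file_t;

/* Emulated memory read: returns 0 (our stand-in for the access violation)
 * instead of dereferencing outside the mapped image. */
static int read_dword(const mapped_file_t *f, size_t off, uint32_t *out) {
    if (off > f->size || f->size - off < 4)
        return 0;                        /* would fault, like "mov esi,[ebx]" */
    memcpy(out, f->base + off, 4);
    return 1;
}

typedef struct {
    size_t dwords_copied;  /* how far the loop got */
    int    faulted;        /* 1 if the loop ran off the end of the image */
    int    rejected;       /* 1 if a bounds check refused the record up front */
} copy_result_t;

/* Vulnerable form (assumed pattern): the record's length field is read from
 * the file and used as the loop bound (edx) with no check against the bytes
 * that remain in the image. The dst_dwords cap only protects this example's
 * own destination buffer; it does nothing for the source reads. */
static copy_result_t copy_record_unchecked(const mapped_file_t *f, size_t rec_off,
                                           uint32_t *dst, size_t dst_dwords) {
    copy_result_t r = {0, 0, 0};
    uint32_t len;
    if (!read_dword(f, rec_off, &len)) { r.faulted = 1; return r; }
    size_t src = rec_off + 4;            /* ebx: first body dword */
    size_t end = src + len;              /* edx: derived from the untrusted len */
    while (src + 4 <= end && r.dwords_copied < dst_dwords) {   /* cmp ecx,edx / jbe */
        uint32_t v;
        if (!read_dword(f, src, &v)) { r.faulted = 1; return r; }
        dst[r.dwords_copied++] = v;
        src += 4;
    }
    return r;
}

/* Hardened form: validate len against what remains after the header, and
 * against the destination, before any copy. Every length taken from the file
 * needs the same treatment. */
static copy_result_t copy_record_checked(const mapped_file_t *f, size_t rec_off,
                                         uint32_t *dst, size_t dst_dwords) {
    copy_result_t r = {0, 0, 0};
    uint32_t len;
    if (!read_dword(f, rec_off, &len)) { r.rejected = 1; return r; }
    size_t remaining = f->size - (rec_off + 4);   /* safe: read_dword proved rec_off+4 <= size */
    if (len > remaining || len / 4 > dst_dwords) {
        r.rejected = 1;                  /* refuse the record instead of trusting len */
        return r;
    }
    return copy_record_unchecked(f, rec_off, dst, dst_dwords);   /* now provably in bounds */
}

#define IMAGE_SIZE 32
#define REC_OFF    8    /* where the constructed record starts in the image */

/* Build a constructed 32-byte image with one record at REC_OFF whose length
 * field is 'len', then run the unchecked (0) or checked (1) copy over it. */
copy_result_t demo(uint32_t len, int use_checked) {
    uint8_t  image[IMAGE_SIZE];
    uint32_t dst[16] = {0};
    for (size_t i = 0; i < IMAGE_SIZE; i++) image[i] = (uint8_t)(0x41 + i);  /* filler body */
    memcpy(image + REC_OFF, &len, 4);    /* header: the untrusted length field */
    mapped_file_t f = { image, IMAGE_SIZE };
    return use_checked ? copy_record_checked(&f, REC_OFF, dst, 16)
                       : copy_record_unchecked(&f, REC_OFF, dst, 16);
}

int main(void) {
    copy_result_t good  = demo(8, 0);              /* well-formed: 2 dwords of body */
    copy_result_t crash = demo(0x40000000u, 0);    /* fuzzed length, no check */
    copy_result_t safe  = demo(0x40000000u, 1);    /* fuzzed length, checked */
    printf("well-formed record: %zu dwords copied\n", good.dwords_copied);
    printf("fuzzed length, unchecked: faulted=%d after %zu dwords\n",
           crash.faulted, crash.dwords_copied);
    printf("fuzzed length, checked:   rejected=%d\n", safe.rejected);
    return 0;
}
```

With the fuzzed length the unchecked loop copies the five dwords that are still inside the 32-byte image and then faults on the sixth read, which is the same shape as the first-chance read AV in the dump; the checked variant never starts the copy. When triaging a crash like this one, the question to answer from the disassembly is exactly which register holds the bound and where its value was loaded from, since that is where the missing check belongs.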
---------
More:
>> https://code610.blogspot.com
>> https://twitter.com/CodySixteen
Cheers