Tuesday, 16 January 2018

Fuzzing ArcSight 6.x - 01 - ArcSoloBug.exe

I think it is some kind of old, ancient exe 'still available' after the default installation... Anyway. A few details below. Maybe you will find it useful...

TL;DR:

---<cut>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: C:\Pliki\Soft\arg\Console_6.91\current\bin\util\win32\ArcSoloBug.exe C:\jupar.sbg
(...)
Executable search path is:
ModLoad: 00400000 00467000   SOLOBUG.EXE
(...)
(e4.65c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000001 ebx=009aa028 ecx=41414141 edx=7c90e514 esi=41414141 edi=009aa028
eip=00401b2c esp=0006fa40 ebp=0006fb88 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
SOLOBUG+0x1b2c:
00401b2c 8b4604          mov     eax,dword ptr [esi+4] ds:0023:41414145=????????

0:000> r;g;r;!exploitable -v;!analyze -v; u eip-2;u eip-1;u eip;r;kb;q
eax=00000001 ebx=009aa028 ecx=41414141 edx=7c90e514 esi=41414141 edi=009aa028
eip=00401b2c esp=0006fa40 ebp=0006fb88 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
SOLOBUG+0x1b2c:
00401b2c 8b4604          mov     eax,dword ptr [esi+4] ds:0023:41414145=????????

(e4.65c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000001 ebx=009aa028 ecx=41414141 edx=7c90e514 esi=41414141 edi=009aa028
eip=00401b2c esp=0006fa40 ebp=0006fb88 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
SOLOBUG+0x1b2c:
00401b2c 8b4604          mov     eax,dword ptr [esi+4] ds:0023:41414145=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x41414145
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00401b2c mov eax,dword ptr [esi+4]

Basic Block:
    00401b2c mov eax,dword ptr [esi+4]
       Tainted Input operands: 'esi'
    00401b2f test eax,eax
       Tainted Input operands: 'eax'
    00401b31 je solobug+0x1b42 (00401b42)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0xfd01422b.0xd00a8293

 Hash Usage : Stack Trace:
Major+Minor : SOLOBUG+0x1b2c
Major+Minor : SOLOBUG+0x3df0
Major+Minor : SOLOBUG+0x930e
Major+Minor : SOLOBUG+0x232dd
Major+Minor : kernel32!RegisterWaitForInputIdle+0x49
Instruction Address: 0x0000000000401b2c

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at SOLOBUG+0x0000000000001b2c (Hash=0xfd01422b.0xd00a8293)

The data from the faulting address is later used to determine whether or not a branch is taken.

---</cut>---
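An added example, not code from the original post and not ArcSight's own: a small Python triage helper that rebuilds the WinDbg session above as a headless cdb command line and parses the !exploitable report into the fields a fuzzing loop keys on (faulting address, tainted register, Exception Hash, classification, stack), then buckets crashes by hash so that many mutants hitting the same site are counted once. The cdb.exe flags, the presence of msec.dll (the !exploitable extension), the mutant file names and the second hash/verdict are assumptions; the parsed values come from the dump above.

```python
"""Crash triage helper for a cdb/WinDbg + !exploitable fuzzing loop.

Added example, not code from the original post or from ArcSight. It builds
the non-interactive debugger command line that reproduces the WinDbg session
above, parses the !exploitable report into the fields a triage pipeline keys
on, and buckets crashes by Exception Hash so repeated hits of one crash site
are not re-triaged by hand. Assumptions: cdb.exe (Debugging Tools for
Windows) is on PATH and msec.dll, the !exploitable extension, is loadable.
"""
import re
from collections import defaultdict

# Same command sequence the post typed into WinDbg. cdb -c runs it after the
# initial break: 'g' resumes the target and the rest fires on the crash.
TRIAGE_COMMANDS = "r;g;r;!exploitable -v;!analyze -v;u eip-2;u eip-1;u eip;r;kb;q"

# Sample report: the !exploitable section of the post, trimmed to the lines
# the parser uses (values are the post's; the layout is what msec.dll emits).
SAMPLE_REPORT = """\
!exploitable 1.6.0.0
Exception Faulting Address: 0x41414145
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:00401b2c mov eax,dword ptr [esi+4]

Basic Block:
    00401b2c mov eax,dword ptr [esi+4]
       Tainted Input operands: 'esi'
    00401b2f test eax,eax
       Tainted Input operands: 'eax'

Exception Hash (Major/Minor): 0xfd01422b.0xd00a8293

 Hash Usage : Stack Trace:
Major+Minor : SOLOBUG+0x1b2c
Major+Minor : SOLOBUG+0x3df0
Major+Minor : SOLOBUG+0x930e
Major+Minor : SOLOBUG+0x232dd
Major+Minor : kernel32!RegisterWaitForInputIdle+0x49

Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
"""

_FIELDS = {
    "faulting_address": r"Exception Faulting Address:\s*(0x[0-9a-fA-F]+)",
    "exception": r"Chance Exception Type:\s*(\w+)",
    "subtype": r"Exception Sub-Type:\s*(.+)",
    "instruction": r"Faulting Instruction:\s*[0-9a-fA-F]+\s+(.+)",
    "hash": r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-fA-F]+\.0x[0-9a-fA-F]+)",
    "short": r"Short Description:\s*(\S+)",
    "classification": r"Exploitability Classification:\s*(\S+)",
}
_FRAME = re.compile(r"^\s*(?:Major\+Minor|Major|Minor)\s*:\s*(\S+)", re.M)
_TAINT = re.compile(r"^\s*Tainted Input operands:\s*'([^']+)'", re.M)
# msec.dll's verdicts, most interesting first; anything else sorts last.
_RANK = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]


def build_cdb_cmdline(exe, testcase):
    """argv for one headless cdb run; -G stops cdb breaking when the target exits."""
    return ["cdb.exe", "-G", "-c", TRIAGE_COMMANDS, exe, testcase]


def parse_exploitable(report):
    """Pull the triage fields out of !exploitable -v output; missing ones are None."""
    info = {}
    for key, pattern in _FIELDS.items():
        m = re.search(pattern, report)
        info[key] = m.group(1).strip() if m else None
    info["stack"] = _FRAME.findall(report)
    # First tainted operand of the basic block: the register the fuzzed data reached.
    m = _TAINT.search(report)
    info["tainted"] = m.group(1) if m else None
    return info


def bucket_crashes(runs):
    """Group (testcase, report) pairs by Exception Hash, one bucket per crash site."""
    buckets = defaultdict(list)
    for testcase, report in runs:
        info = parse_exploitable(report)
        key = info["hash"] or "nohash:" + (info["instruction"] or "?")
        buckets[key].append((testcase, info["classification"]))
    return dict(buckets)


def triage_order(buckets):
    """Bucket keys sorted so the most promising classification is looked at first."""
    def best(entries):
        return min(_RANK.index(c) if c in _RANK else len(_RANK) for _, c in entries)
    return sorted(buckets, key=lambda key: best(buckets[key]))


# Constructed runs: the post's crash twice (two mutants, same site) and one
# made-up report with a different hash and verdict to show the ordering.
FAKE_HASH = "0x11111111.0x22222222"
SAMPLE_RUNS = [
    ("jupar.sbg", SAMPLE_REPORT),
    ("mut_0007.sbg", SAMPLE_REPORT),
    ("mut_0042.sbg", SAMPLE_REPORT.replace("0xfd01422b.0xd00a8293", FAKE_HASH)
                                  .replace("UNKNOWN", "EXPLOITABLE")),
]

if __name__ == "__main__":
    buckets = bucket_crashes(SAMPLE_RUNS)
    for key in triage_order(buckets):
        print(key, buckets[key])
```

Keying on the Major/Minor hash rather than on the faulting address matters here: with 'A's in the file the faulting address is whatever the mutated field happened to contain, so two mutants of the same site would otherwise look like two bugs. The UNKNOWN verdict for this crash is what !exploitable gives a read fault whose data only feeds a branch; it says nothing yet about whether the tainted pointer can be steered elsewhere.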

(*For now the PoC file will be available only on request.)

Enjoy.

o/

tbc...
