Last time when I was fuzzing I had a pleasure to find few bugs in one IBM product... This time you will find few similar bugs but for Adobe Photoshop CS3. Portable version is available somewhere online, so let's get to the details...
TL;DR - 3 crashes only (found 53 so far, but I need to check them too first;))
Below you will find the log from Windbg, here we go:
---<log>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: C:\Pliki\Adobe.Photoshop.CS3.Extended\photoshop.exe C:\sf_fc2a98f8a8428a9a6d5579c79a94fbd8-13002.ico
(...)
(69c.344): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=000003d8 ebx=7c812fc2 ecx=000000f6 edx=1001001c esi=00000000 edi=00a42090
eip=008cfa48 esp=0006db5c ebp=0006e0bc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
<Unloaded_l32.dll>+0x8cfa37:
008cfa48 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
2:006> r;!exploitable -v
eax=000003d8 ebx=7c812fc2 ecx=000000f6 edx=1001001c esi=00000000 edi=00a42090
eip=008cfa48 esp=0006db5c ebp=0006e0bc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
<Unloaded_l32.dll>+0x8cfa37:
008cfa48 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:008cfa48 rep movs dword ptr es:[edi],dword ptr [esi]
Exception Hash (Major/Minor): 0xbc57885c.0x0939aaa5
Hash Usage : Stack Trace:
Major+Minor : <Unloaded_l32.dll>+0x8cfa37
Major+Minor : <Unloaded_l32.dll>+0x8d1616
Major+Minor : ntdll!RtlAddRefActivationContext+0xe5
Major+Minor : kernel32!CreateRemoteThread+0x178
Major+Minor : image01000000+0x258d
Minor : kernel32!GetModuleHandleW+0x57
Minor : kernel32!GetModuleHandleW+0x16e
Minor : ntdll!bsearch+0x238
Minor : ntdll!RtlHashUnicodeString+0x164
Minor : ntdll!RtlFindActivationContextSectionString+0xdc
Minor : ntdll!RtlDosApplyFileIsolationRedirection_Ustr+0x3ac
Instruction Address: 0x00000000008cfa48
Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at <Unloaded_l32.dll>+0x00000000008cfa37 (Hash=0xbc57885c.0x0939aaa5)
This is a read access violation in a block data move, and is therefore classified as probably exploitable.
---</log>---
In case of any questions - you'll know how to find me.
Cheers
o/
Brak komentarzy:
Prześlij komentarz