Monday, 25 June 2018

Fiddler Bug - case 01

One day I started Fiddler in a different way than usual. Below you will find a few notes about it... ;]

TL;DR

For now it looks like this: Fiddler.exe started under WinDbg with a .saz file as its only argument dies with a read access violation inside System.Xml. The faulting instruction is mov eax,dword ptr [ebx+8] with ebx=0, so the read is from address 0x8, a plain NULL-pointer dereference, and !exploitable rates it PROBABLY_NOT_EXPLOITABLE. Keep in mind this is a first-chance exception: in a managed process the CLR normally turns a near-NULL access violation into a NullReferenceException, so whether it ends as a crash or only as an unhandled-exception dialog depends on whether Fiddler catches it further up the stack.


---<log>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Fiddler2\Fiddler.exe" C:\sf_29580c56785a6b4c4567593e1bc04acf-148.saz
(...)
Executable search path is:
ModLoad: 00a20000 00b4c000   Fiddler.exe
(...)
(f18.458): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=0018eaf8 edx=0018eaf8 esi=0018eaf8 edi=0018eb2c
eip=66816e1d esp=0018eae0 ebp=0018eaec iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
System_Xml_ni+0x376e1d:
66816e1d 8b4308          mov     eax,dword ptr [ebx+8] ds:0023:00000008=????????

0:000> r;!exploitable -v
eax=00000000 ebx=00000000 ecx=0018eaf8 edx=0018eaf8 esi=0018eaf8 edi=0018eb2c
eip=66816e1d esp=0018eae0 ebp=0018eaec iopl=0         nv up ei ng nz na po cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010283
System_Xml_ni+0x376e1d:
66816e1d 8b4308          mov     eax,dword ptr [ebx+8] ds:0023:00000008=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x8
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:66816e1d mov eax,dword ptr [ebx+8]

Basic Block:
    66816e1d mov eax,dword ptr [ebx+8]
       Tainted Input operands: 'ebx'
    66816e20 mov dword ptr [esi+30h],eax
       Tainted Input operands: 'eax'
    66816e23 xor edi,edi
    66816e25 jmp system_xml_ni+0x376e2a (66816e2a)

Exception Hash (Major/Minor): 0x08019e4b.0x36ab9251

 Hash Usage : Stack Trace:
Major+Minor : System_Xml_ni+0x376e1d
Major+Minor : System_Xml_ni+0x374f51
Major+Minor : System_Xml_ni+0x2aa0db
Major+Minor : Fiddler_ni+0x18fa46
Major+Minor : Fiddler_ni+0x1d7417
Minor       : Fiddler_ni+0x1d428b
Minor       : Fiddler_ni+0x1ca009
Minor       : Fiddler_ni+0x1c524f
Minor       : System_Windows_Forms_ni+0x2044a5
Minor       : System_Windows_Forms_ni+0x203f45
Minor       : System_Windows_Forms_ni+0x1f6b71
Minor       : System_Windows_Forms_ni+0x1f6974
Minor       : System_Windows_Forms_ni+0x202e08
Minor       : System_Windows_Forms_ni+0x1f8766
Minor       : System_Windows_Forms_ni+0x201baa
Minor       : System_Windows_Forms_ni+0x201b60
Minor       : System_Windows_Forms_ni+0x202d51
Minor       : System_Windows_Forms_ni+0x201934
Minor       : Fiddler_ni+0x1cdcdf
Minor       : System_Windows_Forms_ni+0x1f84a0
Minor       : System_Windows_Forms_ni+0x1f8421
Minor       : System_Windows_Forms_ni+0x1f82fa
Minor       : USER32!IsThreadDesktopComposited+0x11f
Minor       : USER32!IsThreadDesktopComposited+0x2a6
Minor       : USER32!InflateRect+0x74
Minor       : USER32!DefWindowProcW+0x144
Minor       : ntdll!KiUserCallbackDispatcher+0x2e
Minor       : System_Windows_Forms_ni+0x1f5ce3
Minor       : System_Windows_Forms_ni+0x2011d7
Minor       : System_Windows_Forms_ni+0x1f4251
Minor       : System_Windows_Forms_ni+0x2086c8
Minor       : System_Windows_Forms_ni+0x2085a1
Minor       : System_Windows_Forms_ni+0x1c5911
Minor       : Fiddler_ni+0x1daa8b
Minor       : Fiddler_ni+0x1dabfb
Excluded    : mscorwks+0x1b6c
Minor       : mscorwks!LogHelp_NoGuiOnAssert+0x61ad
Minor       : mscorwks!CoUninitializeEE+0x2ea9
Minor       : mscorwks!CoUninitializeEE+0x2edc
Minor       : mscorwks!CoUninitializeEE+0x2efa
Minor       : mscorwks!GetPrivateContextsPerfCounters+0xf546
Minor       : mscorwks!GetPrivateContextsPerfCounters+0xf466
Minor       : mscorwks!GetPrivateContextsPerfCounters+0xf9b6
Minor       : mscorwks!CorExeMain+0x168
Minor       : mscorwks!CorExeMain+0x98
Minor       : MSCOREE!CorExeMain+0x34
Minor       : KERNEL32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000066816e1d

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at System_Xml_ni+0x0000000000376e1d (Hash=0x08019e4b.0x36ab9251)

This is a user mode read access violation near null, and is probably not exploitable.
---</log>---
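A report like the one above is what a fuzzing run over .saz files produces by the hundreds, and the useful next step is to deduplicate them by the !exploitable Exception Hash and sort the buckets by classification. The script below is an added example and is not code from the original post or from Fiddler; it parses the fields shown in the log above (the Fiddler report is an abbreviated copy of that log, the other two reports are constructed) and buckets crashes by their Major hash. The 64 KiB near-NULL threshold is an assumption of the example, matching the reserved first 64 KiB of a Windows user-mode address space.

```python
"""Triage helper for WinDbg !exploitable reports (added example, not from the post)."""
import re
from collections import defaultdict

# Abbreviated copy of the report in the log above (the Fiddler .saz crash).
REPORT_FIDDLER = """\
Exception Faulting Address: 0x8
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:66816e1d mov eax,dword ptr [ebx+8]

Basic Block:
    66816e1d mov eax,dword ptr [ebx+8]
       Tainted Input operands: 'ebx'
    66816e20 mov dword ptr [esi+30h],eax
       Tainted Input operands: 'eax'

Exception Hash (Major/Minor): 0x08019e4b.0x36ab9251

 Hash Usage : Stack Trace:
Major+Minor : System_Xml_ni+0x376e1d
Major+Minor : System_Xml_ni+0x374f51
Major+Minor : System_Xml_ni+0x2aa0db
Major+Minor : Fiddler_ni+0x18fa46
Major+Minor : Fiddler_ni+0x1d7417
Minor       : Fiddler_ni+0x1d428b
Excluded    : mscorwks+0x1b6c

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
"""

# Constructed: a second test case hitting the same bug (same Major hash, new Minor).
REPORT_DUPLICATE = REPORT_FIDDLER.replace("0x36ab9251", "0x11111111")

# Constructed: an unrelated crash with a different site and classification.
REPORT_OTHER = """\
Exception Faulting Address: 0x41414141
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:00401000 mov dword ptr [eax],ecx

Basic Block:
    00401000 mov dword ptr [eax],ecx
       Tainted Input operands: 'eax','ecx'

Exception Hash (Major/Minor): 0xdeadbeef.0xcafebabe

 Hash Usage : Stack Trace:
Major+Minor : example_ni+0x1000
Minor       : example_ni+0x2000

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
"""

NEAR_NULL_LIMIT = 0x10000  # assumed: first 64 KiB of user space is never mapped on Windows


def is_near_null(address):
    """True when the faulting address falls inside the unmapped NULL region."""
    return address is not None and int(address, 16) < NEAR_NULL_LIMIT


def parse_report(text):
    """Return the triage-relevant fields of one !exploitable report as a dict."""
    def field(label):
        m = re.search(r"^" + re.escape(label) + r":\s*(.+?)\s*$", text, re.M)
        return m.group(1) if m else None

    h = re.search(r"Exception Hash \(Major/Minor\): (0x[0-9a-f]+)\.(0x[0-9a-f]+)", text)
    major, minor = (h.group(1), h.group(2)) if h else (None, None)
    # Frames marked Major+Minor are the ones that define the bug's identity.
    major_frames = re.findall(r"^Major\+Minor\s*:\s*(\S+)", text, re.M)
    # Registers !exploitable traced back to input. A tainted base register
    # together with a near-NULL address points at a missing NULL check rather
    # than attacker-controlled pointer arithmetic.
    tainted = set()
    for ops in re.findall(r"Tainted Input operands:\s*(.+)", text):
        tainted.update(op.strip(" '") for op in ops.split(","))
    addr = field("Exception Faulting Address")
    return {
        "major": major, "minor": minor,
        "classification": field("Exploitability Classification"),
        "short": field("Short Description"),
        "fault_address": addr, "near_null": is_near_null(addr),
        "instruction": field("Faulting Instruction"),
        "top_frame": major_frames[0] if major_frames else None,
        "major_frames": major_frames, "tainted": sorted(tainted),
    }


def bucket_by_major(reports):
    """Group parsed reports by Major hash; one bucket is one distinct bug."""
    buckets = defaultdict(list)
    for r in reports:
        buckets[r["major"]].append(r)
    return dict(buckets)


def triage_order(buckets):
    """Bucket keys sorted most interesting first, by !exploitable classification."""
    rank = {"EXPLOITABLE": 0, "PROBABLY_EXPLOITABLE": 1, "UNKNOWN": 2, "PROBABLY_NOT_EXPLOITABLE": 3}
    return sorted(buckets, key=lambda k: (rank.get(buckets[k][0]["classification"], 4), k))


if __name__ == "__main__":
    reports = [parse_report(t) for t in (REPORT_FIDDLER, REPORT_DUPLICATE, REPORT_OTHER)]
    buckets = bucket_by_major(reports)
    for key in triage_order(buckets):
        first = buckets[key][0]
        print(f"{key} x{len(buckets[key])} {first['classification']:<25} "
              f"{first['short']:<15} {first['top_frame']} tainted={first['tainted']}")
```

Bucketing on the Major hash alone is deliberate: the Minor hash changes with frames deeper in the stack, so two fuzzer inputs that reach the same NULL dereference through slightly different UI paths would otherwise look like two bugs.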

See you soon...

o/
