Below you will find a few details about it...
06.02.2017:
======================================================
Case #01:
(...)
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-2192.pub
(...)
Executable search path is:
ModLoad: 2d760000 2e131000 mspub.exe
ModLoad: 77490000 775cc000 ntdll.dll
ModLoad: 6d200000 6d260000 C:\Windows\system32\verifier.dll
(...)
(e90.de0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=001dfc48 edx=001dfc4c esi=00000200 edi=0f340e30
eip=2d800200 esp=001df96c ebp=001dfc80 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for mspub.exe
mspub+0xa0200:
2d800200 395804 cmp dword ptr [eax+4],ebx ds:0023:00000004=????????
0:000> r
eax=00000000 ebx=00000000 ecx=001dfc48 edx=001dfc4c esi=00000200 edi=0f340e30
eip=2d800200 esp=001df96c ebp=001dfc80 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
mspub+0xa0200:
2d800200 395804 cmp dword ptr [eax+4],ebx ds:0023:00000004=????????
0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:2d800200 cmp dword ptr [eax+4],ebx
Basic Block:
2d800200 cmp dword ptr [eax+4],ebx
Tainted Input operands: 'eax','ebx'
2d800203 je mspub+0xa036a (2d80036a)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x3c4a0b35.0xa9404962
Hash Usage : Stack Trace:
Major+Minor : mspub+0xa0200
Major+Minor : mspub+0xa1805
Major+Minor : mspub+0xa1756
Major+Minor : mspub+0xa163d
Major+Minor : mspub+0x15686c
Minor : mspub+0x351e9
Minor : mspub+0x212d
Minor : mspub+0x20d0
Minor : mspub+0x2083
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000002d800200
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mspub+0x00000000000a0200 (Hash=0x3c4a0b35.0xa9404962)
======================================================
Case #02:
(...)
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-81.pub
(...)
ModLoad: 2df30000 2e901000 mspub.exe
(...)
(a1c.438): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=10552f98 ebx=00ffffff ecx=0d1c4e30 edx=10552f98 esi=0c91eff4 edi=00000001
eip=6bbcb827 esp=001fb130 ebp=001fb130 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal7862+0x14c:
6bbcb827 8b4258 mov eax,dword ptr [edx+58h] ds:0023:10552ff0=????????
0:000> r
eax=10552f98 ebx=00ffffff ecx=0d1c4e30 edx=10552f98 esi=0c91eff4 edi=00000001
eip=6bbcb827 esp=001fb130 ebp=001fb130 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
mso!Ordinal7862+0x14c:
6bbcb827 8b4258 mov eax,dword ptr [edx+58h] ds:0023:10552ff0=????????
0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for ntdll.dll -
*** ERROR: Module load completed but symbols could not be loaded for mspub.exe
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Windows\system32\kernel32.dll -
Exception Faulting Address: 0x10552ff0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:6bbcb827 mov eax,dword ptr [edx+58h]
Basic Block:
6bbcb827 mov eax,dword ptr [edx+58h]
Tainted Input operands: 'edx'
6bbcb82a mov ecx,40000h
6bbcb82f test ecx,eax
Tainted Input operands: 'eax'
6bbcb831 jne mso!ordinal7862+0x15d (6bbcb838)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x302d39fa.0xc81d45f3
Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal7862+0x14c
Major+Minor : mspub+0x11577a
Major+Minor : mspub+0x115a15
Major+Minor : mspub+0x115c67
Major+Minor : mspub+0x74b66
Minor : mspub+0x76237
Minor : mspub+0x1e3466
Minor : mspub+0xa72e8
Minor : mspub+0x2d9af9
Minor : mspub+0x17f557
Minor : mspub+0x2a90
Minor : mspub+0x2117
Minor : mspub+0x20d0
Minor : mspub+0x2083
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000006bbcb827
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at mso!Ordinal7862+0x000000000000014c (Hash=0x302d39fa.0xc81d45f3)
======================================================
Case #03:
(...)
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-71.pub
(...)
ModLoad: 2d6c0000 2e091000 mspub.exe
(...)
(f8c.dfc): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=00000000 edx=ffffffff esi=000008f0 edi=002e9d04
eip=6cf17d6e esp=002e99c4 ebp=002e99e4 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\PTXT9.DLL -
PTXT9!QSManager_GetInstance+0x5914:
6cf17d6e 813b01000080 cmp dword ptr [ebx],80000001h ds:0023:00000000=????????
0:000> r
eax=00000000 ebx=00000000 ecx=00000000 edx=ffffffff esi=000008f0 edi=002e9d04
eip=6cf17d6e esp=002e99c4 ebp=002e99e4 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210212
PTXT9!QSManager_GetInstance+0x5914:
6cf17d6e 813b01000080 cmp dword ptr [ebx],80000001h ds:0023:00000000=????????
0:000> !load winext\msec.dll;!exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:6cf17d6e cmp dword ptr [ebx],80000001h
Basic Block:
6cf17d6e cmp dword ptr [ebx],80000001h
Tainted Input operands: 'ebx'
6cf17d74 je ptxt9!qstextbox_createinstance+0x32d65 (6cf595d5)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0x086477ff.0xa2d00ef6
Hash Usage : Stack Trace:
Major+Minor : PTXT9!QSManager_GetInstance+0x5914
Major+Minor : PTXT9!QSManager_GetInstance+0x3993
Major+Minor : ole32!OleQueryLinkFromData+0x407a
Major+Minor : ole32!OleQueryLinkFromData+0x4089
Major+Minor : PTXT9!QSManager_GetInstance+0x121bb
Minor : mspub+0x56068
Minor : mspub+0x562de
Minor : PTXT9!QSManager_GetInstance+0xa9dd
Minor : Unknown
(...)
Minor : Unknown
Minor : Unknown
Minor : Unknown
Instruction Address: 0x000000006cf17d6e
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at PTXT9!QSManager_GetInstance+0x0000000000005914 (Hash=0x086477ff.0xa2d00ef6)
======================================================
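Three reports like the ones above are easy to compare by eye; a few hundred from one fuzzing run are not. The script below is an added example, not code from this post: it parses the text that msec.dll's !exploitable -v prints (the format shown in the three cases), pulls out the Major/Minor hash, the verdict and the frames that feed the Major hash, and buckets the cases by Major hash so that inputs hitting the same crash site are looked at once. The embedded report texts are trimmed copies of Case #01 and Case #02; the third entry in the main block, which attributes the Case #01 report to a second .pub file, is constructed to show the grouping. cdb_command() assumes cdb.exe from the Debugging Tools is on PATH and uses the documented .load in place of the !load typed in the sessions above; it only builds the command line and does not run anything here.

```python
"""Triage helper for WinDbg !exploitable -v reports.

Added example, not part of the original post. It parses the text that
msec.dll prints (the format shown in the cases above), extracts the fields
used to de-duplicate fuzzing crashes and buckets reports by Major hash.
"""
import re
from dataclasses import dataclass, field

# Trimmed copies of the reports printed for Case #01 and Case #02 above.
CASE01 = """\
Exception Faulting Address: 0x4
Faulting Instruction:2d800200 cmp dword ptr [eax+4],ebx
Exception Hash (Major/Minor): 0x3c4a0b35.0xa9404962
Hash Usage : Stack Trace:
Major+Minor : mspub+0xa0200
Major+Minor : mspub+0xa1805
Major+Minor : mspub+0xa1756
Major+Minor : mspub+0xa163d
Major+Minor : mspub+0x15686c
Minor : mspub+0x351e9
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
"""
CASE02 = """\
Exception Faulting Address: 0x10552ff0
Faulting Instruction:6bbcb827 mov eax,dword ptr [edx+58h]
Exception Hash (Major/Minor): 0x302d39fa.0xc81d45f3
Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal7862+0x14c
Major+Minor : mspub+0x11577a
Major+Minor : mspub+0x115a15
Major+Minor : mspub+0x115c67
Major+Minor : mspub+0x74b66
Minor : mspub+0x76237
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
"""

@dataclass
class Report:
    case: str               # label of the input file that produced the crash
    major: str              # Major hash: built from the Major+Minor frames only
    minor: str              # Minor hash: built from every non-Excluded frame
    classification: str     # !exploitable's verdict; a heuristic, not a proof
    short_desc: str
    faulting_address: int
    instruction: str
    major_frames: list = field(default_factory=list)

_FIELDS = {
    "hash": re.compile(r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-f]+)\.(0x[0-9a-f]+)", re.I),
    "class": re.compile(r"Exploitability Classification:\s*(\S+)"),
    "short": re.compile(r"Short Description:\s*(\S+)"),
    "addr": re.compile(r"Exception Faulting Address:\s*(0x[0-9a-f]+)", re.I),
    "instr": re.compile(r"Faulting Instruction:\s*[0-9a-f]+\s+(.+)"),
}
_MAJOR_FRAME = re.compile(r"^\s*Major\+Minor\s*:\s*(\S.*?)\s*$", re.M)

def parse_report(case: str, text: str) -> Report:
    """Extract the triage fields from one report; reject text without a hash."""
    m = _FIELDS["hash"].search(text)
    if not m:
        raise ValueError(f"{case}: no Exception Hash line, not an !exploitable report")
    def one(key):
        hit = _FIELDS[key].search(text)
        return hit.group(1).strip() if hit else ""
    return Report(case, m.group(1).lower(), m.group(2).lower(), one("class"),
                  one("short"), int(one("addr") or "0", 16), one("instr"),
                  _MAJOR_FRAME.findall(text))

def needs_review(rep: Report) -> bool:
    """EXPLOITABLE, PROBABLY_EXPLOITABLE and UNKNOWN all go to a human."""
    return rep.classification != "PROBABLY_NOT_EXPLOITABLE"

def group_by_major(reports) -> dict:
    """Same Major hash means the same top frames: analyse one sample per bucket."""
    groups = {}
    for rep in reports:
        groups.setdefault(rep.major, []).append(rep.case)
    return {k: sorted(v) for k, v in groups.items()}

def cdb_command(target: str, sample: str) -> list:
    """Reproduce the manual session above under cdb (assumes cdb.exe on PATH):
    run to the first exception, load msec.dll, print the report, quit."""
    return ["cdb.exe", "-c", r"g; .load winext\msec.dll; !exploitable -v; q", target, sample]

if __name__ == "__main__":
    samples = {"sf_a4f51cf9de2546169858028b21554388-2192.pub": CASE01,
               "sf_a4f51cf9de2546169858028b21554388-81.pub": CASE02,
               "second-input.pub": CASE01}   # constructed: another file, same crash site
    reps = [parse_report(c, t) for c, t in samples.items()]
    for major, cases in group_by_major(reps).items():
        rep = next(r for r in reps if r.major == major)
        flag = "REVIEW" if needs_review(rep) else "low"
        print(f"{major} [{flag}] {rep.short_desc} at {rep.major_frames[0]}: {', '.join(cases)}")
```

The classification is !exploitable's heuristic, not a verdict on the bug. A ReadAVNearNull, as in Case #01 and #03, is a NULL dereference for this particular input; whether the same pointer can become non-NULL with a different input is something the next fuzzing iteration or a look at the caller has to answer, so keep the PROBABLY_NOT_EXPLOITABLE samples on disk rather than discarding them. Case #02 is the one to look at first: the faulting address is a real heap-range pointer and the loaded value selects a branch, which is exactly what the UNKNOWN bucket is for.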
Sample files for all of these cases (and soon for a few more) can be found on GitHub.
Use them only for legal purposes.
Thanks.
Cheers.