piątek, 14 kwietnia 2017

Multiple Crashes in MS Publisher 2010/16 - part 2

Hi, as I promised last time today you'll find below few more bugs found during fuzzing session with MSPublisher 2010. Try it on 2016 because few of them will work there as well. ;)

Environment where I tried it:
- winxp sp3 (with MS Office 2010)
- win7  (with MS Office 2010)
- win10 (feat. MS Office 2016)

Below details:

========================================================
Case #01:
(...)
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-34538.pub
(...)
Executable search path is:
ModLoad: 2d0e0000 2dab1000   mspub.exe
ModLoad: 77d40000 77e7c000   ntdll.dll
ModLoad: 6e710000 6e770000   C:\Windows\system32\verifier.dll
(...)
(288.fc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000004 ebx=0f398988 ecx=00000001 edx=00000000 esi=00000000 edi=0f398988
eip=7094ac18 esp=001a99fc ebp=001a9a04 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210297
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4926_none_508ed732bcbc0e5a\MSVCR90.dll -
MSVCR90!memcpy+0x158:
7094ac18 8b448efc        mov     eax,dword ptr [esi+ecx*4-4] ds:0023:00000000=????????

0:000> r;sxd *;g;r;!exploitable -v;!analyze -v;kb;u eip;q
eax=00000004 ebx=0f398988 ecx=00000001 edx=00000000 esi=00000000 edi=0f398988
eip=7094ac18 esp=001a99fc ebp=001a9a04 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210297
MSVCR90!memcpy+0x158:
7094ac18 8b448efc        mov     eax,dword ptr [esi+ecx*4-4] ds:0023:00000000=????????

(288.fc0): Access violation - code c0000005 (!!! second chance !!!)
eax=00000004 ebx=0f398988 ecx=00000001 edx=00000000 esi=00000000 edi=0f398988
eip=7094ac18 esp=001a99fc ebp=001a9a04 iopl=0         nv up ei ng nz ac pe cy
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210297
MSVCR90!memcpy+0x158:
7094ac18 8b448efc        mov     eax,dword ptr [esi+ecx*4-4] ds:0023:00000000=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:7094ac18 mov eax,dword ptr [esi+ecx*4-4]

Basic Block:
    7094ac18 mov eax,dword ptr [esi+ecx*4-4]
       Tainted Input operands: 'ecx','esi'
    7094ac1c mov dword ptr [edi+ecx*4-4],eax
       Tainted Input operands: 'eax','ecx'
    7094ac20 lea eax,[ecx*4]
       Tainted Input operands: 'ecx'
    7094ac27 add esi,eax
       Tainted Input operands: 'eax','esi'
    7094ac29 add edi,eax
       Tainted Input operands: 'eax'
    7094ac2b jmp dword ptr msvcr90!memcpy+0x174 (7094ac34)[edx*4]

Exception Hash (Major/Minor): 0x12e8150d.0x21d2a430

 Hash Usage : Stack Trace:
Major+Minor : MSVCR90!memcpy+0x158
Major+Minor : PTXT9!QSTextBox_CreateInstance+0x27d65
Instruction Address: 0x000000007094ac18

Description: Data from Faulting Address controls subsequent Write Address
Short Description: TaintedDataControlsWriteAddress
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls subsequent Write Address starting at MSVCR90!memcpy+0x0000000000000158 (Hash=0x12e8150d.0x21d2a430)

The data from the faulting address is later used as the target for a later write.
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
MSVCR90!memcpy+158
7094ac18 8b448efc        mov     eax,dword ptr [esi+ecx*4-4]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 7094ac18 (MSVCR90!memcpy+0x00000158)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000

FAULTING_THREAD:  00000fc0
PROCESS_NAME:  mspub.exe
ADDITIONAL_DEBUG_TEXT: 

MODULE_NAME: MSVCR90
FAULTING_MODULE: 77d40000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4a1743c1
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000000
READ_ADDRESS:  00000000

FOLLOWUP_IP:
MSVCR90!memcpy+158
7094ac18 8b448efc        mov     eax,dword ptr [esi+ecx*4-4]

BUGCHECK_STR:  APPLICATION_FAULT_NULL_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_POINTER_READ
DEFAULT_BUCKET_ID:  NULL_POINTER_READ
LAST_CONTROL_TRANSFER:  from 6dfae5d5 to 7094ac18

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
001a9a04 6dfae5d5 0f398988 00000000 00000004 MSVCR90!memcpy+0x158
001a9b44 00000000 fffffffe fffffffe ffffffff PTXT9!QSTextBox_CreateInstance+0x27d65


SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  MSVCR90!memcpy+158
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  MSVCR90.dll
STACK_COMMAND:  ~0s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_MSVCR90.dll!memcpy
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/mspub_exe/14_0_4750_1000/4b8bab0b/MSVCR90_dll/9_0_30729_4926/4a1743c1/c0000005/0003ac18.htm?Retriage=1

---------

ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
001a9a04 6dfae5d5 0f398988 00000000 00000004 MSVCR90!memcpy+0x158
001a9b44 00000000 fffffffe fffffffe ffffffff PTXT9!QSTextBox_CreateInstance+0x27d65
MSVCR90!memcpy+0x158:
7094ac18 8b448efc        mov     eax,dword ptr [esi+ecx*4-4]
7094ac1c 89448ffc        mov     dword ptr [edi+ecx*4-4],eax
7094ac20 8d048d00000000  lea     eax,[ecx*4]
7094ac27 03f0            add     esi,eax
7094ac29 03f8            add     edi,eax
7094ac2b ff249534ac9470  jmp     dword ptr MSVCR90!memcpy+0x174 (7094ac34)[edx*4]
7094ac32 8bff            mov     edi,edi
7094ac34 44              inc     esp


========================================================
Case #02:

(...)
CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-5205.pub
(...)
Executable search path is:
ModLoad: 2dd20000 2e6f1000   mspub.exe
ModLoad: 77490000 775cc000   ntdll.dll
ModLoad: 6d150000 6d1b0000   C:\Windows\system32\verifier.dll
(...)
(fe0.a8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000098 ebx=6cd4f19c ecx=002f98b8 edx=00000000 esi=002f9d96 edi=00000002
eip=6cd54164 esp=002f9278 ebp=002f9330 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\PTXT9.DLL -
PTXT9!QSTextBox_CreateInstance+0x2d8f4:
6cd54164 668b00          mov     ax,word ptr [eax]        ds:0023:00000098=????

0:000>
eax=00000098 ebx=6cd4f19c ecx=002f98b8 edx=00000000 esi=002f9d96 edi=00000002
eip=6cd54164 esp=002f9278 ebp=002f9330 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
PTXT9!QSTextBox_CreateInstance+0x2d8f4:
6cd54164 668b00          mov     ax,word ptr [eax]        ds:0023:00000098=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x98
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6cd54164 mov ax,word ptr [eax]

Basic Block:
    6cd54164 mov ax,word ptr [eax]
       Tainted Input operands: 'eax'
    6cd54167 jmp ptxt9!qsmanager_getinstance+0x121b0 (6cd2460a)

Exception Hash (Major/Minor): 0x1afb4e35.0x4f229dd0

 Hash Usage : Stack Trace:
Major+Minor : PTXT9!QSTextBox_CreateInstance+0x2d8f4
Major+Minor : PTXT9!QSManager_GetInstance+0xa8a8
Major+Minor : PTXT9!QSManager_GetInstance+0xa904
Major+Minor : PTXT9!QSManager_GetInstance+0xa765
Major+Minor : PTXT9!QSManager_GetInstance+0xff53
Minor       : ole32!OleQueryLinkFromData+0x407a
Minor       : ole32!OleQueryLinkFromData+0x4089
Minor       : PTXT9!QSManager_GetInstance+0x121bb
Minor       : mspub+0x56068
Minor       : mspub+0x562de
Minor       : PTXT9!QSManager_GetInstance+0xa9dd
Minor       : Unknown
(...)
Minor       : Unknown
Instruction Address: 0x000000006cd54164

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at PTXT9!QSTextBox_CreateInstance+0x000000000002d8f4 (Hash=0x1afb4e35.0x4f229dd0)

This is a user mode read access violation near null, and is probably not exploitable.

========================================================
Case #03:

(...)
CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-2192.pub
Executable search path is:
ModLoad: 2d760000 2e131000   mspub.exe
ModLoad: 77490000 775cc000   ntdll.dll
ModLoad: 6d200000 6d260000   C:\Windows\system32\verifier.dll
(...)
(e90.4e4): Unknown exception - code c004f012 (first chance)
(e90.de0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=001dfc48 edx=001dfc4c esi=00000200 edi=0f340e30
eip=2d800200 esp=001df96c ebp=001dfc80 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
*** ERROR: Module load completed but symbols could not be loaded for mspub.exe
mspub+0xa0200:
2d800200 395804          cmp     dword ptr [eax+4],ebx ds:0023:00000004=????????


0:000> r;!exploitable -v;q
eax=00000000 ebx=00000000 ecx=001dfc48 edx=001dfc4c esi=00000200 edi=0f340e30
eip=2d800200 esp=001df96c ebp=001dfc80 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210202
mspub+0xa0200:
2d800200 395804          cmp     dword ptr [eax+4],ebx ds:0023:00000004=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:2d800200 cmp dword ptr [eax+4],ebx

Basic Block:
    2d800200 cmp dword ptr [eax+4],ebx
       Tainted Input operands: 'eax','ebx'
    2d800203 je mspub+0xa036a (2d80036a)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x3c4a0b35.0xa9404962

 Hash Usage : Stack Trace:
Major+Minor : mspub+0xa0200
Major+Minor : mspub+0xa1805
Major+Minor : mspub+0xa1756
Major+Minor : mspub+0xa163d
Major+Minor : mspub+0x15686c
Minor       : mspub+0x351e9
Minor       : mspub+0x212d
Minor       : mspub+0x20d0
Minor       : mspub+0x2083
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000002d800200

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mspub+0x00000000000a0200 (Hash=0x3c4a0b35.0xa9404962)

This is a user mode read access violation near null, and is probably not exploitable.

========================================================
Case #04:

(...)
CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-23427.pub
(...)
Executable search path is:
ModLoad: 2da80000 2e451000   mspub.exe
ModLoad: 77d40000 77e7c000   ntdll.dll
ModLoad: 6ea90000 6eaf0000   C:\Windows\system32\verifier.dll
(...)
(d60.a04): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=0200014d ecx=00000000 edx=02e5bffe esi=00000054 edi=00000000
eip=6ac934f9 esp=001cbf60 ebp=001cbf70 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll -
mso!Ordinal6038+0x925:
6ac934f9 f6405808        test    byte ptr [eax+58h],8       ds:0023:00000058=??

0:000> r;sxd *;g;r;!exploitable -v;!analyze -v;kb;u eip;q
eax=00000000 ebx=0200014d ecx=00000000 edx=02e5bffe esi=00000054 edi=00000000
eip=6ac934f9 esp=001cbf60 ebp=001cbf70 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
mso!Ordinal6038+0x925:
6ac934f9 f6405808        test    byte ptr [eax+58h],8       ds:0023:00000058=??


(d60.a04): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0200014d ecx=00000000 edx=02e5bffe esi=00000054 edi=00000000
eip=6ac934f9 esp=001cbf60 ebp=001cbf70 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210246
mso!Ordinal6038+0x925:
6ac934f9 f6405808        test    byte ptr [eax+58h],8       ds:0023:00000058=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x58
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6ac934f9 test byte ptr [eax+58h],8

Basic Block:
    6ac934f9 test byte ptr [eax+58h],8
       Tainted Input operands: 'eax'
    6ac934fd jne mso!ordinal7184+0xf5 (6ac9844e)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0xb1592792.0x75f5de39

 Hash Usage : Stack Trace:
Major+Minor : mso!Ordinal6038+0x925
Major+Minor : mspub+0xf11e7
Major+Minor : mspub+0xf1196
Major+Minor : mspub+0xf0f8d
Major+Minor : mso!Ordinal3895+0x106
Minor       : mso!Ordinal3895+0xe9
Minor       : mso!Ordinal1774+0x594
Minor       : mso!Ordinal1774+0x57a
Minor       : mspub+0x9dac1
Minor       : mspub+0x9d8e0
Minor       : USER32!IsThreadDesktopComposited+0x11f
Minor       : USER32!MapWindowPoints+0xb7
Minor       : USER32!InflateRect+0x74
Minor       : USER32!DefWindowProcW+0x144
Minor       : ntdll!KiUserCallbackDispatcher+0x2e
Minor       : USER32!DispatchMessageW+0xf
Minor       : mso!Ordinal9774+0x23
Minor       : mspub+0x347ec
Minor       : mspub+0x212d
Minor       : mspub+0x20d0
Minor       : mspub+0x2083
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000006ac934f9

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at mso!Ordinal6038+0x0000000000000925 (Hash=0xb1592792.0x75f5de39)

This is a user mode read access violation near null, and is probably not exploitable.
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
mso!Ordinal6038+925
6ac934f9 f6405808        test    byte ptr [eax+58h],8

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6ac934f9 (mso!Ordinal6038+0x00000925)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000058
Attempt to read from address 00000058

FAULTING_THREAD:  00000a04
PROCESS_NAME:  mspub.exe
ADDITIONAL_DEBUG_TEXT: 
MODULE_NAME: mso
FAULTING_MODULE: 77d40000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4ba90130
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000058
READ_ADDRESS:  00000058
FOLLOWUP_IP:
mso!Ordinal6038+925
6ac934f9 f6405808        test    byte ptr [eax+58h],8

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_READ_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE
DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER:  from 2db711e7 to 6ac934f9

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
001cbf70 2db711e7 001cbf90 00000003 00000000 mso!Ordinal6038+0x925
001cbf88 2db71196 00000000 0200014d 0f5a6fb0 mspub+0xf11e7
001cbfa4 2db70f8d 00000002 0200014d 00000000 mspub+0xf1196
001cf470 6aa0b226 0f5a6fb0 0f5f7fd0 001cf594 mspub+0xf0f8d
001cf488 6aa0b209 001cf594 ffffffff 6ac91a41 mso!Ordinal3895+0x106
001cf73c 6aa14819 00000000 001cf788 6aa147ff mso!Ordinal3895+0xe9
001cf748 6aa147ff 0f5f9fa4 00003210 058baf20 mso!Ordinal1774+0x594
001cf788 2db1dac1 058baf20 0000000f 00000000 mso!Ordinal1774+0x57a
001cf88c 2db1d8e0 0cf707de d7b7f957 00000000 mspub+0x9dac1
001cfa34 77ba86ef 0cf707de 0000000f 00000000 mspub+0x9d8e0
001cfa60 77ba79cc 2da9d3a2 0cf707de 0000000f USER32!IsThreadDesktopComposited+0x11f
001cfad8 77ba70f4 00000000 2da9d3a2 0cf707de USER32!MapWindowPoints+0xb7
001cfb34 77ba738f 01c30f40 0000000f 00000000 USER32!InflateRect+0x74
001cfb5c 77d8642e 001cfb74 00000018 001cfbc0 USER32!DefWindowProcW+0x144
001cfbd0 77ba8e9c 2da9d3a2 00000000 001cfbf0 ntdll!KiUserCallbackDispatcher+0x2e
001cfbe0 6a9fb55b 2e1946d8 00000000 001cfc30 USER32!DispatchMessageW+0xf
001cfbf0 2dab47ec 2e1946d8 2e24577c 011fff8f mso!Ordinal9774+0x23
001cfc30 2da8212d 00000000 00000000 001cfc7c mspub+0x347ec
001cfc40 2da820d0 2da80000 00000000 0000000a mspub+0x212d
001cfc7c 2da82083 2da80000 00000000 011fff8f mspub+0x20d0
001cfd0c 77cb1174 7ffdf000 001cfd58 77d9b3f5 mspub+0x2083
001cfd18 77d9b3f5 7ffdf000 73edb21c 00000000 kernel32!BaseThreadInitThunk+0x12
001cfd58 77d9b3c8 2da81af8 7ffdf000 ffffffff ntdll!RtlInitializeExceptionChain+0x63
001cfd70 00000000 2da81af8 7ffdf000 00000000 ntdll!RtlInitializeExceptionChain+0x36


SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  mso!Ordinal6038+925
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  mso.dll
STACK_COMMAND:  ~0s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_mso.dll!Ordinal6038
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/mspub_exe/14_0_4750_1000/4b8bab0b/mso_dll/14_0_4760_1000/4ba90130/c0000005/004134f9.htm?Retriage=1

---------

ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
001cbf70 2db711e7 001cbf90 00000003 00000000 mso!Ordinal6038+0x925
001cbf88 2db71196 00000000 0200014d 0f5a6fb0 mspub+0xf11e7
001cbfa4 2db70f8d 00000002 0200014d 00000000 mspub+0xf1196
001cf470 6aa0b226 0f5a6fb0 0f5f7fd0 001cf594 mspub+0xf0f8d
001cf488 6aa0b209 001cf594 ffffffff 6ac91a41 mso!Ordinal3895+0x106
001cf73c 6aa14819 00000000 001cf788 6aa147ff mso!Ordinal3895+0xe9
001cf748 6aa147ff 0f5f9fa4 00003210 058baf20 mso!Ordinal1774+0x594
001cf788 2db1dac1 058baf20 0000000f 00000000 mso!Ordinal1774+0x57a
001cf88c 2db1d8e0 0cf707de d7b7f957 00000000 mspub+0x9dac1
001cfa34 77ba86ef 0cf707de 0000000f 00000000 mspub+0x9d8e0
001cfa60 77ba79cc 2da9d3a2 0cf707de 0000000f USER32!IsThreadDesktopComposited+0x11f
001cfad8 77ba70f4 00000000 2da9d3a2 0cf707de USER32!MapWindowPoints+0xb7
001cfb34 77ba738f 01c30f40 0000000f 00000000 USER32!InflateRect+0x74
001cfb5c 77d8642e 001cfb74 00000018 001cfbc0 USER32!DefWindowProcW+0x144
001cfbd0 77ba8e9c 2da9d3a2 00000000 001cfbf0 ntdll!KiUserCallbackDispatcher+0x2e
001cfbe0 6a9fb55b 2e1946d8 00000000 001cfc30 USER32!DispatchMessageW+0xf
001cfbf0 2dab47ec 2e1946d8 2e24577c 011fff8f mso!Ordinal9774+0x23
001cfc30 2da8212d 00000000 00000000 001cfc7c mspub+0x347ec
001cfc40 2da820d0 2da80000 00000000 0000000a mspub+0x212d
001cfc7c 2da82083 2da80000 00000000 011fff8f mspub+0x20d0
mso!Ordinal6038+0x925:
6ac934f9 f6405808        test    byte ptr [eax+58h],8
6ac934fd 0f854b4f0000    jne     mso!Ordinal7184+0xf5 (6ac9844e)
6ac93503 c3              ret
6ac93504 55              push    ebp
6ac93505 8bec            mov     ebp,esp
6ac93507 8b4d08          mov     ecx,dword ptr [ebp+8]
6ac9350a ff09            dec     dword ptr [ecx]
6ac9350c 56              push    esi


========================================================
Case #05:


CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-28727.pub
(...)
Executable search path is:
ModLoad: 2d440000 2de11000   mspub.exe
ModLoad: 77d40000 77e7c000   ntdll.dll
ModLoad: 6c710000 6c770000   C:\Windows\system32\verifier.dll
(...)
(cc0.ff0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0d2e0e8c ebx=001b95be ecx=001b9660 edx=001b9f98 esi=ffffffff edi=0d126ef4
eip=6a09f667 esp=001b951c ebp=001b95fc iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Microsoft Office\Office14\PTXT9.DLL -
PTXT9!QSTextBox_CreateInstance+0x28df7:
6a09f667 0fb710          movzx   edx,word ptr [eax]       ds:0023:0d2e0e8c=????

0:000> r;sxd *;g;r;!exploitable -v;!analyze -v;kb;u eip;q
eax=0d2e0e8c ebx=001b95be ecx=001b9660 edx=001b9f98 esi=ffffffff edi=0d126ef4
eip=6a09f667 esp=001b951c ebp=001b95fc iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
PTXT9!QSTextBox_CreateInstance+0x28df7:
6a09f667 0fb710          movzx   edx,word ptr [eax]       ds:0023:0d2e0e8c=????

(cc0.ff0): Access violation - code c0000005 (!!! second chance !!!)
eax=0d2e0e8c ebx=001b95be ecx=001b9660 edx=001b9f98 esi=ffffffff edi=0d126ef4
eip=6a09f667 esp=001b951c ebp=001b95fc iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
PTXT9!QSTextBox_CreateInstance+0x28df7:
6a09f667 0fb710          movzx   edx,word ptr [eax]       ds:0023:0d2e0e8c=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xd2e0e8c
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6a09f667 movzx edx,word ptr [eax]

Basic Block:
    6a09f667 movzx edx,word ptr [eax]
       Tainted Input operands: 'eax'
    6a09f66a shr edx,0bh
    6a09f66d lea edx,ptxt9!qstextbox_createinstance+0x28e28 (6a09f698)[edx*8]
       Tainted Input operands: 'edx'
    6a09f674 cmp dword ptr [edx+4],0
       Tainted Input operands: 'edx'
    6a09f678 mov esi,dword ptr [edx]
       Tainted Input operands: 'edx'
    6a09f67a je ptxt9!qstextbox_createinstance+0x28e15 (6a09f685)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x1afb4e35.0x1fb1ab3d

 Hash Usage : Stack Trace:
Major+Minor : PTXT9!QSTextBox_CreateInstance+0x28df7
Major+Minor : PTXT9!QSManager_GetInstance+0xa8a8
Major+Minor : PTXT9!QSManager_GetInstance+0xa904
Major+Minor : PTXT9!QSManager_GetInstance+0xa765
Major+Minor : PTXT9!QSManager_GetInstance+0xff53
Minor       : ole32!OleQueryLinkFromData+0x407a
Minor       : ole32!OleQueryLinkFromData+0x4089
Minor       : PTXT9!QSManager_GetInstance+0x121bb
Minor       : mspub+0x56068
Minor       : mspub+0x562de
Minor       : PTXT9!QSManager_GetInstance+0xa9dd
Minor       : Unknown
(...)
Minor       : Unknown
Instruction Address: 0x000000006a09f667

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at PTXT9!QSTextBox_CreateInstance+0x0000000000028df7 (Hash=0x1afb4e35.0x1fb1ab3d)

The data from the faulting address is later used to determine whether or not a branch is taken.
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
PTXT9!QSTextBox_CreateInstance+28df7
6a09f667 0fb710          movzx   edx,word ptr [eax]

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 6a09f667 (PTXT9!QSTextBox_CreateInstance+0x00028df7)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 0d2e0e8c
Attempt to read from address 0d2e0e8c

FAULTING_THREAD:  00000ff0
PROCESS_NAME:  mspub.exe
MODULE_NAME: PTXT9
FAULTING_MODULE: 77d40000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4b8bab46
ERROR_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - Instrukcja spod 0x%08lx odwo
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  0d2e0e8c
READ_ADDRESS:  0d2e0e8c
FOLLOWUP_IP:
PTXT9!QSTextBox_CreateInstance+28df7
6a09f667 0fb710          movzx   edx,word ptr [eax]

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_READ_WRONG_SYMBOLS_FILL_PATTERN_ffffffff
PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_READ_FILL_PATTERN_ffffffff
DEFAULT_BUCKET_ID:  INVALID_POINTER_READ_FILL_PATTERN_ffffffff
LAST_CONTROL_TRANSFER:  from 6a06cd02 to 6a09f667

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
001b95fc 6a06cd02 001b9660 001b9b68 0000004a PTXT9!QSTextBox_CreateInstance+0x28df7
001b96e0 6a06cd5e 001b970c 001b9b58 0000005a PTXT9!QSManager_GetInstance+0xa8a8
001b9734 6a06cbbf 001b97bc 00000224 001b997c PTXT9!QSManager_GetInstance+0xa904
001b9814 6a0723ad 001b997c 001b9aec 0000010c PTXT9!QSManager_GetInstance+0xa765
001b9964 76ab6c8c 76abb730 0c60ac28 76ab6c9b PTXT9!QSManager_GetInstance+0xff53
001b9970 76ab6c9b 116d3bf8 6a09f79c 001b9f7a ole32!OleQueryLinkFromData+0x407a
001b99e0 6a074615 00000000 0000002c 001b9bb0 ole32!OleQueryLinkFromData+0x4089
001b9a0c 2d496068 00000002 00000000 00000000 PTXT9!QSManager_GetInstance+0x121bb
001b9a60 2d4962de 00000002 001b9e76 001b9e78 mspub+0x56068
001b9a70 6a06ce37 001b9aa8 6a06cebb 001b9e72 mspub+0x562de
001b9e78 ffffffff ffffffff ffffffff ffffffff PTXT9!QSManager_GetInstance+0xa9dd
001b9e7c ffffffff ffffffff ffffffff ffffffff 0xffffffff
001b9e80 ffffffff ffffffff ffffffff ffffffff 0xffffffff
(...)
001b9f58 ffffffff ffffffff ffffffff ffffffff 0xffffffff
001b9f5c ffffffff ffffffff ffffffff 00000000 0xffffffff
001b9f60 ffffffff ffffffff 00000000 6c710000 0xffffffff
001b9f64 ffffffff 00000000 6c710000 00000000 0xffffffff
001b9f68 00000000 6c710000 00000000 019600cc 0xffffffff


STACK_COMMAND:  .cxr 00000000 ; kb ; ~0s ; kb
SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  PTXT9!QSTextBox_CreateInstance+28df7
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  PTXT9.DLL
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  INVALID_POINTER_READ_FILL_PATTERN_ffffffff_c0000005_PTXT9.DLL!QSTextBox_CreateInstance
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/mspub_exe/14_0_4750_1000/4b8bab0b/PTXT9_DLL/14_0_4750_1000/4b8bab46/c0000005/0003f667.htm?Retriage=1

---------

ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
001b95fc 6a06cd02 001b9660 001b9b68 0000004a PTXT9!QSTextBox_CreateInstance+0x28df7
001b96e0 6a06cd5e 001b970c 001b9b58 0000005a PTXT9!QSManager_GetInstance+0xa8a8
001b9734 6a06cbbf 001b97bc 00000224 001b997c PTXT9!QSManager_GetInstance+0xa904
001b9814 6a0723ad 001b997c 001b9aec 0000010c PTXT9!QSManager_GetInstance+0xa765
001b9964 76ab6c8c 76abb730 0c60ac28 76ab6c9b PTXT9!QSManager_GetInstance+0xff53
001b9970 76ab6c9b 116d3bf8 6a09f79c 001b9f7a ole32!OleQueryLinkFromData+0x407a
001b99e0 6a074615 00000000 0000002c 001b9bb0 ole32!OleQueryLinkFromData+0x4089
001b9a0c 2d496068 00000002 00000000 00000000 PTXT9!QSManager_GetInstance+0x121bb
001b9a60 2d4962de 00000002 001b9e76 001b9e78 mspub+0x56068
001b9a70 6a06ce37 001b9aa8 6a06cebb 001b9e72 mspub+0x562de
001b9e78 ffffffff ffffffff ffffffff ffffffff PTXT9!QSManager_GetInstance+0xa9dd
001b9e7c ffffffff ffffffff ffffffff ffffffff 0xffffffff
001b9e80 ffffffff ffffffff ffffffff ffffffff 0xffffffff
(...)
001b9e98 ffffffff ffffffff ffffffff ffffffff 0xffffffff
001b9e9c ffffffff ffffffff ffffffff ffffffff 0xffffffff
PTXT9!QSTextBox_CreateInstance+0x28df7:
6a09f667 0fb710          movzx   edx,word ptr [eax]
6a09f66a c1ea0b          shr     edx,0Bh
6a09f66d 8d14d598f6096a  lea     edx,PTXT9!QSTextBox_CreateInstance+0x28e28 (6a09f698)[edx*8]
6a09f674 837a0400        cmp     dword ptr [edx+4],0
6a09f678 8b32            mov     esi,dword ptr [edx]
6a09f67a 7409            je      PTXT9!QSTextBox_CreateInstance+0x28e15 (6a09f685)
6a09f67c 8b5002          mov     edx,dword ptr [eax+2]
6a09f67f 42              inc     edx


========================================================
Case #06:


CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-34632.pub
(...)
Executable search path is:
ModLoad: 2d090000 2da61000   mspub.exe
ModLoad: 77d40000 77e7c000   ntdll.dll
ModLoad: 6ea90000 6eaf0000   C:\Windows\system32\verifier.dll
(...)
(dc4.914): Integer overflow - code c0000095 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=002eb364 ebx=00000000 ecx=5c000000 edx=00000002 esi=0fadafc8 edi=77000000
eip=75f19617 esp=002eb364 ebp=002eb3b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Windows\system32\KERNELBASE.dll -
KERNELBASE!RaiseException+0x54:
75f19617 c9              leave


0:000> r;sxd *;g;r;!exploitable -v;!analyze -v;kb;u eip;q
eax=002eb364 ebx=00000000 ecx=5c000000 edx=00000002 esi=0fadafc8 edi=77000000
eip=75f19617 esp=002eb364 ebp=002eb3b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
KERNELBASE!RaiseException+0x54:
75f19617 c9              leave


(dc4.914): Integer overflow - code c0000095 (!!! second chance !!!)
eax=002eb364 ebx=00000000 ecx=5c000000 edx=00000002 esi=0fadafc8 edi=77000000
eip=75f19617 esp=002eb364 ebp=002eb3b4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00200246
KERNELBASE!RaiseException+0x54:
75f19617 c9              leave

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x75f19617
Second Chance Exception Type: STATUS_INTEGER_OVERFLOW (0xC0000095)

Faulting Instruction:75f19617 leave


Basic Block:
    75f19617 leave

    75f19618 ret 10h

Exception Hash (Major/Minor): 0x25c9d603.0x27a62e3d

 Hash Usage : Stack Trace:
Major+Minor : KERNELBASE!RaiseException+0x54
Major+Minor : PTXT9!QSTextBox_CreateInstance+0x50018
Major+Minor : PTXT9!QSManager_GetInstance+0x1f1c
Major+Minor : PTXT9!QSManager_GetInstance+0xf795
Major+Minor : PTXT9!QSManager_GetInstance+0x10c0a
Minor       : PTXT9!QSManager_GetInstance+0xfd64
Minor       : PTXT9!QSManager_GetInstance+0xfcb1
Minor       : PTXT9!QSManager_GetInstance+0x10850
Minor       : PTXT9!QSManager_GetInstance+0x10529
Minor       : PTXT9!QSManager_GetInstance+0x10496
Minor       : mspub+0xe0f05
Minor       : mspub+0xa72e8
Minor       : mspub+0x2d9af9
Minor       : mspub+0x17f557
Minor       : mspub+0x2a90
Minor       : mspub+0x2117
Minor       : mspub+0x20d0
Minor       : mspub+0x2083
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000075f19617

Description: Integer Overflow
Short Description: IntegerOverflow
Exploitability Classification: UNKNOWN
Recommended Bug Title: Integer Overflow starting at KERNELBASE!RaiseException+0x0000000000000054 (Hash=0x25c9d603.0x27a62e3d)
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
KERNELBASE!RaiseException+54
75f19617 c9              leave

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 75f19617 (KERNELBASE!RaiseException+0x00000054)
   ExceptionCode: c0000095 (Integer overflow)
  ExceptionFlags: 00000001
NumberParameters: 0

FAULTING_THREAD:  00000914
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
PROCESS_NAME:  mspub.exe
MODULE_NAME: PTXT9
FAULTING_MODULE: 77d40000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4b8bab46
ERROR_CODE: (NTSTATUS) 0xc0000095 - {WYJ
EXCEPTION_CODE: (NTSTATUS) 0xc0000095 - {WYJ
PRIMARY_PROBLEM_CLASS:  WRONG_SYMBOLS
BUGCHECK_STR:  APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 6e726888 to 75f19617

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
002eb3b4 6e726888 c0000095 00000001 00000000 KERNELBASE!RaiseException+0x54
002eb3e4 6e6c4376 002eb3fc 00000004 00000000 PTXT9!QSTextBox_CreateInstance+0x50018
002eb400 6e6d1bef 00000000 77000000 00000000 PTXT9!QSManager_GetInstance+0x1f1c
002eb430 6e6d3064 0b80af38 002eb568 00000000 PTXT9!QSManager_GetInstance+0xf795
002eb45c 6e6d21be 0b80af38 0000000c 00000006 PTXT9!QSManager_GetInstance+0x10c0a
002eb488 6e6d210b 002eb568 4e4b4f54 00000009 PTXT9!QSManager_GetInstance+0xfd64
002eb4b8 6e6d2caa 0fab2fa0 002eb568 4e4b4f54 PTXT9!QSManager_GetInstance+0xfcb1
002eb558 6e6d2983 0b80af38 00000009 0b80af38 PTXT9!QSManager_GetInstance+0x10850
002eb5bc 6e6d28f0 0d210e80 ffffffff 2d15df4f PTXT9!QSManager_GetInstance+0x10529
002eb638 2d170f05 02000100 00000002 00000002 PTXT9!QSManager_GetInstance+0x10496
002ebfcc 2d1372e8 002ee66c 105d0fb0 00000008 mspub+0xe0f05
002ee620 2d369af9 002ee65c 00000000 00000000 mspub+0xa72e8
002eea44 2d20f557 002eeadc 6a885625 00000000 mspub+0x2d9af9
002efdc0 2d092a90 0000000a 2d85577c 0008ff8f mspub+0x17f557
002efe98 2d092117 2d090000 00000000 0000000a mspub+0x2a90
002efeac 2d0920d0 2d090000 00000000 0000000a mspub+0x2117
002efee8 2d092083 2d090000 00000000 0008ff8f mspub+0x20d0
002eff78 77cb1174 7ffde000 002effc4 77d9b3f5 mspub+0x2083
002eff84 77d9b3f5 7ffde000 7d9376ff 00000000 kernel32!BaseThreadInitThunk+0x12
002effc4 77d9b3c8 2d091af8 7ffde000 ffffffff ntdll!RtlInitializeExceptionChain+0x63
002effdc 00000000 2d091af8 7ffde000 00000000 ntdll!RtlInitializeExceptionChain+0x36


FOLLOWUP_IP:
PTXT9!QSTextBox_CreateInstance+50018
6e726888 c3              ret

SYMBOL_STACK_INDEX:  1
SYMBOL_NAME:  PTXT9!QSTextBox_CreateInstance+50018
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  PTXT9.DLL
STACK_COMMAND:  ~0s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  WRONG_SYMBOLS_c0000095_PTXT9.DLL!QSTextBox_CreateInstance
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/mspub_exe/14_0_4750_1000/4b8bab0b/KERNELBASE_dll/6_1_7600_16385/4a5bdaae/c0000095/00009617.htm?Retriage=1
Followup: MachineOwner
---------

ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
002eb3b4 6e726888 c0000095 00000001 00000000 KERNELBASE!RaiseException+0x54
002eb3e4 6e6c4376 002eb3fc 00000004 00000000 PTXT9!QSTextBox_CreateInstance+0x50018
002eb400 6e6d1bef 00000000 77000000 00000000 PTXT9!QSManager_GetInstance+0x1f1c
002eb430 6e6d3064 0b80af38 002eb568 00000000 PTXT9!QSManager_GetInstance+0xf795
002eb45c 6e6d21be 0b80af38 0000000c 00000006 PTXT9!QSManager_GetInstance+0x10c0a
002eb488 6e6d210b 002eb568 4e4b4f54 00000009 PTXT9!QSManager_GetInstance+0xfd64
002eb4b8 6e6d2caa 0fab2fa0 002eb568 4e4b4f54 PTXT9!QSManager_GetInstance+0xfcb1
002eb558 6e6d2983 0b80af38 00000009 0b80af38 PTXT9!QSManager_GetInstance+0x10850
002eb5bc 6e6d28f0 0d210e80 ffffffff 2d15df4f PTXT9!QSManager_GetInstance+0x10529
002eb638 2d170f05 02000100 00000002 00000002 PTXT9!QSManager_GetInstance+0x10496
002ebfcc 2d1372e8 002ee66c 105d0fb0 00000008 mspub+0xe0f05
002ee620 2d369af9 002ee65c 00000000 00000000 mspub+0xa72e8
002eea44 2d20f557 002eeadc 6a885625 00000000 mspub+0x2d9af9
002efdc0 2d092a90 0000000a 2d85577c 0008ff8f mspub+0x17f557
002efe98 2d092117 2d090000 00000000 0000000a mspub+0x2a90
002efeac 2d0920d0 2d090000 00000000 0000000a mspub+0x2117
002efee8 2d092083 2d090000 00000000 0008ff8f mspub+0x20d0
002eff78 77cb1174 7ffde000 002effc4 77d9b3f5 mspub+0x2083
002eff84 77d9b3f5 7ffde000 7d9376ff 00000000 kernel32!BaseThreadInitThunk+0x12
002effc4 77d9b3c8 2d091af8 7ffde000 ffffffff ntdll!RtlInitializeExceptionChain+0x63
KERNELBASE!RaiseException+0x54:
75f19617 c9              leave
75f19618 c21000          ret     10h
75f1961b 8945c0          mov     dword ptr [ebp-40h],eax
75f1961e ebed            jmp     KERNELBASE!RaiseException+0x4a (75f1960d)
75f19620 90              nop
75f19621 90              nop
75f19622 90              nop
75f19623 90              nop


========================================================
Case #07:

CommandLine: "C:\Program Files\Microsoft Office\Office14\MSPUB.EXE" C:\sf_a4f51cf9de2546169858028b21554388-9943.pub
(...)
Executable search path is:
ModLoad: 2de90000 2e861000   mspub.exe
ModLoad: 77490000 775cc000   ntdll.dll
ModLoad: 6d150000 6d1b0000   C:\Windows\system32\verifier.dll
(...)
(d24.f40): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0d1f10b0 ebx=001d9882 ecx=001d9ba0 edx=001da1a6 esi=ffffffff edi=0d016f0a
eip=6cb6f667 esp=001d97e0 ebp=001d98c0 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
PTXT9!QSTextBox_CreateInstance+0x28df7:
6cb6f667 0fb710          movzx   edx,word ptr [eax]       ds:0023:0d1f10b0=????

0:000>
eax=0d1f10b0 ebx=001d9882 ecx=001d9ba0 edx=001da1a6 esi=ffffffff edi=0d016f0a
eip=6cb6f667 esp=001d97e0 ebp=001d98c0 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00210286
PTXT9!QSTextBox_CreateInstance+0x28df7:
6cb6f667 0fb710          movzx   edx,word ptr [eax]       ds:0023:0d1f10b0=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for ntdll.dll -
Exception Faulting Address: 0xd1f10b0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:6cb6f667 movzx edx,word ptr [eax]

Basic Block:
    6cb6f667 movzx edx,word ptr [eax]
       Tainted Input operands: 'eax'
    6cb6f66a shr edx,0bh
    6cb6f66d lea edx,ptxt9!qstextbox_createinstance+0x28e28 (6cb6f698)[edx*8]
       Tainted Input operands: 'edx'
    6cb6f674 cmp dword ptr [edx+4],0
       Tainted Input operands: 'edx'
    6cb6f678 mov esi,dword ptr [edx]
       Tainted Input operands: 'edx'
    6cb6f67a je ptxt9!qstextbox_createinstance+0x28e15 (6cb6f685)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0xc8d7a75c.0x4d7c01da

 Hash Usage : Stack Trace:
Major+Minor : PTXT9!QSTextBox_CreateInstance+0x28df7
Major+Minor : PTXT9!QSManager_GetInstance+0x12307
Major+Minor : PTXT9!QSManager_GetInstance+0x12706
Major+Minor : PTXT9!QSManager_GetInstance+0x1023b
Instruction Address: 0x000000006cb6f667

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at PTXT9!QSTextBox_CreateInstance+0x0000000000028df7 (Hash=0xc8d7a75c.0x4d7c01da)

The data from the faulting address is later used to determine whether or not a branch is taken.


Maybe you will find it useful.

More details as well as all poc's you will find here.

Cheers.



Brak komentarzy:

Publikowanie komentarza