Found 16.08.2017. Maybe you will find it useful.
Below you will find a DEP violation bug found during a quick fuzzing session.
TL;DR
Crashed in NSFForEachNamObjEntry(): the first-chance exception is a 16-bit write (mov word ptr [eax],cx) with eax=0000006e, i.e. a write to a near-NULL address. The DEP / exception-handler-chain-corrupted verdict further down comes from the second-chance state, for which the debugger could not read the exception record or the context and which !analyze buckets as SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL with WRONG_SYMBOLS, so treat the EXPLOITABLE classification with caution until the first-chance write has been analysed.
-----------------------------------------------------
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\IBM\Notes\notes.exe" C:\sf_879c13ad4eba231d656b7fa10f2487b5-653.ntf
(...)
Executable search path is:
ModLoad: 01330000 01513000 notes.exe
(...)
(1454.748): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0000006e ebx=00000000 ecx=63725600 edx=6372aa00 esi=00000000 edi=061cc08c
eip=6413b87d esp=001c38c0 ebp=001c39a4 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
nnotes!NSFForEachNamObjEntry+0x3aad:
6413b87d 668908 mov word ptr [eax],cx ds:0023:0000006e=????
1:001>
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
eax=001c31b8 ebx=00000000 ecx=00000000 edx=00000000 esi=001c31b8 edi=00000000
eip=771f64f4 esp=001c3154 ebp=001c31a4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
771f64f4 c3 ret
WARNING: Continuing a non-continuable exception
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
WARNING: Continuing a non-continuable exception
(...)
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
eax=001c31b8 ebx=00000000 ecx=00000000 edx=00000000 esi=001c31b8 edi=00000000
eip=771f64f4 esp=001c3154 ebp=001c31a4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000202
ntdll!KiFastSystemCallRet:
771f64f4 c3 ret
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Data Execution Protection (DEP) Violation
Exception Hash (Major/Minor): 0x6b8f89be.0x39f1bda8
Hash Usage : Stack Trace:
Excluded : ntdll!KiFastSystemCallRet+0x0
Major+Minor : ntdll!RtlRemoteCall+0x236
Major+Minor : ntdll!RtlTimeToElapsedTimeFields+0x14877
Major+Minor : ntdll!TpSetTimer+0x25e
Excluded : ntdll!KiUserExceptionDispatcher+0xf
Excluded : Unknown
Excluded : Unknown
Excluded : Unknown
Excluded : Unknown
Excluded : Unknown
Instruction Address: 0x00000000771f64f4
Description: Exception Handler Chain Corrupted
Short Description: ExceptionHandlerCorrupted
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Exception Handler Chain Corrupted starting at ntdll!KiFastSystemCallRet+0x0000000000000000 called from ntdll!RtlRemoteCall+0x0000000000000236 (Hash=0x6b8f89be.0x39f1bda8)
Corruption of the exception handler chain is considered exploitable
>>
ntdll!KiFastSystemCall+0x2:
771f64f2 0f34 sysenter
ntdll!KiFastSystemCallRet:
771f64f4 c3 ret
771f64f5 8da42400000000 lea esp,[esp]
771f64fc 8d642400 lea esp,[esp]
ntdll!KiIntSystemCall:
771f6500 8d542408 lea edx,[esp+8]
771f6504 cd2e int 2Eh
771f6506 c3 ret
771f6507 90 nop
ntdll!KiFastSystemCall+0x3:
771f64f3 34c3 xor al,0C3h
771f64f5 8da42400000000 lea esp,[esp]
771f64fc 8d642400 lea esp,[esp]
ntdll!KiIntSystemCall:
771f6500 8d542408 lea edx,[esp+8]
771f6504 cd2e int 2Eh
771f6506 c3 ret
771f6507 90 nop
ntdll!RtlRaiseException:
771f6508 55 push ebp
ntdll!KiFastSystemCallRet:
771f64f4 c3 ret
771f64f5 8da42400000000 lea esp,[esp]
771f64fc 8d642400 lea esp,[esp]
ntdll!KiIntSystemCall:
771f6500 8d542408 lea edx,[esp+8]
771f6504 cd2e int 2Eh
771f6506 c3 ret
771f6507 90 nop
ntdll!RtlRaiseException:
771f6508 55 push ebp
(...)
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)
FAULTING_IP:
+6901952f0016d40c
00000000 ?? ???
EXCEPTION_RECORD: 6716a585 -- (.exr 0x6716a585)
.exr 0x6716a585
Cannot read Exception record @ 6716a585
FAULTING_THREAD: 00000748
PROCESS_NAME: nlnotes.exe
MODULE_NAME: ntdll
FAULTING_MODULE: 771b0000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 4a5bdadb
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced (localized message text, truncated in the debugger output)
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced (localized message text, truncated in the debugger output)
EXCEPTION_PARAMETER1: 00000008
WRITE_ADDRESS: 00000000
FOLLOWUP_IP:
ntdll!KiFastSystemCallRet+0
771f64f4 c3 ret
FAILED_INSTRUCTION_ADDRESS:
+6901952f0016d40c
00000000 ?? ???
CONTEXT: 255f5600 -- (.cxr 0x255f5600)
.cxr 0x255f5600
Unable to read context, Win32 error 0n30
.cxr
BUGCHECK_STR: APPLICATION_FAULT_SOFTWARE_NX_FAULT_FALSE_POSITIVE_SOFTWARE_NX_FAULT_NULL_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL
DEFAULT_BUCKET_ID: SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL
LAST_CONTROL_TRANSFER: from 7726a862 to 771f64f4
STACK_TEXT:
771f64f4 ntdll!KiFastSystemCallRet+0x0
7726a862 ntdll!RtlRemoteCall+0x236
7723dd0b ntdll!RtlTimeToElapsedTimeFields+0x14877
771d8d24 ntdll!TpSetTimer+0x25e
771f6457 ntdll!KiUserExceptionDispatcher+0xf
1e24229b unknown+0x0
4a250d53 unknown+0x0
255f5600 unknown+0x0
6716a585 unknown+0x0
2574aa00 unknown+0x0
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: ntdll!KiFastSystemCallRet+1c31a4
FOLLOWUP_NAME: MachineOwner
IMAGE_NAME: ntdll.dll
STACK_COMMAND: .cxr 255F5600 ; kb ; dds 1c3154 ; kb
BUCKET_ID: WRONG_SYMBOLS
FAILURE_BUCKET_ID: SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL_c0000005_ntdll.dll!KiFastSystemCallRet
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/nlnotes_exe/9_0_10_13287/525ce2dd/unknown/0_0_0_0/bbbbbbb4/c0000005/00000000.htm?Retriage=1
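The session above gives two conflicting signals: a first-chance write to 0x6e inside nnotes!NSFForEachNamObjEntry, and a second-chance state that !exploitable rates EXPLOITABLE but !analyze buckets as a false positive with an unreadable exception record and context. The helper below is an added example (not part of the original post and not IBM Notes code): it parses WinDbg output of this shape, computes the effective address of the faulting instruction from the register dump, and rates the !exploitable verdict low-confidence when the debugger reports it could not read the exception record or context. The sample log is a trimmed copy of the lines above; the 64 KiB near-NULL threshold, the set of store-like mnemonics and the low-confidence markers are assumptions of this example.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the relevant lines of the WinDbg session above, trimmed to
# what triage needs (both chances, registers, faulting insn, !exploitable / !analyze).
SAMPLE_LOG = """\
(1454.748): Access violation - code c0000005 (first chance)
eax=0000006e ebx=00000000 ecx=63725600 edx=6372aa00 esi=00000000 edi=061cc08c
eip=6413b87d esp=001c38c0 ebp=001c39a4 iopl=0 nv up ei pl zr na pe nc
nnotes!NSFForEachNamObjEntry+0x3aad:
6413b87d 668908 mov word ptr [eax],cx ds:0023:0000006e=????
(1454.748): Access violation - code c0000005 (!!! second chance !!!)
eax=001c31b8 ebx=00000000 ecx=00000000 edx=00000000 esi=001c31b8 edi=00000000
eip=771f64f4 esp=001c3154 ebp=001c31a4 iopl=0 nv up ei pl nz na po nc
ntdll!KiFastSystemCallRet:
771f64f4 c3 ret
Exception Sub-Type: Data Execution Protection (DEP) Violation
Exploitability Classification: EXPLOITABLE
Cannot read Exception record @ 6716a585
Unable to read context, Win32 error 0n30
PRIMARY_PROBLEM_CLASS: SOFTWARE_NX_FAULT_FALSE_POSITIVE_NULL
BUCKET_ID: WRONG_SYMBOLS
"""

CHANCE_RE = re.compile(r"^\(\w+\.\w+\): Access violation - code c0000005 \((first chance|!!! second chance !!!)\)")
REG_RE = re.compile(r"\b(eax|ebx|ecx|edx|esi|edi|eip|esp|ebp)=([0-9a-f]{8})")
SYM_RE = re.compile(r"^(\w+!\w+(?:\+0x[0-9a-f]+)?):$")
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s*(.*)$")
MEM_RE = re.compile(r"(?:(byte|word|dword) ptr )?\[(e[a-z]{2})(?:([+-])(?:0x)?([0-9a-f]+))?\]")

# Assumption: x86 mnemonics whose first operand is the destination, so a memory
# operand in that position is a store.
STORE_LIKE = {"mov", "add", "sub", "and", "or", "xor", "inc", "dec", "stos"}
NEAR_NULL_LIMIT = 0x10000  # assumption: lowest 64 KiB is never mapped on Windows user mode
# Assumption: any of these in the log means the second-chance verdict rests on
# a context the debugger could not actually read.
LOW_CONFIDENCE_MARKERS = ("Cannot read Exception record", "Unable to read context",
                          "FALSE_POSITIVE", "WRONG_SYMBOLS")


@dataclass
class Fault:
    chance: str                    # "first" or "second"
    symbol: str = ""               # module!function+off at the faulting eip
    regs: Dict[str, int] = field(default_factory=dict)
    insn: str = ""
    access: Optional[str] = None   # "read" / "write" / None (no memory operand)
    address: Optional[int] = None  # effective address computed from the register dump
    width: int = 0
    verdict: str = ""


def classify(f: Fault) -> str:
    if f.address is None:
        return "no memory operand at faulting eip; crash site is elsewhere (inspect the exception record)"
    kind = "near-null " if f.address < NEAR_NULL_LIMIT else ""
    return f"{kind}{f.access} of {f.width} bytes at 0x{f.address:08x}"


def parse_faults(log: str) -> List[Fault]:
    """Start a new Fault at each 'Access violation' line and attach the register
    dump, symbol and first disassembled instruction that follow it."""
    faults: List[Fault] = []
    for line in log.splitlines():
        m = CHANCE_RE.match(line)
        if m:
            faults.append(Fault("first" if m.group(1) == "first chance" else "second"))
            continue
        if not faults:
            continue
        cur = faults[-1]
        regs = REG_RE.findall(line)
        if regs:
            cur.regs.update({r: int(v, 16) for r, v in regs})
            continue
        m = SYM_RE.match(line)
        if m:
            cur.symbol = m.group(1)
            continue
        m = INSN_RE.match(line)
        if m and not cur.insn:
            mnemonic, operands = m.group(1), m.group(2)
            cur.insn = f"{mnemonic} {operands}".strip()
            mem = MEM_RE.search(operands)
            if mem:
                size, base, sign, disp = mem.groups()
                addr = cur.regs.get(base, 0)  # unknown base register counts as 0
                if disp:
                    addr += int(disp, 16) * (-1 if sign == "-" else 1)
                cur.address = addr & 0xFFFFFFFF
                cur.width = {"byte": 1, "word": 2, "dword": 4}.get(size, 4)
                first_operand = operands.split(",")[0]
                cur.access = "write" if "[" in first_operand and mnemonic in STORE_LIKE else "read"
            cur.verdict = classify(cur)
    return faults


def exploitable_verdict_is_reliable(log: str) -> bool:
    """!exploitable only sees the thread context at the second chance; if that
    context was unreadable or !analyze called the bucket a false positive, the
    EXPLOITABLE label carries little weight."""
    return not any(marker in log for marker in LOW_CONFIDENCE_MARKERS)


def triage(log: str) -> dict:
    faults = parse_faults(log)
    first = next((f for f in faults if f.chance == "first"), None)
    m = re.search(r"Exploitability Classification: (\w+)", log)
    return {
        "root_cause_site": first.symbol if first else None,
        "first_chance": first,
        "exploitable_says": m.group(1) if m else None,
        "exploitable_reliable": exploitable_verdict_is_reliable(log),
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print("crash site  :", result["root_cause_site"])
    print("first chance:", result["first_chance"].verdict)
    print("!exploitable:", result["exploitable_says"],
          "(reliable)" if result["exploitable_reliable"] else "(low confidence)")
```

On the log above this reports the near-null 2-byte write at 0x0000006e in nnotes!NSFForEachNamObjEntry+0x3aad as the site to analyse and flags the EXPLOITABLE verdict as low confidence; the next step is to break on that instruction in the first-chance state and work out where eax came from.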
---------
More:
>> https://code610.blogspot.com
>> https://twitter.com/CodySixteen
Cheers