Sunday, 24 June 2018

WriteAV / NullPtrDeref for IBM Lotus Notes 8.5

Below you will find a few new files from my 'small fuzzing session(s)'. Some older cases you can also find here, but below we present the crash of IBM Lotus Notes 8.5.3. Here we go...

TL;DR - the zip file you will find here contains 9 crashes for IBM Lotus Notes 8.5.3.

(Just to not make the post 'so big' this time,) only one crash is presented below:

---<log>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\IBM\Lotus\Notes\notes.exe" C:\sf_dffe05c8c360073891dd8fe3172fe4c2-fu9x3m.ntf
(...)
Executable search path is:
ModLoad: 00400000 00508000   notes.exe
(...)
(2b8.1468): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=04fb0088 ecx=00000000 edx=00000001 esi=0461cd0c edi=04fb0eb3
eip=609a84e3 esp=0012cec4 ebp=0012ffc0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
nnotes!NSFDbOpenExtended6+0x3ac3:
609a84e3 80486501        or      byte ptr [eax+65h],1       ds:0023:00000065=??

1:001> r;!exploitable -v;kb;!analyze -v;u eip-2;u eip-1;u eip;r;q
eax=00000000 ebx=04fb0088 ecx=00000000 edx=00000001 esi=0461cd0c edi=04fb0eb3
eip=609a84e3 esp=0012cec4 ebp=0012ffc0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010202
nnotes!NSFDbOpenExtended6+0x3ac3:
609a84e3 80486501        or      byte ptr [eax+65h],1       ds:0023:00000065=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x65
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:609a84e3 or byte ptr [eax+65h],1

Basic Block:
    609a84e3 or byte ptr [eax+65h],1
       Tainted Input operands: 'eax'
    609a84e7 cmp dword ptr [ebp-3ch],0
    609a84eb jne nnotes!nsfdbopenextended6+0x3af5 (609a8515)

Exception Hash (Major/Minor): 0x6b199152.0x1a96f8fb

 Hash Usage : Stack Trace:
Major+Minor : nnotes!NSFDbOpenExtended6+0x3ac3
Major+Minor : nnotes!NSFDbOpenExtended5+0x40
Major+Minor : nnotes!NSFDbOpenExtended5+0x8a
Major+Minor : nnotes!NSFDbOpenExtended3+0x41
Major+Minor : nnotes!NSFDbOpenExtended2+0x36
Minor       : nnotesws!NEMPostStatus+0x13c57
Minor       : nnotesws!DocumentModalEdit+0x39e3f
Minor       : nnotesws!DocumentModalEdit+0x9563
Minor       : nnotesws!NEMGetWindowLong+0x719
Minor       : nnotesws+0x4d26
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : USER32!CallMsgFilterW+0x213
Minor       : USER32!GetCursorFrameInfo+0x1cc
Minor       : USER32!SoftModalMessageBox+0x677
Minor       : USER32!MessageBoxIndirectA+0x23a
Minor       : USER32!MessageBoxTimeoutW+0x7a
Minor       : USER32!MessageBoxExW+0x1b
Minor       : USER32!MessageBoxW+0x45
Minor       : nnotesws!NEMMessageBox+0x508
Minor       : nnotesws!NEMDisplayError1+0x1c5
Minor       : nnotesws!NEMDisplayError+0x2f
Minor       : nnotesws!DocumentModalEdit+0xa565
Minor       : nnotesws+0x3be1
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : USER32!CallMsgFilterW+0x213
Minor       : USER32!GetCursorFrameInfo+0x1cc
Minor       : USER32!SoftModalMessageBox+0x677
Minor       : USER32!MessageBoxIndirectA+0x23a
Minor       : USER32!MessageBoxTimeoutW+0x7a
Minor       : USER32!MessageBoxExW+0x1b
Minor       : USER32!MessageBoxW+0x45
Minor       : nnotesws!NEMMessageBox+0x508
Minor       : nnotesws!NEMDisplayError1+0x1c5
Minor       : nnotesws!NEMDisplayError+0x2f
Minor       : nnotesws!DocumentModalEdit+0xa565
Minor       : nnotesws+0x3be1
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : USER32!CallMsgFilterW+0x213
Minor       : USER32!GetCursorFrameInfo+0x1cc
Minor       : USER32!SoftModalMessageBox+0x677
Minor       : USER32!MessageBoxIndirectA+0x23a
Minor       : USER32!MessageBoxTimeoutW+0x7a
Minor       : USER32!MessageBoxExW+0x1b
Minor       : USER32!MessageBoxW+0x45
Minor       : nnotesws!NEMMessageBox+0x508
Minor       : nnotesws!NEMDisplayError1+0x1c5
Minor       : nnotesws!NEMDisplayError+0x2f
Minor       : nnotesws!DocumentModalEdit+0xa565
Minor       : nnotesws+0x3be1
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : nnotesws!NEMMainLoop+0x32b
Minor       : nlnotes+0x1a41
Instruction Address: 0x00000000609a84e3

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at nnotes!NSFDbOpenExtended6+0x0000000000003ac3 (Hash=0x6b199152.0x1a96f8fb)

User mode write access violations that are near NULL are unknown.
(...)

ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ffc0 609adaf0 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended6+0x3ac3
00130004 609adb3a 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended5+0x40
00130040 60031cc1 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended5+0x8a
00130120 6008ee86 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended3+0x41
00130158 630845f7 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended2+0x36
001302b0 635c0e6f 04d2fb20 001308b8 00000000 nnotesws!NEMPostStatus+0x13c57
00130778 63590593 04d2fb20 006cffff 001308b8 nnotesws!DocumentModalEdit+0x39e3f
001308bc 63025739 63c82348 00130fe8 011e9218 nnotesws!DocumentModalEdit+0x9563
00130b84 63024d26 011e9218 00000113 000003ef nnotesws!NEMGetWindowLong+0x719
00130fec 7e418734 01dc00f8 00000113 000003ef nnotesws+0x4d26
00131018 7e418816 63022ec0 01dc00f8 00000113 USER32!GetDC+0x6d
00131080 7e4189cd 00000000 63022ec0 01dc00f8 USER32!GetDC+0x14f
001310e0 7e418a10 00131108 00000000 00131128 USER32!GetWindowLongW+0x127
001310f0 7e427721 00131108 00880382 00000001 USER32!DispatchMessageW+0xf
00131128 7e4249c4 006b02e2 00880382 00000000 USER32!CallMsgFilterW+0x213
00131150 7e43a956 7e410000 001910f0 00880382 USER32!GetCursorFrameInfo+0x1cc
00131410 7e43a2bc 0013156c 0000002c 00880382 USER32!SoftModalMessageBox+0x677
00131560 7e4663fd 0013156c 00000028 00880382 USER32!MessageBoxIndirectA+0x23a
001315b8 7e450853 00880382 00131618 00132118 USER32!MessageBoxTimeoutW+0x7a
001315d8 7e466579 00880382 00131618 00132118 USER32!MessageBoxExW+0x1b
(...)
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
(...)

FAULTING_IP:
nnotes!NSFDbOpenExtended6+3ac3
609a84e3 80486501        or      byte ptr [eax+65h],1

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 609a84e3 (nnotes!NSFDbOpenExtended6+0x00003ac3)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 00000065
Attempt to write to address 00000065

FAULTING_THREAD:  00001468
PROCESS_NAME:  nlnotes.exe
MODULE_NAME: nnotes
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  4e72fa6a
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".
EXCEPTION_PARAMETER1:  00000001
EXCEPTION_PARAMETER2:  00000065
WRITE_ADDRESS:  00000065

FOLLOWUP_IP:
nnotes!NSFDbOpenExtended6+3ac3
609a84e3 80486501        or      byte ptr [eax+65h],1

BUGCHECK_STR:  APPLICATION_FAULT_NULL_CLASS_PTR_DEREFERENCE_INVALID_POINTER_WRITE_WRONG_SYMBOLS
PRIMARY_PROBLEM_CLASS:  NULL_CLASS_PTR_DEREFERENCE
DEFAULT_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE
LAST_CONTROL_TRANSFER:  from 609adaf0 to 609a84e3

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
0012ffc0 609adaf0 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended6+0x3ac3
00130004 609adb3a 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended5+0x40
00130040 60031cc1 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended5+0x8a
00130120 6008ee86 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended3+0x41
00130158 630845f7 04d2fb20 00006002 00000000 nnotes!NSFDbOpenExtended2+0x36
001302b0 635c0e6f 04d2fb20 001308b8 00000000 nnotesws!NEMPostStatus+0x13c57
00130778 63590593 04d2fb20 006cffff 001308b8 nnotesws!DocumentModalEdit+0x39e3f
001308bc 63025739 63c82348 00130fe8 011e9218 nnotesws!DocumentModalEdit+0x9563
00130b84 63024d26 011e9218 00000113 000003ef nnotesws!NEMGetWindowLong+0x719
00130fec 7e418734 01dc00f8 00000113 000003ef nnotesws+0x4d26
00131018 7e418816 63022ec0 01dc00f8 00000113 USER32!GetDC+0x6d
00131080 7e4189cd 00000000 63022ec0 01dc00f8 USER32!GetDC+0x14f
001310e0 7e418a10 00131108 00000000 00131128 USER32!GetWindowLongW+0x127
001310f0 7e427721 00131108 00880382 00000001 USER32!DispatchMessageW+0xf
00131128 7e4249c4 006b02e2 00880382 00000000 USER32!CallMsgFilterW+0x213
00131150 7e43a956 7e410000 001910f0 00880382 USER32!GetCursorFrameInfo+0x1cc
00131410 7e43a2bc 0013156c 0000002c 00880382 USER32!SoftModalMessageBox+0x677
00131560 7e4663fd 0013156c 00000028 00880382 USER32!MessageBoxIndirectA+0x23a
001315b8 7e450853 00880382 00131618 00132118 USER32!MessageBoxTimeoutW+0x7a
001315d8 7e466579 00880382 00131618 00132118 USER32!MessageBoxExW+0x1b
001315f4 63169bb8 00880382 00131618 00132118 USER32!MessageBoxW+0x45
00132a90 6316eb55 0000038e 00132bb4 00000000 nnotesws!NEMMessageBox+0x508
001330b4 6316ec4f 0000038e 00000000 01223df5 nnotesws!NEMDisplayError1+0x1c5
001332c8 63591595 0000038e 00000000 00000000 nnotesws!NEMDisplayError+0x2f
00133868 63023be1 0000d304 00000031 00133d2c nnotesws!DocumentModalEdit+0xa565
00133cc4 7e418734 01ab0110 000004ab 0000d304 nnotesws+0x3be1
00133cf0 7e418816 63022ec0 01ab0110 000004ab USER32!GetDC+0x6d
00133d58 7e4189cd 00000000 63022ec0 01ab0110 USER32!GetDC+0x14f
00133db8 7e418a10 00133de0 00000000 00133e00 USER32!GetWindowLongW+0x127
00133dc8 7e427721 00133de0 01de0172 00000001 USER32!DispatchMessageW+0xf
00133e00 7e4249c4 00880382 01de0172 00000000 USER32!CallMsgFilterW+0x213
00133e28 7e43a956 7e410000 00189648 01de0172 USER32!GetCursorFrameInfo+0x1cc
001340e8 7e43a2bc 00134244 0000002c 01de0172 USER32!SoftModalMessageBox+0x677
00134238 7e4663fd 00134244 00000028 01de0172 USER32!MessageBoxIndirectA+0x23a
00134290 7e450853 01de0172 001342f0 00134df0 USER32!MessageBoxTimeoutW+0x7a
001342b0 7e466579 01de0172 001342f0 00134df0 USER32!MessageBoxExW+0x1b
001342cc 63169bb8 01de0172 001342f0 00134df0 USER32!MessageBoxW+0x45
00135768 6316eb55 0000038e 0013588c 00000000 nnotesws!NEMMessageBox+0x508
00135d8c 6316ec4f 0000038e 00000000 01223d75 nnotesws!NEMDisplayError1+0x1c5
00135fa0 63591595 0000038e 00000000 00000000 nnotesws!NEMDisplayError+0x2f
00136540 63023be1 0000d303 00000031 00136a04 nnotesws!DocumentModalEdit+0xa565
0013699c 7e418734 01ab0110 000004ab 0000d303 nnotesws+0x3be1
001369c8 7e418816 63022ec0 01ab0110 000004ab USER32!GetDC+0x6d
00136a30 7e4189cd 00000000 63022ec0 01ab0110 USER32!GetDC+0x14f
00136a90 7e418a10 00136ab8 00000000 00136ad8 USER32!GetWindowLongW+0x127
00136aa0 7e427721 00136ab8 01de0172 00000000 USER32!DispatchMessageW+0xf
00136ad8 7e4249c4 01c80294 01de0172 00000001 USER32!CallMsgFilterW+0x213
00136b00 7e43a956 7e410000 00172b98 01de0172 USER32!GetCursorFrameInfo+0x1cc
00136dc0 7e43a2bc 00136f1c 0000002c 01de0172 USER32!SoftModalMessageBox+0x677
00136f10 7e4663fd 00136f1c 00000028 01de0172 USER32!MessageBoxIndirectA+0x23a
00136f68 7e450853 01de0172 00136fc8 00137ac8 USER32!MessageBoxTimeoutW+0x7a
00136f88 7e466579 01de0172 00136fc8 00137ac8 USER32!MessageBoxExW+0x1b
00136fa4 63169bb8 01de0172 00136fc8 00137ac8 USER32!MessageBoxW+0x45
00138440 6316eb55 0000038e 00138564 00000000 nnotesws!NEMMessageBox+0x508
00138a64 6316ec4f 0000038e 00000000 01223cf5 nnotesws!NEMDisplayError1+0x1c5
00138c78 63591595 0000038e 00000000 00000000 nnotesws!NEMDisplayError+0x2f
00139218 63023be1 0000d302 00000031 001396dc nnotesws!DocumentModalEdit+0xa565
00139674 7e418734 01ab0110 000004ab 0000d302 nnotesws+0x3be1
001396a0 7e418816 63022ec0 01ab0110 000004ab USER32!GetDC+0x6d
00139708 7e4189cd 00000000 63022ec0 01ab0110 USER32!GetDC+0x14f
00139768 7e418a10 00139790 00000000 001397b4 USER32!GetWindowLongW+0x127
00139778 630b8efb 00139790 00000001 01ab0110 USER32!DispatchMessageW+0xf
001397b4 00401a41 004013a0 7c80b741 0016231d nnotesws!NEMMainLoop+0x32b
0013ff18 00402721 630f67c0 00000000 0016231d nlnotes+0x1a41
0013ffc0 7c817077 7c910460 7c980620 7ffdf000 nlnotes+0x2721
0013fff0 00000000 0040259c 00000000 78746341 kernel32!RegisterWaitForInputIdle+0x49

SYMBOL_STACK_INDEX:  0
SYMBOL_NAME:  nnotes!NSFDbOpenExtended6+3ac3
FOLLOWUP_NAME:  MachineOwner
IMAGE_NAME:  nnotes.dll
STACK_COMMAND:  ~1s ; kb
BUCKET_ID:  WRONG_SYMBOLS
FAILURE_BUCKET_ID:  NULL_CLASS_PTR_DEREFERENCE_c0000005_nnotes.dll!NSFDbOpenExtended6
WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/nlnotes_exe/8_5_30_11258/4e72fa51/nnotes_dll/8_5_30_11258/4e72fa6a/c0000005/009a84e3.htm?Retriage=1
---</log>---

All of the mentioned 9 crashes you will find in the zip file on my GitHub.
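As an added example (not code from the original post), a small Python triage helper that parses the fields shown in the !exploitable / !analyze output above, classifies the crash as a near-NULL write, and buckets several such logs by their Major/Minor hash so the 9 crash files collapse into distinct bugs. The 64 KiB near-NULL threshold is my own rule of thumb, and the embedded log excerpt is constructed from the crash shown above.

```python
import re

# Constructed excerpt of the !exploitable / !analyze output shown above;
# only the lines the parser needs, copied from the presented crash.
SAMPLE_LOG = """\
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:609a84e3 or byte ptr [eax+65h],1
Exception Hash (Major/Minor): 0x6b199152.0x1a96f8fb
Major+Minor : nnotes!NSFDbOpenExtended6+0x3ac3
Description: User Mode Write AV near NULL
WRITE_ADDRESS:  00000065
"""

# Assumption (common triage rule): the first 64 KiB of user space is never
# mapped on Windows, so a fault there is a NULL-based dereference.
NEAR_NULL_LIMIT = 0x10000

FIELDS = {
    "exc_type": re.compile(r"^First Chance Exception Type:\s*(\S+)", re.M),
    "sub_type": re.compile(r"^Exception Sub-Type:\s*(.+)$", re.M),
    "instr":    re.compile(r"^Faulting Instruction:\s*[0-9a-f]+\s+(.+)$", re.M),
    "hash":     re.compile(r"^Exception Hash \(Major/Minor\):\s*(\S+)", re.M),
    "symbol":   re.compile(r"^Major\+Minor\s*:\s*(\S+)", re.M),  # top frame
    "address":  re.compile(r"^(?:WRITE|READ)_ADDRESS:\s*([0-9a-f]+)", re.M),
}

def parse_crash(log: str) -> dict:
    """Pull the triage-relevant fields out of one WinDbg crash log."""
    rec = {name: (m.group(1).strip() if (m := rx.search(log)) else None)
           for name, rx in FIELDS.items()}
    rec["address"] = int(rec["address"], 16) if rec["address"] else None
    return rec

def triage(rec: dict) -> str:
    """Own rule of thumb, not !exploitable's: an AV below the never-mapped
    first 64 KiB is a NULL-based dereference (a crash / DoS candidate);
    anything else needs a closer look at where the pointer comes from."""
    if rec["exc_type"] != "STATUS_ACCESS_VIOLATION" or rec["address"] is None:
        return "unknown"
    if rec["address"] < NEAR_NULL_LIMIT:
        return "null-deref (likely DoS)"
    return "write-av" if "Write" in (rec["sub_type"] or "") else "read-av"

def bucket(records) -> dict:
    """Group parsed crashes by the Major/Minor hash; one key per distinct bug."""
    buckets = {}
    for r in records:
        buckets.setdefault(r["hash"], []).append(r["symbol"])
    return buckets
```

Feed each of the 9 logs through parse_crash and then bucket the results; identical hashes mean the same crash site reached through the same stack, not 9 separate bugs.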

In case of any questions, feel free to ping me at @twitter or drop me an email.

Cheers,
Cody

o/
