Below you will find a few crashes for the latest FreePlane (1.6.15, 32-bit), found a few weeks ago (~10.08.2018) during one fuzzing session. Enjoy...
I found the app here:
but you should also check the Wiki for some news and updates.
Below are a few results:
Case #01:
---<windbg>---
1:016>
eax=00100000 ebx=37d62f20 ecx=00000000 edx=70500001 esi=3750981d edi=03e2e3d4
eip=014a0677 esp=03e2e35c ebp=03e2e384 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
014a0677 3b01 cmp eax,dword ptr [ecx] ds:0023:00000000=????????
(...)
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:014a0677 cmp eax,dword ptr [ecx]
Basic Block:
014a0677 cmp eax,dword ptr [ecx]
Tainted Input operands: 'eax','ecx'
014a0679 lea esi,[esp+4]
014a067d mov dword ptr [ebp-8],esi
014a0680 jmp dword ptr [ebx+44h]
Exception Hash (Major/Minor): 0x226007ee.0x6fccfb32
Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : jvm!JVM_Clone+0x41e62
Major+Minor : jvm!JVM_Clone+0x4259a
Major+Minor : jvm!JVM_FindSignal+0x62d3e
Minor : jvm!JVM_Clone+0x4261d
Minor : jvm+0xa6436
Minor : jvm+0xa6e3e
Minor : jvm+0xa7294
Minor : jvm+0xa75a8
Minor : jvm+0x6fc3c
Minor : jvm+0x70ee2
Minor : jvm+0x6d069
Minor : jvm!JVM_Clone+0x41e62
Minor : jvm!JVM_Clone+0x4259a
Minor : jvm!JVM_FindSignal+0x62d3e
Minor : jvm!JVM_Clone+0x4261d
Minor : jvm+0xa6436
Minor : jvm+0xa6e3e
Minor : jvm+0xa7294
Minor : jvm+0xa75a8
Minor : jvm+0x6fc3c
Minor : jvm+0x70ee2
Minor : jvm+0x6d069
Minor : jvm!JVM_Clone+0x41e62
Minor : jvm!JVM_Clone+0x4259a
Minor : jvm!JVM_FindSignal+0x62d3e
Minor : jvm!JVM_Clone+0x4261d
Minor : jvm+0xa6436
Minor : jvm+0xa6e3e
Minor : jvm+0xa7294
Minor : jvm+0xa75a8
Minor : jvm+0x70f7e
Minor : jvm+0x717e6
Minor : jvm+0x71aa7
Minor : jvm+0x6dc30
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : jvm!JVM_Clone+0x41e62
Minor : jvm!JVM_Clone+0x4259a
Minor : jvm!JVM_FindSignal+0x62d3e
Minor : jvm!JVM_Clone+0x42765
Minor : jvm!JVM_Clone+0x427c7
Minor : jvm!jio_printf+0xaf
Minor : jvm!JVM_Clone+0x637dc
Minor : jvm!JVM_Clone+0x64217
Minor : jvm!JVM_FindSignal+0x4c49
Minor : msvcr100!endthreadex+0x3a
Minor : msvcr100!endthreadex+0xe4
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000014a0677
Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at Unknown Symbol @ 0x00000000014a0677 called from jvm!JVM_Clone+0x0000000000041e62 (Hash=0x226007ee.0x6fccfb32)
This is a user mode read access violation near null, and is probably not exploitable.
---</windbg>---
Case #02:
---<windbg>---
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x100100
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:01705529 test dword ptr ds:[100100h],eax
Basic Block:
01705529 test dword ptr ds:[100100h],eax
Tainted Input operands: 'eax'
0170552f ret
Tainted Input operands: 'eax'
Exception Hash (Major/Minor): 0x83f3e768.0x2ae6309c
Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : jvm!JVM_Clone+0x41e62
Minor : jvm!JVM_Clone+0x4259a
Minor : jvm!JVM_FindSignal+0x62d3e
Minor : jvm!JVM_Clone+0x42765
Minor : jvm!JVM_Clone+0x427c7
Minor : jvm!jio_printf+0xaf
Minor : jvm!JVM_Clone+0x637dc
Minor : jvm!JVM_Clone+0x64217
Minor : jvm!JVM_FindSignal+0x4c49
Minor : msvcr100!endthreadex+0x3a
Minor : msvcr100!endthreadex+0xe4
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000001705529
Description: Data from Faulting Address may be used as a return value
Short Description: TaintedDataReturnedFromFunction
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at Unknown Symbol @ 0x0000000001705529 called from jvm!JVM_Clone+0x0000000000041e62 (Hash=0x83f3e768.0x2ae6309c)
---</windbg>---
Case #03:
---<windbg>---
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x190100
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:01a2f823 test dword ptr ds:[190100h],eax
Basic Block:
01a2f823 test dword ptr ds:[190100h],eax
Tainted Input operands: 'eax'
01a2f829 ret
Tainted Input operands: 'eax'
Exception Hash (Major/Minor): 0xb6fdbb4a.0x914e6706
Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : Unknown
Major+Minor : jvm!JVM_Clone+0x41e62
Minor : jvm!JVM_Clone+0x4259a
Minor : jvm!JVM_FindSignal+0x62d3e
Minor : jvm!JVM_Clone+0x4261d
Minor : jvm!JVM_DoPrivileged+0x2ea
Minor : java!Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedAction_2+0x15
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : Unknown
Minor : jvm!JVM_Clone+0x41e62
Minor : jvm!JVM_Clone+0x4259a
Minor : jvm!JVM_FindSignal+0x62d3e
Minor : jvm!JVM_Clone+0x42765
Minor : jvm!JVM_Clone+0x427c7
Minor : jvm!jio_printf+0xaf
Minor : jvm!JVM_Clone+0x637dc
Minor : jvm!JVM_Clone+0x64217
Minor : jvm!JVM_FindSignal+0x4c49
Minor : msvcr100!endthreadex+0x3a
Minor : msvcr100!endthreadex+0xe4
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000001a2f823
Description: Data from Faulting Address may be used as a return value
Short Description: TaintedDataReturnedFromFunction
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address may be used as a return value starting at Unknown Symbol @ 0x0000000001a2f823 called from jvm!JVM_Clone+0x0000000000041e62 (Hash=0xb6fdbb4a.0x914e6706)
The data from the faulting address may later be used as a return value from this function.
---</windbg>---
All described cases (and those not yet described) can be found here.
In case of any questions, you'll know how to find me.
Cheers