Tuesday, 25 December 2018

Crashing CANOpen Builder

Last time we talked about a few bugs found in ISPSoft and DCISoft. Today we will check the crash for CANOpen Builder by Delta Electronics. Here we go...

Let's try to open our malicious file. We should be somewhere here:



Version I tried you can find here:
 
Results from debugger:


---<windbg>---
eax=003a75f0 ebx=015ca2b0 ecx=7ffdf000 edx=00000000 esi=015ca2b0 edi=ffffffff
eip=015ca2cd esp=001bf158 ebp=001bf168 iopl=0         nv up ei ng nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010282
CANopen_Builder+0x2ea2cd:
015ca2cd e42d            in      al,2Dh

---<windbg>---



---<windbg>---
eax=6b119e5c ebx=014aa2b0 ecx=00000003 edx=00000000 esi=014aa2b0 edi=ffffffff
eip=76e14425 esp=00000000 ebp=001ff288 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
SHELL32!ShellExecuteExW+0x2899:
76e14425 0000            add     byte ptr [eax],al          ds:0023:6b119e5c=78
---<windbg>---



---<windbg>---
eax=0012f408 ebx=0064a2b0 ecx=00000003 edx=00000000 esi=0064a2b0 edi=ffffffff
eip=00609a3f esp=76e73fff ebp=6b119e5c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010216
CANopen_Builder+0x2a9a3f:
00609a3f 00a03e4b00e0    add     byte ptr [eax-1FFFB4C2h],ah ds:0023:e0133f46=??
---<windbg>---
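
The three register dumps above each show a different symptom of memory corruption (a privileged instruction at eip, a zero stack pointer, a misaligned stack pointer plus a read from unmapped memory). The following script is an added example, not part of the original post, that parses dumps in this WinDbg format and turns those symptoms into triage findings; the dumps are constructed copies of the ones shown above and the heuristics are my own.

```python
import re

# Constructed copies of the three WinDbg register dumps from this post,
# trimmed to the lines the triage needs.
DUMPS = [
    "eax=003a75f0 ebx=015ca2b0 ecx=7ffdf000 edx=00000000 esi=015ca2b0 edi=ffffffff\n"
    "eip=015ca2cd esp=001bf158 ebp=001bf168 iopl=0         nv up ei ng nz na po nc\n"
    "CANopen_Builder+0x2ea2cd:\n"
    "015ca2cd e42d            in      al,2Dh",
    "eax=6b119e5c ebx=014aa2b0 ecx=00000003 edx=00000000 esi=014aa2b0 edi=ffffffff\n"
    "eip=76e14425 esp=00000000 ebp=001ff288 iopl=0         nv up ei pl zr na pe nc\n"
    "SHELL32!ShellExecuteExW+0x2899:\n"
    "76e14425 0000            add     byte ptr [eax],al          ds:0023:6b119e5c=78",
    "eax=0012f408 ebx=0064a2b0 ecx=00000003 edx=00000000 esi=0064a2b0 edi=ffffffff\n"
    "eip=00609a3f esp=76e73fff ebp=6b119e5c iopl=0         nv up ei pl nz ac pe nc\n"
    "CANopen_Builder+0x2a9a3f:\n"
    "00609a3f 00a03e4b00e0    add     byte ptr [eax-1FFFB4C2h],ah ds:0023:e0133f46=??",
]

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[sbi]p)=([0-9a-f]{8})")
SYM_RE = re.compile(r"^(\w+)(?:!\S+)?\+0x[0-9a-f]+:$", re.M)   # module[!symbol]+0xoff:
INSN_RE = re.compile(r"^[0-9a-f]{8}\s+[0-9a-f]+\s+(\w+)\s*(.*)$", re.M)  # addr bytes mnem ops
# Instructions a user-mode program never legitimately executes; one at eip
# almost always means eip was redirected into non-code bytes.
PRIVILEGED = {"in", "out", "hlt", "cli", "sti", "lgdt", "lidt", "iretd"}

def triage(dump):
    """Parse one WinDbg register dump and return the module at eip, eip, esp
    and a list of heuristic findings about how the process state is damaged."""
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(dump)}
    sym = SYM_RE.search(dump)
    insn = INSN_RE.search(dump)
    mnemonic, operands = (insn.group(1), insn.group(2)) if insn else ("", "")
    findings = []
    esp = regs.get("esp", 0)
    if esp == 0:
        findings.append("esp is zero: stack pointer clobbered")
    elif esp % 4:  # x86 stack pointer should stay 4-byte aligned
        findings.append("esp misaligned: stack pointer clobbered")
    if mnemonic in PRIVILEGED:
        findings.append("privileged instruction at eip: control flow corrupted")
    if mnemonic == "add" and operands.startswith("byte ptr [eax],al"):
        findings.append("eip decodes 00 00 bytes: control flow corrupted")
    if "=??" in dump:  # WinDbg prints ?? when the accessed address is unmapped
        findings.append("faulting access to unmapped memory")
    return {"module": sym.group(1) if sym else None, "eip": regs.get("eip"),
            "esp": esp, "findings": findings}
```

Running `triage` over each entry of `DUMPS` reproduces the three observations made in the text, which is the kind of first-pass sorting that decides which crashes get a debugger session first.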

There are a few more bugs found during this fuzzing, so if you want them too, feel free to drop me an email/comment or ping me on twitter. I'm waiting...

Balthazar / Constantine
See you next time.
