The software I tried is available here:
I installed it on Windows 7 (32-bit). After a while of using Zelio Soft 2, I saved a created 'file' as a sample file to use during the fuzz. Before I used it I copied it (3 times) and edited it a bit with HxD (so sample1 was the original saved file, sample2 was half of file1 and file3 was modified with 'example' 41414141 strings). Now I was ready to start 'the night' with the fuzzer.
More details about the app:
I also used a new version of PE-Bear to look for some hints inside the file:
* Currently updated to stable version 0.3.9
Checking file behaviour with OllyDbg:
Ok, TL;DR. Time for some examples (results this time come from WinDbg):
Case #01:
---<windbg>---
(8d4.810): Access violation - code c0000005 (!!! second chance !!!)
eax=80950000 ebx=03dda580 ecx=03c021b0 edx=005e0192 esi=03c021b0 edi=04a164ec
eip=80950000 esp=00f8e69c ebp=00f8e6b4 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
80950000 ?? ???
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffff80950000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Exception Hash (Major/Minor): 0xe93963c9.0xfdf7eb8d
Hash Usage : Stack Trace:
Major+Minor : Unknown
Major+Minor : image00400000+0x17c203
Major+Minor : image00400000+0x96288
Major+Minor : image00400000+0x10a38d
Major+Minor : image00400000+0xe7662
Minor : image00400000+0xf03de
Minor : image00400000+0xf22b8
Minor : image00400000+0xf2ff2
Minor : mfc100+0x1eabad
Minor : mfc100+0x1ea806
Minor : mfc100+0x1ea639
Minor : image00400000+0x923ee
Minor : mfc100+0x1a1a27
Minor : image00400000+0x921a6
Minor : mfc100+0x2486fc
Minor : image00400000+0x199461
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0xffffffff80950000
Description: Read Access Violation at the Instruction Pointer
Short Description: ReadAVonIP
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Read Access Violation at the Instruction Pointer starting at Unknown Symbol @ 0xffffffff80950000 called from image00400000+0x000000000017c203 (Hash=0xe93963c9.0xfdf7eb8d)
---<windbg>---
Cool. Let's see the next case.
Case #02:
---<windbg>---
(ab0.eec): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(ab0.eec): Access violation - code c0000005 (!!! second chance !!!)
eax=03b7c9ac ebx=000019df ecx=03b7c9ac edx=00f8e734 esi=01d7f608 edi=00000000
eip=00509caa esp=00f8e720 ebp=00f8e750 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
image00400000+0x109caa:
00509caa 8b17 mov edx,dword ptr [edi] ds:0023:00000000=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x0
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:00509caa mov edx,dword ptr [edi]
Basic Block:
00509caa mov edx,dword ptr [edi]
Tainted Input operands: 'edi'
00509cac push eax
00509cad mov eax,dword ptr [edx+24h]
Tainted Input operands: 'edx'
00509cb0 mov ecx,edi
Tainted Input operands: 'edi'
00509cb2 call eax
Tainted Input operands: 'eax','ecx','edx'
Exception Hash (Major/Minor): 0x3eda38dc.0x7f1027f5
Hash Usage : Stack Trace:
Major+Minor : image00400000+0x109caa
Major+Minor : image00400000+0x10b8f9
Major+Minor : image00400000+0xe765c
Major+Minor : image00400000+0xf03de
Major+Minor : image00400000+0xf22b8
Minor : image00400000+0xf2ff2
Minor : mfc100+0x1eabad
Minor : mfc100+0x1ea806
Minor : mfc100+0x1ea639
Minor : image00400000+0x923ee
Minor : mfc100+0x1a1a27
Minor : image00400000+0x921a6
Minor : mfc100+0x2486fc
Minor : image00400000+0x199461
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000000509caa
Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at image00400000+0x0000000000109caa (Hash=0x3eda38dc.0x7f1027f5)
---<windbg>---
Case #03: (probably the same/similar one)
---<windbg>---
Critical error detected c0000374
(ed4.b14): Break instruction exception - code 80000003 (first chance)
(ed4.b14): Unknown exception - code c0000374 (first chance)
(ed4.b14): Unknown exception - code c0000374 (!!! second chance !!!)
eax=00f8e4dc ebx=00000000 ecx=773007ed edx=00f8e279 esi=01060000 edi=0453b6a4
eip=773a283b esp=00f8e4cc ebp=00f8e544 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a77:
773a283b eb12 jmp ntdll!RtlpNtMakeTemporaryKey+0x1a8b (773a284f)
0:000> g;g;g;r;!exploitable -v;kb;u eip;q
WARNING: Continuing a non-continuable exception
(ed4.b14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
(ed4.b14): Access violation - code c0000005 (!!! second chance !!!)
(ed4.b14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=9090d0eb ebx=6c8f1fa8 ecx=01060000 edx=6c8f1fa8 esi=bbc6c0df edi=6c8f1fa0
eip=77331ffe esp=00f8e56c ebp=00f8e5a0 iopl=0 nv up ei ng nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010282
ntdll!RtlFreeHeap+0xcd:
77331ffe 8b4604 mov eax,dword ptr [esi+4] ds:0023:bbc6c0e3=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xffffffffbbc6c0e3
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:77331ffe mov eax,dword ptr [esi+4]
Basic Block:
77331ffe mov eax,dword ptr [esi+4]
Tainted Input operands: 'esi'
77332001 mov dword ptr [ebp-0ch],eax
Tainted Input operands: 'eax'
77332004 mov byte ptr [edi+7],80h
77332008 mov byte ptr [edi+6],0
7733200c mov ebx,dword ptr [esi+8]
Tainted Input operands: 'esi'
7733200f mov ecx,dword ptr [esi+0ch]
Tainted Input operands: 'esi'
77332012 mov dword ptr [ebp-20h],ebx
Tainted Input operands: 'ebx'
77332015 add ebx,1
Tainted Input operands: 'ebx'
77332018 mov dword ptr [ebp-1ch],ecx
Tainted Input operands: 'ecx'
7733201b adc ecx,1
Tainted Input operands: 'ecx','CarryFlag'
7733201e and ebx,7fffh
Tainted Input operands: 'ebx'
77332024 cmp bx,word ptr [esi+14h]
Tainted Input operands: 'bx','esi'
77332028 je ntdll!rtlacquiresrwlockexclusive+0x18d (77335789)
Tainted Input operands: 'ZeroFlag'
Exception Hash (Major/Minor): 0xbd4e356d.0x8f9f93bb
Hash Usage : Stack Trace:
Excluded : ntdll!RtlFreeHeap+0xcd
Excluded : ntdll!RtlFreeHeap+0x7e
Excluded : kernel32!HeapFree+0x14
Major+Minor : MSVCR100!free+0x1c
Major+Minor : image00400000+0x157db0
Major+Minor : image00400000+0x1595e3
Major+Minor : image00400000+0x15df1d
Major+Minor : image00400000+0x15f05d
Minor : image00400000+0x151750
Minor : image00400000+0x10b2ff
Minor : image00400000+0x10b8e4
Minor : image00400000+0xe765c
Minor : image00400000+0xf03de
Minor : image00400000+0xf22b8
Minor : image00400000+0xf2ff2
Minor : mfc100+0x1eabad
Minor : mfc100+0x1ea806
Minor : mfc100+0x1ea639
Minor : image00400000+0x923ee
Minor : mfc100+0x1a1a27
Minor : image00400000+0x921a6
Minor : mfc100+0x2486fc
Minor : image00400000+0x199461
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0x63
Excluded : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000077331ffe
Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at ntdll!RtlFreeHeap+0x00000000000000cd called from MSVCR100!free+0x000000000000001c (Hash=0xbd4e356d.0x8f9f93bb)
(...)
The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00f8e5a0 77331faf 04629bcc 00000928 04610820 ntdll!RtlFreeHeap+0xcd
00f8e5b8 76bcf1ac 01060000 00000000 6c8f1fa8 ntdll!RtlFreeHeap+0x7e
00f8e5cc 6c8f016a 01060000 00000000 6c8f1fa8 kernel32!HeapFree+0x14
00f8e5e0 00557db0 6c8f1fa8 00f8e7cc 00f8e638 MSVCR100!free+0x1c
00f8e5f0 005595e3 00000928 00000001 8ced9582 image00400000+0x157db0
00f8e638 0055df1d 00000928 8ced95ca 04610820 image00400000+0x1595e3
(...)
---<windbg>---
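The three reports above are the raw material for crash bucketing. The script below is an added example, not code from the original post: it parses the fields !exploitable prints (faulting address, first/second chance, Major/Minor hash, short description, classification), masks the sign-extended addresses back to 32 bits, and groups crashes by Major hash so one crash site hit by many mutated samples is reviewed once, worst rating first; the REPORTS strings are constructed excerpts of the three cases.

```python
import re
from collections import defaultdict
# Constructed excerpts of the three !exploitable reports shown above, trimmed to
# the fields the triage uses; not output captured from the original session.
REPORTS = [
    "Exception Faulting Address: 0xffffffff80950000\n"
    "Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)\n"
    "Exception Hash (Major/Minor): 0xe93963c9.0xfdf7eb8d\n"
    "Short Description: ReadAVonIP\n"
    "Exploitability Classification: EXPLOITABLE\n",
    "Exception Faulting Address: 0x0\n"
    "Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)\n"
    "Exception Hash (Major/Minor): 0x3eda38dc.0x7f1027f5\n"
    "Short Description: TaintedDataControlsCodeFlow\n"
    "Exploitability Classification: PROBABLY_EXPLOITABLE\n",
    "Exception Faulting Address: 0xffffffffbbc6c0e3\n"
    "First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)\n"
    "Exception Hash (Major/Minor): 0xbd4e356d.0x8f9f93bb\n"
    "Short Description: TaintedDataControlsBranchSelection\n"
    "Exploitability Classification: UNKNOWN\n",
]
FIELDS = {
    "addr": r"Exception Faulting Address:\s*(0x[0-9a-fA-F]+)",
    "chance": r"(First|Second) Chance Exception Type:",
    "major": r"Exception Hash \(Major/Minor\):\s*(0x[0-9a-f]+)\.0x[0-9a-f]+",
    "short": r"Short Description:\s*(\S+)",
    "class": r"Exploitability Classification:\s*(\S+)",
}
# Severity order: buckets are sorted so the worst-rated crash is reviewed first.
RANK = ["EXPLOITABLE", "PROBABLY_EXPLOITABLE", "UNKNOWN", "PROBABLY_NOT_EXPLOITABLE"]

def parse_report(text):
    # Extract the triage fields from one report; fail loudly on a truncated one.
    rec = {}
    for key, pat in FIELDS.items():
        m = re.search(pat, text)
        if m is None:
            raise ValueError("report is missing field: " + key)
        rec[key] = m.group(1)
    # Mask the sign-extended 64-bit print-out back to the 32-bit x86 address,
    # so 0xffffffff80950000 compares equal to the eip=80950000 in the dump.
    rec["addr"] = int(rec["addr"], 16) & 0xFFFFFFFF
    return rec

def bucket_crashes(reports):
    # Group by Major hash (same crash site), worst classification first.
    buckets = defaultdict(list)
    for rec in map(parse_report, reports):
        buckets[rec["major"]].append(rec)
    return sorted(buckets.items(), key=lambda kv: RANK.index(kv[1][0]["class"]))
```

Treat the classification as a statement about the faulting instruction only: Case #03 is rated UNKNOWN, but the preceding c0000374 critical error and the fault inside RtlFreeHeap under free() indicate heap corruption whose root cause lies earlier than the crash, so it deserves a manual look regardless of the rating.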
More? Maybe later... I did not check all of the crashes found yet. ;)
Cheers