Monday, 9 September 2019

Crashing DCISoft - 1.21

Last time I tried a quick fuzzing run against DCISoft. This time I'll try to achieve similar results against the latest version - 1.21. Here we go...
We will start here:


Details:

---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\Delta Industrial Automation\Communication\DCISoft 1.21\DCISoft.exe" C:\sf_1b626a533fce746074ce56f7fc88dbd4-1.dci
(...)
Executable search path is:
ModLoad: 00400000 00523000   image00400000
(...)
ModLoad: 01420000 01485000   C:\Program Files\Delta Industrial Automation\Communication\DCISoft 1.21\MSVCP60.dll
ModLoad: 01850000 018e0000   C:\Program Files\Delta Industrial Automation\Communication\DCISoft 1.21\IFD9507.dll
ModLoad: 01420000 01485000   C:\Program Files\Delta Industrial Automation\Communication\DCISoft 1.21\MSVCP60.dll
ModLoad: 01850000 018cd000   C:\Program Files\Delta Industrial Automation\Communication\DCISoft 1.21\MOD01C.dll
ModLoad: 01420000 01485000   C:\Program Files\Delta Industrial Automation\Communication\DCISoft 1.21\MSVCP60.dll
(...)
(830.e1c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=8541e0c8 ebx=ffffffff ecx=21506277 edx=8541e0c8 esi=001329c4 edi=10028000
eip=1000343b esp=0012d2b0 ebp=0012fb88 iopl=0         ov up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a02
CommLib!CCommLib::SetSerializeData+0x1b:
1000343b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

0:000> r;kb;g;r;kb;!exploitable -v;q
eax=8541e0c8 ebx=ffffffff ecx=21506277 edx=8541e0c8 esi=001329c4 edi=10028000
eip=1000343b esp=0012d2b0 ebp=0012fb88 iopl=0         ov up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a02
CommLib!CCommLib::SetSerializeData+0x1b:
1000343b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

ChildEBP RetAddr  Args to Child            
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fb88 00414973 003d8648 019ce710 0012fbf8 CommLib!CCommLib::SetSerializeData+0x1b
0012fbb0 00408451 003d8648 00000000 00000013 image00400000+0x14973
0012fbf8 00407781 00222638 0048fb50 00000080 image00400000+0x8451
0012fec8 73d3cf74 00000000 0022268e 00000000 image00400000+0x7781
0012ff88 755f1174 7ffda000 0012ffd4 76f6b3f5 MFC42!Ordinal1576+0x49
0012ff94 76f6b3f5 7ffda000 65001262 00000000 kernel32!BaseThreadInitThunk+0x12
0012ffd4 76f6b3c8 00421d66 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0012ffec 00000000 00421d66 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x36

(830.e1c): Access violation - code c0000005 (!!! second chance !!!)
eax=8541e0c8 ebx=ffffffff ecx=21506277 edx=8541e0c8 esi=001329c4 edi=10028000
eip=1000343b esp=0012d2b0 ebp=0012fb88 iopl=0         ov up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010a02
CommLib!CCommLib::SetSerializeData+0x1b:
1000343b f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

ChildEBP RetAddr  Args to Child            
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fb88 00414973 003d8648 019ce710 0012fbf8 CommLib!CCommLib::SetSerializeData+0x1b
0012fbb0 00408451 003d8648 00000000 00000013 image00400000+0x14973
0012fbf8 00407781 00222638 0048fb50 00000080 image00400000+0x8451
0012fec8 73d3cf74 00000000 0022268e 00000000 image00400000+0x7781
0012ff88 755f1174 7ffda000 0012ffd4 76f6b3f5 MFC42!Ordinal1576+0x49
0012ff94 76f6b3f5 7ffda000 65001262 00000000 kernel32!BaseThreadInitThunk+0x12
0012ffd4 76f6b3c8 00421d66 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0012ffec 00000000 00421d66 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x36

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x10028000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:1000343b rep movs dword ptr es:[edi],dword ptr [esi]

Exception Hash (Major/Minor): 0xdeff4c9d.0xda8adb89

 Hash Usage : Stack Trace:
Major+Minor : CommLib!CCommLib::SetSerializeData+0x1b
Major+Minor : image00400000+0x14973
Major+Minor : image00400000+0x8451
Major+Minor : image00400000+0x7781
Major+Minor : MFC42!Ordinal1576+0x49
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x000000001000343b

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at CommLib!CCommLib::SetSerializeData+0x000000000000001b (Hash=0xdeff4c9d.0xda8adb89)

User mode write access violations that are not near NULL are exploitable.

---</windbg>---
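
The crash above is a write AV inside a `rep movs` whose count (ecx=0x21506277) is far larger than anything a sane file would carry, and the write runs off the end of a mapping at 0x10028000. The snippet below is an added illustration of that bug class, not DCISoft's code: the DCI layout is not documented here, so the 4-byte length-prefixed record, the function names and the `PAYLOAD_MAX` bound are all invented. It shows a deserializer that trusts the length field beside a version that checks it against both the destination and the bytes actually present.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record layout: 4-byte little-endian length, then payload.
 * Invented for illustration; this is not the real DCI format. */
#define PAYLOAD_MAX 256

typedef struct {
    uint32_t len;
    uint8_t  payload[PAYLOAD_MAX];
} record_t;

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Unchecked variant: copies whatever length the file claims into a fixed
 * buffer. A fuzzed header turns this into the runaway copy seen in the
 * rep movs above (count 0x21506277, write past the end of the mapping). */
int deserialize_unchecked(record_t *out, const uint8_t *buf, size_t buflen) {
    if (buflen < 4) return -1;
    out->len = read_le32(buf);
    memcpy(out->payload, buf + 4, out->len);   /* out->len is never bounded */
    return 0;
}

/* Hardened variant: the length must fit the destination buffer AND the
 * input that is actually present before a single byte is copied. */
int deserialize_checked(record_t *out, const uint8_t *buf, size_t buflen) {
    if (buflen < 4) return -1;
    uint32_t len = read_le32(buf);
    if (len > PAYLOAD_MAX) return -2;          /* destination bound */
    if ((size_t)len > buflen - 4) return -3;   /* source bound (truncated file) */
    out->len = len;
    memcpy(out->payload, buf + 4, len);
    return 0;
}

int main(void) {
    record_t r;
    /* constructed sample: len=3, payload "abc" */
    const uint8_t good[] = {3, 0, 0, 0, 'a', 'b', 'c'};
    /* constructed fuzzed header: len = 0x21506277, the count seen in ecx above */
    const uint8_t fuzzed[] = {0x77, 0x62, 0x50, 0x21, 'x'};
    printf("good:   %d\n", deserialize_checked(&r, good, sizeof good));
    printf("fuzzed: %d\n", deserialize_checked(&r, fuzzed, sizeof fuzzed));
    return 0;
}
```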

There are already other crashes (36 so far ;)) waiting to be investigated, so maybe I'll update this post later. ;)

You can find (similar) "sample files" on my GitHub.

In case of any questions/comments - you know how to find me.

See you next time!

Cheers
