Monday, 9 September 2019

Crashing Omegon Fluid Technology 2

This time I decided to check the software called "Omegon Fluid Technology". Below you will find a few quick results...
I started here:


After another 24h of fuzzing with samples (generated while I was using the program to learn it a little bit) I found that the program crashes here:

---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\Program Files\Omegon\OFT2\OftGC.exe" C:\sf_579917da7bb5189245e0481a8696512a-2.Oft2
(...)
Executable search path is:
ModLoad: 00400000 00a70000   OFT.exe
(...)
(b08.938): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000009 ecx=fffffffe edx=00746d94 esi=00000000 edi=00000000
eip=0084e9f4 esp=0012fdd8 ebp=0012fe1c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
OFT!ExceptionManager+0x3b3a24:
0084e9f4 8b4068          mov     eax,dword ptr [eax+68h] ds:0023:00000068=????????

0:000> r
eax=00000000 ebx=00000009 ecx=fffffffe edx=00746d94 esi=00000000 edi=00000000
eip=0084e9f4 esp=0012fdd8 ebp=0012fe1c iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
OFT!ExceptionManager+0x3b3a24:
0084e9f4 8b4068          mov     eax,dword ptr [eax+68h] ds:0023:00000068=????????

0:000> kb;g
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fe1c 0084b208 0012fe58 0084b274 0012fe50 OFT!ExceptionManager+0x3b3a24
0012fe50 0052504f 0012fe88 00525059 0012fe74 OFT!ExceptionManager+0x3b0238
0012fe74 00524c97 00000000 005f2d9c 00404e88 OFT!ExceptionManager+0x8a07f
0012fea4 005b0c00 0012ff18 00404e39 0012ff10 OFT!ExceptionManager+0x89cc7
0012ff10 0052eb9d 0012ff24 0052eba7 0012ff48 OFT!ExceptionManager+0x115c30
0012ff48 0085ceb4 0012ff5c 0085cee6 0012ff88 OFT!ExceptionManager+0x93bcd
0012ff88 75701174 7ffda000 0012ffd4 76e5b3f5 OFT!ExceptionManager+0x3c1ee4
0012ff94 76e5b3f5 7ffda000 750c1ae3 00000000 kernel32!BaseThreadInitThunk+0x12
0012ffd4 76e5b3c8 0085cd0c 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0012ffec 00000000 0085cd0c 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x36
(b08.938): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.

0:000> r;kb;!exploitable -v;q
eax=0000000c ebx=020814b0 ecx=00000003 edx=01fef9cc esi=00525894 edi=020814b0
eip=00406f66 esp=0012fa9c ebp=0012fad0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
OFT+0x6f66:
00406f66 8710            xchg    edx,dword ptr [eax]  ds:0023:0000000c=????????

ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0012fad0 0084b2d0 0012fb00 0084b2e6 0012faf0 OFT+0x6f66
0012faf0 005258af 0012fcec 00529d32 0012fb0c OFT!ExceptionManager+0x3b0300
0012fb48 0050d931 020814b0 00000004 0012fcec OFT!ExceptionManager+0x8a8df
0012fc74 00511e44 0012fcec 01a87600 0012fcc4 OFT!ExceptionManager+0x72961
0012fcb4 00526251 020814b0 00000004 020814b0 OFT!ExceptionManager+0x76e74
0012fce0 0050d557 00000000 0000b019 00000000 OFT!ExceptionManager+0x8b281
0012fcfc 00511306 00000000 0012fd14 0051131e OFT!ExceptionManager+0x72587
0012fd34 00511415 020814b0 020814b0 020814b0 OFT!ExceptionManager+0x76336
0012fd48 00513f4b 0012fef4 0050d931 020814b0 OFT!ExceptionManager+0x76445
0012fe7c 00511e44 0012fef4 020814b0 0012fec4 OFT!ExceptionManager+0x78f7b
0012febc 00526251 020814b0 00525b4c 020814b0 OFT!ExceptionManager+0x76e74
0012fee8 0050d557 02053f01 0000b00b 00000001 OFT!ExceptionManager+0x8b281
0012ff04 0050c0fb 00000000 00000000 020814b0 OFT!ExceptionManager+0x72587
0012ff48 0085cecc 0012ff5c 0085cee6 0012ff88 OFT!ExceptionManager+0x7112b
0012ff88 75701174 7ffda000 0012ffd4 76e5b3f5 OFT!ExceptionManager+0x3c1efc
0012ff94 76e5b3f5 7ffda000 750c1ae3 00000000 kernel32!BaseThreadInitThunk+0x12
0012ffd4 76e5b3c8 0085cd0c 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0012ffec 00000000 0085cd0c 7ffda000 00000000 ntdll!RtlInitializeExceptionChain+0x36

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:00406f66 xchg edx,dword ptr [eax]

Basic Block:
    00406f66 xchg edx,dword ptr [eax]
       Tainted Input operands: 'eax'
    00406f68 test edx,edx
       Tainted Input operands: 'edx'
    00406f6a je oft+0x6f80 (00406f80)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x2e8920fe.0xdf9cd3db

 Hash Usage : Stack Trace:
Major+Minor : OFT+0x6f66
Major+Minor : OFT!ExceptionManager+0x3b0300
Major+Minor : OFT!ExceptionManager+0x8a8df
Major+Minor : OFT!ExceptionManager+0x72961
Major+Minor : OFT!ExceptionManager+0x76e74
Minor       : OFT!ExceptionManager+0x8b281
Minor       : OFT!ExceptionManager+0x72587
Minor       : OFT!ExceptionManager+0x76336
Minor       : OFT!ExceptionManager+0x76445
Minor       : OFT!ExceptionManager+0x78f7b
Minor       : OFT!ExceptionManager+0x76e74
Minor       : OFT!ExceptionManager+0x8b281
Minor       : OFT!ExceptionManager+0x72587
Minor       : OFT!ExceptionManager+0x7112b
Minor       : OFT!ExceptionManager+0x3c1efc
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x0000000000406f66

Description: User Mode Write AV near NULL
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
Recommended Bug Title: User Mode Write AV near NULL starting at OFT+0x0000000000006f66 (Hash=0x2e8920fe.0xdf9cd3db)

User mode write access violations that are near NULL are unknown.

---</windbg>---
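A small triage helper, added here as an example (not code from the original post or from the OFT software), that pulls the !exploitable summary fields out of a WinDbg log like the one above and buckets crashes by the major hash so reruns of the same bug are counted once; the 64 KiB "near NULL" threshold is an assumption of the example.

```python
import re

# Constructed sample in the shape !exploitable 1.6.0.0 prints (values from the log above).
SAMPLE_LOG = """\
Exception Faulting Address: 0xc
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:00406f66 xchg edx,dword ptr [eax]
Exception Hash (Major/Minor): 0x2e8920fe.0xdf9cd3db
Short Description: WriteAVNearNull
Exploitability Classification: UNKNOWN
"""

# One pattern per summary line; each has a single capture group.
FIELDS = {
    "fault_addr": r"^Exception Faulting Address:\s*(0x[0-9a-fA-F]+)",
    "exc_type": r"^First Chance Exception Type:\s*(\S+)",
    "sub_type": r"^Exception Sub-Type:\s*(.+?)\s*$",
    "instruction": r"^Faulting Instruction:\s*([0-9a-fA-F]+\s+.+?)\s*$",
    "hash": r"^Exception Hash \(Major/Minor\):\s*(0x[0-9a-fA-F]+\.0x[0-9a-fA-F]+)",
    "short_desc": r"^Short Description:\s*(\S+)",
    "classification": r"^Exploitability Classification:\s*(\S+)",
}

# Assumption: the first 64 KiB is treated as the "near NULL" region (unmapped on 32-bit Windows).
NEAR_NULL_LIMIT = 0x10000

def parse_exploitable(log):
    """Extract the !exploitable summary fields from one WinDbg session log."""
    rec = {}
    for name, pat in FIELDS.items():
        m = re.search(pat, log, re.MULTILINE)
        rec[name] = m.group(1) if m else None
    if rec["fault_addr"] is not None:
        addr = int(rec["fault_addr"], 16)
        rec["near_null"] = addr < NEAR_NULL_LIMIT
    rec["write_av"] = bool(rec["sub_type"]) and rec["sub_type"].startswith("Write")
    return rec

def bucket_crashes(logs):
    """Group crash logs by the major hash so repeats of one bug land in one bucket."""
    buckets = {}
    for log in logs:
        rec = parse_exploitable(log)
        if rec["hash"] is None:
            continue  # no !exploitable output in this log; nothing to bucket on
        major = rec["hash"].split(".")[0]
        buckets.setdefault(major, []).append(rec)
    return buckets
```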

Opening the file in OFT2.exe:


Click OK: we will see another error message; click OK again and the program should open:

Let's try to close it:


Now the error message is stuck in a loop, "klicken Sie hier":

Pretty cool 'error message', isn't it? ;)



Maybe you'll find it useful.

See you next time.

Cheers
