Tuesday, 5 November 2019

Crashing Better JPEG

Last week I tried to fuzz a few 'new' pieces of software I found somewhere online. Below you will find the details about one image viewer called Better JPEG (v.3.0.3.0). Here we go...
We will start here:



TL;DR: below are the details, taken directly from WinDbg:

---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files\BetterJPEG 3\BetterJPEG.exe" C:\sf_8668370e814d6cc4f0add021b1debdb5-79.jpg
(...)
Executable search path is:
ModLoad: 00390000 004ac000   image00390000
(...)
(192b0.19f20): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=72d30000 ecx=72d30000 edx=00005a4d esi=72d30000 edi=013bde90
eip=770f46bf esp=0030f66c ebp=0030f698 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
imagehlp!ImageNtHeader+0x46:
770f46bf 663911          cmp     word ptr [ecx],dx        ds:0023:72d30000=????

0:000> r;g;g;r;!exploitable -v;kb;r;q
eax=00000000 ebx=72d30000 ecx=72d30000 edx=00005a4d esi=72d30000 edi=013bde90
eip=770f46bf esp=0030f66c ebp=0030f698 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
imagehlp!ImageNtHeader+0x46:
770f46bf 663911          cmp     word ptr [ecx],dx        ds:0023:72d30000=????
(...)
eax=72d30014 ebx=72d30000 ecx=72d30000 edx=000000c1 esi=72d30000 edi=013bde90
eip=770f4764 esp=0030f6b4 ebp=0030f6b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
imagehlp!ImageDirectoryEntryToDataEx+0x2a:
770f4764 0fb710          movzx   edx,word ptr [eax]       ds:0023:72d30014=????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x72d30014
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:770f4764 movzx edx,word ptr [eax]

Basic Block:
    770f4764 movzx edx,word ptr [eax]
       Tainted Input operands: 'eax'
    770f4767 push esi
    770f4768 mov esi,10bh
    770f476d cmp dx,si
       Tainted Input operands: 'dx'
    770f4770 jne imagehlp!imageenumeratecertificates+0x3d3 (770f5254)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0xea7e36f9.0xfcaba5b4

 Hash Usage : Stack Trace:
Major+Minor : imagehlp!ImageDirectoryEntryToDataEx+0x2a
Major+Minor : imagehlp!ImageDirectoryEntryToData+0x18
Major+Minor : ToolkitPro1521vc100U!CXTPSkinManagerApiHook::GetHookedFunction+0x165
Major+Minor : ToolkitPro1521vc100U!CXTPSkinManagerApiHook::IsModuleExcluded+0x1f5
Major+Minor : ToolkitPro1521vc100U!CXTPSkinManagerApiHook::ExcludeModule+0xa6
Minor       : ToolkitPro1521vc100U!CXTPSkinManagerApiHook::HookImport+0xc0
Minor       : ToolkitPro1521vc100U!CXTPSkinManagerApiHook::InitializeHookManagement+0x512
Minor       : ToolkitPro1521vc100U!CXTPSkinManager::LoadSkin+0x74
Minor       : image00390000+0x6490d
Minor       : image00390000+0x4d39c
Minor       : mfc100u+0x2577c6
Minor       : image00390000+0x83213
Minor       : kernel32!BaseThreadInitThunk+0x12
Excluded    : ntdll!RtlInitializeExceptionChain+0x63
Excluded    : ntdll!RtlInitializeExceptionChain+0x36
Instruction Address: 0x00000000770f4764

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at imagehlp!ImageDirectoryEntryToDataEx+0x000000000000002a (Hash=0xea7e36f9.0xfcaba5b4)

The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
0030f6b8 770f4731 72d30000 00000001 00000001 imagehlp!ImageDirectoryEntryToDataEx+0x2a
0030f6d4 6a2a0c55 72d30000 00000001 00000001 imagehlp!ImageDirectoryEntryToData+0x18
0030f72c 6a2a1ac5 013bde9c 76f53439 6a2a28b0 ToolkitPro1521vc100U!CXTPSkinManagerApiHook::GetHookedFunction+0x165
0030f76c 6a2a1d16 013bde9c 00390000 6a2a28b0 ToolkitPro1521vc100U!CXTPSkinManagerApiHook::IsModuleExcluded+0x1f5
0030f7a4 6a2a37d0 013bde90 6a3f67b4 6a3f662c ToolkitPro1521vc100U!CXTPSkinManagerApiHook::ExcludeModule+0xa6
0030f7e4 6a2a3d02 0000001e 6a3f67b4 6a3f662c ToolkitPro1521vc100U!CXTPSkinManagerApiHook::HookImport+0xc0
0030f80c 6a29f444 013a4bf0 0139f388 6a2a0340 ToolkitPro1521vc100U!CXTPSkinManagerApiHook::InitializeHookManagement+0x512
0030f820 003f490d 013ac5f0 0042dd88 338baf92 ToolkitPro1521vc100U!CXTPSkinManager::LoadSkin+0x74
0030fa60 003dd39c 338ba91e 004509b8 004509b8 image00390000+0x6490d
0030fcec 6a9577c6 00453318 00000001 00000000 image00390000+0x4d39c
0030fd00 00413213 00390000 00000000 006919b0 mfc100u+0x2577c6
0030fd94 77061174 7ffd4000 0030fde0 77c5b3f5 image00390000+0x83213
0030fda0 77c5b3f5 7ffd4000 72d98672 00000000 kernel32!BaseThreadInitThunk+0x12
0030fde0 77c5b3c8 00413346 7ffd4000 00000000 ntdll!RtlInitializeExceptionChain+0x63
0030fdf8 00000000 00413346 7ffd4000 00000000 ntdll!RtlInitializeExceptionChain+0x36
eax=72d30014 ebx=72d30000 ecx=72d30000 edx=000000c1 esi=72d30000 edi=013bde90
eip=770f4764 esp=0030f6b4 ebp=0030f6b8 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
imagehlp!ImageDirectoryEntryToDataEx+0x2a:
770f4764 0fb710          movzx   edx,word ptr [eax]       ds:0023:72d30014=????

---</windbg>---

Maybe you will find it useful.

See you next time.

Cheers


