We will start here:
TL;DR - few cases found after 22k iterations:
Case #01:
---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-10908.eld
(...)
Executable search path is:
ModLoad: 00eb0000 01159000 LogoDesigner.exe
(...)
ModLoad: 6e490000 6e5f1000 C:\Program Files\Logo Designer\Office2010.dll
(8a8.900): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=007e0003 ebx=00000000 ecx=0000001e edx=00000078 esi=00000168 edi=00000003
eip=6ea77657 esp=0018eca8 ebp=0018ed00 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
ExiVectorRender!StrokeText_Blend+0x3a7:
6ea77657 8808 mov byte ptr [eax],cl ds:0023:007e0003=78
0:000> r;!exploitable -v;q
eax=007e0003 ebx=00000000 ecx=0000001e edx=00000078 esi=00000168 edi=00000003
eip=6ea77657 esp=0018eca8 ebp=0018ed00 iopl=0 nv up ei pl nz ac po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
ExiVectorRender!StrokeText_Blend+0x3a7:
6ea77657 8808 mov byte ptr [eax],cl ds:0023:007e0003=78
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x7e0003
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:6ea77657 mov byte ptr [eax],cl
Exception Hash (Major/Minor): 0x8cc0ef3c.0xd6479f0d
Hash Usage : Stack Trace:
Major+Minor : ExiVectorRender!StrokeText_Blend+0x3a7
Major+Minor : ExiVectorRender!BlurShadowDIB+0x132
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CBaseShapeObj::CreateDropShadowDIB+0x296
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CBaseShapeObj::CreateEffectsDIBs+0x2b
Major+Minor : LogoDesigner+0x7eea
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x114f
Minor : mfc100u+0x1f0ef6
Minor : mfc100u+0x1f081f
Minor : mfc100u+0x1f064c
Minor : mfc100u+0x1a7de2
Minor : LogoDesigner+0x9eaa
Minor : mfc100u+0x24e3d0
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0xef
Excluded : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x000000006ea77657
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ExiVectorRender!StrokeText_Blend+0x00000000000003a7 (Hash=0x8cc0ef3c.0xd6479f0d)
User mode write access violations that are not near NULL are exploitable.
---</windbg>---
Case #02:
---<windbg>---Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-7224.eld
(...)
Executable search path is:
ModLoad: 01080000 01329000 LogoDesigner.exe
(...)
ModLoad: 6d200000 6d361000 C:\Program Files\Logo Designer\Office2010.dll
Critical error detected c0000374
(3e8.d58): Break instruction exception - code 80000003 (first chance)
(3e8.d58): Unknown exception - code c0000374 (first chance)
(3e8.d58): Unknown exception - code c0000374 (!!! second chance !!!)
eax=0027ed18 ebx=00000000 ecx=76ea1787 edx=0027eab5 esi=00940000 edi=00aacce0
eip=76f437b7 esp=0027ed08 ebp=0027ed80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12 jmp ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)
0:000> r;!exploitable -v;q
eax=0027ed18 ebx=00000000 ecx=76ea1787 edx=0027eab5 esi=00940000 edi=00aacce0
eip=76f437b7 esp=0027ed08 ebp=0027ed80 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12 jmp ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x76f437b7
Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374)
Exception Hash (Major/Minor): 0x10da63ce.0x2d04843a
Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a78
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x29a8
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2a88
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2cf1
Major+Minor : ntdll!EtwSetMark+0xde9c
Minor : ntdll!wcsnicmp+0x98b
Minor : ntdll!wcsnicmp+0xcaa
Excluded : kernel32!HeapFree+0x14
Minor : MSVCR100!free+0x1c
Minor : ExiVectorRender!ExiVecLib::CExiCurve4::vertex+0xa6
Minor : LogoDesigner+0x7ecc
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x114f
Minor : mfc100u+0x1f0ef6
Minor : mfc100u+0x1f081f
Minor : mfc100u+0x1f064c
Minor : mfc100u+0x1a7de2
Minor : LogoDesigner+0x9eaa
Minor : mfc100u+0x24e3d0
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0xef
Excluded : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x0000000076f437b7
Description: Heap Corruption
Short Description: HeapCorruption
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a78 (Hash=0x10da63ce.0x2d04843a)
Heap Corruption has been detected. This is considered exploitable, and must be fixed.
---</windbg>---
Case #03:
---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-appmvq.eld
(...)
Executable search path is:
ModLoad: 00be0000 00e89000 LogoDesigner.exe
(...)
ModLoad: 6d1f0000 6d351000 C:\Program Files\Logo Designer\Office2010.dll
(c84.77c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0001536d ebx=03263a10 ecx=0025ebc8 edx=0000317c esi=fff6ead4 edi=030eacbc
eip=6dccb733 esp=0025eb30 ebp=0025eb6c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x53:
6dccb733 893493 mov dword ptr [ebx+edx*4],esi ds:0023:03270000=????????
0:000> r;!exploitable -v;q
eax=0001536d ebx=03263a10 ecx=0025ebc8 edx=0000317c esi=fff6ead4 edi=030eacbc
eip=6dccb733 esp=0025eb30 ebp=0025eb6c iopl=0 nv up ei ng nz ac pe cy
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010297
ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x53:
6dccb733 893493 mov dword ptr [ebx+edx*4],esi ds:0023:03270000=????????
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x3270000
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:6dccb733 mov dword ptr [ebx+edx*4],esi
Exception Hash (Major/Minor): 0x51cfe2c2.0x3a8122ef
Hash Usage : Stack Trace:
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x53
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CRenderVectorShapeDef::RenderGradient+0x8d7
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CRenderVectorShapeDef::RenderPath+0xa5
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CCustomPathObj::DrawEx+0x3e6
Major+Minor : ExiCustomPathLib!ExiCustomPathLib::CWorkspaceView::UpdateMainRenderBitmap+0x339
Minor : ExiCustomPathLib!ExiCustomPathLib::CWorkspaceView::OnUpdate+0x4e
Minor : mfc100u+0x1ea4d2
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x1251
Minor : mfc100u+0x1f0ef6
Minor : mfc100u+0x1f081f
Minor : mfc100u+0x1f064c
Minor : mfc100u+0x1a7de2
Minor : LogoDesigner+0x9eaa
Minor : mfc100u+0x24e3d0
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0xef
Excluded : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x000000006dccb733
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ExiCustomPathLib!ExiCustomPathLib::CGradientColorsProfile::BuildGradientColorsTable+0x0000000000000053 (Hash=0x51cfe2c2.0x3a8122ef)
User mode write access violations that are not near NULL are exploitable.---</windbg>---
Case #04:
---<windbg>---Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.
CommandLine: "C:\Program Files\Logo Designer\LogoDesigner.exe" C:\sf_d77f46b6521b09ce1eae9682f3fff802-5431.eld
(...)
Executable search path is:
ModLoad: 01190000 01439000 LogoDesigner.exe
(...)
ModLoad: 6d200000 6d361000 C:\Program Files\Logo Designer\Office2010.dll
Critical error detected c0000374
(4ac.a08): Break instruction exception - code 80000003 (first chance)
(4ac.a08): Unknown exception - code c0000374 (first chance)
(4ac.a08): Unknown exception - code c0000374 (!!! second chance !!!)
eax=0015efa0 ebx=00000000 ecx=76ea1787 edx=0015ed3d esi=00930000 edi=030ea408
eip=76f437b7 esp=0015ef90 ebp=0015f008 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12 jmp ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)
0:000> r;!exploitable -v;q
eax=0015efa0 ebx=00000000 ecx=76ea1787 edx=0015ed3d esi=00930000 edi=030ea408
eip=76f437b7 esp=0015ef90 ebp=0015f008 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00000246
ntdll!RtlpNtMakeTemporaryKey+0x1a78:
76f437b7 eb12 jmp ntdll!RtlpNtMakeTemporaryKey+0x1a8c (76f437cb)
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x76f437b7
Second Chance Exception Type: STATUS_HEAP_CORRUPTION (0xC0000374)
Exception Hash (Major/Minor): 0x2877cde1.0xb97d6983
Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x1a78
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x29a8
Major+Minor : ntdll!RtlpNtMakeTemporaryKey+0x2a88
Major+Minor : ntdll!EtwSetMark+0xeac4
Major+Minor : ntdll!wcsnicmp+0x1e4
Minor : MSVCR100!malloc+0x36
Minor : mfc100u+0xb5da2
Minor : LogoDesigner+0x7a94
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x114f
Minor : mfc100u+0x1f0ef6
Minor : mfc100u+0x1f081f
Minor : mfc100u+0x1f064c
Minor : mfc100u+0x1a7de2
Minor : LogoDesigner+0x9eaa
Minor : mfc100u+0x24e3d0
Minor : LogoDesigner!ExiImageTransform::CExiSingleFrmGIFOptimal::operator=+0x33f81
Minor : kernel32!BaseThreadInitThunk+0x12
Excluded : ntdll!RtlInitializeExceptionChain+0xef
Excluded : ntdll!RtlInitializeExceptionChain+0xc2
Instruction Address: 0x0000000076f437b7
Description: Heap Corruption
Short Description: HeapCorruption
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - Heap Corruption starting at ntdll!RtlpNtMakeTemporaryKey+0x0000000000001a78 (Hash=0x2877cde1.0xb97d6983)
Heap Corruption has been detected. This is considered exploitable, and must be fixed.
---</windbg>---
Maybe you will find it useful.
See you next time!
Cheers
Brak komentarzy:
Prześlij komentarz