Tuesday, 5 November 2019

Crashing HoneyView 5.31

Last week I was looking for some new software to fuzz. This time I tried Honeyview (v. 5.31). Below you will find the details. Here we go...
We will start here:


TL;DR: below are a few details directly from WinDbg:

---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "c:\program files\Honeyview\honeyview.exe" C:\sf_625c66bdd7831eed467fc540a782626c-vjyfaa.gif
(...)
Executable search path is:
ModLoad: 01290000 01b37000   Honeyview32.exe
(...)
This exception may be expected and handled.
eax=01de79e8 ebx=00000000 ecx=01aee52c edx=000004c2 esi=01de79e8 edi=01de5c12
eip=014138a5 esp=039ff8bc ebp=0026c5b4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
Honeyview32+0x1838a5:
014138a5 8b4708          mov     eax,dword ptr [edi+8] ds:0023:01de5c1a=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x1de5c1a
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:014138a5 mov eax,dword ptr [edi+8]

Basic Block:
    014138a5 mov eax,dword ptr [edi+8]
       Tainted Input operands: 'edi'
    014138a8 mov ebx,dword ptr [eax]
       Tainted Input operands: 'eax'
    014138aa mov dword ptr [esp+1ch],ebx
       Tainted Input operands: 'ebx'
    014138ae test ebx,ebx
       Tainted Input operands: 'ebx'
    014138b0 je honeyview32+0x18393e (0141393e)
       Tainted Input operands: 'ZeroFlag'

Exception Hash (Major/Minor): 0x69448213.0xb3e52cd0

 Hash Usage : Stack Trace:
Major+Minor : Honeyview32+0x1838a5
Major+Minor : Honeyview32+0x182db0
Major+Minor : Honeyview32+0x182cda
Major+Minor : Honeyview32+0x171c3c
Instruction Address: 0x00000000014138a5

Description: Data from Faulting Address controls Branch Selection
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
Recommended Bug Title: Data from Faulting Address controls Branch Selection starting at Honeyview32+0x00000000001838a5 (Hash=0x69448213.0xb3e52cd0)

The data from the faulting address is later used to determine whether or not a branch is taken.
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
039ff9a0 01412db0 0026c5b4 01de79e8 004f4b08 Honeyview32+0x1838a5
039ff9dc 01412cda 039ff9b4 00000000 01401c3c Honeyview32+0x182db0
039ff9e8 01401c3c 00000000 00000000 01e37950 Honeyview32+0x182cda
00000000 00000000 00000000 00000000 00000000 Honeyview32+0x171c3c
eax=01de79e8 ebx=00000000 ecx=01aee52c edx=000004c2 esi=01de79e8 edi=01de5c12
eip=014138a5 esp=039ff8bc ebp=0026c5b4 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
Honeyview32+0x1838a5:
014138a5 8b4708          mov     eax,dword ptr [edi+8] ds:0023:01de5c1a=????????


---</windbg>---
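
What a fuzzing triage script would pull out of the report above, as an added example (not code from the post): it parses the !exploitable fields and ranks the crash for follow-up; the priority scheme and the null-page threshold are my assumptions, and the sample text is a trimmed copy of the page's own log.

```python
import re

# Constructed sample: the !exploitable fields from the post's WinDbg log, trimmed to what this parser reads.
SAMPLE_REPORT = """\
Exception Faulting Address: 0x1de5c1a
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:014138a5 mov eax,dword ptr [edi+8]
Exception Hash (Major/Minor): 0x69448213.0xb3e52cd0
Major+Minor : Honeyview32+0x1838a5
Major+Minor : Honeyview32+0x182db0
Major+Minor : Honeyview32+0x182cda
Major+Minor : Honeyview32+0x171c3c
Short Description: TaintedDataControlsBranchSelection
Exploitability Classification: UNKNOWN
"""

def parse_exploitable(text):
    """Pull the fields a fuzzing triage queue keys on out of one !exploitable report."""
    def grab(pattern, default=None):
        m = re.search(pattern, text, re.MULTILINE)
        return m.group(1) if m else default
    m_hash = re.search(r"^Exception Hash \(Major/Minor\):\s*(0x[0-9a-fA-F]+)\.(0x[0-9a-fA-F]+)",
                       text, re.MULTILINE)
    return {
        "exception_type": grab(r"^First Chance Exception Type:\s*(\S+)"),
        "sub_type": grab(r"^Exception Sub-Type:\s*(.+?)\s*$"),
        "faulting_address": int(grab(r"^Exception Faulting Address:\s*(0x[0-9a-fA-F]+)", "0"), 16),
        "instruction": grab(r"^Faulting Instruction:\s*[0-9a-fA-F]+\s+(.+?)\s*$"),
        "hash": (m_hash.group(1), m_hash.group(2)) if m_hash else None,  # bucketing key: same bug, same hash
        "short_description": grab(r"^Short Description:\s*(\S+)"),
        "classification": grab(r"^Exploitability Classification:\s*(\S+)"),
        "frames": re.findall(r"^Major\+Minor\s*:\s*(\S+)", text, re.MULTILINE),
    }

def triage_priority(report):
    """Rank a crash: !exploitable's verdict wins when it has one; for UNKNOWN, a read AV at a
    non-null address whose loaded value steers a branch (this post's case) gets a closer look."""
    cls = report["classification"]
    if cls in ("EXPLOITABLE", "PROBABLY_EXPLOITABLE"):
        return "high"
    if cls == "PROBABLY_NOT_EXPLOITABLE":
        return "low"
    tainted_branch = report["short_description"] == "TaintedDataControlsBranchSelection"
    null_page = report["faulting_address"] < 0x10000  # assumed null-pointer heuristic
    if tainted_branch and not null_page:
        return "medium"
    return "low"
```

Run over a directory of reports, the `hash` tuple deduplicates crashes from the same bug before anyone looks at them by hand.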

Maybe you will find it useful.

Cheers
