Few days ago I started learning how to record a video... and that's how I found few bugs in ActivePresenter software. Below you'll find few details. Here we go...
Today we'll start here:
I used FOE2 fuzzer with the ActivePresenter available here. Version I used was 6.1.6 (x86).
After 2 days I was able to find fe crashes, for example:
#01 - Write Access Violation
---<cut>---
CommandLine: "C:\Program Files\ATOMI\ActivePresenter\ActivePresenter.exe" C:\FOE2\sf_0ebf6f654829a47e5131e344f3b0b234-vwgocx.approj
(...)
(9a0.948): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=049b6ef8 ecx=6d6e5f23 edx=0000000c esi=3a002200 edi=049bfaf0
eip=018ff515 esp=002ee804 ebp=04a77078 iopl=0 nv up ei pl nz na po nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210202
image01310000+0x5ef515:
018ff515 0106 add dword ptr [esi],eax ds:0023:3a002200=????????
(...)
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x3a002200
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:018ff515 add dword ptr [esi],eax
Exception Hash (Major/Minor): 0xf2f9f686.0x0c7eab62
Hash Usage : Stack Trace:
Major+Minor : image01310000+0x5ef515
Major+Minor : image01310000+0x601b80
Major+Minor : image01310000+0x647d18
Major+Minor : image01310000+0x647db6
Major+Minor : image01310000+0x5ecc6c
Minor : image01310000+0x5edee4
Minor : image01310000+0x410da5
Minor : MSVCR90!free+0xec
Minor : image01310000+0x3d45f5
Minor : image01310000+0x3d2e68
Minor : wxmsw30u!wxMatchWild+0x20f
Minor : wxmsw30u!wxMatchWild+0x217
Excluded : ntdll!RtlFreeHeap+0x7e
Instruction Address: 0x00000000018ff515
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at image01310000+0x00000000005ef515 (Hash=0xf2f9f686.0x0c7eab62)
---</cut>---
#02 - Write Access Violation
---<cut>---
CommandLine: "C:\Program Files\ATOMI\ActivePresenter\ActivePresenter.exe" C:\FOE2\sf_0ebf6f654829a47e5131e344f3b0b234-gw8d5x.approj
(...)
(ac.200): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=004d0024 ebx=04a3afe8 ecx=0018ebdc edx=01380101 esi=004d0024 edi=004d0020
eip=775a6b90 esp=0018eb94 ebp=0018eba8 iopl=0 nv up ei pl nz ac pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210216
ntdll!RtlEnterCriticalSection+0x12:
775a6b90 f00fba3000 lock btr dword ptr [eax],0 ds:0023:004d0024=????????
(...)
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4d0024
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Faulting Instruction:775a6b90 lock btr dword ptr [eax],0
Exception Hash (Major/Minor): 0x11f58bfd.0x6bd38f05
Hash Usage : Stack Trace:
Major+Minor : ntdll!RtlEnterCriticalSection+0x12
Major+Minor : image013b0000+0x5ef1eb
Major+Minor : image013b0000+0x647dae
Major+Minor : image013b0000+0x5ecc6c
Major+Minor : image013b0000+0x5edee4
Minor : image013b0000+0x410da5
Minor : MSVCR90!free+0xec
Minor : image013b0000+0x3d45f5
Minor : image013b0000+0x3d2e68
Minor : wxmsw30u!wxMatchWild+0x20f
Minor : wxmsw30u!wxMatchWild+0x217
Excluded : ntdll!RtlFreeHeap+0x7e
Instruction Address: 0x00000000775a6b90
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at ntdll!RtlEnterCriticalSection+0x0000000000000012 (Hash=0x11f58bfd.0x6bd38f05)
---</cut>---
Maybe you'll find it useful. ;)
The fuzzing process is now available on the short video I created. You can find it here: ;)
Cheers
Brak komentarzy:
Prześlij komentarz