Saturday, 22 May 2021

Crashing QA-CAD (2019 A.04)

Hi ;) This time I tried to fuzz QA-CAD (2019 A.04). Below you will find more details about it. Here we go...

Today we'll start here:


I decided to prepare a fresh environment for this fuzzing session, so I installed a Windows 8.1 VM on VirtualBox. The next step was to install the target application and prepare some seed files; to do that I used HxD. After a while we should be ready to run our initial fuzzing (as described, for example, for Active Presenter or OpenAPC in a few previous posts). So far we should be somewhere here:

CASE #01: 

---<windbg>---
Microsoft (R) Windows Debugger Version 6.11.0001.404 AMD64
Copyright (c) Microsoft Corporation. All rights reserved.

CommandLine: "C:\Program Files (x86)\QA-CAD 2019\qa2019.exe" C:\sf_e32c19211c65e2c301617f5abb975306-34444.dwg
(...)
Executable search path is:
ModLoad: 00000000`01070000 00000000`0b0ae000   image00000000`01070000
(...)
(540.b2c): Access violation - code c0000005 (!!! second chance !!!)
eax=0f99f000 ebx=0000020f ecx=0058b104 edx=0f99ef00 esi=00000077 edi=0f5d8d08
eip=0108b6d8 esp=0058afe4 ebp=0058aff8 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
image00000000_01070000+0x1b6d8:
0108b6d8 8a00            mov     al,byte ptr [eax]          ds:002b:0f99f000=??

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xf99f000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:0108b6d8 mov al,byte ptr [eax]

Basic Block:
    0108b6d8 mov al,byte ptr [eax]
       Tainted Input operands: 'eax'
    0108b6da and dl,bl
    0108b6dc and al,byte ptr [ebp-1]
       Tainted Input operands: 'al'
    0108b6df shr al,cl
    0108b6e1 mov ecx,dword ptr [ebp-8]
    0108b6e4 shl dl,cl
    0108b6e6 mov ecx,dword ptr [ebp+8]
    0108b6e9 or al,dl
       Tainted Input operands: 'al'
    0108b6eb inc dword ptr [ebp+8]
    0108b6ee mov edx,dword ptr [ebp+0ch]
    0108b6f1 dec esi
    0108b6f2 mov byte ptr [ecx],al
       Tainted Input operands: 'al'
    0108b6f4 jne image00000000_01070000+0x1b6cd (0108b6cd)

Exception Hash (Major/Minor): 0x9616ef4e.0x428a8412

 Hash Usage : Stack Trace:
Major+Minor : image00000000_01070000+0x1b6d8
Major+Minor : image00000000_01070000+0x1cb2c
(...)
Minor       : image00000000_01070000+0xdb10c
Minor       : image00000000_01070000+0x25fc48
Minor       : image00000000_01070000+0x27f5c8
Minor       : KERNEL32!BaseThreadInitThunk+0xe
Excluded    : ntdll_771e0000!RtlInitializeExceptionChain+0x84
Excluded    : ntdll_771e0000!RtlInitializeExceptionChain+0x5a
Instruction Address: 0x000000000108b6d8

Description: Read Access Violation
Short Description: ReadAV
Exploitability Classification: UNKNOWN
Recommended Bug Title: Read Access Violation starting at image00000000_01070000+0x000000000001b6d8 (Hash=0x9616ef4e.0x428a8412)
(...)
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
0058aff8 0108cb2c 0058b19d 0f99f000 0f5d38d0 image00000000_01070000+0x1b6d8
0058b220 0109e159 0f5d38d0 0f98fcd8 6aa61273 image00000000_01070000+0x1cb2c
0058bae8 0109e5a5 0f5d38d0 00000000 00000005 image00000000_01070000+0x2e159
(...)
---</windbg>---


CASE #02:

---<windbg>---
CommandLine: "C:\Program Files (x86)\QA-CAD 2019\qa2019.exe" C:\sf_e32c19211c65e2c301617f5abb975306-9980.dwg
(...)
Executable search path is:
ModLoad: 00000000`01070000 00000000`0b0ae000   image00000000`01070000
(...)
(e78.b9c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=0ebf2d78 ecx=00000000 edx=00150000 esi=0f5122f0 edi=00000000
eip=11d70d00 esp=001aa01c ebp=001aa044 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
dcdll!CDCDLL::operator=+0x951ef0:
11d70d00 8b4104          mov     eax,dword ptr [ecx+4] ds:002b:00000004=????????

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x4
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:11d70d00 mov eax,dword ptr [ecx+4]

Basic Block:
    11d70d00 mov eax,dword ptr [ecx+4]
       Tainted Input operands: 'ecx'
    11d70d03 ret
 
       Tainted Input operands: 'eax'

Exception Hash (Major/Minor): 0xe4adbd8c.0xf117f3e9

 Hash Usage : Stack Trace:
Major+Minor : dcdll!CDCDLL::operator=+0x951ef0
Major+Minor : dcdll!CDCDLL::CDCDLL+0x294ca7
Major+Minor : dcdll!CDCDLL::CDCDLL+0x1788eb
(...)
Minor       : image00000000_01070000+0x25fc48
Minor       : image00000000_01070000+0x27f5c8
Minor       : KERNEL32!BaseThreadInitThunk+0xe
Excluded    : ntdll_771e0000!RtlInitializeExceptionChain+0x84
Excluded    : ntdll_771e0000!RtlInitializeExceptionChain+0x5a
Instruction Address: 0x0000000011d70d00

Description: Read Access Violation near NULL
Short Description: ReadAVNearNull
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Read Access Violation near NULL starting at dcdll!CDCDLL::operator=+0x0000000000951ef0 (Hash=0xe4adbd8c.0xf117f3e9)

This is a user mode read access violation near null, and is probably not exploitable.

(...)
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
001aa044 120887b7 0ebf2d70 0f537dc8 00000000 dcdll!CDCDLL::operator=+0x951ef0
001aa090 11f6c3fb 0ebf2d70 00000000 00000017 dcdll!CDCDLL::CDCDLL+0x294ca7
001aa0a8 1246f38e 00000000 00000017 001aa50c dcdll!CDCDLL::CDCDLL+0x1788eb
001aa1c4 1247103b 001aa1fc 00000139 001aa50c dcdll!CDCDLL::CDCDLL+0x67b87e
(...)
---</windbg>---

CASE #03:

---<windbg>---

CommandLine: "C:\Program Files (x86)\QA-CAD 2019\qa2019.exe" C:\sf_e32c19211c65e2c301617f5abb975306-10339.dwg
(...)
Executable search path is:
ModLoad: 00000000`01070000 00000000`0b0ae000   image00000000`01070000
(...)
(5ec.f24): Access violation - code c0000005 (!!! second chance !!!)
eax=0f64e0ec ebx=00efe0b4 ecx=00002833 edx=0000b018 esi=00eff000 edi=0f8b0fa4
eip=12e8be00 esp=00dca548 ebp=00dca590 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
dcdll!CDCDLL::CDCDLL+0x6e82f0:
12e8be00 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0xeff000
Second Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation

Faulting Instruction:12e8be00 rep movs dword ptr es:[edi],dword ptr [esi]

Exception Hash (Major/Minor): 0x27c4ca3b.0x815f1fb0

 Hash Usage : Stack Trace:
Major+Minor : dcdll!CDCDLL::CDCDLL+0x6e82f0
Major+Minor : dcdll!CDCDLL::CDCDLL+0x365116
Major+Minor : dcdll!CDCDLL::CDCDLL+0x3654d8
Major+Minor : dcdll!CDCDLL::CDCDLL+0x178b3d
Major+Minor : dcdll!CDCDLL::CDCDLL+0x17a99b
(...)
Minor       : image00000000_01070000+0x27f5c8
Minor       : KERNEL32!BaseThreadInitThunk+0xe
Excluded    : ntdll_771e0000!RtlInitializeExceptionChain+0x84
Excluded    : ntdll_771e0000!RtlInitializeExceptionChain+0x5a
Instruction Address: 0x0000000012e8be00

Description: Read Access Violation on Block Data Move
Short Description: ReadAVonBlockMove
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Read Access Violation on Block Data Move starting at dcdll!CDCDLL::CDCDLL+0x00000000006e82f0 (Hash=0x27c4ca3b.0x815f1fb0)

This is a read access violation in a block data move, and is therefore classified as probably exploitable.
(...)
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00dca590 12b08c26 00dca60c 00000000 00dca600 dcdll!CDCDLL::CDCDLL+0x6e82f0
00dca5a0 12b08fe8 00dca60c b6785b1c 00dca644 dcdll!CDCDLL::CDCDLL+0x365116
00dca600 1291c64d 00dca6d8 0fe61630 b6785bd0 dcdll!CDCDLL::CDCDLL+0x3654d8
00dca6cc 1291e4ab 0f8ffd60 00000000 b6785a0c dcdll!CDCDLL::CDCDLL+0x178b3d
(...)
---</windbg>---

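Three crashes from one run already show why triage matters: two of them are read AVs in the same binary but with different hashes and classifications, and a real fuzzing session produces many more duplicates than that. Below is an added example (my own code, not the author's tooling and not part of the original post) that parses the !exploitable fields shown in the three cases, collapses crashes that share the same Major hash into one bucket, and ranks the buckets by the reported classification so the PROBABLY_EXPLOITABLE block move in CASE #03 comes up first and the near-NULL read in CASE #02 last. The sample logs are constructed, trimmed excerpts of CASE #01..#03 plus one constructed duplicate of CASE #01 (`sf_constructed-00001.dwg`) that exists only to show deduplication; the numeric severity ranking is this example's choice, not something !exploitable defines.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Labels are the ones !exploitable prints; the ranking (higher = look first)
# is this example's choice, not something the tool defines.
SEVERITY = {"EXPLOITABLE": 3, "PROBABLY_EXPLOITABLE": 2,
            "UNKNOWN": 1, "PROBABLY_NOT_EXPLOITABLE": 0}

@dataclass
class Crash:
    testcase: str          # input file passed on the command line
    faulting_address: int
    sub_type: str          # e.g. "Read Access Violation on Block Data Move"
    instruction: str       # faulting instruction with its address stripped
    major: str             # Major hash, derived from the "Major+Minor" frames
    classification: str

_RE = {  # one anchored, multi-line regex per field we triage on
    "testcase": re.compile(r'^CommandLine: "[^"]*"\s+(\S+)\s*$', re.M),
    "faulting_address": re.compile(r"^Exception Faulting Address: 0x([0-9a-fA-F]+)", re.M),
    "sub_type": re.compile(r"^Exception Sub-Type: (.+)$", re.M),
    "instruction": re.compile(r"^Faulting Instruction:\s*[0-9a-fA-F]+\s+(.+)$", re.M),
    "major": re.compile(r"^Exception Hash \(Major/Minor\): (0x[0-9a-fA-F]+)\.0x", re.M),
    "classification": re.compile(r"^Exploitability Classification: (\S+)", re.M),
}

def parse_log(text: str) -> Crash:
    """Extract one Crash from a WinDbg session in which !exploitable ran."""
    def grab(key: str) -> str:
        m = _RE[key].search(text)
        if m is None:
            raise ValueError(f"log is missing the '{key}' field")
        return m.group(1).strip()

    return Crash(
        testcase=grab("testcase"),
        faulting_address=int(grab("faulting_address"), 16),
        sub_type=grab("sub_type"),
        instruction=grab("instruction"),
        major=grab("major"),
        classification=grab("classification"),
    )

def bucket_crashes(logs):
    # Same Major hash == same faulting call stack, so repeats share a bucket.
    buckets = defaultdict(list)
    for text in logs:
        crash = parse_log(text)
        buckets[crash.major].append(crash)
    return dict(buckets)

def rank_buckets(buckets):
    # Returns (major_hash, representative_crash, count), most severe first; ties by hash.
    rows = [(major, crashes[0], len(crashes)) for major, crashes in buckets.items()]
    rows.sort(key=lambda row: (-SEVERITY.get(row[1].classification, -1), row[0]))
    return rows

# Constructed sample input: trimmed excerpts of CASE #01..#03 from the post plus
# one constructed duplicate of CASE #01 (sf_constructed-00001.dwg: same Major
# hash, different Minor hash) to show that a repeat collapses into its bucket.
SAMPLE_LOGS = [
    r"""CommandLine: "C:\Program Files (x86)\QA-CAD 2019\qa2019.exe" C:\sf_e32c19211c65e2c301617f5abb975306-34444.dwg
Exception Faulting Address: 0xf99f000
Exception Sub-Type: Read Access Violation
Faulting Instruction:0108b6d8 mov al,byte ptr [eax]
Exception Hash (Major/Minor): 0x9616ef4e.0x428a8412
Exploitability Classification: UNKNOWN
""",
    r"""CommandLine: "C:\Program Files (x86)\QA-CAD 2019\qa2019.exe" C:\sf_e32c19211c65e2c301617f5abb975306-9980.dwg
Exception Faulting Address: 0x4
Exception Sub-Type: Read Access Violation
Faulting Instruction:11d70d00 mov eax,dword ptr [ecx+4]
Exception Hash (Major/Minor): 0xe4adbd8c.0xf117f3e9
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
""",
    r"""CommandLine: "C:\Program Files (x86)\QA-CAD 2019\qa2019.exe" C:\sf_e32c19211c65e2c301617f5abb975306-10339.dwg
Exception Faulting Address: 0xeff000
Exception Sub-Type: Read Access Violation
Faulting Instruction:12e8be00 rep movs dword ptr es:[edi],dword ptr [esi]
Exception Hash (Major/Minor): 0x27c4ca3b.0x815f1fb0
Exploitability Classification: PROBABLY_EXPLOITABLE
""",
    r"""CommandLine: "C:\Program Files (x86)\QA-CAD 2019\qa2019.exe" C:\sf_constructed-00001.dwg
Exception Faulting Address: 0xf99f100
Exception Sub-Type: Read Access Violation
Faulting Instruction:0108b6d8 mov al,byte ptr [eax]
Exception Hash (Major/Minor): 0x9616ef4e.0x1f00baad
Exploitability Classification: UNKNOWN
""",
]

if __name__ == "__main__":
    for major, rep, count in rank_buckets(bucket_crashes(SAMPLE_LOGS)):
        print(f"{rep.classification:<25} {major} x{count}  {rep.sub_type}"
              f"  @ {rep.instruction}  [{rep.testcase}]")
```

Bucketing on the Major hash alone is deliberate: the Minor hash folds in more frames, so the same bug hit through slightly different paths would otherwise land in separate buckets. Keep in mind that all three traces above carry "Stack unwind information not available. Following frames may be wrong.", so the frames feeding those hashes are themselves uncertain and a bucket still deserves a manual look before it is treated as one unique bug. The classification only orders the work queue; UNKNOWN (CASE #01, a byte read through a tainted eax) is not "safe", it just means !exploitable could not decide.
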
Maybe you'll find it useful. ;)

See you next time!

Cheers



