
Themida and WinLicense Vulnerabilities

The vulnerability in Themida is caused due to a boundary error in the processing of a project file, which can be exploited to cause a buffer overflow when a user opens e.g. a specially crafted .TMD file. Successful exploitation may allow execution of arbitrary code.

WinLicense is prone to an unspecified memory corruption vulnerability. An attacker can exploit this issue by tricking a victim into opening a malicious XML file to execute arbitrary code and to cause denial-of-service conditions.

Advisories:

ZSL-2012-5079: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5079.php
ZSL-2012-5080: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5080.php

EdrawSoft Office Viewer Component ActiveX 5.6 (officeviewermme.ocx) BoF PoC

The ActiveX control suffers from a buffer overflow vulnerability when a large number of bytes is passed to the FtpUploadFile member of the FtpUploadFile() function, resulting in memory corruption that overwrites several registers, including the SEH. An attacker can gain access to the system of the affected node and execute arbitrary code.

--------------------------------------------------------------

CompanyName EdrawSoft
FileDescription Edraw Office Viewer Component
FileVersion 5.6.578.1

OriginalFileName officeviewer.ocx
ProductName OfficeViewerOCX
ProductVersion 5.6.5781

Report for Clsid: {F6FE8878-54D2-4333-B9F0-FC543B1BE1ED}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller,data
IPStorage Safe: Safe for untrusted: caller,data

Exception Code: ACCESS_VIOLATION
Disasm: 220324CC MOV [EDI],AX (officeviewermme.ocx)

Seh Chain:
--------------------------------------------------
1 410041

Called From Returns To
--------------------------------------------------
officeviewermme.220324CC officeviewermme.22026402

Registers:
--------------------------------------------------
EIP 220324CC
EAX 00000041
EBX 00001015
ECX 000002A0
EDX 001B2E4C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 01870000
ESI 0186E518 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0186C490 -> 0186C530
ESP 0186C488 -> 00000000

Block Disassembly:
--------------------------------------------------
220324BD MOV EDI,[EBP+8]
220324C0 MOV ESI,EDI
220324C2 TEST ECX,ECX
220324C4 JE SHORT 220324F7
220324C6 MOV EDX,[EBP+C]
220324C9 MOVZX EAX,WORD PTR [EDX]
220324CC MOV [EDI],AX <--- CRASH
220324CF INC EDI
220324D0 INC EDI
220324D1 INC EDX
220324D2 INC EDX
220324D3 TEST AX,AX
220324D6 JE SHORT 220324DB
220324D8 DEC ECX
220324D9 JNZ SHORT 220324C9

ArgDump:
--------------------------------------------------
EBP+8 0186E518 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12 001B1364 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 00001014
EBP+20 00000000
EBP+24 000007FC
EBP+28 01761EC0 -> Uni: D5")"

Stack Dump:
--------------------------------------------------
186C488 00 00 00 00 64 13 1B 00 30 C5 86 01 02 64 02 22 [....d........d..]
186C498 18 E5 86 01 64 13 1B 00 14 10 00 00 00 00 00 00 [....d...........]
186C4A8 FC 07 00 00 C0 1E 76 01 18 CD 86 01 18 D5 86 01 [......v.........]
186C4B8 18 ED 86 01 64 13 1B 00 10 CD 86 01 18 E5 86 01 [....d...........]
186C4C8 14 10 00 00 8E 33 1B 00 14 10 00 00 00 00 00 00 [................]

--------------------------------------------------------------

(6c9c.6c70): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000041 ebx=00001015 ecx=000002a0 edx=001b2edc esi=0186e518 edi=01870000
eip=220324cc esp=0186c488 ebp=0186c490 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Mindjet\MindManager 10\officeviewermme.ocx -
officeviewermme!DllRegisterServer+0x23bbe:
220324cc 668907 mov word ptr [edi],ax ds:0023:01870000=????
0:004> !exchain
0186fa84: 00410041
Invalid exception stack at 00410041
0:004> d esi
0186e518 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e528 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e538 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e548 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e558 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e568 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e578 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186e588 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:004> d edx
001b2edc 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2eec 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2efc 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f0c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f1c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f2c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f3c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
001b2f4c 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:004> d esp+3000
0186f488 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f498 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4a8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4b8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4c8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4d8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4e8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0186f4f8 41 00 41 00 41 00 41 00-41 00 41 00 41 00 41 00 A.A.A.A.A.A.A.A.
0:004> !load msec; !exploitable
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at officeviewermme!DllRegisterServer+0x0000000000023bbe (Hash=0x55146322.0x550a2c22)

User mode write access violations that are not near NULL are exploitable.
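The block disassembly above (MOVZX EAX,WORD PTR [EDX] / MOV [EDI],AX / INC EDI / INC EDI / INC EDX / INC EDX / TEST AX,AX / DEC ECX / JNZ) is a word-at-a-time string copy whose count in ECX follows the source, not the destination: EDI has advanced from the destination start (0186E518, the EBP+8 argument) to the unmapped address 01870000 when the store faults. The C below is an added example, not code from the control or from the advisory: a hypothetical reconstruction of that copy loop next to a variant bounded by the destination capacity, run on a constructed source of 'A' (0x0041) units like the "Uni: AAAA..." data in the dump. The function names, buffer sizes and canary pattern are the example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical reconstruction (added example, not Edraw's code) of the loop
 * in the crash dump:
 *   MOVZX EAX,WORD PTR [EDX]   load one UTF-16 unit from the source
 *   MOV   [EDI],AX             store it to the destination  <-- faulting store
 *   INC EDI; INC EDI; INC EDX; INC EDX
 *   TEST  AX,AX / JE done      stop at the terminator
 *   DEC   ECX / JNZ loop       or when the count runs out
 * ECX (0x1015 in the dump) tracks the source length, so nothing stops the
 * writes once the destination is smaller than the source. */
static void copy_utf16_unbounded(uint16_t *dst, const uint16_t *src, size_t count)
{
    while (count != 0) {
        uint16_t unit = *src++;
        *dst++ = unit;              /* MOV [EDI],AX */
        if (unit == 0)
            break;
        count--;
    }
}

/* Hardened variant: the bound is the destination capacity in elements
 * (terminator included), independent of anything derived from the input.
 * Returns 0 on success, -1 if the source does not fit; on -1 the destination
 * is left as an empty string instead of a silently truncated one. */
int copy_utf16_bounded(uint16_t *dst, size_t dst_cap,
                       const uint16_t *src, size_t src_len)
{
    size_t i, n = 0;
    if (dst_cap == 0)
        return -1;
    while (n < src_len && src[n] != 0)  /* honour an embedded terminator */
        n++;
    if (n >= dst_cap) {                 /* n units plus terminator must fit */
        dst[0] = 0;
        return -1;
    }
    for (i = 0; i < n; i++)
        dst[i] = src[i];
    dst[n] = 0;
    return 0;
}

#define DST_CAP 16     /* units the caller actually reserved for the copy */
#define ARENA   64     /* larger arena so the demo stays within defined C */
#define CANARY  0xDEAD

/* Constructed input: src_len units of 'A' (0x0041) plus a terminator, copied
 * with the unbounded loop into the first DST_CAP units of a canary-filled
 * arena. Returns 1 if anything beyond those DST_CAP units was clobbered. */
int unbounded_copy_clobbers(size_t src_len)
{
    uint16_t arena[ARENA], src[ARENA];
    size_t i;
    if (src_len > ARENA - 1)
        src_len = ARENA - 1;            /* keep the demo itself in bounds */
    for (i = 0; i < ARENA; i++)
        arena[i] = CANARY;
    for (i = 0; i < src_len; i++)
        src[i] = 0x0041;
    src[src_len] = 0;
    copy_utf16_unbounded(arena, src, src_len);  /* count derived from source */
    for (i = DST_CAP; i < ARENA; i++)
        if (arena[i] != CANARY)
            return 1;
    return 0;
}

/* Same constructed input through the bounded copy into a DST_CAP buffer;
 * returns the copy's status (0 = copied, -1 = rejected). */
int bounded_copy_status(size_t src_len)
{
    uint16_t dst[DST_CAP], src[ARENA];
    size_t i;
    if (src_len > ARENA - 1)
        src_len = ARENA - 1;
    for (i = 0; i < src_len; i++)
        src[i] = 0x0041;
    src[src_len] = 0;
    return copy_utf16_bounded(dst, DST_CAP, src, src_len);
}

int main(void)
{
    printf("unbounded, 8 units : clobbered=%d\n", unbounded_copy_clobbers(8));
    printf("unbounded, 32 units: clobbered=%d\n", unbounded_copy_clobbers(32));
    printf("bounded,   8 units : status=%d\n", bounded_copy_status(8));
    printf("bounded,   32 units: status=%d\n", bounded_copy_status(32));
    return 0;
}
```

With 8 units both versions behave the same; with 32 units the unbounded loop writes past the 16-unit buffer while the bounded one rejects the input up front, which is the check the faulting loop lacks.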

Advisory ID: ZSL-2012-5069
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5069.php

Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH)

The PDF Printer Preferences ActiveX suffers from a buffer overflow vulnerability. When a large buffer is sent to the sub_path item of the StoreInRegistry function, and the sub_key item of the InitFromRegistry function, in the pdfxctrl.dll module, we get an SEH overwrite. An attacker can gain access to the system of the affected node and execute arbitrary code.

Discovered on 25.01.2012 in the copy bundled with Mindjet MindManager 2012 for Windows version 10.0.493.

COMRaider Output:

-----------
Exception Code: ACCESS_VIOLATION
Disasm: 7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] (KERNEL32.dll)

Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 41414141

Called From Returns To
--------------------------------------------------
KERNEL32.7C834D8F pdfxctrl.1001D8E7
pdfxctrl.1001D8E7 41414141

Registers:
--------------------------------------------------
EIP 7C834D8F -> Asc: SOFTWARE\Tracker Software\pdf
EAX 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBX 00000003
ECX 0000008C
EDX 00001815
EDI 0013FFFD -> 41000000
ESI 0013CD74 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B780 -> 0013EDE4
ESP 0013B75C -> 0000302A -> Uni: *0*0

Block Disassembly:
--------------------------------------------------
7C834D82 MOV CL,[EDI+1]
7C834D85 INC EDI
7C834D86 TEST CL,CL
7C834D88 JNZ SHORT 7C834D82
7C834D8A MOV ECX,EDX
7C834D8C SHR ECX,2
7C834D8F REP MOVS DWORD PTR ES:[EDI],DWORD PTR [ESI] <--- CRASH
7C834D91 MOV ECX,EDX
7C834D93 AND ECX,3
7C834D96 REP MOVS BYTE PTR ES:[EDI],BYTE PTR [ESI]
7C834D98 OR DWORD PTR [EBP-4],FFFFFFFF
7C834D9C CALL 7C802511
7C834DA1 RETN 8
7C834DA4 NOP
7C834DA5 NOP

ArgDump:
--------------------------------------------------
EBP+8 0013E9E0 -> Asc: SOFTWARE\Tracker Software\pdf
EBP+12 0013B790 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 41414141
EBP+20 41414141
EBP+24 41414141
EBP+28 41414141

Stack Dump:
--------------------------------------------------
13B75C 2A 30 00 00 84 63 18 00 03 00 00 00 5C B7 13 00 [.....c......\...]
13B76C 2A 30 00 00 AC F1 13 00 C0 9A 83 7C A8 4D 83 7C [.............M..]
13B77C 00 00 00 00 E4 ED 13 00 E7 D8 01 10 E0 E9 13 00 [................]
13B78C 90 B7 13 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]
13B79C 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]

-----------

CompanyName Tracker Software Products
FileDescription PDF Printer Preferences ActiveX
FileVersion 3.60.0128
InternalName pdfxctrl.dll
LegalCopyright Copyright © 2001-2006 by Tracker Software Products
OriginalFileName pdfxctrl.dll
ProductName Tracker Software Products pdfxctrl.PdfPrinterPreferences ActiveX
ProductVersion 3.60

Advisory ID: ZSL-2012-5067 (Tracker Software pdfSaver ActiveX 3.60 (pdfxctrl.dll) Stack Buffer Overflow (SEH))
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5067.php

SopCast 3.4.7.45585 Multiple Vulnerabilities

SopCast suffers from a stack-based buffer overflow vulnerability when parsing user input via the SoP protocol in the sopocx.ocx module, allowing the attacker to gain system access and execute arbitrary code on the affected machine. The issue is triggered when a 514-byte string is added to the sop:// protocol (GET), causing the application to open the link (channel) and crash. The application will crash even with ‘sop://[anything]’ because it fails to properly sanitize and handle the URI segment, but with exactly 514 bytes the stack is overflowed, popping up the Buffer Overrun error box. Unsuccessful attempts cause a denial of service scenario. The ‘<address>’ element in the favorites.xml file can also be used as the attack vector.

SopCast is also vulnerable to an elevation of privileges vulnerability: a simple user can replace the executable file with a binary of choice. The vulnerability exists due to improper permissions on the ‘Diagnose.exe’ binary bundled with the SopCast installation package, which grant the ‘F’ flag (full control) to the ‘Everyone’ group.

Advisories:

ZSL-2011-5062: SopCast 3.4.7 (Diagnose.exe) Improper Permissions
ZSL-2011-5063: SopCast 3.4.7 sop:// URI Handling Remote Stack Buffer Overflow PoC

Ashampoo Burning Studio Elements 10.0.9 (.ashprj) Heap Overflow Vulnerability

The application suffers from a heap overflow vulnerability because it fails to properly sanitize user-supplied input when parsing the .ashprj project file format, resulting in a crash that corrupts heap memory. An attacker can use this scenario to lure unsuspecting users into opening maliciously crafted .ashprj files, with a potential for arbitrary code execution on the affected system.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5050.php

Adobe Photoshop Elements 8.0 Multiple Arbitrary Code Execution Vulnerabilities

Photoshop Elements 8 suffers from a buffer overflow vulnerability when dealing with .ABR (brushes) and .GRD (gradients) format files. The application fails to sanitize the user input, resulting in memory corruption that overwrites several registers, which can aid the attacker in executing arbitrary code on the affected system or causing a denial of service scenario.

Tested on:
----------
Microsoft Windows XP Professional Service Pack 3 (English)

Vulnerability discovered by:
----------------------------
Gjoko ‘LiquidWorm’ Krstic
Zero Science Lab (http://www.zeroscience.mk)
liquidworm gmail com

Vendor status:
--------------
[22.09.2009] Vulnerabilities discovered.
[09.03.2010] Sent detailed info to the vendor with PoC files.
[09.03.2010] Vendor responds with assigned tracking numbers of the issues.
[21.03.2010] Asked vendor for confirmation.
[21.03.2010] Vendor replies confirming the vulnerabilities.
[03.06.2011] Asked vendor for scheduled patch release date.
[05.06.2011] Vendor replies with a scheduled timeframe.
[02.09.2011] Asked vendor for an exact patch release date.
[03.09.2011] Vendor replies.
[09.09.2011] Asked vendor for assigned advisory ID.
[10.09.2011] Vendor tags their Adobe Advisory ID: APSA11-03.
[01.10.2011] Coordinated public security advisory released.

Advisory details:
-----------------
Advisory ID: ZSL-2011-5049
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5049.php

Adobe Advisory ID: APSA11-03
Adobe Advisory URL: http://www.adobe.com/support/security/advisories/apsa11-03.html
Adobe PSIRT ID: 447,448

CVE ID: CVE-2011-2443
CVE URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-2443

CWE ID: CWE-120
CWE URL: http://cwe.mitre.org/data/definitions/120.html

REF #1: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4939.php
REF #2: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4940.php

Proof Of Concept:
-----------------
http://www.zeroscience.mk/codes/brush_gradiently.rar (11071 bytes)

ESTsoft ALPlayer 2.0 ASX Playlist File Handling Buffer Overflow Vulnerability

The vulnerability is caused by a boundary error in the processing of a playlist file, which can be exploited to cause a stack-based buffer overflow when a user opens e.g. a specially crafted .asx file. Successful exploitation may allow execution of arbitrary code.

-------------------------------------------------------------------------

(188.820): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0095c8e0 ebx=0012e560 ecx=00004141 edx=00ce4fc0 esi=026d1902 edi=0012e5ac
eip=7855c776 esp=0012e458 ebp=0012e468 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
MSVCR90!_isspace_l+0x3b:
7855c776 0fb70448 movzx eax,word ptr [eax+ecx*2] ds:0023:00964b62=????

-------------------------------------------------------------------------

PoC: alplayer_bof.rar
Advisory ID: ZSL-2011-5023
Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5023.php

Adobe Audition 3.0 (build 7283) Session File Handling Buffer Overflow PoC

Adobe Audition suffers from a buffer overflow vulnerability when dealing with the .SES (session) file format. The application fails to sanitize the user input, resulting in memory corruption that overwrites several registers, which can aid the attacker in executing arbitrary code or causing a denial of service.

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5012.php

Gesytec ElonFmt ActiveX 1.1.14 (ElonFmt.ocx) pid Item Buffer Overflow (SEH)

The ElonFmt ActiveX Control Module suffers from a buffer overflow vulnerability. When a large buffer is sent to the pid item of the GetItem1 function in the elonfmt.ocx module, a few registers are overwritten, including the SEH. We’re dealing with a character translation. An attacker can gain access to the system on the affected node and execute arbitrary code.

-----------------------------------------------------------------
CompanyName
FileDescription ElonFmt ActiveX Control Module
FileVersion 1, 1, 14, 1
InternalName ElonFmt
LegalCopyright Copyright (C) 2002 – 2008 Gesytec GmbH
OriginalFileName ElonFmt.OCX
ProductName ElonFmt ActiveX Control Module
ProductVersion 1, 1, 14, 1
-----------------------------------------------------------------

Exception Code: ACCESS_VIOLATION
Disasm: AAAAAAAA ????? ()

Seh Chain:
--------------------------------------------------
1 7C9032BC ntdll.dll
2 AAAAAAAA

Registers:
--------------------------------------------------
EIP AAAAAAAA
EAX 00000000
EBX 00000000
ECX AAAAAAAA
EDX 7C9032BC -> 04244C8B
EDI 00000000
ESI 00000000
EBP 0013E7F8 -> 0013E8A8
ESP 0013E7D8 -> 7C9032A8

Block Disassembly:
--------------------------------------------------
AAAAAAAA ????? <--- CRASH

ArgDump:
--------------------------------------------------
EBP+8 0013E8C0 -> C0000005
EBP+12 0013ECF0 -> AAAAAAAA
EBP+16 0013E8DC -> 0001003F
EBP+20 0013E894 -> 7C96F3BC
EBP+24 AAAAAAAA
EBP+28 00000236

Stack Dump:
--------------------------------------------------
13EBA8 01 00 00 00 00 00 00 00 08 AF 47 00 81 18 C3 77 [..........G....w]
13EBB8 14 2C 00 00 A2 56 00 10 41 ED 13 00 E8 EB 13 00 [.....V..........]
13EBC8 20 8F 63 01 B8 8E 63 01 81 18 C3 77 01 00 00 00 [..c...c....w....]
13EBD8 64 21 12 77 FF 00 00 00 74 E1 97 7C 51 7C 91 7C [d..w....t...Q...]
13EBE8 AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA AA [................]

-----------------------------------------------

(fc.1608): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=cccccccc edx=7c9032bc esi=00000000 edi=00000000
eip=cccccccc esp=0013e7d8 ebp=0013e7f8 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
cccccccc ?? ???
0:000> !exchain
0013e7ec: ntdll!ExecuteHandler2+3a (7c9032bc)
0013ecf0: cccccccc
Invalid exception stack at bbbbbbbb
0:000> u 0013ecf0
0013ecf0 bbbbbbbbcc mov ebx,0CCBBBBBBh
0013ecf5 cc int 3
0013ecf6 cc int 3
0013ecf7 cc int 3
0013ecf8 dddd fstp st(5)
0013ecfa dddd fstp st(5)
0013ecfc dddd fstp st(5)
0013ecfe dddd fstp st(5)

0:000> d esp
0013eb58 01 00 00 00 8d 61 53 80-7c 5a 63 af 00 00 00 00 .....aS.|Zc.....
0013eb68 88 d5 2e ba 00 00 00 00-24 46 53 8a 00 86 8f bf ........$FS.....
0013eb78 a8 5a 63 af a8 5a 63 af-fb 0a 80 bf 60 29 53 89 .Zc..Zc.....`)S.
0013eb88 ce 86 8f bf 68 d5 2e ba-88 d5 2e ba 00 00 00 00 ....h...........
0013eb98 06 00 05 00 a1 00 00 00-2e 0e 73 74 d1 18 43 7e ..........st..C~
0013eba8 01 00 00 00 00 00 00 00-40 f7 47 00 81 18 c3 77 ........@.G....w
0013ebb8 1a 03 00 00 a2 56 00 10-00 ed 13 00 e8 eb 13 00 .....V..........
0013ebc8 20 8f 63 01 b8 8e 63 01-81 18 c3 77 01 00 00 00  .c...c....w....
0:000> d
0013ebd8 64 21 12 77 ff 00 00 00-74 e1 97 7c 51 7c 91 7c d!.w....t..|Q|.|
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0:000> d
0013ebe8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ebf8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec08 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec18 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec28 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec38 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec48 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec58 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0:000> d
0013ec68 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec78 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec88 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ec98 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013eca8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ecb8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ecc8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0013ecd8 aa aa aa aa aa aa aa aa-aa aa aa aa aa aa aa aa ................
0:000> d
0013ece8 aa aa aa aa aa aa aa aa-bb bb bb bb cc cc cc cc ................
0013ecf8 dd dd dd dd dd dd dd dd-dd ad d0 01 01 00 63 01 ..............c.
0013ed08 00 00 00 00 b8 8e 63 01-01 00 00 00 00 ed 13 00 ......c.........
0013ed18 82 a5 00 10 8c ed 13 00-b8 8e 63 01 28 ee 13 00 ..........c.(...
0013ed28 00 00 00 00 80 02 63 01-80 ed 13 00 ae 43 dd 73 ......c......C.s
0013ed38 5c ed 13 00 d8 f0 00 10-02 00 00 00 d9 a3 00 10 \...............
0013ed48 80 02 63 01 24 8e 56 01-01 00 00 00 78 8e 63 01 ..c.$.V.....x.c.
0013ed58 48 ed 13 00 80 ed 13 00-98 f0 00 10 01 00 00 00 H...............

Advisory ID: ZSL-2011-5011
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php

Elecard MPEG Player 5.7 Local Buffer Overflow PoC (SEH)

The program suffers from a buffer overflow (with SEH overwrite) vulnerability when opening a playlist file (.m3u) that has extra bytes appended.

--------------------------------------------------------------------------------

(d08.33c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000104 ebx=000037bb ecx=0000002a edx=00000104 esi=0013c73c edi=0013ffff
eip=0045563e esp=0013c6c0 ebp=0013cb14 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210206
*** ERROR: Module load completed but symbols could not be loaded for image00400000
image00400000+0x5563e:
0045563e f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
Missing image name, possible paged-out or corrupt data.
0:000> g
(d08.33c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=44444444 edx=7c9032bc esi=00000000 edi=00000000
eip=44444444 esp=0013c2f0 ebp=0013c310 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00210246
+0x44444443:
44444444 ?? ???
0:000> !exchain
0013c304: ntdll!RtlConvertUlongToLargeInteger+7e (7c9032bc)
0013cb04: +44444443 (44444444)
Invalid exception stack at 43434343

--------------------------------------------------------------------------------

Advisory: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4998.php