Thursday, 26 May 2016

A few PoCs for IE8

I assume this is probably useless now, so for educational purposes only, you will find a few
proof-of-concepts below (described by !analyze as "not", "probably" and "exploitable"):



TL;DR: poc #1 + details

-------------------------------------------------------------------------------------------
Found by: code16@04.05.2016

0:022> g
ModLoad: 76360000 76370000   C:\WINDOWS\system32\winsta.dll
ModLoad: 5b860000 5b8b6000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 065e0000 06774000   C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 6d430000 6d43a000   C:\WINDOWS\system32\ddrawex.dll
ModLoad: 73760000 737ab000   C:\WINDOWS\system32\DDRAW.dll
ModLoad: 73bc0000 73bc6000   C:\WINDOWS\system32\DCIMAN32.dll
(94c.97c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=2b071004 ebx=00000000 ecx=1fffff05 edx=1b070044 esi=06af6e50 edi=21000001
eip=0661eb23 esp=035cf74c ebp=035cf820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx -
Flash6+0x3eb23:
0661eb23 895808          mov     dword ptr [eax+8],ebx ds:0023:2b07100c=????????

0:008> .exr -1
ExceptionAddress: 0661eb23 (Flash6+0x0003eb23)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 2b07100c
Attempt to write to address 2b07100c

0:008> kv
ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
035cf820 06619f44 06af6e50 06882058 068a8000 Flash6+0x3eb23
035cfbe0 0661c1d1 00000000 06af3300 06882050 Flash6+0x39f44
035cfc20 0663ab1b 00000001 035cfc4c 035cfc7c Flash6+0x3c1d1
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\mshtml.dll -
035cfc98 637dda75 00000000 035cfd18 637dd948 Flash6!DllUnregisterServer+0xfb37
035cfca4 637dd948 002bc128 00000013 035cfd18 mshtml!Ordinal103+0x348a1
035cfd18 637dd842 0031a0f0 035cfd58 6364de62 mshtml!Ordinal103+0x34774
035cfd24 6364de62 0031a0f0 00000000 050864c8 mshtml!Ordinal103+0x3466e
035cfd58 6363c3c5 035cfde0 6363c317 00000000 mshtml!DllGetClassObject+0xbdea5
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
035cfd78 7e418734 003a0258 0000000e 00000000 mshtml!DllGetClassObject+0xac408
035cfda4 7e418816 6363c317 003a0258 00008002 USER32!GetDC+0x6d
035cfe0c 7e4189cd 00000000 6363c317 003a0258 USER32!GetDC+0x14f
035cfe6c 7e418a10 035cfe94 00000000 035cfeec USER32!GetWindowLongW+0x127
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\IEFRAME.dll -
035cfe7c 02562ec9 035cfe94 00000000 01be81f8 USER32!DispatchMessageW+0xf
035cfeec 025048bf 002c83f8 00141000 00274318 IEFRAME!IEIsProtectedModeProcess+0x70f0
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\iertutil.dll -
035cffa4 5de05a60 01be81f8 0012f9fc 035cffec IEFRAME!SetQueryNetSessionCount+0xffa6
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
035cffb4 7c80b713 00274318 00141000 0012f9fc iertutil!Ordinal503+0x2cc
035cffec 00000000 5de05a52 00274318 00000000 kernel32!GetModuleFileNameA+0x1b4

0:008> r
eax=2b071004 ebx=00000000 ecx=1fffff05 edx=1b070044 esi=06af6e50 edi=21000001
eip=0661eb23 esp=035cf74c ebp=035cf820 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
Flash6+0x3eb23:
0661eb23 895808          mov     dword ptr [eax+8],ebx ds:0023:2b07100c=????????

0:008> u eip
Flash6+0x3eb23:
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h
0661eb32 49              dec     ecx
0661eb33 75ee            jne     Flash6+0x3eb23 (0661eb23)
0661eb35 895590          mov     dword ptr [ebp-70h],edx
0661eb38 eb03            jmp     Flash6+0x3eb3d (0661eb3d)

0:008> r eax,ebx
eax=2b071004 ebx=00000000

0:008> u eax+8
2b07100c ??              ???
             ^ Memory access error in 'u eax+8'

0:008> dd eax+8
2b07100c  ???????? ???????? ???????? ????????
2b07101c  ???????? ???????? ???????? ????????
2b07102c  ???????? ???????? ???????? ????????
2b07103c  ???????? ???????? ???????? ????????
2b07104c  ???????? ???????? ???????? ????????
2b07105c  ???????? ???????? ???????? ????????
2b07106c  ???????? ???????? ???????? ????????
2b07107c  ???????? ???????? ???????? ????????

0:008> dd ebx
00000000  ???????? ???????? ???????? ????????
00000010  ???????? ???????? ???????? ????????
00000020  ???????? ???????? ???????? ????????
00000030  ???????? ???????? ???????? ????????
00000040  ???????? ???????? ???????? ????????
00000050  ???????? ???????? ???????? ????????
00000060  ???????? ???????? ???????? ????????
00000070  ???????? ???????? ???????? ????????

0:008> u eip
Flash6+0x3eb23:
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h
0661eb32 49              dec     ecx
0661eb33 75ee            jne     Flash6+0x3eb23 (0661eb23)
0661eb35 895590          mov     dword ptr [ebp-70h],edx
0661eb38 eb03            jmp     Flash6+0x3eb3d (0661eb3d)

0:008> u eip-1
Flash6+0x3eb22:
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h
0661eb32 49              dec     ecx
0661eb33 75ee            jne     Flash6+0x3eb23 (0661eb23)
0661eb35 895590          mov     dword ptr [ebp-70h],edx

0:008> u eip-2
Flash6+0x3eb21:
0661eb21 134189          adc     eax,dword ptr [ecx-77h]
0661eb24 58              pop     eax
0661eb25 08c7            or      bh,al
0661eb27 0006            add     byte ptr [esi],al
0661eb29 0000            add     byte ptr [eax],al
0661eb2b 0089580483c0    add     byte ptr [ecx-3F7CFBA8h],cl
0661eb31 104975          adc     byte ptr [ecx+75h],cl
0661eb34 ee              out     dx,al

0:008> u eip-3
Flash6+0x3eb20:
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h
0661eb32 49              dec     ecx
0661eb33 75ee            jne     Flash6+0x3eb23 (0661eb23)

0:008> u eip-4
Flash6+0x3eb1f:
0661eb1f c27c13          ret     137Ch
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h
0661eb32 49              dec     ecx
0661eb33 75ee            jne     Flash6+0x3eb23 (0661eb23)

0:008> u eip-5
Flash6+0x3eb1e:
0661eb1e 8bc2            mov     eax,edx
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h
0661eb32 49              dec     ecx

0:008> u eip-6
Flash6+0x3eb1d:
0661eb1d cb              retf
0661eb1e 8bc2            mov     eax,edx
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h

0:008> u eip-7
Flash6+0x3eb1c:
0661eb1c 3bcb            cmp     ecx,ebx
0661eb1e 8bc2            mov     eax,edx
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx
0661eb2f 83c010          add     eax,10h

0:008> u eip-8
Flash6+0x3eb1b:
0661eb1b 383b            cmp     byte ptr [ebx],bh
0661eb1d cb              retf
0661eb1e 8bc2            mov     eax,edx
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx

0:008> u eip-9
Flash6+0x3eb1a:
0661eb1a 8938            mov     dword ptr [eax],edi
0661eb1c 3bcb            cmp     ecx,ebx
0661eb1e 8bc2            mov     eax,edx
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx
0661eb26 c70006000000    mov     dword ptr [eax],6
0661eb2c 895804          mov     dword ptr [eax+4],ebx

0:008> u eip-10
Flash6+0x3eb13:
0661eb13 268d4fff        lea     ecx,es:[edi-1]
0661eb17 8d5004          lea     edx,[eax+4]
0661eb1a 8938            mov     dword ptr [eax],edi
0661eb1c 3bcb            cmp     ecx,ebx
0661eb1e 8bc2            mov     eax,edx
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx
0661eb23 895808          mov     dword ptr [eax+8],ebx

0:008> u edi-1
21000000 e0e0            loopne  20ffffe2
21000002 e0e0            loopne  20ffffe4
21000004 06              push    es
21000005 0000            add     byte ptr [eax],al
21000007 0000            add     byte ptr [eax],al
21000009 0000            add     byte ptr [eax],al
2100000b 0000            add     byte ptr [eax],al
2100000d 0000            add     byte ptr [eax],al


0:008> !analyze -v
*******************************************************************************
(...)
***                                                                   ***
***    Type referenced: nt!IMAGE_NT_HEADERS32                         ***
***                                                                   ***
*************************************************************************
Failed calling InternetOpenUrl, GLE=12007

FAULTING_IP:
Flash6+3eb23
0661eb23 895808          mov     dword ptr [eax+8],ebx

EXCEPTION_RECORD:  ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 0661eb23 (Flash6+0x0003eb23)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 2b07100c
Attempt to write to address 2b07100c

FAULTING_THREAD:  0000097c

PROCESS_NAME:  IEXPLORE.EXE

ADDITIONAL_DEBUG_TEXT:  Use '!findthebuild' command to search for the target build information.If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.

MODULE_NAME: Flash6

FAULTING_MODULE: 7c900000 ntdll

DEBUG_FLR_IMAGE_TIMESTAMP:  44c8ff05

ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at "0x%08lx" referenced memory at "0x%08lx". The memory could not be "%s".

EXCEPTION_PARAMETER1:  00000001

EXCEPTION_PARAMETER2:  2b07100c

WRITE_ADDRESS:  2b07100c

FOLLOWUP_IP:
Flash6+3eb23
0661eb23 895808          mov     dword ptr [eax+8],ebx

MOD_LIST: <ANALYSIS/>

BUGCHECK_STR:  APPLICATION_FAULT_INVALID_POINTER_WRITE_WRONG_SYMBOLS_EXPLOITABLE

PRIMARY_PROBLEM_CLASS:  INVALID_POINTER_WRITE_EXPLOITABLE

DEFAULT_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE

LAST_CONTROL_TRANSFER:  from 06619f44 to 0661eb23

STACK_TEXT: 
WARNING: Stack unwind information not available. Following frames may be wrong.
035cf820 06619f44 06af6e50 06882058 068a8000 Flash6+0x3eb23
035cfbe0 0661c1d1 00000000 06af3300 06882050 Flash6+0x39f44
035cfc20 0663ab1b 00000001 035cfc4c 035cfc7c Flash6+0x3c1d1
035cfc98 637dda75 00000000 035cfd18 637dd948 Flash6!DllUnregisterServer+0xfb37
035cfca4 637dd948 002bc128 00000013 035cfd18 mshtml!Ordinal103+0x348a1
035cfd18 637dd842 0031a0f0 035cfd58 6364de62 mshtml!Ordinal103+0x34774
035cfd24 6364de62 0031a0f0 00000000 050864c8 mshtml!Ordinal103+0x3466e
035cfd58 6363c3c5 035cfde0 6363c317 00000000 mshtml!DllGetClassObject+0xbdea5
035cfd78 7e418734 003a0258 0000000e 00000000 mshtml!DllGetClassObject+0xac408
035cfda4 7e418816 6363c317 003a0258 00008002 USER32!GetDC+0x6d
035cfe0c 7e4189cd 00000000 6363c317 003a0258 USER32!GetDC+0x14f
035cfe6c 7e418a10 035cfe94 00000000 035cfeec USER32!GetWindowLongW+0x127
035cfe7c 02562ec9 035cfe94 00000000 01be81f8 USER32!DispatchMessageW+0xf
035cfeec 025048bf 002c83f8 00141000 00274318 IEFRAME!IEIsProtectedModeProcess+0x70f0
035cffa4 5de05a60 01be81f8 0012f9fc 035cffec IEFRAME!SetQueryNetSessionCount+0xffa6
035cffb4 7c80b713 00274318 00141000 0012f9fc iertutil!Ordinal503+0x2cc
035cffec 00000000 5de05a52 00274318 00000000 kernel32!GetModuleFileNameA+0x1b4


SYMBOL_STACK_INDEX:  0

SYMBOL_NAME:  Flash6+3eb23

FOLLOWUP_NAME:  MachineOwner

STACK_COMMAND:  ~8s ; kb

BUCKET_ID:  WRONG_SYMBOLS

IMAGE_NAME:  C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx

FAILURE_BUCKET_ID:  INVALID_POINTER_WRITE_EXPLOITABLE_c0000005_C:_WINDOWS_system32_Macromed_Flash_Flash6.ocx!Unknown

WATSON_STAGEONE_URL:  http://watson.microsoft.com/StageOne/IEXPLORE_EXE/8_0_6001_18702/49b3ad2e/Flash6_ocx/6_0_88_0/44c8ff05/c0000005/0003eb23.htm?Retriage=1

Followup: MachineOwner
---------

0:008> !exploitable -v

!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x2b07100c
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation

Faulting Instruction:0661eb23 mov dword ptr [eax+8],ebx

Exception Hash (Major/Minor): 0x2cfecef0.0x8e10d8c5

 Hash Usage : Stack Trace:
Major+Minor : Flash6+0x3eb23
Major+Minor : Flash6+0x39f44
Major+Minor : Flash6+0x3c1d1
Major+Minor : Flash6!DllUnregisterServer+0xfb37
Major+Minor : mshtml!Ordinal103+0x348a1
Minor       : mshtml!Ordinal103+0x34774
Minor       : mshtml!Ordinal103+0x3466e
Minor       : mshtml!DllGetClassObject+0xbdea5
Minor       : mshtml!DllGetClassObject+0xac408
Minor       : USER32!GetDC+0x6d
Minor       : USER32!GetDC+0x14f
Minor       : USER32!GetWindowLongW+0x127
Minor       : USER32!DispatchMessageW+0xf
Minor       : IEFRAME!IEIsProtectedModeProcess+0x70f0
Minor       : IEFRAME!SetQueryNetSessionCount+0xffa6
Minor       : iertutil!Ordinal503+0x2cc
Minor       : kernel32!GetModuleFileNameA+0x1b4
Instruction Address: 0x000000000661eb23

Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at Flash6+0x000000000003eb23 (Hash=0x2cfecef0.0x8e10d8c5)

User mode write access violations that are not near NULL are exploitable.

0:008> ub
Flash6+0x3eb12:
0661eb12 7426            je      Flash6+0x3eb3a (0661eb3a)
0661eb14 8d4fff          lea     ecx,[edi-1]
0661eb17 8d5004          lea     edx,[eax+4]
0661eb1a 8938            mov     dword ptr [eax],edi
0661eb1c 3bcb            cmp     ecx,ebx
0661eb1e 8bc2            mov     eax,edx
0661eb20 7c13            jl      Flash6+0x3eb35 (0661eb35)
0661eb22 41              inc     ecx

0:008> kvn3
 # ChildEBP RetAddr  Args to Child             
WARNING: Stack unwind information not available. Following frames may be wrong.
00 035cf820 06619f44 06af6e50 06882058 068a8000 Flash6+0x3eb23
01 035cfbe0 0661c1d1 00000000 06af3300 06882050 Flash6+0x39f44
02 035cfc20 0663ab1b 00000001 035cfc4c 035cfc7c Flash6+0x3c1d1
0:008> .logclose
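
As an added example (not part of the original post), a small Python triage helper that parses the `.exr -1` record and the `r` register line from the session above, applies the one rule !exploitable prints ("write access violations that are not near NULL are exploitable"), and cross-checks the log: the fault address must be eax+8 for `mov dword ptr [eax+8],ebx`, and the loop counter (ecx, seeded from edi) and the advancing pointer (eax, seeded from edx) must agree on how many 16-byte stores completed before the fault. The near-NULL cutoff is an assumption; the page does not state the tool's exact value.

```python
import re

# Constructed sample input, copied from the WinDbg session for poc #1 above
# (the ".exr -1" record and the "r" register line).
EXR_SAMPLE = """\
ExceptionAddress: 0661eb23 (Flash6+0x0003eb23)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 2b07100c
Attempt to write to address 2b07100c
"""
REG_SAMPLE = "eax=2b071004 ebx=00000000 ecx=1fffff05 edx=1b070044 esi=06af6e50 edi=21000001"

# Assumed cutoff for "near NULL"; the page does not state the tool's exact value.
NEAR_NULL_LIMIT = 0x10000

def parse_exr(text):
    """Return (exception code, is_write, fault address) from a '.exr' record."""
    grab = lambda key: int(re.search(key + r":\s*([0-9a-fA-F]+)", text).group(1), 16)
    # Parameter[0] of an access violation: 0 = read, 1 = write, 8 = execute (DEP)
    return grab("ExceptionCode"), grab(r"Parameter\[0\]") == 1, grab(r"Parameter\[1\]")

def parse_regs(line):
    """Parse a WinDbg 'r' line into {register: value}."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"([a-z]+)=([0-9a-fA-F]{8})", line)}

def classify(code, is_write, addr):
    """Only the rule quoted by !exploitable above: a write AV away from NULL is exploitable."""
    if code != 0xC0000005:
        return "UNKNOWN"
    if is_write:
        return "EXPLOITABLE" if addr >= NEAR_NULL_LIMIT else "PROBABLY_NOT_EXPLOITABLE"
    return "UNKNOWN"          # read/execute AVs need further rules or manual review

def triage(exr_text, reg_line):
    code, is_write, addr = parse_exr(exr_text)
    r = parse_regs(reg_line)
    # Faulting instruction is "mov dword ptr [eax+8],ebx": the AV address must be eax+8.
    # From the "ub"/"u eip" listings: ecx = edi-1, inc ecx, then per 16-byte entry
    # eax += 0x10 and dec ecx; eax entered the loop holding edx. So ecx and eax
    # independently give the number of stores completed before the fault.
    return {
        "verdict": classify(code, is_write, addr),
        "addr_is_eax_plus_8": r["eax"] + 8 == addr,
        "iters_by_ecx": r["edi"] - r["ecx"],
        "iters_by_eax": (r["eax"] - r["edx"]) // 0x10,
        "entries_intended": r["edi"],   # what the counter says the loop will write
    }

if __name__ == "__main__":
    for key, val in triage(EXR_SAMPLE, REG_SAMPLE).items():
        print(key, hex(val) if type(val) is int else val)
```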

-------------------------------------------------------------------------------------------
Now it's time for 'probably exploitable'; enjoy the second PoC.

The 3rd PoC, which !analyze identified as 'not exploitable', is here.
-------------------------------------------------------------------------------------------
By the way, if you would like to see more details in the details.txt files, let me know.
Also, maybe I'm doing something wrong during debugging; feel free to send me some hints.
I will appreciate it.

Thanks,
cheers

