Internet Explorer 8 (8.0.6001.18702) is prone to a remote denial of service: the browser process dies with an integer divide-by-zero (exception code 0xc0000094) at Flash6+0x2d0e0, inside the legacy Flash6.ocx ActiveX control (6.0.88.0) that mshtml loads into IEXPLORE.EXE. At the faulting idiv eax,ecx the divisor ecx is 0 while eax is 0x40; the remainder was about to be used as a dword index into two tables, but execution never gets that far. Note that !analyze -v buckets the crash as WRONG_SYMBOLS only because no symbols could be fetched for Flash6.ocx (see the "Failed calling InternetOpenUrl" line), so the Flash6 frames are export-relative offsets rather than real function names; the exception record and the disassembly carry the useful information. Below are the WinDbg session and a few details:
TL;DR
-------------------------------------------------------------------------------------------
Found by : code16@04.05.2016
-------------------------------------------------------------------------------------------
0:008> r
eax=00000040 ebx=06367160 ecx=00000000 edx=00000000 esi=06367160 edi=002b233c
eip=0670d0e0 esp=035cfb00 ebp=035cfb48 iopl=0 nv up ei pl zr na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
Flash6+0x2d0e0:
0670d0e0 f7f9 idiv eax,ecx
0:008> r eax,ecx
eax=00000040 ecx=00000000
0:008> kv
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
035cfb48 0670e709 06362050 06367160 0670e8a6 Flash6+0x2d0e0
035cfbc8 0670e927 00000003 00000000 06367160 Flash6+0x2e709
035cfc20 0673ab1b 00000001 035cfc4c 035cfc7c Flash6+0x2e927
035cfc98 637dda75 00000000 035cfd18 637dd948 Flash6!DllUnregisterServer+0xfb37
035cfca4 637dd948 05187a00 00000013 035cfd18 mshtml!Ordinal103+0x348a1
035cfd18 637dd842 002bbcb8 035cfd58 6364de62 mshtml!Ordinal103+0x34774
035cfd24 6364de62 002bbcb8 00000000 051a70f8 mshtml!Ordinal103+0x3466e
035cfd58 6363c3c5 035cfde0 6363c317 00000000 mshtml!DllGetClassObject+0xbdea5
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\USER32.dll -
035cfd78 7e418734 00030268 0000000e 00000000 mshtml!DllGetClassObject+0xac408
035cfda4 7e418816 6363c317 00030268 00008002 USER32!GetDC+0x6d
035cfe0c 7e4189cd 00000000 6363c317 00030268 USER32!GetDC+0x14f
035cfe6c 7e418a10 035cfe94 00000000 035cfeec USER32!GetWindowLongW+0x127
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\IEFRAME.dll -
035cfe7c 02562ec9 035cfe94 00000000 01be8200 USER32!DispatchMessageW+0xf
035cfeec 025048bf 002c83c0 00141000 00274318 IEFRAME!IEIsProtectedModeProcess+0x70f0
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\iertutil.dll -
035cffa4 5de05a60 01be8200 0012f9fc 035cffec IEFRAME!SetQueryNetSessionCount+0xffa6
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
035cffb4 7c80b713 00274318 00141000 0012f9fc iertutil!Ordinal503+0x2cc
035cffec 00000000 5de05a52 00274318 00000000 kernel32!GetModuleFileNameA+0x1b4
0:008> u eip
Flash6+0x2d0e0:
0670d0e0 f7f9 idiv eax,ecx
0670d0e2 8b4e04 mov ecx,dword ptr [esi+4]
0670d0e5 030e add ecx,dword ptr [esi]
0670d0e7 8bc2 mov eax,edx
0670d0e9 8b5728 mov edx,dword ptr [edi+28h]
0670d0ec c1e002 shl eax,2
0670d0ef 890c02 mov dword ptr [edx+eax],ecx
0670d0f2 8b4e18 mov ecx,dword ptr [esi+18h]
0:008> !analyze -v
(...)
Failed calling InternetOpenUrl, GLE=12007
FAULTING_IP:
Flash6+2d0e0
0670d0e0 f7f9 idiv eax,ecx
EXCEPTION_RECORD: ffffffff -- (.exr 0xffffffffffffffff)
.exr 0xffffffffffffffff
ExceptionAddress: 0670d0e0 (Flash6+0x0002d0e0)
ExceptionCode: c0000094 (Integer divide-by-zero)
ExceptionFlags: 00000000
NumberParameters: 0
FAULTING_THREAD: 00000628
DEFAULT_BUCKET_ID: WRONG_SYMBOLS
PROCESS_NAME: IEXPLORE.EXE
ADDITIONAL_DEBUG_TEXT: Use '!findthebuild' command to search for the target build information.If the build information is available, run '!findthebuild -s ; .reload' to set symbol path and load symbols.
MODULE_NAME: Flash6
FAULTING_MODULE: 7c900000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP: 44c8ff05
ERROR_CODE: (NTSTATUS) 0xc0000094 - {EXCEPTION} Integer division by zero.
EXCEPTION_CODE: (NTSTATUS) 0xc0000094 - {EXCEPTION} Integer division by zero.
MOD_LIST: <ANALYSIS/>
PRIMARY_PROBLEM_CLASS: WRONG_SYMBOLS
BUGCHECK_STR: APPLICATION_FAULT_WRONG_SYMBOLS
LAST_CONTROL_TRANSFER: from 0670e709 to 0670d0e0
STACK_TEXT:
WARNING: Stack unwind information not available. Following frames may be wrong.
035cfb48 0670e709 06362050 06367160 0670e8a6 Flash6+0x2d0e0
035cfbc8 0670e927 00000003 00000000 06367160 Flash6+0x2e709
035cfc20 0673ab1b 00000001 035cfc4c 035cfc7c Flash6+0x2e927
035cfc98 637dda75 00000000 035cfd18 637dd948 Flash6!DllUnregisterServer+0xfb37
035cfca4 637dd948 05187a00 00000013 035cfd18 mshtml!Ordinal103+0x348a1
035cfd18 637dd842 002bbcb8 035cfd58 6364de62 mshtml!Ordinal103+0x34774
035cfd24 6364de62 002bbcb8 00000000 051a70f8 mshtml!Ordinal103+0x3466e
035cfd58 6363c3c5 035cfde0 6363c317 00000000 mshtml!DllGetClassObject+0xbdea5
035cfd78 7e418734 00030268 0000000e 00000000 mshtml!DllGetClassObject+0xac408
035cfda4 7e418816 6363c317 00030268 00008002 USER32!GetDC+0x6d
035cfe0c 7e4189cd 00000000 6363c317 00030268 USER32!GetDC+0x14f
035cfe6c 7e418a10 035cfe94 00000000 035cfeec USER32!GetWindowLongW+0x127
035cfe7c 02562ec9 035cfe94 00000000 01be8200 USER32!DispatchMessageW+0xf
035cfeec 025048bf 002c83c0 00141000 00274318 IEFRAME!IEIsProtectedModeProcess+0x70f0
035cffa4 5de05a60 01be8200 0012f9fc 035cffec IEFRAME!SetQueryNetSessionCount+0xffa6
035cffb4 7c80b713 00274318 00141000 0012f9fc iertutil!Ordinal503+0x2cc
035cffec 00000000 5de05a52 00274318 00000000 kernel32!GetModuleFileNameA+0x1b4
FOLLOWUP_IP:
Flash6+2d0e0
0670d0e0 f7f9 idiv eax,ecx
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: Flash6+2d0e0
FOLLOWUP_NAME: MachineOwner
STACK_COMMAND: ~8s ; kb
BUCKET_ID: WRONG_SYMBOLS
IMAGE_NAME: C:\WINDOWS\system32\Macromed\Flash\Flash6.ocx
FAILURE_BUCKET_ID: WRONG_SYMBOLS_c0000094_C:_WINDOWS_system32_Macromed_Flash_Flash6.ocx!Unknown
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/IEXPLORE_EXE/8_0_6001_18702/49b3ad2e/Flash6_ocx/6_0_88_0/44c8ff05/c0000094/0002d0e0.htm?Retriage=1
Followup: MachineOwner
---------
0:008> !exploitable -v
!exploitable 1.6.0.0
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x670d0e0
First Chance Exception Type: STATUS_INTEGER_DIVIDE_BY_ZERO (0xC0000094)
Faulting Instruction:0670d0e0 idiv eax,ecx
Basic Block:
0670d0e0 idiv eax,ecx
Tainted Input operands: 'ax','dx','eax','ecx'
0670d0e2 mov ecx,dword ptr [esi+4]
0670d0e5 add ecx,dword ptr [esi]
0670d0e7 mov eax,edx
Tainted Input operands: 'edx'
0670d0e9 mov edx,dword ptr [edi+28h]
0670d0ec shl eax,2
0670d0ef mov dword ptr [edx+eax],ecx
Tainted Input operands: 'eax'
0670d0f2 mov ecx,dword ptr [esi+18h]
0670d0f5 sub ecx,dword ptr [esi+4]
0670d0f8 mov edx,dword ptr [edi+2ch]
0670d0fb mov dword ptr [edx+eax],ecx
Tainted Input operands: 'eax'
0670d0fe pop edi
0670d0ff pop esi
0670d100 ret
Tainted Input operands: 'eax'
Exception Hash (Major/Minor): 0x2cfecef0.0xb4d6764b
Hash Usage : Stack Trace:
Major+Minor : Flash6+0x2d0e0
Major+Minor : Flash6+0x2e709
Major+Minor : Flash6+0x2e927
Major+Minor : Flash6!DllUnregisterServer+0xfb37
Major+Minor : mshtml!Ordinal103+0x348a1
Minor : mshtml!Ordinal103+0x34774
Minor : mshtml!Ordinal103+0x3466e
Minor : mshtml!DllGetClassObject+0xbdea5
Minor : mshtml!DllGetClassObject+0xac408
Minor : USER32!GetDC+0x6d
Minor : USER32!GetDC+0x14f
Minor : USER32!GetWindowLongW+0x127
Minor : USER32!DispatchMessageW+0xf
Minor : IEFRAME!IEIsProtectedModeProcess+0x70f0
Minor : IEFRAME!SetQueryNetSessionCount+0xffa6
Minor : iertutil!Ordinal503+0x2cc
Minor : kernel32!GetModuleFileNameA+0x1b4
Instruction Address: 0x000000000670d0e0
Description: Integer Divide By Zero
Short Description: DivideByZero
Exploitability Classification: PROBABLY_NOT_EXPLOITABLE
Recommended Bug Title: Integer Divide By Zero starting at Flash6+0x000000000002d0e0 (Hash=0x2cfecef0.0xb4d6764b)
This is a divide by zero, and is probably not exploitable.
0:008> .exr -1
ExceptionAddress: 0670d0e0 (Flash6+0x0002d0e0)
ExceptionCode: c0000094 (Integer divide-by-zero)
ExceptionFlags: 00000000
NumberParameters: 0
0:008> .logclose
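To make the faulting basic block concrete, here is an added example (not code from the original post or from Flash6.ocx) that reconstructs in C what the instructions at Flash6+0x2d0e0 compute, and places the unchecked division next to the check that would have avoided the fault. The field names (f0, f4, f18), the table size, the struct layouts and the sample values are assumptions; the real Flash6 structures are unknown.

```c
/*
 * Added example (not code from the original post or from Flash6.ocx).
 * Reconstructs in C what the faulting basic block at Flash6+0x2d0e0 does:
 *
 *   idiv eax,ecx                 ; edx = eax % ecx, faults when ecx == 0
 *   mov  ecx,[esi+4] ; add ecx,[esi]
 *   mov  eax,edx ; mov edx,[edi+28h] ; shl eax,2
 *   mov  [edx+eax],ecx           ; table28[remainder] = f4 + f0
 *   mov  ecx,[esi+18h] ; sub ecx,[esi+4]
 *   mov  edx,[edi+2Ch]
 *   mov  [edx+eax],ecx           ; table2c[remainder] = f18 - f4
 *
 * Field names, the table size and the object layouts are assumptions.
 */
#include <stdint.h>
#include <stdio.h>

#define TABLE_SLOTS 16            /* assumed size of the tables behind [edi+28h]/[edi+2Ch] */

struct obj {                      /* what esi pointed at (layout assumed) */
    int32_t f0;                   /* [esi]     */
    int32_t f4;                   /* [esi+4]   */
    int32_t pad[4];               /* [esi+8..14h], unused here */
    int32_t f18;                  /* [esi+18h] */
};

struct ctx {                      /* what edi pointed at (layout assumed) */
    int32_t *table28;             /* [edi+28h]: dword array indexed by the remainder */
    int32_t *table2c;             /* [edi+2Ch]: dword array indexed by the remainder */
};

struct result { int32_t slot, t28, t2c; };

/* Vulnerable form: exactly the disassembled sequence. With divisor == 0 the
 * idiv raises #DE, reported by Windows as 0xc0000094
 * (STATUS_INTEGER_DIVIDE_BY_ZERO), and the process dies. In C the same
 * expression is undefined behaviour rather than a guaranteed trap. */
int32_t place_entry_unchecked(struct ctx *c, const struct obj *o,
                              int32_t dividend, int32_t divisor)
{
    int32_t slot = dividend % divisor;     /* idiv eax,ecx -> remainder in edx */
    c->table28[slot] = o->f4 + o->f0;
    c->table2c[slot] = o->f18 - o->f4;
    return slot;
}

/* Hardened form: refuse both inputs on which x86 idiv faults (a zero divisor
 * and the INT32_MIN / -1 quotient overflow), and bound the remainder before
 * using it as an index, since a signed remainder can be negative. */
int32_t place_entry_checked(struct ctx *c, const struct obj *o,
                            int32_t dividend, int32_t divisor)
{
    if (divisor == 0 || (dividend == INT32_MIN && divisor == -1))
        return -1;
    int32_t slot = dividend % divisor;
    if (slot < 0 || slot >= TABLE_SLOTS)
        return -1;
    c->table28[slot] = o->f4 + o->f0;
    c->table2c[slot] = o->f18 - o->f4;
    return slot;
}

/* Runs the checked variant on a constructed object/context (values chosen
 * here, not taken from the crash) and reports the slot and what was written. */
struct result run_checked(int32_t dividend, int32_t divisor)
{
    int32_t t28[TABLE_SLOTS] = {0}, t2c[TABLE_SLOTS] = {0};
    struct ctx c = { t28, t2c };
    struct obj o = { .f0 = 0x10, .f4 = 0x20, .f18 = 0x80 };
    struct result r = { place_entry_checked(&c, &o, dividend, divisor), 0, 0 };
    if (r.slot >= 0) { r.t28 = t28[r.slot]; r.t2c = t2c[r.slot]; }
    return r;
}

/* Same for the unchecked variant; calling it with divisor 0 reproduces the crash. */
struct result run_unchecked(int32_t dividend, int32_t divisor)
{
    int32_t t28[TABLE_SLOTS] = {0}, t2c[TABLE_SLOTS] = {0};
    struct ctx c = { t28, t2c };
    struct obj o = { .f0 = 0x10, .f4 = 0x20, .f18 = 0x80 };
    struct result r = { place_entry_unchecked(&c, &o, dividend, divisor), 0, 0 };
    r.t28 = t28[r.slot]; r.t2c = t2c[r.slot];
    return r;
}

int main(void)
{
    struct result r;
    r = run_checked(0x40, 0);      /* the crashing register state: eax=0x40, ecx=0 */
    printf("checked   0x40 %% 0 -> slot %d (rejected)\n", r.slot);
    r = run_checked(0x40, 7);
    printf("checked   0x40 %% 7 -> slot %d, table28=0x%x, table2c=0x%x\n", r.slot, r.t28, r.t2c);
    r = run_unchecked(0x40, 7);
    printf("unchecked 0x40 %% 7 -> slot %d\n", r.slot);
    return 0;
}
```

The checked variant covers the second way idiv can raise #DE (INT32_MIN divided by -1), which a plain zero test misses; whether the real code needs the index bound is unknown, since the table size behind [edi+28h] is not visible in the dump.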
-------------------------------------------------------------------------------------------
http://code610.blogspot.com/
-------------------------------------------------------------------------------------------
cheers