#######################################################################

Luigi Auriemma

Application:  GenStat
              https://vsni.co.uk/software/genstat/
Versions:     <= 14.1.0.5943
Platforms:    Windows
Bugs:         A] array overflow with write2
              B] heap overflow
Exploitation: file
Date:         01 Oct 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

From vendor's homepage:
"all embracing data analysis tool, offering ease of use via our
comprehensive menu system reinforced with the flexibility of a
sophisticated programming language."
"For over 30 years we have employed, and continue to work with, leading
statisticians and scientists who help to create a package that succeeds
for both novice and expert users in academia, research and industry."

#######################################################################

=======
2) Bugs
=======

-----------------------------
A] array overflow with write2
-----------------------------

Array overflow during the handling of GWB (GenStat book) files: a
32-bit index taken from the file is used without a bounds check to
select a pointer from a table, so a NULL word can be written to an
arbitrary memory location:

  00630399  |> 8B46 24        MOV EAX,DWORD PTR DS:[ESI+24]     ; EAX controlled
  0063039C  |. 8B4E 08        MOV ECX,DWORD PTR DS:[ESI+8]
  0063039F  |. 8D0481         LEA EAX,DWORD PTR DS:[ECX+EAX*4]
  006303A2  |. 3938           CMP DWORD PTR DS:[EAX],EDI
  006303A4  |. 74 12          JE SHORT GenStat.006303B8
  006303A6  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
  006303A8  |. 05 A4040000    ADD EAX,4A4
  006303AD  |. 0FB708         MOVZX ECX,WORD PTR DS:[EAX]
  006303B0  |. 894D FC        MOV DWORD PTR SS:[EBP-4],ECX
  006303B3  |. 33C9           XOR ECX,ECX
  006303B5  |. 66:8908        MOV WORD PTR DS:[EAX],CX          ; write2

----------------
B] heap overflow
----------------

Through the text strings in the final part of GSH (GenStat SpreadSheet)
files it's possible to cause a heap overflow, with the consequent
freeing of arbitrary memory (write4). Each string is prefixed by a
signed 32-bit length read from the file; the loop only compares the
current offset with the size of the destination buffer, never the
offset plus the length, and a length of -1 leaves the offset unchanged
while the string counter still advances:

  0064D1C7  |> 3BBE 78040000  /CMP EDI,DWORD PTR DS:[ESI+478]
  0064D1CD  |. 7F 74          |JG SHORT GenStat.0064D243
  0064D1CF  |. FF75 08        |PUSH DWORD PTR SS:[EBP+8]
  0064D1D2  |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
  0064D1D5  |. 6A 01          |PUSH 1
  0064D1D7  |. 6A 04          |PUSH 4
  0064D1D9  |. 50             |PUSH EAX
  0064D1DA  |. E8 2F3B2600    |CALL GenStat.008B0D0E            ; read 32bit
  0064D1DF  |. 83C4 10        |ADD ESP,10
  0064D1E2  |. 85C0           |TEST EAX,EAX
  0064D1E4  |.^0F84 06FFFFFF  |JE GenStat.0064D0F0
  0064D1EA  |. 66:837D 0C 00  |CMP WORD PTR SS:[EBP+C],0
  0064D1EF  |. 74 0A          |JE SHORT GenStat.0064D1FB
  0064D1F1  |. 8D45 F4        |LEA EAX,DWORD PTR SS:[EBP-C]
  0064D1F4  |. 50             |PUSH EAX
  0064D1F5  |. E8 DD6AFFFF    |CALL GenStat.00643CD7
  0064D1FA  |. 59             |POP ECX
  0064D1FB  |> 837D F4 00     |CMP DWORD PTR SS:[EBP-C],0
  0064D1FF  |. 7E 1E          |JLE SHORT GenStat.0064D21F       ; I use the first one equal to -1
  0064D201  |. FF75 08        |PUSH DWORD PTR SS:[EBP+8]
  0064D204  |. 8B46 58        |MOV EAX,DWORD PTR DS:[ESI+58]
  0064D207  |. 6A 01          |PUSH 1
  0064D209  |. FF75 F4        |PUSH DWORD PTR SS:[EBP-C]        ; 0x61616161
  0064D20C  |. 03C7           |ADD EAX,EDI
  0064D20E  |. 50             |PUSH EAX
  0064D20F  |. E8 FA3A2600    |CALL GenStat.008B0D0E            ; overflow/corruption
  0064D214  |. 83C4 10        |ADD ESP,10
  0064D217  |. 85C0           |TEST EAX,EAX
  0064D219  |.^0F84 D1FEFFFF  |JE GenStat.0064D0F0
  0064D21F  |> FF86 74040000  |INC DWORD PTR DS:[ESI+474]
  0064D225  |. 8B45 F4        |MOV EAX,DWORD PTR SS:[EBP-C]
  0064D228  |. 43             |INC EBX
  0064D229  |. 3B5D F8        |CMP EBX,DWORD PTR SS:[EBP-8]
  0064D22C  |. 8D7C07 01      |LEA EDI,DWORD PTR DS:[EDI+EAX+1] ; 0 + -1 + 1 = 0
  0064D230  |.^7C 95          \JL SHORT GenStat.0064D1C7

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/genstat_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17931.zip

A] modified 32bit field at offset 0x46
B] modified 32bit field at offset 0x302 and added 'a's

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
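The following C program is an added example that is not part of Luigi Auriemma's advisory and is not GenStat code; the record layout, buffer sizes and sample byte strings are invented for illustration. It reconstructs the two checks that section 2 shows missing: for bug B, a reader of length-prefixed strings whose check mirrors the listing (only "offset > capacity" at 0064D1CD, then a read of the file-supplied length, with the offset advanced by len+1 at 0064D22C) beside a hardened check that rejects negative lengths and bounds offset+length; for bug A, a table lookup that validates the file-supplied index before it is used. The vulnerable variant only decides whether the read would be allowed, it never performs the out-of-bounds write.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Heap block the strings are appended to, playing the role of [ESI+58];
 * cap/off/count stand in for [ESI+478], EDI and [ESI+474]. */
typedef struct {
    char   *data;
    int32_t cap;
    int32_t off;
    int32_t count;
} strblock_t;

strblock_t *new_block(int32_t cap) {
    strblock_t *b = calloc(1, sizeof *b);
    if (!b) return NULL;
    b->data = calloc((size_t)cap, 1);
    if (!b->data) { free(b); return NULL; }
    b->cap = cap;
    return b;
}

void free_block(strblock_t *b) { if (b) { free(b->data); free(b); } }

/* Little-endian signed 32-bit read from the file image, refusing to run
 * past its end (the listing's "read 32bit" helper only fails on EOF). */
static int read_i32(const uint8_t *img, size_t n, size_t *pos, int32_t *out) {
    if (*pos > n || n - *pos < 4) return 0;
    uint32_t v = (uint32_t)img[*pos] | (uint32_t)img[*pos + 1] << 8 |
                 (uint32_t)img[*pos + 2] << 16 | (uint32_t)img[*pos + 3] << 24;
    *pos += 4;
    *out = (int32_t)v;
    return 1;
}

/* Decision logic of the listing: JG at 0064D1CD tests only off > cap,
 * JLE at 0064D1FF skips len <= 0, anything else is read as-is. */
int vulnerable_read_allowed(int32_t off, int32_t len, int32_t cap) {
    if (off > cap) return 0;
    return len > 0;
}

/* Offset advance of the listing (LEA EDI,[EDI+EAX+1] at 0064D22C):
 * a length of -1 leaves the offset where it was. */
int32_t vulnerable_next_offset(int32_t off, int32_t len) {
    return off + len + 1;
}

/* Hardened check: no negative lengths, and room for the string plus its
 * terminator; cap - off cannot overflow once off <= cap is established. */
int hardened_read_allowed(int32_t off, int32_t len, int32_t cap) {
    if (off < 0 || len < 0 || cap < 0 || off > cap) return 0;
    return len <= cap - off - 1;
}

/* Parse `nstr` length-prefixed strings from `img` into `blk` using the
 * hardened check. Returns the number of strings stored, or -1 on the
 * first length that would overrun the block or the file image. */
int parse_strings(const uint8_t *img, size_t n, int32_t nstr, strblock_t *blk) {
    size_t pos = 0;
    for (int32_t i = 0; i < nstr; i++) {
        int32_t len;
        if (!read_i32(img, n, &pos, &len)) return -1;
        if (!hardened_read_allowed(blk->off, len, blk->cap)) return -1;
        if ((size_t)len > n - pos) return -1;            /* truncated image */
        memcpy(blk->data + blk->off, img + pos, (size_t)len);
        blk->data[blk->off + len] = '\0';
        pos += (size_t)len;
        blk->off += len + 1;
        blk->count++;
    }
    return blk->count;
}

/* Bug A analogue: a file-supplied 32-bit index selects a record pointer
 * (LEA EAX,[ECX+EAX*4] at 0063039F). Compare it unsigned against the
 * table length before dereferencing, so negative values fail too. */
const char *lookup_record(const char *const *table, uint32_t n, int32_t idx) {
    if ((uint32_t)idx >= n) return NULL;
    return table[(uint32_t)idx];
}

/* Constructed sample images (not real GSH files). */
static const uint8_t kBenign[] = {
    5, 0, 0, 0, 'h', 'e', 'l', 'l', 'o',
    5, 0, 0, 0, 'w', 'o', 'r', 'l', 'd'
};
static const uint8_t kMalicious[] = {
    0xFF, 0xFF, 0xFF, 0xFF,                 /* len = -1: skipped, offset stays 0 */
    'a', 'a', 'a', 'a',                     /* len = 0x61616161 */
    'a', 'a', 'a', 'a', 'a', 'a', 'a', 'a'
};

int main(void) {
    strblock_t *b = new_block(64);
    printf("benign: %d strings stored\n", parse_strings(kBenign, sizeof kBenign, 2, b));
    free_block(b);
    b = new_block(64);
    printf("malicious: %d (rejected)\n", parse_strings(kMalicious, sizeof kMalicious, 2, b));
    printf("listing would read 0x61616161 bytes at offset %d: %d\n",
           vulnerable_next_offset(0, -1),
           vulnerable_read_allowed(vulnerable_next_offset(0, -1), 0x61616161, 64));
    free_block(b);
    return 0;
}
```

Running it shows the benign image storing two strings, the hardened parser rejecting the malicious image at its first length, and the listing's own check accepting a 0x61616161-byte read at offset 0, which is the write past the end of the heap block the advisory describes.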