#######################################################################

                             Luigi Auriemma

Application:  EViews
              http://www.eviews.com
Versions:     <= 7.0.0.1 (aka 7.2)
Platforms:    Windows
Bugs:         A] memory corruption
              B] heap overflow
Exploitation: remote
Date:         19 Sep 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org

#######################################################################

1) Introduction
2) Bugs
3) The Code
4) Fix

#######################################################################

===============
1) Introduction
===============

EViews is a software for econometric and statistical analysis.

From vendor's website:
"Estimation, forecasting, statistical analysis, graphics, simulation,
data management, all in a powerful, graphical object-oriented interface."

#######################################################################

======
2) Bugs
======

--------------------
A] memory corruption
--------------------

The program uses a particular function for allocating memory for the
arrays used in the WF1 files.
In short, if the reallocation fails it's possible to write a memory
pointer and a NULL in the expected last two positions of the
"supposedly" reallocated array, with the possibility of corrupting
memory zones almost arbitrarily:

  00B1A2B0  /$  56                PUSH ESI                          ; value + 0x32
  00B1A2B1  |.  57                PUSH EDI
  00B1A2B2  |.  8B7C24 0C         MOV EDI,DWORD PTR SS:[ESP+C]
  00B1A2B6  |.  8BF1              MOV ESI,ECX
  00B1A2B8  |.  56                PUSH ESI
  00B1A2B9  |.  8D04BD 00000000   LEA EAX,DWORD PTR DS:[EDI*4]      ; value * 4 (unexploitable)
  00B1A2C0  |.  50                PUSH EAX
  00B1A2C1  |.  B9 38F8E600       MOV ECX,EViews7.00E6F838
  00B1A2C6  |.  E8 4527F7FF       CALL EViews7.00A8CA10             ; allocation
  ...
  00A8BB41  |.  897C39 FC         MOV DWORD PTR DS:[ECX+EDI-4],EDI  ; write4
  00A8BB45  |.  C70439 00000000   MOV DWORD PTR DS:[ECX+EDI],0      ; write4

----------------
B] heap overflow
----------------

Heap overflow/corruption (no additional analysis) during the handling
of the PRG files:

  00B90BF4  |.  8B1496            MOV EDX,DWORD PTR DS:[ESI+EDX*4]
  00B90BF7  |.  EB 07             JMP SHORT EViews7.00B90C00        ; EDX is controlled
  00B90BF9  |>  397A 04           /CMP DWORD PTR DS:[EDX+4],EDI     ; EDI is usually zero
  00B90BFC  |.  74 0E             |JE SHORT EViews7.00B90C0C
  00B90BFE  |.  8B12              |MOV EDX,DWORD PTR DS:[EDX]
  00B90C00  |>  85D2              TEST EDX,EDX
  00B90C02  |.^ 75 F5             \JNZ SHORT EViews7.00B90BF9
  00B90C04  |.  33C0              XOR EAX,EAX
  00B90C06  |>  5F                POP EDI
  00B90C07  |>  5E                POP ESI
  00B90C08  |.  5D                POP EBP
  00B90C09  |.  C2 0400           RETN 4
  00B90C0C  |>  8B42 08           MOV EAX,DWORD PTR DS:[EDX+8]      ; get the new value
  00B90C0F  \.^ EB F5             JMP SHORT EViews7.00B90C06
  ...
  00B295D8  |.  E8 EF750600       CALL EViews7.00B90BCC             ; the above function
  00B295DD  |.  85C0              TEST EAX,EAX
  00B295DF  |.  74 14             JE SHORT EViews7.00B295F5
  00B295E1  |.  8378 4C 00        CMP DWORD PTR DS:[EAX+4C],0
  00B295E5  |.  74 0E             JE SHORT EViews7.00B295F5
  00B295E7  |.  8B48 4C           MOV ECX,DWORD PTR DS:[EAX+4C]
  00B295EA  |.  8B01              MOV EAX,DWORD PTR DS:[ECX]
  00B295EC  |.  6A 00             PUSH 0
  00B295EE  |.  56                PUSH ESI
  00B295EF  |.  FF90 9C000000     CALL DWORD PTR DS:[EAX+9C]        ; code execution

The only "obstacle" to the exploitation could be EDI, handled at
address 00B54CE5, because sometimes it's zero and other times it isn't,
but my proof-of-concept and analysis are absolutely far from being
optimized, so there are for sure ways to control it better and bypass
the comparison.

#######################################################################

===========
3) The Code
===========

http://aluigi.org/poc/eviews_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17878.zip

#######################################################################

======
4) Fix
======

No fix.

#######################################################################
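Added example in C (not code from the advisory or from EViews): the allocation pattern described under bug A, an allocation whose result is never tested followed by writes into the expected last two slots, modelled with a constructed fault-injecting allocator beside a version that checks the result and the size computation before writing. All function and variable names are assumptions; the elements are pointer-sized here rather than the 32-bit DWORDs of the original target.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed fault injection: when nonzero the allocator returns NULL,
 * standing in for the failed reallocation the advisory describes. */
static int g_fail_alloc = 0;

static uintptr_t *grow_alloc(size_t count) {
    if (g_fail_alloc) return NULL;
    return (uintptr_t *)calloc(count, sizeof(uintptr_t));
}

/* Vulnerable shape (bug A): the allocation result is never tested, and a
 * pointer plus a 0 are written into the expected last two slots anyway.
 * On failure both writes go through NULL at offsets derived from count. */
uintptr_t *grow_unchecked(uintptr_t *old, size_t count) {
    uintptr_t *p = grow_alloc(count);
    p[count - 2] = (uintptr_t)old;   /* write4 */
    p[count - 1] = 0;                /* write4 */
    return p;
}

/* Hardened shape: reject sizes that cannot be represented, test the
 * allocation, and leave the caller's array untouched on failure (0/-1). */
int grow_checked(uintptr_t **arr, size_t count) {
    if (count < 2 || count > SIZE_MAX / sizeof(uintptr_t)) return -1;
    uintptr_t *p = grow_alloc(count);
    if (p == NULL) return -1;        /* nothing is written through a failed allocation */
    p[count - 2] = (uintptr_t)*arr;
    p[count - 1] = 0;
    free(*arr);
    *arr = p;
    return 0;
}

/* Driver: force the allocator to fail and confirm the caller's array
 * survives untouched. Returns 1 when the hardened path behaved. */
int demo_failed_growth(void) {
    uintptr_t *arr = (uintptr_t *)calloc(4, sizeof(uintptr_t));
    if (arr == NULL) return 0;
    arr[0] = 0x41;
    g_fail_alloc = 1;
    int rc = grow_checked(&arr, 8);
    g_fail_alloc = 0;
    int ok = (rc == -1 && arr[0] == 0x41);
    free(arr);
    return ok;
}
```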