Kaspersky AntiVirus – PE Unpacking Integer Overflow

• Exploit Database
• 113 阅读

• 作者： Google Security Research
  日期： 2015-09-22
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38283/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54

  Source: https://code.google.com/p/google-security-research/issues/detail?id=526   Fuzzing of packed executables found the attached crash.   0:022> g (83c.bbc): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010a06 15de0bd2 8a843700040000mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??   If I step through that address calculation:   0:022> p eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000022 edi=0432005c eip=15de0d3a esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei pl zr na pe nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000246 15de0d3a 03f0add esi,eax 0:022> p eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c eip=15de0d3c esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei ng nz na pe nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000286 15de0d3c 3b75f0cmp esi,dword ptr [ebp-10h] ss:002b:0bb4ee10=000003f1 0:022> p eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c eip=15de0d3f esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000a06 15de0d3f 0f8c8dfeffffjl15de0bd2[br=1] 0:022> p eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000a06 15de0bd2 8a843700040000mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??   This looks like an integer overflow:   int base; int index;   if (base + index > argMaxSize) goto error;   Because it's a signed comparison, 7ffffffd + 5 is   0:022> ? ecx + eax Evaluate expression: -2147483646   Which is less than 0x3f1, the size parameter. Those values are directly from the executable being scanned.   Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38283.zip