扫码分享
验证:
体验盒子#######################################################################
Luigi Auriemma
Application:GenStat
Genstat
Versions: <= 14.1.0.5943
Platforms:Windows
Bugs: A] array overflow with write2
B] heap overflow
Exploitation: file
Date: 01 Oct 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web:aluigi.org
#######################################################################
1) Introduction
2) Bugs
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"all embracing data analysis tool, offering ease of use via our
comprehensive menu system reinforced with the flexibility of a
sophisticated programming language."
"For over 30 years we have employed, and continue to work with, leading
statisticians and scientists who help to create a package that succeeds
for both novice and expert users in academia, research and industry."
#######################################################################
=======
2) Bugs
=======
-----------------------------
A] array overflow with write2
-----------------------------
Array overflow during the handling of the GWB (GenStat book) files with
possibility of placing a NULL word in an arbitrary memory location:
00630399|> 8B46 24MOV EAX,DWORD PTR DS:[ESI+24] ; EAX controlled
0063039C|. 8B4E 08MOV ECX,DWORD PTR DS:[ESI+8]
0063039F|. 8D0481 LEA EAX,DWORD PTR DS:[ECX+EAX*4]
006303A2|. 3938 CMP DWORD PTR DS:[EAX],EDI
006303A4|. 74 12JE SHORT GenStat.006303B8
006303A6|. 8B00 MOV EAX,DWORD PTR DS:[EAX]
006303A8|. 05 A4040000ADD EAX,4A4
006303AD|. 0FB708 MOVZX ECX,WORD PTR DS:[EAX]
006303B0|. 894D FCMOV DWORD PTR SS:[EBP-4],ECX
006303B3|. 33C9 XOR ECX,ECX
006303B5|. 66:8908MOV WORD PTR DS:[EAX],CX; write2
----------------
B] heap overflow
----------------
Through the text strings in the final part of the GSH (GenStat
SpreadSheet) files it's possible to cause a heap overflow with
consequent freeing of arbitrary memory (write4):
0064D1C7|> 3BBE 78040000 /CMP EDI,DWORD PTR DS:[ESI+478]
0064D1CD|. 7F 74 |JG SHORT GenStat.0064D243
0064D1CF|. FF75 08 |PUSH DWORD PTR SS:[EBP+8]
0064D1D2|. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
0064D1D5|. 6A 01 |PUSH 1
0064D1D7|. 6A 04 |PUSH 4
0064D1D9|. 50|PUSH EAX
0064D1DA|. E8 2F3B2600 |CALL GenStat.008B0D0E ; read 32bit
0064D1DF|. 83C4 10 |ADD ESP,10
0064D1E2|. 85C0|TEST EAX,EAX
0064D1E4|.^0F84 06FFFFFF |JE GenStat.0064D0F0
0064D1EA|. 66:837D 0C 00 |CMP WORD PTR SS:[EBP+C],0
0064D1EF|. 74 0A |JE SHORT GenStat.0064D1FB
0064D1F1|. 8D45 F4 |LEA EAX,DWORD PTR SS:[EBP-C]
0064D1F4|. 50|PUSH EAX
0064D1F5|. E8 DD6AFFFF |CALL GenStat.00643CD7
0064D1FA|. 59|POP ECX
0064D1FB|> 837D F4 00|CMP DWORD PTR SS:[EBP-C],0
0064D1FF|. 7E 1E |JLE SHORT GenStat.0064D21F; I use the first one equal to -1
0064D201|. FF75 08 |PUSH DWORD PTR SS:[EBP+8]
0064D204|. 8B46 58 |MOV EAX,DWORD PTR DS:[ESI+58]
0064D207|. 6A 01 |PUSH 1
0064D209|. FF75 F4 |PUSH DWORD PTR SS:[EBP-C] ; 0x61616161
0064D20C|. 03C7|ADD EAX,EDI
0064D20E|. 50|PUSH EAX
0064D20F|. E8 FA3A2600 |CALL GenStat.008B0D0E ; overflow/corruption
0064D214|. 83C4 10 |ADD ESP,10
0064D217|. 85C0|TEST EAX,EAX
0064D219|.^0F84 D1FEFFFF |JE GenStat.0064D0F0
0064D21F|> FF86 74040000 |INC DWORD PTR DS:[ESI+474]
0064D225|. 8B45 F4 |MOV EAX,DWORD PTR SS:[EBP-C]
0064D228|. 43|INC EBX
0064D229|. 3B5D F8 |CMP EBX,DWORD PTR SS:[EBP-8]
0064D22C|. 8D7C07 01 |LEA EDI,DWORD PTR DS:[EDI+EAX+1]; 0 + -1 + 1 = 0
0064D230|.^7C 95 \JL SHORT GenStat.0064D1C7
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/genstat_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17931.zip
A] modified 32bit field at offset 0x46
B] modified 32bit field at offset 0x302 and added 'a's
#######################################################################
======
4) Fix
======
No fix.
#######################################################################
体验盒子
