Microsoft Fax – Cover Page Editor 5.2.3790.3959 Double-Free Memory Corruption

• Exploit Database
• 12 阅读

• 作者： Luigi Auriemma
  日期： 2011-01-24
• 类别：

  • local
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/16024/

• Source: http://aluigi.org/adv/fxscover_1-adv.txt
  
  #######################################################################
  
   Luigi Auriemma
  
  Application:Microsoft Fax Cover Page Editor
  http://windows.microsoft.com/en-US/windows-vista/Create-or-edit-a-fax-cover-page
  Versions: <= 5.2.3790.3959
  Platforms:Windows
  Bug:double free
  Exploitation: local
  Date: 19 Jan 2011
  Author: Luigi Auriemma
  e-mail: aluigi@autistici.org
  web:aluigi.org
  
  
  #######################################################################
  
  
  1) Introduction
  2) Bug
  3) The Code
  4) Fix
  
  
  #######################################################################
  
  ===============
  1) Introduction
  ===============
  
  
  Fax Cover Page Editor is a program for the viewing and editing of
  various formats of fax cover files.
  
  
  #######################################################################
  
  ======
  2) Bug
  ======
  
  
  fxscover.exe is available on Windows after the installation of the Fax
  Service.
  
  The various "Text" elements have a 16bit field that seems used to index
  them and by default it has a negative value like 0x8001.
  By using a positive value major than 0 and lower than the total number
  of elements is possible to cause a problem during the freeing of the
  allocated object.
  
  The provided proof-of-concept demonstrates the possibility of executing
  code immediately after the acknoledgement of the initial message box
  when is called FXSCOVER!CDrawDoc::Remove by
  FXSCOVER!CDrawDoc::DeleteContents.
  
  Modifications:
  00005098 FE CC// code execution starts from here
  000093F5 01 04// 16bit in little endian
  000093F6 80 00
  
  Alternatively is also possible to exploit the bug when the program gets
  closed or another file is opened by modifying the 16 bit at offset
  0x94a5 instead of the one at 0x93f5, so that the file will be
  considered valid.
  
  
  #######################################################################
  
  ===========
  3) The Code
  ===========
  
  DoS:
  http://aluigi.org/poc/fxscover_1.cov
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/16024-fxscover_1.cov
  
  Bind Shell:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/fxscover_1_bind28876.zip
  
  
  #######################################################################
  
  ======
  4) Fix
  ======
  
  
  No fix.
  
  
  #######################################################################