Microsoft WinDbg – ‘logviewer.exe’ Crash (PoC)

• Exploit Database
• 10 阅读

• 作者： hyp3rlinx
  日期： 2016-07-08
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/40074/

• [+] Credits: HYP3RLINX
  
  [+] Website: hyp3rlinx.altervista.org
  
  [+] Source:
  http://hyp3rlinx.altervista.org/advisories/MS-WINDBG-LOGVIEWER-BUFFER-OVERFLOW.txt
  
  [+] ISR: ApparitionSec
  
  
  Vendor:
  =================
  www.microsoft.com
  
  
  Product:
  ====================
  WinDbg logviewer.exe
  
  LogViewer (logviewer.exe), a tool that displays the logs created, part of
  WinDbg application.
  
  
  Vulnerability Type:
  ===================
  Buffer Overflow DOS
  
  
  Vulnerability Details:
  =====================
  
  Buffer overflow in WinDbg "logviewer.exe" when opening corrupted .lgv
  files. App crash then Overwrite of MMX registers etc...
  this utility belongs to Windows Kits/8.1/Debuggers/x86
  
  Read Access Violation / Memory Corruption
  Win32 API Log Viewer
  6.3.9600.17298
  Windbg x86
  logviewer.exe
  Log Viewer 3.01 for x86
  
  
  (5fb8.32fc): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for
  C:\Windows\syswow64\msvcrt.dll -
  eax=013dad30 ebx=005d0000 ecx=00000041 edx=00000000 esi=005d2000
  edi=013dcd30
  eip=754fa048 esp=0009f840 ebp=0009f848 iopl=0 nv up ei pl nz na pe
  nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b
  efl=00210206
  msvcrt!memmove+0x1ee:
  754fa048 660f6f06movdqaxmm0,xmmword ptr [esi]
  ds:002b:005d2000=????????????????????????????????
  
  gs 2b
  fs 53
  es 2b
  ds 2b
  edi 136cd30
  esi 7d2000
  ebx 7d0000
  edx 0
  ecx 41
  eax 136ad30
  ebp df750
  eip 754fa048
  cs 23
  efl 210206
  esp df748
  ss 2b
  dr0 0
  dr1 0
  dr2 0
  dr3 0
  dr6 0
  dr7 0
  di cd30
  si 2000
  bx 0
  dx 0
  cx 41
  ax ad30
  bp f750
  ip a048
  fl 206
  sp f748
  bl 0
  dl 0
  cl 41
  al 30
  bh 0
  dh 0
  ch 0
  ah ad
  fpcw 27f
  fpsw 4020
  fptw ffff
  fopcode 0
  fpip 76454c1e
  fpipsel 23
  fpdp 6aec2c
  fpdpsel 2b
  st0 -1.00000000000000e+000
  st1 -1.00000000000000e+000
  st2 -1.00000000000000e+000
  st3 9.60000000000000e+001
  st4 1.08506945252884e-004
  st5 -1.00000000000000e+000
  st6 0.00000000000000e+000
  st7 0.00000000000000e+000
  mm0 0:2:2:2
  mm1 0:0:2:202
  mm2 0:1:1:1
  mm3 c000:0:0:0
  mm4 e38e:3900:0:0
  mm5 0:0:0:0
  mm6 0:0:0:0
  mm7 0:0:0:0
  mxcsr 1fa0
  xmm0 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  xmm1 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  xmm2 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  xmm3 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  xmm4 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  xmm5 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  xmm6 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  xmm7 1.207843e+001: 1.207843e+001: 1.207843e+001: 1.207843e+001
  iopl 0
  of 0
  df 0
  if 1
  tf 0
  sf 0
  zf 0
  af 0
  pf 1
  cf 0
  vip 0
  vif 0
  xmm0l 4141:4141:4141:4141
  xmm1l 4141:4141:4141:4141
  xmm2l 4141:4141:4141:4141
  xmm3l 4141:4141:4141:4141
  xmm4l 4141:4141:4141:4141
  xmm5l 4141:4141:4141:4141
  xmm6l 4141:4141:4141:4141
  xmm7l 4141:4141:4141:4141
  xmm0h 4141:4141:4141:4141
  xmm1h 4141:4141:4141:4141
  xmm2h 4141:4141:4141:4141
  xmm3h 4141:4141:4141:4141
  xmm4h 4141:4141:4141:4141
  xmm5h 4141:4141:4141:4141
  xmm6h 4141:4141:4141:4141
  xmm7h 4141:4141:4141:4141
  xmm0/0 41414141
  xmm0/1 41414141
  xmm0/2 41414141
  xmm0/3 41414141
  xmm1/0 41414141
  xmm1/1 41414141
  xmm1/2 41414141
  xmm1/3 41414141
  xmm2/0 41414141
  xmm2/1 41414141
  xmm2/2 41414141
  xmm2/3 41414141
  xmm3/0 41414141
  xmm3/1 41414141
  xmm3/2 41414141
  xmm3/3 41414141
  xmm4/0 41414141
  xmm4/1 41414141
  xmm4/2 41414141
  xmm4/3 41414141
  xmm5/0 41414141
  xmm5/1 41414141
  xmm5/2 41414141
  xmm5/3 41414141
  xmm6/0 41414141
  xmm6/1 41414141
  xmm6/2 41414141
  xmm6/3 41414141
  xmm7/0 41414141
  xmm7/1 41414141
  xmm7/2 41414141
  xmm7/3 41414141
  
  
  Exploit code(s):
  ===============
  
  1) create.lgv file with bunch of 'A's length of 4096 overwrites XXM
  registers, ECX etc
  2) run from command line pipe the file to it to watch it crash and burn.
  
  ///////////////////////////////////////////////////////////////////////
  
  
  Disclosure Timeline:
  ===============================
  Vendor Notification: June 23, 2016
  Vendor acknowledged: July 1, 2016
  Vendor reply: Will not fix (stability issue)
  July 8, 2016 : Public Disclosure
  
  
  Severity Level:
  ================
  Low
  
  
  [+] Disclaimer
  The information contained within this advisory is supplied "as-is" with no
  warranties or guarantees of fitness of use or otherwise.
  Permission is hereby granted for the redistribution of this advisory,
  provided that it is not altered except by reformatting it, and
  that due credit is given. Permission is explicitly given for insertion in
  vulnerability databases and similar, provided that due credit
  is given to the author. The author is not responsible for any misuse of the
  information contained herein and accepts no responsibility
  for any damage caused by the use or misuse of this information. The author
  prohibits any malicious use of security related information
  or exploits by the author or elsewhere.
  
  HYP3RLINX