Avast! – Heap Overflow Unpacking MoleBox Archives

  • Author: Google Security Research
    Date: 2015-12-10
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/38933/
  • Source: https://code.google.com/p/google-security-research/issues/detail?id=552
    
    Trivial fuzzing of MoleBox archives revealed a heap overflow while decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.
    
    The attached testcase should cause heap corruption in AvastSvc.exe; please enable page heap if you have trouble reproducing.
    
    HEAP[AvastSvc.exe]: ZwAllocateVirtualMemory failed c0000018 for heap 00310000 (base 0E560000, size 0006B000)
    (474.9f8): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    eax=0e5cb478 ebx=0dd70000 ecx=0000d87f edx=0e55f080 esi=00310000 edi=00003bf8
    eip=7731836b esp=0be6d338 ebp=0be6d364 iopl=0 nv up ei pl nz na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
    ntdll!RtlpDeCommitFreeBlock+0x146:
    7731836b 80780703        cmp     byte ptr [eax+7],3      ds:002b:0e5cb47f=??
    
    #0  0xf702d588 in asw::root::NewDesCryptBlock(unsigned char*, unsigned int, unsigned char const*, bool, int) ()
    #1  0xf702b009 in Mole_DecryptBuffer () from /proc/self/cwd/defs/15092301/engine.so
    #2  0xf6f6a124 in moleboxMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) ()
    #3  0xf6f7630d in CPackWinExec::packGetNext(void*, ARCHIVED_FILE_INFO*) ()
    #4  0xf6e8cdf3 in CAllPackers::GetNext(unsigned int, void*, ARCHIVED_FILE_INFO*) ()
    #5  0xf6e76fc9 in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) ()
    #6  0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) ()
    #7  0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) ()
    #8  0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) ()
    #9  0xf6e7d6db in avfilesScanRealMulti ()
    #10 0xf6e81915 in avfilesScanReal ()
    #11 0x0805d2a5 in avfilesScanReal ()
    #12 0x0805498c in engine_scan ()
    
    Proof of Concept:
    https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38933.zip