Source: https://code.google.com/p/google-security-research/issues/detail?id=521 Fuzzing the ZIP file format found multiple memory corruption issues, some of which are obviously exploitable for remote code execution as NT AUTHORITY\SYSTEM on any system with Kaspersky Antivirus. This testcase should fault by jumping to an unmapped address (aac.fa4): Access violation - code c0000005 (first chance) First chance exceptions are reported before any exception handling. This exception may be expected and handled. eax=cccccccc ebx=00000000 ecx=01bc2974 edx=73a10002 esi=02e0a598 edi=5b2266bb eip=cccccccc esp=05dde330 ebp=05dde354 iopl=0 nv up ei pl nz na po nc cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010202 cccccccc ????? # where did that come from? 0:036> kvn 2 # ChildEBP RetAddrArgs to Child 00 05dde32c 739fd847 02e0a598 05dde370 00000000 0xcccccccc 01 05dde354 739fe438 01bc2974 002266bb 05dde370 prcore!PragueUnload+0x2687 0:036> ub 739fd847 L9 prcore!PragueUnload+0x2673: 739fd833 8b4d08mov ecx,dword ptr [ebp+8] 739fd836 8b7104mov esi,dword ptr [ecx+4] 739fd839 8975ecmov dword ptr [ebp-14h],esi 739fd83c 85f6testesi,esi 739fd83e 740ajeprcore!PragueUnload+0x268a (739fd84a) 739fd840 8b16mov edx,dword ptr [esi] 739fd842 8b02mov eax,dword ptr [edx] 739fd844 56pushesi 739fd845 ffd0calleax # that pointer is in edx 0:088> dd edx 739a0002cccccccc cccccccc cccccccc 8b55cccc 739a001277e95dec ccffffff cccccccc 8b55cccc 739a00220c4d8bec 8b04418b 42390855 501a7504 739a00320a8b018b d3e85150 83fffff9 c0850cc4 739a004201b80775 5d000000 5dc033c3 8b55ccc3 739a00520c4d8bec 8b04418b 42390855 501a7504 739a00620a8b018b 63e85150 83fffff9 c0850cc4 739a007201b80775 5d000000 5dc033c3 6c83ccc3 # So what is that? 0:088> !address edx Usage:Image Base Address: 73971000 End Address:739aa000 Region Size:00039000 State:00001000 MEM_COMMIT Protect:00000020 PAGE_EXECUTE_READ Type: 01000000 MEM_IMAGE Allocation Base:73970000 Allocation Protect: 00000080 PAGE_EXECUTE_WRITECOPY Image Path: C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll Module Name:prcore Loaded Image Name:C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 15.0.2\prcore.dll Mapped Image Name: 0:088> !chkimg prcore 0 errors : prcore # Hmm, so why is esi pointing there? 0:088> !address esi Mapping file section regions... Mapping module regions... Mapping PEB regions... Mapping TEB and stack regions... Mapping heap regions... Mapping page heap regions... Mapping other regions... Mapping stack trace database regions... Mapping activation context regions... Usage:Heap Base Address: 02a00000 End Address:02c33000 Region Size:00233000 State:00001000 MEM_COMMIT Protect:00000004 PAGE_READWRITE Type: 00020000 MEM_PRIVATE Allocation Base:02a00000 Allocation Protect: 00000004 PAGE_READWRITE More info:heap owning the address: !heap 0x4a0000 More info:heap segment More info:heap entry containing the address: !heap -x 0x2bf4760 0:088> !heap -x 0x2bf4760 Entry UserHeapSegment SizePrevSizeUnusedFlags ----------------------------------------------------------------------------- 02bf475802bf4760004a000002b00ac860-0LFH;free # So looks like an exploitable use after free vulnerability. Proof of Concept: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38736.zip
体验盒子
