Kaspersky AntiVirus – PE Unpacking Integer Overflow

• Exploit Database
• 20 阅读

• 作者： Google Security Research
  日期： 2015-09-22
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38283/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=526
  
  Fuzzing of packed executables found the attached crash.
  
  0:022> g
  (83c.bbc): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
  eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010a06
  15de0bd2 8a843700040000mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??
  
  If I step through that address calculation:
  
  0:022> p
  eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000022 edi=0432005c
  eip=15de0d3a esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei pl zr na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000246
  15de0d3a 03f0add esi,eax
  0:022> p
  eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
  eip=15de0d3c esp=0bb4ee04 ebp=0bb4ee20 iopl=0 nv up ei ng nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000286
  15de0d3c 3b75f0cmp esi,dword ptr [ebp-10h] ss:002b:0bb4ee10=000003f1
  0:022> p
  eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
  eip=15de0d3f esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000a06
  15de0d3f 0f8c8dfeffffjl15de0bd2[br=1]
  0:022> p
  eax=00000005 ebx=04320481 ecx=7ffffffd edx=f50139ce esi=80000027 edi=0432005c
  eip=15de0bd2 esp=0bb4ee04 ebp=0bb4ee20 iopl=0 ov up ei pl nz na pe nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000a06
  15de0bd2 8a843700040000mov al,byte ptr [edi+esi+400h] ds:002b:84320483=??
  
  This looks like an integer overflow:
  
  int base;
  int index;
  
  if (base + index > argMaxSize)
   goto error;
  
  Because it's a signed comparison, 7ffffffd + 5 is
  
  0:022> ? ecx + eax
  Evaluate expression: -2147483646
  
  Which is less than 0x3f1, the size parameter. Those values are directly from the executable being scanned.
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38283.zip