Kaspersky AntiVirus – ExeCryptor Parsing Memory Corruption

• Exploit Database
• 12 阅读

• 作者： Google Security Research
  日期： 2015-09-22
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/38282/

• Source: https://code.google.com/p/google-security-research/issues/detail?id=525
  
  Fuzzing packed executables found the attached crash, it might be usable as an information leak as part of another bug, so filing as a low-risk bug. If I had to guess, I would say this is the ExeCryptor unpacker.
  
  (83c.fc0): Access violation - code c0000005 (first chance)
  First chance exceptions are reported before any exception handling.
  This exception may be expected and handled.
  eax=0b61f00c ebx=00030ff4 ecx=00000000 edx=00000000 esi=0409005c edi=00000000
  eip=15cc7e73 esp=0441ecf8 ebp=0441ef18 iopl=0 nv up ei pl nz ac pe cy
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00010217
  15cc7e73 803c03e9cmp byte ptr [ebx+eax],0E9hds:002b:0b650000=??
  
  What is that code doing?
  
  0:021> u
  15cc7e73 803c03e9cmp byte ptr [ebx+eax],0E9h
  15cc7e77 0f8596000000jne 15cc7f13
  15cc7e7d 8b540301mov edx,dword ptr [ebx+eax+1]
  15cc7e81 8d441a05lea eax,[edx+ebx+5]
  15cc7e85 33c9xor ecx,ecx
  15cc7e87 3d00100000cmp eax,1000h
  15cc7e8c 0f9cc1setlcl
  15cc7e8f 33d2xor edx,edx
  
  That edx+ebx+5 gives it away, it's searching for a jmp opcode and trying to pull out the branch target.
  
  Why did it get lost? I'll put a breakpoint there and see where it goes wrong:
  
  0:021> bp @eip
  0:021> .restart
  Breakpoint 0 hit
  eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
  eip=15cc7e73 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei ng nz na po nc
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000282
  15cc7e73 803c03e9cmp byte ptr [ebx+eax],0E9hds:002b:0584f00c=00
  
  That looks fine, eax is the start of the buffer to search, and ebx is the index to look for a jmp opcode.
  
  0:024> t
  eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
  eip=15cc7e77 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000217
  15cc7e77 0f8596000000jne 15cc7f13[br=1]
  0:024> t
  eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
  eip=15cc7f13 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz ac pe cy
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000217
  15cc7f13 43inc ebx
  0:024> t
  eax=0584f00c ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
  eip=15cc7f14 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000203
  15cc7f14 8d47fblea eax,[edi-5]
  0:024> t
  eax=fffffffb ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
  eip=15cc7f17 esp=0497ebc4 ebp=0497ede4 iopl=0 nv up ei pl nz na po cy
  cs=0023ss=002bds=002bes=002bfs=0053gs=002b efl=00000203
  15cc7f17 3bd8cmp ebx,eax
  
  
  Ah, that's the bug, it's wrapping past zero and never exiting. The code is probably doing:
  
  do {
   if (ptr[index] != JMP_OPCODE)
   index -= SIZEOF_JMP;
  } while (index != 0);
  
  
  That's a bug, because if index < SIZEOF_JMP, it will wrap and never exit. I would think it should decrement by 1 not sizeof(jmp) anyway, because jmps do not have to be aligned, butI don't know anything about ExeCryptor - maybe it makes sense.
  
  Proof of Concept:
  https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38282.zip