Kaspersky AntiVirus - ExeCryptor Parsing Memory Corruption

EDB-ID:

38282

CVE:

N/A


Platform:

Windows

Published:

2015-09-22

Source: https://code.google.com/p/google-security-research/issues/detail?id=525

Fuzzing packed executables found the attached crash, it might be usable as an information leak as part of another bug, so filing as a low-risk bug. If I had to guess, I would say this is the ExeCryptor unpacker.

(83c.fc0): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0b61f00c ebx=00030ff4 ecx=00000000 edx=00000000 esi=0409005c edi=00000000
eip=15cc7e73 esp=0441ecf8 ebp=0441ef18 iopl=0         nv up ei pl nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010217
15cc7e73 803c03e9        cmp     byte ptr [ebx+eax],0E9h    ds:002b:0b650000=??

What is that code doing?

0:021> u
15cc7e73 803c03e9        cmp     byte ptr [ebx+eax],0E9h
15cc7e77 0f8596000000    jne     15cc7f13
15cc7e7d 8b540301        mov     edx,dword ptr [ebx+eax+1]
15cc7e81 8d441a05        lea     eax,[edx+ebx+5]
15cc7e85 33c9            xor     ecx,ecx
15cc7e87 3d00100000      cmp     eax,1000h
15cc7e8c 0f9cc1          setl    cl
15cc7e8f 33d2            xor     edx,edx

That edx+ebx+5 gives it away, it's searching for a jmp opcode and trying to pull out the branch target.

Why did it get lost? I'll put a breakpoint there and see where it goes wrong:

0:021> bp @eip
0:021> .restart
Breakpoint 0 hit
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e73 esp=0497ebc4 ebp=0497ede4 iopl=0         nv up ei ng nz na po nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000282
15cc7e73 803c03e9        cmp     byte ptr [ebx+eax],0E9h    ds:002b:0584f00c=00

That looks fine, eax is the start of the buffer to search, and ebx is the index to look for a jmp opcode.

0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7e77 esp=0497ebc4 ebp=0497ede4 iopl=0         nv up ei pl nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000217
15cc7e77 0f8596000000    jne     15cc7f13                                [br=1]
0:024> t
eax=0584f00c ebx=00000000 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f13 esp=0497ebc4 ebp=0497ede4 iopl=0         nv up ei pl nz ac pe cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000217
15cc7f13 43              inc     ebx
0:024> t
eax=0584f00c ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f14 esp=0497ebc4 ebp=0497ede4 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000203
15cc7f14 8d47fb          lea     eax,[edi-5]
0:024> t
eax=fffffffb ebx=00000001 ecx=0497eb4c edx=00000000 esi=05a1005c edi=00000000
eip=15cc7f17 esp=0497ebc4 ebp=0497ede4 iopl=0         nv up ei pl nz na po cy
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00000203
15cc7f17 3bd8            cmp     ebx,eax


Ah, that's the bug, it's wrapping past zero and never exiting. The code is probably doing:

do {
 if (ptr[index] != JMP_OPCODE)
   index -= SIZEOF_JMP;
} while (index != 0);


That's a bug, because if index < SIZEOF_JMP, it will wrap and never exit. I would think it should decrement by 1 not sizeof(jmp) anyway, because jmps do not have to be aligned, but  I don't know anything about ExeCryptor - maybe it makes sense.

Proof of Concept:
https://github.com/offensive-security/exploitdb-bin-sploits/raw/master/bin-sploits/38282.zip