Avast! - Heap Overflow Unpacking MoleBox Archives

EDB-ID:

38933

CVE:


EDB Verified:

Author:

Google Security Research

Type:

dos

Exploit:   /  

Platform:

Multiple

Date:

2015-12-10

Vulnerable App: 
Source: https://code.google.com/p/google-security-research/issues/detail?id=552

Trivial fuzzing of molebox archives revealed a heap overflow decrypting the packed image in moleboxMaybeUnpack. This vulnerability is obviously exploitable for remote arbitrary code execution as NT AUTHORITY\SYSTEM.

The attached testcase should cause heap corruption in AvastSvc.exe, please enable page heap if you have trouble reproducing. 

HEAP[AvastSvc.exe]: ZwAllocateVirtualMemory failed c0000018 for heap 00310000 (base 0E560000, size 0006B000)
(474.9f8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0e5cb478 ebx=0dd70000 ecx=0000d87f edx=0e55f080 esi=00310000 edi=00003bf8
eip=7731836b esp=0be6d338 ebp=0be6d364 iopl=0         nv up ei pl nz na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010206
ntdll!RtlpDeCommitFreeBlock+0x146:
7731836b 80780703        cmp     byte ptr [eax+7],3         ds:002b:0e5cb47f=??

#0  0xf702d588 in asw::root::NewDesCryptBlock(unsigned char*, unsigned int, unsigned char const*, bool, int) ()
#1  0xf702b009 in Mole_DecryptBuffer () from /proc/self/cwd/defs/15092301/engine.so
#2  0xf6f6a124 in moleboxMaybeUnpack(CFMap&, _PEEXE_INFO*, asw::root::CGenericFile*, _EXE_UNPACK_INFO*) () 
#3  0xf6f7630d in CPackWinExec::packGetNext(void*, ARCHIVED_FILE_INFO*) ()
#4  0xf6e8cdf3 in CAllPackers::GetNext(unsigned int, void*, ARCHIVED_FILE_INFO*) ()
#5  0xf6e76fc9 in CScanInfo::ProcessPackingReal(CObjectName&, CFMap&, _VIRUSDATAARRAY*, int&, unsigned int) ()
#6  0xf6e78bdd in CScanInfo::ProcessPacking(CObjectName&, unsigned int, unsigned int) ()
#7  0xf6e74fbd in CScanInfo::ProcessArea(CObjectName&, unsigned int, unsigned int) ()
#8  0xf6e752af in CScanInfo::ProcessTopArea(CObjectName&, unsigned int) ()
#9  0xf6e7d6db in avfilesScanRealMulti ()
#10 0xf6e81915 in avfilesScanReal ()
#11 0x0805d2a5 in avfilesScanReal ()
#12 0x0805498c in engine_scan ()

Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38933.zip
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services