Computer Security
[EN] securityvulns.ru
  WinHex editor buffer overflow

From: darkeagle <darkeagle_(at)_unl0ck.org>
Date: 14.04.2005
Subject: WinHex 12.05 SR-14 (maybe others)

WinHex 12.05 SR-14 (maybe others)

number: #18
author: darkeagle
mail: darkeagle [at] linkin-park [dot] cc || darkeagle [at] unl0ck [dot] org
date: 14.04.05
vendor: http://www.x-ways.net/

overview:

WinHex is a powerful hex editor for Win32 systems.

details:

I found a heap corruption bug in the latest version of WinHex (12.05).
When WinHex is given a very long filename as its first argument, it crashes.

Look at the code below:

...
XOR EAX,EAX
MOV BL,BYTE PTR DS:[EDX+EAX]
MOV BYTE PTR DS:[ECX+EAX],BL
INC EAX
CMP BYTE PTR DS:[EDX+EAX-1],0
...

PUSH EDX                                 ; argv2 <-- put arguments in stack registers ----|
PUSH EAX                                 ; argv1 <----------------------------------------
CALL <JMP.&kernel32.lstrcpynA>           ; lstrcpynA   <---- using strcpy() without checking...

There is the bug. After the crash, in a debugger you can see that the following registers were overwritten:

DS  = 0x61616161?
ECX = 0x61616161?
ESI = 0x61616161?

EIP now points to: 0x004EF55B (WinXP SP0 RUS)

004EF55B  |. 881C01         |MOV BYTE PTR DS:[ECX+EAX],BL

OK! This means that the instruction at 0x004EF55B tries to read from address 0x61616161 and then crashes.
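
The copy loop shown above, rewritten in C as an added example (this is not code from the advisory or from WinHex): copy_unbounded has the same shape as the disassembled loop, copying bytes until the NUL with no knowledge of the destination size, and copy_bounded is the lstrcpyn-style replacement that stops at dst_size - 1 bytes and reports truncation so the caller can reject an over-long argument. The 64-byte buffer size and the 300-character argument of 'a' (0x61, the byte value in the register dump) are assumptions constructed for the demo; the advisory does not state the real allocation size.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the fixed destination buffer. This value is an assumption made for
 * the demo; the advisory does not state the size of WinHex's allocation. */
#define ARG_BUF_SIZE 64

/* Byte-for-byte copy with the same shape as the disassembled loop in the
 * advisory: load a byte from src, store it to dst, advance, stop once the
 * NUL has been copied. It returns the number of bytes written, terminator
 * included, and knows nothing about how large dst is: that is the defect.
 * The demo only calls it with an arena large enough for the input, so the
 * demo itself stays memory-safe. */
size_t copy_unbounded(char *dst, const char *src)
{
    size_t i = 0;
    do {
        dst[i] = src[i];
    } while (src[i++] != '\0');
    return i;
}

/* Bounded copy with lstrcpyn-like semantics: at most dst_size - 1 bytes are
 * copied and dst is always NUL-terminated. Returns 1 when the input did not
 * fit (it was truncated), 0 otherwise, so the caller can reject the argument
 * instead of silently using a shortened filename. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    size_t i;
    if (dst_size == 0)
        return 1;
    for (i = 0; i + 1 < dst_size && src[i] != '\0'; i++)
        dst[i] = src[i];
    dst[i] = '\0';
    return src[i] != '\0';
}

/* Constructed input: a 300-character argument made of 'a' (0x61). */
#define LONG_ARG_LEN 300

static void make_long_arg(char *out)
{
    memset(out, 'a', LONG_ARG_LEN);
    out[LONG_ARG_LEN] = '\0';
}

/* Bytes the unbounded loop writes for the constructed argument. */
size_t demo_unbounded_bytes(void)
{
    char src[LONG_ARG_LEN + 1];
    char arena[LONG_ARG_LEN + 1];   /* deliberately large enough */
    make_long_arg(src);
    return copy_unbounded(arena, src);
}

/* Truncation flag when the same argument goes through the bounded copy
 * into an ARG_BUF_SIZE-byte buffer. */
int demo_bounded_truncated(void)
{
    char src[LONG_ARG_LEN + 1];
    char buf[ARG_BUF_SIZE];
    make_long_arg(src);
    return copy_bounded(buf, sizeof buf, src);
}

/* Length actually stored after the bounded copy of the long argument. */
size_t demo_bounded_len(void)
{
    char src[LONG_ARG_LEN + 1];
    char buf[ARG_BUF_SIZE];
    make_long_arg(src);
    copy_bounded(buf, sizeof buf, src);
    return strlen(buf);
}

/* Short argument: fits, is not truncated, and is copied intact. Returns 1
 * when both hold. */
int demo_bounded_short_ok(void)
{
    char buf[ARG_BUF_SIZE];
    int truncated = copy_bounded(buf, sizeof buf, "file.bin");
    return truncated == 0 && strcmp(buf, "file.bin") == 0;
}

int main(void)
{
    size_t n = demo_unbounded_bytes();
    printf("unbounded loop writes %zu bytes for a %d-byte buffer: %s\n",
           n, ARG_BUF_SIZE, n > ARG_BUF_SIZE ? "OVERFLOW" : "ok");
    printf("bounded copy: truncated=%d, stored length=%zu, short arg ok=%d\n",
           demo_bounded_truncated(), demo_bounded_len(), demo_bounded_short_ok());
    return 0;
}
```

The unbounded loop writes 301 bytes for the 300-character argument, far past a 64-byte destination; the bounded version stores 63 bytes and returns the truncation flag, which is the signal a caller should treat as "argument rejected" rather than "argument shortened".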

greetz:
unl0ckerz, nosystemz, rave, 0x333 { c0wboy :P }, lp, 'em etc..

(c) uKt Research
2004-2005
http://unl0ck.org

© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod