#######################################################################
Luigi Auriemma
Application: NCSS (aka NCSS 2007)
http://www.ncss.com/ncss.html
Versions: <= 07.1.21
Platforms: Windows
Bug: array overflow with write2
Exploitation: file
Date: 28 Sep 2011
Author: Luigi Auriemma
e-mail: aluigi@autistici.org
web: aluigi.org
#######################################################################
1) Introduction
2) Bug
3) The Code
4) Fix
#######################################################################
===============
1) Introduction
===============
From vendor's homepage:
"NCSS has specialized in providing statistical analysis software to
researchers, businesses, and academic institutions."
#######################################################################
======
2) Bug
======
Through the S0 files it's possible to exploit various array overflow
vulnerabilities for writing the word 0xfffd in an arbitrary zone of the
memory.
The following is one of these bugs, from VCF132.dll:
1D044E91 |. 0FB750 06 ||MOVZX EDX,WORD PTR DS:[EAX+6] ; EDX controlled
1D044E95 |. 8B0491 ||MOV EAX,DWORD PTR DS:[ECX+EDX*4]
1D044E98 |. 8BCB ||MOV ECX,EBX
1D044E9A |. 66:C740 04 FDFF ||MOV WORD PTR DS:[EAX+4],0FFFD ; write2
For the other array overflows it's enough to search the 0xfffd constant
and all the operations like the above one.
#######################################################################
===========
3) The Code
===========
http://aluigi.org/poc/ncss_1.s0
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17903.s0
the 16bit value for EDX is located at offset 0x8bd.
#######################################################################
======
4) Fix
======
No fix.
#######################################################################