Immunity Debugger 1.85 - Crash (PoC)

EDB-ID:

37526

CVE:

N/A

EDB Verified:

Author:

Arsyntex

Type:

dos

Exploit: /

Platform:

Windows

Date:

2015-07-08

Vulnerable App:

# Title: Immunity Debugger - Crash
# Date: 08/07/2015
# Author: Arsyntex
# Vendor Homepage: http://www.immunityinc.com/products/debugger/
# Version: v1.85
# Tested on: Windows 8.1 Pro

Incorrect path/file EXtEnsion parsing.

-Create folder with the name: .exe.exe and put any program inside and try debug it.
-Try to debug an executable with the name: test.exe.exe or lib.exe.dll

The "OpenEXEfile" function does not check if the return value of strchr() is zero.
----------------------------------------------------------------------------------
 loc_4B8182:

      mov     [esp+10h+var_10], edi
      add     edi, 4
      mov     [esp+10h+var_C], 20h
      mov     [esp+10h+arg_24], eax
      call    strchr                 ; return EAX= 0
      mov     [esp+10h+var_10], eax
      mov     [esp+10h+arg_28], eax  ; (!)
      call    strlen                 ; ntdll.strlen(s)

---------------------------------------------------------------------
ntdll.strlen(s) - NULL parameter
---------------------------------------------------------------------
ntdll_strlen:

      mov     ecx, [esp+4]           ; [esp+4] = 0  NULL pointer
      test    ecx, 3                 ; ...
      jz      short loc_77C77510     ; jump
      ...

 loc_77C77510:

      mov     eax, [ecx]             ; Access Violation
---------------------------------------------------------------------

Tags:

Advisory/Source: Link

Databases	Links	Sites	Solutions
Exploits	Search Exploit-DB	OffSec	Courses and Certifications
Google Hacking	Submit Entry	Kali Linux	Learn Subscriptions
Papers	SearchSploit Manual	VulnHub	OffSec Cyber Range
Shellcodes	Exploit Statistics		Proving Grounds
			Penetration Testing Services