Source: https://code.google.com/p/google-security-research/issues/detail?id=527
While fuzzing UPX packed files, this crash was discovered resulting in an arbitrary stack-relative write. This vulnerability is obviously remotely exploitable for remote code execution as NT AUTHORITY\SYSTEM.
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000001 ecx=f93900c7 edx=00000020 esi=00000001 edi=057b9d60
eip=15ea22da esp=0497eb2c ebp=0497ec80 iopl=0 nv up ei pl zr na pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010246
15ea22da 01840dbcfeffff add dword ptr [ebp+ecx-144h],eax ss:002b:fdd0ec03=????????
This decoding loop is trying to modify a value in a stack buffer with an attacker controlled index.
The index and Those values are taken verbatim from the input:
50 BC C7 00 39 F9 0F B6 47 FB F7 D8 01 04 24 39
C7 83 EF F1 8D 7F F2 80 7F FB 0A 89 E4 8B C9 8D
00 58 FC 90 8D 3F 77 D2 8D 36 8D 00 B8 54 C8 B4
F6 31 44 24 FC 8B 44 24 04 31 44 24 FC 75 A3 90
90 FC 90 FC 89 DB 9B FC 9B FC 83 E9 ED 83 C4 08
And the value being added is from here:
00 00 00 00 82 51 33 4D 00 00 A3 02 02 00 03 00
D8 01 00 80 38 00 00 80 EE 01 00 80 78 00 00 80
03 00 00 00 B8 00 00 80 0E 00 00 00 58 01 00 80
10 00 00 00 98 01 00 80 00 00 00 00 00 00 00 00
The bug is that the index is not verified, resulting in an arbitrary write. This is obviously exploitable for arbitrary code execution.
Proof of Concept:
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/38286.zip