_g_
August 19th, 2008, 08:50
can be used as an "anti" trick ;p
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
- - Orange Bat advisory -
Name : PEiD v0.94 exe File Parsing DoS
Class : DoS
Published : 2008-08-18
Credit : g_ (g_ # orange-bat # com)
- - Details -
When parsing .exe files, PEiD will allocate memory to hold the
file content. Size of this memory chunk will be divisible by
0x1000 (4KB). If the file size is a multiple of 4KB and if
the import table is located at the end of the file, import parsing
procedure could try to read data off the heap -- to check if
there are more valid import descriptors, memory pointer is advanced
without bounds checking and this leads to access violation:
.text:0043958B loc_43958B:
.text:0043958B mov eax, [esi+10h] ;Oooops!
.text:0043958E add esi, 14h
.text:00439591 cmp eax, ebx
.text:00439593 mov [esp+60h+var_4C], esi
.text:00439597 jnz loc_4393FE
Exe file can still run normally after modifying the IAT btw, see POC.
- - Proof of concept -
http://www.orange-bat.com/adv/2008/poc.08.18.peid.rar
- - PGP -
All advisories from Orange Bat are signed. You can find our public
key here: http://www.orange-bat.com/g_.asc
- - Disclaimer -
This document and all the information it contains is provided "as is",
without any warranty. Orange Bat is not responsible for the
misuse of the information provided in this advisory. The advisory is
provided for educational purposes only.
Permission is hereby granted to redistribute this advisory, providing
that no changes are made and that the copyright notices and
disclaimers remain intact.
(c) 2008 www.orange-bat.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (MingW32) - GPGshell v3.70
iEYEARECAAYFAkiokJkACgkQIUHRVUfOLgUCcgCgxI1B4xeCqOV8prG6CisbRcTV
ZZ8An1HSq/W4+Gx6gI9UeNCPqgwmo6jU
=Ddln
-----END PGP SIGNATURE-----
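Added example, not code from the advisory or from PEiD: a bounds-checked version of the descriptor walk quoted above, in C, run against a constructed 0x1000-byte "file" whose import table ends exactly at end-of-file. The function names (count_import_descriptors, walk_sample, demo_*) are my own; the 0x14 descriptor size and the FirstThunk offset 0x10 are the real IMAGE_IMPORT_DESCRIPTOR layout the disassembly is stepping through.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* IMAGE_IMPORT_DESCRIPTOR is 0x14 bytes; FirstThunk sits at +0x10.  The PEiD
 * loop quoted above reads that field ([esi+10h]) and steps esi by 14h until it
 * finds a zero, with no check that esi is still inside the file buffer. */
#define IMPORT_DESC_SIZE 0x14u
#define FIRST_THUNK_OFF  0x10u
#define FILE_SIZE        0x1000u   /* exactly one 4KB chunk: no slack after the data */

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }

/* Walk the import table at file offset `start` within `size` bytes of data.
 * Returns the number of descriptors before the null terminator, or -1 when the
 * next descriptor would lie outside the buffer (hypothetical hardened form of
 * the loop quoted in the advisory; `size` is the file size, not the rounded
 * allocation size, so slack bytes are never treated as data). */
int count_import_descriptors(const uint8_t *buf, size_t size, size_t start) {
    size_t off = start;
    int n = 0;
    for (;;) {
        if (off > size || size - off < IMPORT_DESC_SIZE)
            return -1;                                  /* would read off the end */
        if (rd32(buf + off + FIRST_THUNK_OFF) == 0)
            return n;                                   /* null descriptor ends table */
        n++;
        off += IMPORT_DESC_SIZE;                        /* the "add esi, 14h" step */
    }
}

/* Constructed sample: a 0x1000-byte "file" whose import table sits at the very
 * end, with `ndesc` non-null descriptors and optionally no null terminator. */
static int walk_sample(int ndesc, int terminated) {
    static uint8_t file[FILE_SIZE];
    memset(file, 0, sizeof file);
    size_t table_bytes = (size_t)(ndesc + (terminated ? 1 : 0)) * IMPORT_DESC_SIZE;
    size_t start = FILE_SIZE - table_bytes;
    for (int i = 0; i < ndesc; i++) {
        uint32_t thunk = 0x3000 + 0x100 * (uint32_t)i;  /* any non-zero RVA */
        memcpy(file + start + i * IMPORT_DESC_SIZE + FIRST_THUNK_OFF, &thunk, 4);
    }
    return count_import_descriptors(file, FILE_SIZE, start);
}

/* A terminated table parses; an unterminated one at EOF is rejected instead of
 * being read past the end of the 4KB chunk, which is what PEiD 0.94 does. */
int demo_terminated(void)   { return walk_sample(2, 1); }  /* returns 2  */
int demo_unterminated(void) { return walk_sample(2, 0); }  /* returns -1 */
```

The check has to be made against the file size rather than the 0x1000-rounded allocation: with a non-multiple-of-4KB file the zeroed slack hides the missing terminator, which is why the bug only shows up at exact multiples.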