15 lines
No EOL
920 B
Text
15 lines
No EOL
920 B
Text
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=764
|
|
|
|
Packman is an obscure opensource executable packer that Comodo Antivirus attempts to unpack during scanning. The code is available online here:
|
|
|
|
http://packmanpacker.sourceforge.net/
|
|
|
|
If the compression method is set to algorithm 1, compression parameters are read directly from the input executable without validation. Fuzzing this unpacker revealed a variety of crashes due to this, such as causing pointer arithmetic in CAEPACKManUnpack::DoUnpack_With_NormalPack to move pksDeCodeBuffer.ptr to an arbitrary address, which allows an attacker to free() an arbitrary pointer.
|
|
|
|
This issue is obviously exploitable to execute code as NT AUTHORITY\SYSTEM.
|
|
|
|
The attached testcase will attempt to free() an invalid pointer to demonstrate this.
|
|
|
|
|
|
Proof of Concept:
|
|
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/39601.zip |