exploit-db-mirror/exploits/windows/dos/17931.txt

#######################################################################

                             Luigi Auriemma

Application:  GenStat
              http://www.vsni.co.uk/software/genstat/
Versions:     <= 14.1.0.5943
Platforms:    Windows
Bugs:         A] array overflow with write2
              B] heap overflow
Exploitation: file
Date:         01 Oct 2011
Author:       Luigi Auriemma
              e-mail: aluigi@autistici.org
              web:    aluigi.org


#######################################################################


1) Introduction
2) Bugs
3) The Code
4) Fix


#######################################################################

===============
1) Introduction
===============


From vendor's homepage:
"all embracing data analysis tool, offering ease of use via our
comprehensive menu system reinforced with the flexibility of a
sophisticated programming language."
"For over 30 years we have employed, and continue to work with, leading
statisticians and scientists who help to create a package that succeeds
for both novice and expert users in academia, research and industry."


#######################################################################

=======
2) Bugs
=======

-----------------------------
A] array overflow with write2
-----------------------------

Array overflow during the handling of the GWB (GenStat book) files with
possibility of placing a NULL word in an arbitrary memory location:

  00630399  |> 8B46 24        MOV EAX,DWORD PTR DS:[ESI+24] ; EAX controlled
  0063039C  |. 8B4E 08        MOV ECX,DWORD PTR DS:[ESI+8]
  0063039F  |. 8D0481         LEA EAX,DWORD PTR DS:[ECX+EAX*4]
  006303A2  |. 3938           CMP DWORD PTR DS:[EAX],EDI
  006303A4  |. 74 12          JE SHORT GenStat.006303B8
  006303A6  |. 8B00           MOV EAX,DWORD PTR DS:[EAX]
  006303A8  |. 05 A4040000    ADD EAX,4A4
  006303AD  |. 0FB708         MOVZX ECX,WORD PTR DS:[EAX]
  006303B0  |. 894D FC        MOV DWORD PTR SS:[EBP-4],ECX
  006303B3  |. 33C9           XOR ECX,ECX
  006303B5  |. 66:8908        MOV WORD PTR DS:[EAX],CX      ; write2


----------------
B] heap overflow
----------------

Through the text strings in the final part of the GSH (GenStat
SpreadSheet) files it's possible to cause a heap overflow with
consequent freeing of arbitrary memory (write4):

  0064D1C7  |> 3BBE 78040000 /CMP EDI,DWORD PTR DS:[ESI+478]
  0064D1CD  |. 7F 74         |JG SHORT GenStat.0064D243
  0064D1CF  |. FF75 08       |PUSH DWORD PTR SS:[EBP+8]
  0064D1D2  |. 8D45 F4       |LEA EAX,DWORD PTR SS:[EBP-C]
  0064D1D5  |. 6A 01         |PUSH 1
  0064D1D7  |. 6A 04         |PUSH 4
  0064D1D9  |. 50            |PUSH EAX
  0064D1DA  |. E8 2F3B2600   |CALL GenStat.008B0D0E             ; read 32bit
  0064D1DF  |. 83C4 10       |ADD ESP,10
  0064D1E2  |. 85C0          |TEST EAX,EAX
  0064D1E4  |.^0F84 06FFFFFF |JE GenStat.0064D0F0
  0064D1EA  |. 66:837D 0C 00 |CMP WORD PTR SS:[EBP+C],0
  0064D1EF  |. 74 0A         |JE SHORT GenStat.0064D1FB
  0064D1F1  |. 8D45 F4       |LEA EAX,DWORD PTR SS:[EBP-C]
  0064D1F4  |. 50            |PUSH EAX
  0064D1F5  |. E8 DD6AFFFF   |CALL GenStat.00643CD7
  0064D1FA  |. 59            |POP ECX
  0064D1FB  |> 837D F4 00    |CMP DWORD PTR SS:[EBP-C],0
  0064D1FF  |. 7E 1E         |JLE SHORT GenStat.0064D21F        ; I use the first one equal to -1
  0064D201  |. FF75 08       |PUSH DWORD PTR SS:[EBP+8]
  0064D204  |. 8B46 58       |MOV EAX,DWORD PTR DS:[ESI+58]
  0064D207  |. 6A 01         |PUSH 1
  0064D209  |. FF75 F4       |PUSH DWORD PTR SS:[EBP-C]         ; 0x61616161
  0064D20C  |. 03C7          |ADD EAX,EDI
  0064D20E  |. 50            |PUSH EAX
  0064D20F  |. E8 FA3A2600   |CALL GenStat.008B0D0E             ; overflow/corruption
  0064D214  |. 83C4 10       |ADD ESP,10
  0064D217  |. 85C0          |TEST EAX,EAX
  0064D219  |.^0F84 D1FEFFFF |JE GenStat.0064D0F0
  0064D21F  |> FF86 74040000 |INC DWORD PTR DS:[ESI+474]
  0064D225  |. 8B45 F4       |MOV EAX,DWORD PTR SS:[EBP-C]
  0064D228  |. 43            |INC EBX
  0064D229  |. 3B5D F8       |CMP EBX,DWORD PTR SS:[EBP-8]
  0064D22C  |. 8D7C07 01     |LEA EDI,DWORD PTR DS:[EDI+EAX+1]  ; 0 + -1 + 1 = 0
  0064D230  |.^7C 95         \JL SHORT GenStat.0064D1C7


#######################################################################

===========
3) The Code
===========


http://aluigi.org/poc/genstat_1.zip
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/17931.zip

A] modified 32bit field at offset 0x46
B] modified 32bit field at offset 0x302 and added 'a's


#######################################################################

======
4) Fix
======


No fix.


#######################################################################