program analysis, reversing & exploit writing

Fun With Info-Leaks

This article is about information leaks in the form of memory disclosures, created in Internet Explorer 10 (32-bit) on Windows 7 64-bit, and used to bypass full ASLR and DEP to gain remote code execution. While the software containing the bug might not be that popular, it is quite nice what can be done with the bug.

Reading this article requires some familiarity with WinDbg, heap spraying, and info-leaks.

Hope you enjoy it.

The Bug

I discovered a vulnerability in an ActiveX control with the rather old-school tool COMRaider. The ActiveX control is a video plugin from X360 Software. Let's take a look at it with IDA Free 5.0.

The vulnerability is a simple buffer overflow in the data section of the VideoPlayer.ocx module, reachable through the plugin's exposed SetText method (sub_10002930). When a string is supplied to that method, the code at .text:1000298A and .text:10002991 copies it into a variable in the data section at .data:100916A8 without any bounds check: