You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Apr 20, 2023. It is now read-only.
The array offsets_to_Names is dynamically allocated on the stack using exp->NumberOfFunctions as its size (line 104). However, the loop starting at line 111 uses exp->NumberOfNames to iterate over it and set values at line 132. Therefore, this snippet assumes that exp->NumberOfFunctions is greater than ordinal at each iteration.
That condition may be followed by compilers, but not by hackers. What happens if I craft a PE file with ordinal greater than or equal to exp->NumberOfFunctions? Depending on the values, I am able to overwrite the return address of pe_exports function. On Windows 7 and Windows Server 2008 (systems on which I could produce higher impact), I may even use a ROP chain to get an arbitrary code execution.
Hello guys.
I have found a bug on
pe_exports
function fromexports.c
which allows me to exploitreadpe.exe
program frompev 0.81
(last release).The issue occurs on the following lines:
libpe/exports.c
Lines 104 to 132 in 07f90de
The array
offsets_to_Names
is dynamically allocated on the stack usingexp->NumberOfFunctions
as its size (line 104). However, the loop starting at line 111 usesexp->NumberOfNames
to iterate over it and set values at line 132. Therefore, this snippet assumes thatexp->NumberOfFunctions
is greater thanordinal
at each iteration.That condition may be followed by compilers, but not by hackers. What happens if I craft a PE file with
ordinal
greater than or equal toexp->NumberOfFunctions
? Depending on the values, I am able to overwrite the return address ofpe_exports
function. On Windows 7 and Windows Server 2008 (systems on which I could produce higher impact), I may even use a ROP chain to get an arbitrary code execution.I have recorded a PoC video to proof the exploitability of the bug on
readpe.exe
: https://drive.google.com/file/d/1zBH9ykgmHlnWQEBDIxwrYG8CTrHtUf26/view?usp=sharing.If you guys need any more details about the bug, I am at your disposal!
The text was updated successfully, but these errors were encountered: