Hi! I'm super new to reverse engineering / exploit development, so I'm really not sure if this is important. I'm still digging through it and trying to understand, but thought I would post a report here. If you don't think this is a bug, please feel free to close this issue.
Below is the source code of a simple heap corruption PoC I am playing with:
While I was experimenting with triaging using BugId, I saw this. Notice the first two crashes behave as expected, and the final crash seems to crash cBugId itself?
C:\win7x64-vm\exploitdev_exp\BugId>C:\Python27\python.exe BugId.py "C:\heap-exploitable-1.exe" AAAAAAA
+ The debugger is starting the application...
Command line: C:\heap-exploitable-1.exe AAAAAAA
+ The application was started successfully and is running...
* T+0.0 The application is suspended...
* And resumed...
* T+0.0 The application is suspended...
* T+0.0 One of the main processes has terminated, stopping...
=== BugId report (https://github.com/SkyLined/BugId) =========================
Id: None
Description: The application terminated before a bug was detected.
Application time: 0.004 seconds
BugId overhead: 0.037 seconds
BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
This version of BugId is provided free of charge for non-commercial use only.
If you find it useful and would like to make a donation, you can send bitcoin
to 183yyxa9s1s1f7JBpPHPmzQ346y91Rx5DX. Please contact the author if you wish to
use BugId commercially. Contact and licensing information can be found at
https://github.com/SkyLined/BugId#license.
C:\win7x64-vm\exploitdev_exp\BugId>C:\Python27\python.exe BugId.py "C:\heap-exploitable-1.exe" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The debugger is starting the application...
Command line: C:\heap-exploitable-1.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The application was started successfully and is running...
* T+0.0 The application is suspended...
* And resumed...
* T+0.0 The application is suspended...
=== BugId report (https://github.com/SkyLined/BugId) =========================
Id: Breakpoint aca.501
Location: image00000000`00400000!ntdll32.dll!RtlpBreakPointHeap
Description: WOW64 breakpoint (code 0x4000001F)
Version: image00000000`00400000 Sun Dec 14 19:03:00 2014 (548E3344) (x86)
ntdll32.dll 6.1.7601.17514 (x86)
Security impact: Denial of Service
Application time: 0.0 seconds
BugId overhead: 1.099 seconds
Bug report: Breakpoint aca.501 @ image00000000`00400000!ntdll32.dll!RtlpBreakPointHeap.html
(33739 bytes)
BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
This version of BugId is provided free of charge for non-commercial use only.
If you find it useful and would like to make a donation, you can send bitcoin
to 183yyxa9s1s1f7JBpPHPmzQ346y91Rx5DX. Please contact the author if you wish to
use BugId commercially. Contact and licensing information can be found at
https://github.com/SkyLined/BugId#license.
C:\win7x64-vm\exploitdev_exp\BugId>C:\Python27\python.exe BugId.py "C:\heap-exploitable-1.exe" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The debugger is starting the application...
Command line: C:\heap-exploitable-1.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The application was started successfully and is running...
* T+0.0 The application is suspended...
* And resumed...
* T+0.0 The application is suspended...
--------------------------------------------------------------------------------
- An error has occured in cBugId, which cannot be handled:
AssertionError('Unexpected TEB info header:Wow64 TEB32 at 000000007efdd000
Wow64 TEB32 at 000000007efdd000
*************************************************************************
***                                                                   ***
***                                                                   ***
***    Your debugger is not using the correct symbols                 ***
***                                                                   ***
***    In order for this command to work properly, your symbol path   ***
***    must point to .pdb files that have full type information.      ***
***                                                                   ***
***    Certain .pdb files (such as the public OS symbols) do not      ***
***    contain the required information.  Contact the group that      ***
***    provided you with these symbols if you need this command to    ***
***    work.                                                          ***
***                                                                   ***
***    Type referenced: wow64!_TEB32                                  ***
***                                                                   ***
*************************************************************************
error InitTypeRead( wow64!_TEB32 )...


Wow64 TEB at 000000007efdb000
    ExceptionList:        000000007efdd000
    StackBase:            000000000008fd20
    StackLimit:           000000000008c000
    SubSystemTib:         0000000000000000
    FiberData:            0000000000001e00
    ArbitraryUserPointer: 0000000000000000
    Self:                 000000007efdb000
    EnvironmentPointer:   0000000000000000
    ClientId:             000000000000079c . 000000000000090c
    RpcHandle:            0000000000000000
    Tls Storage:          0000000000000000
    PEB Address:          000000007efdf000
    LastErrorValue:       2
    LastStatusValue:      0
    Count Owned Locks:    0
    HardErrorMode:        0',)
BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
--------------------------------------------------------------------------------
Please report this issue at the below web-page so it can be addressed:
https://github.com/SkyLined/BugId/issues/new
If you do not have a github account, or you want to report this issue
privately, you can also send an email to:
BugId@skylined.nl
In your report, please copy all the information about the error reported
above, as well as the version information. This makes it easier to determine
the cause of this issue. I will try to address the issues as soon as
possible. Thank you in advance for helping to improve BugId!
BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
This version of BugId is provided free of charge for non-commercial use only.
If you find it useful and would like to make a donation, you can send bitcoin
to 183yyxa9s1s1f7JBpPHPmzQ346y91Rx5DX. Please contact the author if you wish to
use BugId commercially. Contact and licensing information can be found at
https://github.com/SkyLined/BugId#license.
Hope this helps. Anyway, as stated before:
Cheers!
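The reporter's PoC source did not survive on this page. The following is an added example, not the reporter's code and not part of BugId: a minimal heap-overflow pattern of the kind the three runs above exercise (a fixed-size heap chunk filled from argv[1] without a bounds check), shown beside a bounded copy. The chunk size `CHUNK_SIZE`, the function names and the `overflow_bytes` helper are assumptions for illustration. With an argument that fits, the program terminates cleanly (first run); with a longer one, the unchecked copy overwrites the neighbouring heap chunk header, which the Windows heap manager detects at `free()` and reports through `RtlpBreakPointHeap` when a debugger is attached (second run).

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed allocation size for the example; the original PoC's size is not on the page. */
#define CHUNK_SIZE 16

/* Vulnerable pattern: attacker-controlled input copied into a fixed-size heap chunk
   with no length check. Returns the number of bytes copied (strlen of the input).
   For inputs of CHUNK_SIZE or more bytes, strcpy writes past the chunk and corrupts
   the adjacent heap metadata; the heap manager notices that on free(). Only call
   this with inputs that fit unless you are running under a debugger on purpose. */
size_t copy_unchecked(const char *input) {
    char *chunk = malloc(CHUNK_SIZE);
    if (chunk == NULL) return 0;
    strcpy(chunk, input);          /* heap overflow when strlen(input) >= CHUNK_SIZE */
    size_t n = strlen(chunk);
    free(chunk);                   /* corrupted chunk header is detected here */
    return n;
}

/* Hardened form: refuse input that does not fit in the chunk including the NUL.
   Returns the number of bytes copied, or -1 if the input was rejected. */
long copy_checked(const char *input) {
    /* memchr bounds the scan to the chunk size, so an unterminated or overlong
       input can never be measured past what we are willing to store. */
    const char *nul = memchr(input, '\0', CHUNK_SIZE);
    if (nul == NULL) return -1;    /* no terminator within CHUNK_SIZE: too long */
    size_t len = (size_t)(nul - input);
    char *chunk = malloc(CHUNK_SIZE);
    if (chunk == NULL) return -1;
    memcpy(chunk, input, len + 1); /* len < CHUNK_SIZE, terminator included */
    free(chunk);
    return (long)len;
}

/* How many bytes the unchecked copy would write past the end of the chunk
   (0 means the input fits). Useful when sizing a triage input. */
size_t overflow_bytes(const char *input) {
    size_t needed = strlen(input) + 1;   /* payload plus NUL terminator */
    return needed > CHUNK_SIZE ? needed - CHUNK_SIZE : 0;
}

int main(int argc, char **argv) {
    if (argc < 2) {
        fprintf(stderr, "usage: %s <input>\n", argv[0]);
        return 2;
    }
    printf("input length %zu, would overflow chunk by %zu bytes\n",
           strlen(argv[1]), overflow_bytes(argv[1]));
    printf("bounded copy result: %ld\n", copy_checked(argv[1]));
    /* To reproduce the heap-check breakpoint under BugId, run the unchecked copy
       instead and pass an argument longer than CHUNK_SIZE - 1 bytes: */
    /* copy_unchecked(argv[1]); */
    return 0;
}
```

When triaging, start from `overflow_bytes` to pick inputs that land just past the chunk (metadata corruption caught at `free()`) versus far past it (arbitrary neighbouring data clobbered, which is what produced the third, less tidy crash above), and debug a 32-bit build with a 32-bit debugger so the TEB/PEB readers get the structures they expect.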
--isa=x86|x64
Use the x86 or x64 version of cdb to debug the application. The default is
to use the ISA of the OS. Applications build to run on x86 systems can be
debugged using the x64 version of cdb, but symbol resolution may fail and
results may vary. You are strongly encouraged to use the same ISA for the
debugger as the application. (ISA = Instruction Set Architecture)
Regardless of the workaround, BugId should not have crashed. However, I do believe the current code handles this correctly, so I am closing this bug. If you can still crash BugId this way, please reopen!