
Weird cBugId Crash - Heap Corruption Related #31

Closed
decidedlygray opened this issue Feb 3, 2017 · 2 comments

Comments

@decidedlygray

Hi! I'm super new to reverse engineering / exploit development, so I'm really not sure if this is important. I'm still digging through it and trying to understand, but thought I would post a report here. If you don't think this is a bug, please feel free to close this issue.

Below is the source code of a simple heap corruption PoC I am playing with:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* strcpy */
#include <windows.h>

int main(int argc, char *argv[])
{
  if (argc < 2) {
    fprintf(stderr, "usage: %s <input>\n", argv[0]);
    return 1;
  }

  /* 0x00040000 is HEAP_CREATE_ENABLE_EXECUTE; initial/maximum size 0 = growable private heap */
  HANDLE hHeap = HeapCreate(0x00040000, 0, 0);
  char *buff1, *buff2;

  buff1 = (char *)HeapAlloc(hHeap, 0, 0x10);
  buff2 = (char *)HeapAlloc(hHeap, 0, 0x10);
  HeapFree(hHeap, 0, buff2);

  /* intentional bug: unbounded copy into a 0x10-byte chunk overflows into the neighbouring (freed) chunk */
  strcpy(buff1, argv[1]);
  buff2 = (char *)HeapAlloc(hHeap, 0, 0x10);

  HeapFree(hHeap, 0, buff2); // could seg fault
  HeapFree(hHeap, 0, buff1);

  return 0;
}
```

While I was experimenting with triaging using BugId, I saw this. Notice the first two crashes behave as expected, and the final crash seems to crash cBugId itself?


C:\win7x64-vm\exploitdev_exp\BugId>C:\Python27\python.exe BugId.py "C:\heap-exploitable-1.exe" AAAAAAA
+ The debugger is starting the application...
  Command line: C:\heap-exploitable-1.exe AAAAAAA
+ The application was started successfully and is running...
  * T+0.0 The application is suspended...
    * And resumed...
  * T+0.0 The application is suspended...
  * T+0.0 One of the main processes has terminated, stopping...

  === BugId report (https://github.com/SkyLined/BugId) =========================
  Id:               None
  Description:      The application terminated before a bug was detected.
  Application time: 0.004 seconds
  BugId overhead:   0.037 seconds

BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
This version of BugId is provided free of charge for non-commercial use only.
If you find it useful and would like to make a donation, you can send bitcoin
to 183yyxa9s1s1f7JBpPHPmzQ346y91Rx5DX. Please contact the author if you wish to
use BugId commercially. Contact and licensing information can be found at
https://github.com/SkyLined/BugId#license.

C:\win7x64-vm\exploitdev_exp\BugId>C:\Python27\python.exe BugId.py "C:\heap-exploitable-1.exe" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The debugger is starting the application...
  Command line: C:\heap-exploitable-1.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The application was started successfully and is running...
  * T+0.0 The application is suspended...
    * And resumed...
  * T+0.0 The application is suspended...

  === BugId report (https://github.com/SkyLined/BugId) =========================
  Id:               Breakpoint aca.501
  Location:         image00000000`00400000!ntdll32.dll!RtlpBreakPointHeap
  Description:      WOW64 breakpoint (code 0x4000001F)
  Version:          image00000000`00400000 Sun Dec 14 19:03:00 2014 (548E3344) (x86)
                    ntdll32.dll 6.1.7601.17514 (x86)
  Security impact:  Denial of Service
  Application time: 0.0 seconds
  BugId overhead:   1.099 seconds
  Bug report:       Breakpoint aca.501 @ image00000000`00400000!ntdll32.dll!RtlpBreakPointHeap.html
(33739 bytes)

BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
This version of BugId is provided free of charge for non-commercial use only.
If you find it useful and would like to make a donation, you can send bitcoin
to 183yyxa9s1s1f7JBpPHPmzQ346y91Rx5DX. Please contact the author if you wish to
use BugId commercially. Contact and licensing information can be found at
https://github.com/SkyLined/BugId#license.

C:\win7x64-vm\exploitdev_exp\BugId>C:\Python27\python.exe BugId.py "C:\heap-exploitable-1.exe" AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The debugger is starting the application...
  Command line: C:\heap-exploitable-1.exe AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
+ The application was started successfully and is running...
  * T+0.0 The application is suspended...
    * And resumed...
  * T+0.0 The application is suspended...
--------------------------------------------------------------------------------
- An error has occured in cBugId, which cannot be handled:
  AssertionError('Unexpected TEB info header:Wow64 TEB32 at 000000007efdd000\r\nWow64 TEB32 at 00000
0007efdd000\r\n*************************************************************************\r\n***
                                                              ***\r\n***
                                       ***\r\n***    Your debugger is not using the correct symbols
                ***\r\n***                                                                   ***\r\n
***    In order for this command to work properly, your symbol path   ***\r\n***    must point to .p
db files that have full type information.      ***\r\n***
                        ***\r\n***    Certain .pdb files (such as the public OS symbols) do not
 ***\r\n***    contain the required information.  Contact the group that      ***\r\n***    provided
 you with these symbols if you need this command to    ***\r\n***    work.
                                ***\r\n***
         ***\r\n***    Type referenced: wow64!_TEB32                                  ***\r\n***
                                                               ***\r\n******************************
*******************************************\r\nerror InitTypeRead( wow64!_TEB32 )...\r\n\r\n\r\nWow6
4 TEB at 000000007efdb000\r\n    ExceptionList:        000000007efdd000\r\n    StackBase:
 000000000008fd20\r\n    StackLimit:           000000000008c000\r\n    SubSystemTib:         0000000
000000000\r\n    FiberData:            0000000000001e00\r\n    ArbitraryUserPointer: 000000000000000
0\r\n    Self:                 000000007efdb000\r\n    EnvironmentPointer:   0000000000000000\r\n
 ClientId:             000000000000079c . 000000000000090c\r\n    RpcHandle:            000000000000
0000\r\n    Tls Storage:          0000000000000000\r\n    PEB Address:          000000007efdf000\r\n
    LastErrorValue:       2\r\n    LastStatusValue:      0\r\n    Count Owned Locks:    0\r\n    Har
dErrorMode:        0',)
  BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
--------------------------------------------------------------------------------

  Please report this issue at the below web-page so it can be addressed:
      https://github.com/SkyLined/BugId/issues/new
  If you do not have a github account, or you want to report this issue
  privately, you can also send an email to:
      BugId@skylined.nl

  In your report, please copy all the information about the error reported
  above, as well as the version information. This makes it easier to determine
  the cause of this issue. I will try to address the issues as soon as
  possible. Thank you in advance for helping to improve BugId!

BugId version 2017.01.31.1531, cBugId version 2017.01.31.1525
This version of BugId is provided free of charge for non-commercial use only.
If you find it useful and would like to make a donation, you can send bitcoin
to 183yyxa9s1s1f7JBpPHPmzQ346y91Rx5DX. Please contact the author if you wish to
use BugId commercially. Contact and licensing information can be found at
https://github.com/SkyLined/BugId#license.

Hope this helps. Anyway, as stated before:

image

Cheers!
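To illustrate why the second run above stops in RtlpBreakPointHeap, here is an added example (not part of the issue or of BugId): a simplified, portable model of two adjacent 0x10-byte chunks whose headers carry a check value. The `chunk_hdr` layout, `HDR_MAGIC` and the checksum are assumptions of this model, not the NT heap's real metadata; the unchecked copy from the PoC corrupts the neighbour's header and the check on the next heap operation catches it, while `bounded_copy` shows the hardened form.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CHUNK_SIZE 0x10
#define HDR_MAGIC 0xA5u

/* Hypothetical chunk header: size, flags, magic and a checksum over them. */
struct chunk_hdr { uint8_t size; uint8_t flags; uint8_t magic; uint8_t check; };

/* Constructed arena holding exactly two header+chunk pairs back to back. */
static uint8_t arena[2 * (sizeof(struct chunk_hdr) + CHUNK_SIZE)];

static uint8_t hdr_checksum(const struct chunk_hdr *h) {
    return (uint8_t)(h->size ^ h->flags ^ h->magic);
}
static void init_chunk(struct chunk_hdr *h) {
    h->size = CHUNK_SIZE; h->flags = 1; h->magic = HDR_MAGIC;
    h->check = hdr_checksum(h);
}
/* The consistency check a heap would run before trusting a header. */
static int header_ok(const struct chunk_hdr *h) {
    return h->magic == HDR_MAGIC && h->check == hdr_checksum(h);
}

/* Copies `input` into chunk 1 the way the PoC's strcpy does (bounded to the
 * arena only so the model itself stays memory-safe) and returns 1 if chunk 2's
 * header survived, 0 if the check would fire (the model of the heap breakpoint). */
int simulate_overflow(const char *input) {
    struct chunk_hdr *h1 = (struct chunk_hdr *)arena;
    char *buff1 = (char *)(h1 + 1);
    struct chunk_hdr *h2 = (struct chunk_hdr *)(buff1 + CHUNK_SIZE);
    init_chunk(h1); init_chunk(h2);
    size_t n = strlen(input) + 1;                      /* includes the NUL, like strcpy */
    size_t room = sizeof(arena) - (size_t)(buff1 - (char *)arena);
    if (n > room) n = room;
    memcpy(buff1, input, n);
    return header_ok(h2);
}

/* Hardened copy: refuse input that does not fit the allocation instead of overflowing. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    size_t len = strlen(src);
    if (len + 1 > dst_size) return 0;
    memcpy(dst, src, len + 1);
    return 1;
}
```

With the 7-byte argument from the first run the neighbour's header is untouched; with the 30-byte one the 'A' bytes land on the second header and the check fails, matching the breakpoint in the second run.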

@soiax

soiax commented Mar 1, 2017

From the usage:

--isa=x86|x64
Use the x86 or x64 version of cdb to debug the application. The default is
to use the ISA of the OS. Applications build to run on x86 systems can be
debugged using the x64 version of cdb, but symbol resolution may fail and
results may vary. You are strongly encouraged to use the same ISA for the
debugger as the application. (ISA = Instruction Set Architecture)

So, just set --isa=x86

@SkyLined
Owner

Thanks soiax,

Regardless of the workaround, BugId should not have crashed. However, I do believe the current code handles this correctly, so I am closing this bug. If you can still crash BugId this way, please reopen!
