WinHex heap overflow.
WinHex 12.05 SR-14 (possibly other versions)
author: Darkeagle
date : 14.04.05
vendor: http://www.x-ways.net/
overview:
WinHex is a powerful hex editor for Win32 systems.
details:
I found a heap corruption bug in the latest version of WinHex (12.05 SR-14).
When WinHex is started with a very long filename as its first command-line argument, it crashes.
Look at the code below:
...
XOR EAX,EAX
MOV BL,BYTE PTR DS:[EDX+EAX]
MOV BYTE PTR DS:[ECX+EAX],BL
INC EAX
CMP BYTE PTR DS:[EDX+EAX-1],0
...
PUSH EDX ; argv2 <-- arguments pushed on the stack ----|
PUSH EAX ; argv1 <----------------------------------------
CALL <JMP.&kernel32.lstrcpynA> ; lstrcpynA <---- the byte loop above copies until the source NUL and never checks the destination size (lstrcpynA itself takes a maximum length, which this excerpt does not show)
That is the bug. After the crash you can see in the debugger that the following registers were overwritten with the 'a' (0x61) bytes of the filename:
ECX = 0x61616161
ESI = 0x61616161
(The debugger also listed DS as 0x61616161; a segment selector cannot hold a 32-bit value, so that entry is a display artefact rather than a real overwrite.)
EIP now points to 0x004EF55B (WinXP SP0 RUS):
004EF55B |. 881C01 |MOV BYTE PTR DS:[ECX+EAX],BL
This means the instruction at 0x004EF55B, the store in the copy loop, is trying to write a byte to address 0x61616161+EAX, which is not mapped, so the process faults. Note that this is a failed data write, not an attempt to execute code at 0x61616161: the destination pointer used by the copy has itself been replaced by attacker-controlled bytes, which is what turns an over-long argument into heap corruption rather than a simple truncation.
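As an added example (not part of the original advisory and not WinHex's own code), the following C program re-creates the copy loop from the disassembly in portable C and runs it against a hypothetical heap object whose fixed-size filename buffer is followed by a pointer-sized field, beside a hardened version that checks the argument length against the destination's real capacity before copying. The struct layout, the field names, the placeholder pointer value 0x0040F000 and the 16-byte 'a' payload are all constructed for the demonstration; the overwritten field is a uint32_t so that the result mirrors the 32-bit registers in the crash dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical heap object standing in for the one WinHex copies the
 * filename into: a small fixed buffer immediately followed by a
 * pointer-sized field (uint32_t to mirror the 32-bit registers above). */
struct file_record {
    char     name[12];
    uint32_t next;     /* stands in for heap metadata or a neighbour's pointer */
    char     tail[8];  /* spare room so the demo overrun stays inside the struct */
};

/* C rendering of the loop in the disassembly:
 *   XOR EAX,EAX / MOV BL,[EDX+EAX] / MOV [ECX+EAX],BL / INC EAX / CMP [EDX+EAX-1],0
 * It stops only at the source NUL; the destination size is never consulted. */
static void inline_strcpy(unsigned char *dst, const unsigned char *src)
{
    size_t i = 0;
    do {
        dst[i] = src[i];
        i++;
    } while (src[i - 1] != '\0');
}

/* Vulnerable path: copies `arg` into rec.name with the unbounded loop and
 * returns whatever rec.next holds afterwards. The struct is addressed as a
 * byte array so the overrun lands in the adjacent field instead of leaving
 * the object (in the real binary it would continue into neighbouring heap). */
uint32_t vulnerable_open(const char *arg)
{
    struct file_record rec;
    memset(&rec, 0, sizeof rec);
    rec.next = 0x0040F000u;  /* constructed "valid" pointer */
    inline_strcpy((unsigned char *)&rec, (const unsigned char *)arg);
    return rec.next;
}

/* Hardened path: compare the argument length with the real capacity of the
 * buffer (including the terminator) and fail closed instead of copying. */
int hardened_open(const char *arg, uint32_t *next_out)
{
    struct file_record rec;
    memset(&rec, 0, sizeof rec);
    rec.next = 0x0040F000u;
    size_t len = strlen(arg);
    if (len >= sizeof rec.name)
        return -1;           /* too long for the destination: reject it */
    memcpy(rec.name, arg, len + 1);
    *next_out = rec.next;
    return 0;
}

int main(void)
{
    char payload[17];                 /* 16 x 'a' plus NUL, like the crashing filename */
    memset(payload, 'a', 16);
    payload[16] = '\0';

    printf("vulnerable: next = 0x%08x\n", vulnerable_open(payload));

    uint32_t next = 0;
    printf("hardened:   rc = %d\n", hardened_open(payload, &next));
    return 0;
}
```

Running it prints next = 0x61616161 for the vulnerable path, the same value that appears in ECX and ESI in the crash dump, and rc = -1 for the hardened one. The check belongs on the length of the input against the size of the specific destination; a bounded API such as lstrcpynA only helps when every copy into that buffer, including hand-rolled loops like the one in the disassembly, honours the same bound.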
(c) Darkeagle