Zoom RCE from Pwn2Own 2021
// Decompiler output (Ghidra-style names) for AESDecode; the log strings place
// the original source in Common\include\zoom_crypto_util.h.
//
// Return values as visible here:
//   0    decryption succeeded (EVP_CipherFinal_ex returned > 0)
//   1    FUN_101ba34a() returned 0, or the key/IV length check failed
//   0xc  context allocation or any EVP_* step failed
//
// param_1 is indexed as a 4-slot record. Going by OpenSSL's
// EVP_CipherUpdate(ctx, out, &outl, in, inl) argument order, the slots appear to be:
//   param_1[0] input (ciphertext) pointer   param_1[1] input length
//   param_1[2] output buffer pointer        param_1[3] bytes written (set here)
// param_2 presumably describes the key and IV (slots [0] and [2] are read) - TODO confirm.
//
// NOTE(review): nothing in this function compares the input length param_1[1]
// with the capacity of the output buffer param_1[2]. OpenSSL documents that
// EVP_CipherUpdate may write up to inl + cipher_block_size bytes when decrypting,
// so the caller (or FUN_101ba34a, whose body is not shown) has to guarantee that
// much room; if neither does, attacker-sized ciphertext overflows the output
// buffer. A capacity field checked before the EVP_CipherUpdate call would close that.
undefined4 __fastcall AESDecode(undefined4 *param_1, undefined4 *param_2) {
  char cVar1;
  int iVar2;
  undefined4 uVar3;
  int iVar4;
  LogMessage *this;
  int extraout_EDX;
  int iVar5;
  LogMessage local_180 [176];
  LogMessage local_d0 [176];
  int local_20;
  undefined4 *local_1c;
  int local_18;
  int local_14;
  undefined4 local_8;
  undefined4 uStack4;
  uStack4 = 0x170;
  local_8 = 0x101ba696;
  // iVar5 doubles as "a LogMessage was constructed" flag on the error paths below.
  iVar5 = 0;
  local_14 = 0;
  local_1c = param_2;
  // Precondition helper; its arguments were not recovered by the decompiler.
  cVar1 = FUN_101ba34a();
  if (cVar1 == '\0') {
    return 1;
  }
  // Length validation: per the log message these are the key length (>= 0x20 = 32
  // bytes) and IV length (>= 0x10 = 16 bytes). extraout_EDX is presumably param_2
  // (__fastcall passes the second argument in EDX) - TODO confirm.
  // These are the only size checks in the function; the data lengths are not checked.
  if ((*(uint *)(extraout_EDX + 4) < 0x20) || (*(uint *)(extraout_EDX + 0xc) < 0x10)) {
    iVar5 = logging::GetMinLogLevel();
    if (iVar5 < 2) {
      logging::LogMessage::LogMessage
                (local_d0, "c:\\ZoomCode\\client_sdk_2019_kof\\Common\\include\\zoom_crypto_util.h", 0x1d6, 1);
      local_8 = 0;
      local_14 = 1;
      uVar3 = log_message(iVar5 + 8, "[AESDecode] Failed. Key len or IV len is incorrect.", " ");
      log_message(uVar3);
      logging::LogMessage::~LogMessage(local_d0);
      return 1;
    }
    return 1;
  }
  // local_14 now holds the output buffer pointer taken from the caller's record.
  // The same stack slot is later overwritten with small constants (1, 2, 4, 8) on
  // the logging paths; that looks like the decompiler merging two variables.
  local_14 = param_1[2];
  local_18 = 0;
  iVar2 = EVP_CIPHER_CTX_new();
  if (iVar2 == 0) {
    return 0xc;
  }
  // Second copy of the context handle, used for the free at LAB_101ba852 because
  // iVar2 is reused for the log level on the failure paths.
  local_20 = iVar2;
  EVP_CIPHER_CTX_reset(iVar2);
  // NOTE(review): EVP_aes_256_cbc() takes no arguments in OpenSSL; the four values
  // shown here are most likely the trailing arguments of EVP_CipherInit_ex
  // (impl = 0, key = *local_1c, iv = local_1c[2], enc = 0 i.e. decrypt) attached to
  // the wrong call by the decompiler - TODO confirm against the disassembly.
  uVar3 = EVP_aes_256_cbc(0, *local_1c, local_1c[2], 0);
  iVar4 = EVP_CipherInit_ex(iVar2, uVar3);
  if (iVar4 < 1) {
    iVar2 = logging::GetMinLogLevel();
    if (iVar2 < 2) {
      logging::LogMessage::LogMessage
                (local_d0,"c:\\ZoomCode\\client_sdk_2019_kof\\Common\\include\\zoom_crypto_util.h", 0x1e8, 1);
      iVar5 = 2;
      local_8 = 1;
      local_14 = 2;
      uVar3 = log_message(iVar2 + 8, "[AESDecode] EVP_CipherInit_ex Failed.", " ");
      log_message(uVar3);
    }
LAB_101ba758:
    // Shared tail for the Init/Update failures: skip the LogMessage destructor
    // when no LogMessage was constructed (iVar5 still 0).
    if (iVar5 == 0) goto LAB_101ba852;
    this = local_d0;
  }
  else {
    // Decrypts param_1[1] bytes from *param_1 into the caller's output buffer.
    // No bound on the output side is passed or checked here; see the header note.
    iVar4 = EVP_CipherUpdate(iVar2, local_14, &local_18, *param_1, param_1[1]);
    if (iVar4 < 1) {
      iVar2 = logging::GetMinLogLevel();
      if (iVar2 < 2) {
        logging::LogMessage::LogMessage
                  (local_d0,"c:\\ZoomCode\\client_sdk_2019_kof\\Common\\include\\zoom_crypto_util.h", 0x1f0, 1);
        iVar5 = 4;
        local_8 = 2;
        local_14 = 4;
        uVar3 = log_message(iVar2 + 8, "[AESDecode] EVP_CipherUpdate Failed.", " ");
        log_message(uVar3);
      }
      goto LAB_101ba758;
    }
    // Record the bytes produced so far, then let Final append the last block
    // directly after them in the same output buffer.
    param_1[3] = local_18;
    iVar4 = EVP_CipherFinal_ex(iVar2, local_14 + local_18, &local_18);
    if (0 < iVar4) {
      // Success: total output length = Update bytes + Final bytes.
      param_1[3] = param_1[3] + local_18;
      EVP_CIPHER_CTX_free(iVar2);
      return 0;
    }
    // Final failed. param_1[3] and the output buffer already hold the partial
    // result written by EVP_CipherUpdate.
    iVar2 = logging::GetMinLogLevel();
    if (iVar2 < 2) {
      logging::LogMessage::LogMessage
                (local_180,"c:\\ZoomCode\\client_sdk_2019_kof\\Common\\include\\zoom_crypto_util.h", 0x1fb, 1);
      iVar5 = 8;
      local_8 = 3;
      local_14 = 8;
      uVar3 = log_message(iVar2 + 8, "[AESDecode] EVP_CipherFinal_ex Failed.", " ");
      log_message(uVar3);
    }
    if (iVar5 == 0) goto LAB_101ba852;
    this = local_180;
  }
  logging::LogMessage::~LogMessage(this);
LAB_101ba852:
  // Common failure exit: release the cipher context and report 0xc.
  EVP_CIPHER_CTX_free(local_20);
  return 0xc;
}
Read more
https://sector7.computest.nl/post/2021-08-zoom/
*Be careful when clicking the link!