Windows WorkStation Remote BufferOverflow(0day)-vulnerability warning-the black bar safety net

2009-01-05T00:00:00
ID MYHACK58:62200921810
Type myhack58
Reporter 佚名
Modified 2009-01-05T00:00:00

Description

Microsoft Windows WorkStation service(windows xp sp3)there is a stack overflow vulnerability. a5 this parameter,since the implementation of wcscpy string copy before, did not check the length of the string, and therefore will induce a stack buffer overflow, Stack Overflow, and successfully exploited to remotely execute arbitrary code.

The presence of vulnerabilities the DLL file: driver or wkssvc.dll DLL name: Network Workstation service library Description: driver. dll is the local system to the Remote File Print-related service files.

Belongs to: Windows The system DLL files:

Analyze the following pseudo-code: The / Found by Friddy 12.25 Email:qianyang@ssyeah.com http://www.friddy.cn / DWORD __userpurge sub_76854A96<eax>(int a1<eax>, HLOCAL a2<esi>, int a3, wchar_t a4,wchar_t a5,int a6, int a7, int a8) { int v8; // eax@1 int v9; // ebx@1 HLOCAL v10; // eax@3 HLOCAL v11; // eax@4 HLOCAL v12; // eax@7 HLOCAL v13; // edi@7 int v15; // ecx@4 int v16; // edx@4 int v17; // eax@4 char v18; // zf@4 wchar_t v19; // ST0C_4@5

v9 = a1; v8 = 0; if ( a4 ) v8 = (_WORD )(a7 + 2); v10 = LocalAlloc(0x40u, v8 + ((2 * v9 + 3 9) & 0xFFFFFFFE)); a2 = v10; if ( v10 ) { (_DWORD )v10 = 0; v15 = a3; v16 = a8; ((_DWORD )a2 + 3) = v9; ((_DWORD )a2 + 4) = 1; ((_DWORD )a2 + 5) = v15; v17 = dword_7686F588; ((_DWORD )a2 + 6) = dword_7686F588; v18 = a4 == 0; ((_DWORD )a2 + 8) = v16; dword_7686F588 = (v17 + 1) & 0x7FFFFFFF; v11 = a2; if ( v18 ) { ((_DWORD )v11 + 2) = 0; ((_DWORD )a2 + 7) = 0; } else { v19 = a4; ((_DWORD )v11 + 2) = (char )v11 + 3 6; wcscpy(((wchar_t )a2 + 2), v19); ((_DWORD )a2 + 7) = (unsigned int)(a2 + 2 * v9 + 3 9) & 0xFFFFFFFE; wcscpy(((wchar_t )a2 + 7), (const wchar_t )(a7 + 4)); } if ( ! a5 ) return 0; v12 = LocalAlloc(0x40u, 2 * a6 + 1 2); v13 = v12; if ( v12 ) { wcscpy((wchar_t )v12 + 4, a5);//stack overflow happens here ((_DWORD )v13 + 1) = a6; (_DWORD )v13 = 1; ((_DWORD )a2 + 1) = v13; return 0; } LocalFree(*a2); } return GetLastError(); }

################################################################################################################## #######################################################################################

/ / ----- (7685499D) -------------------------------------------------------- signed int __stdcall sub_7685499D(int a1, int a2, wchar_t a3, int a4, wchar_t a5, int a6, int a7, int a8) { signed int v8; // edi@1 DWORD v9; // eax@2 wchar_t *v10; // ecx@7 int v12; // eax@2 1 int v13; // [sp+14h] [bp-4h]@1 int v14; // [sp+10h] [bp-8h]@1 int v15; // [sp+Ch] [bp-Ch]@2

v8 = 0; v13 = 0; v14 = 0; if ( ! (unsigned __int8)RtlAcquireResourceExclusive(&unk_7686F3E4, 1) ) { v8 = 2 1 4 0; goto LABEL_18; } v9 = sub_76852B71((int)&dword_7686F3E0, a1, (int)&v15, 1); if ( v9 ) goto LABEL_13; if ( (_DWORD )(dword_7686F3E0 + 1 2 * v15) ) sub_76854B88((_DWORD )(dword_7686F3E0 + 1 2 * v15), a5, (int)&v13, (int)&v14); if ( v13 ) { if ( ! a3 && ! (_DWORD )(v13 + 8) ) { ++(_DWORD )(v13 + 1 6); ++(_DWORD )(v13 + 4); goto LABEL_17; } v9 = sub_76854A96(a4, (HLOCAL )&a3, a2, a3, 0, 0, a7, a8); if ( ! v9 ) { v12 = (_DWORD )(v13 + 4); v10 = a3; ((_DWORD )a3 + 1) = (_DWORD )(v13 + 4); ++(_DWORD )v12; goto LABEL_8; } LABEL_13: v8 = v9; LABEL_17: RtlReleaseResource(&unk_7686F3E4); LABEL_18: NtClose(a2); return v8; } v9 = sub_76854A96(a4, (HLOCAL )&a3, a2, a3, a5, a6, a7, a8);//here call a vulnerability, thereby triggering the if ( v9 ) goto LABEL_13; v10 = a3; LABEL_8: if ( v14 ) (_DWORD )v14 = v10; else (_DWORD )(dword_7686F3E0 + 1 2 * v15) = v10; RtlReleaseResource(&unk_7686F3E4); return 0;

from:http://www. friddy. cn/article. asp? id=6 6