MS04-006 code reverse


Yuan Ge

Because of a length-accounting error in GetName, you can write (0x3f + 1)/2 + 1 = 0x21 bytes beyond the buffer's 0x101-byte limit, which is a buffer overflow. However, because of how the buffer is laid out in the code that calls GetName, the write covers at most 0x101 + 0x21 = 0x122 bytes and cannot reach the saved ebp or eip, so Microsoft did not consider it exploitable; see the description in the MS04-006 bulletin.

I found this vulnerability while studying other vulnerabilities, but found that it had already been fixed. I read the bulletin, which says Microsoft considers it not exploitable. After a little research, I successfully wrote a perfect and harmonious exploit.

Later I thought about writing "Advanced overwrite skills: what can you control?" with MS04-006 and MS08-067 as the classic cases. But I have never written these things.


VOID GetName(IN OUT LPBYTE *pName,    /* cursor into the NBT request, advanced as bytes are consumed */
             IN OUT LPBYTE  Name,     /* destination buffer, 0x101 bytes */
             OUT    LPDWORD NameLen)
{
    int    Length;
    int    MaxLen = 0x101;            /* remaining room in Name */
    int    nbtlen;
    LPBYTE p = *pName;                /* local alias for the input cursor (reconstruction) */

    *NameLen = 0;

    /* top two bits set: compression pointer or invalid first-level label */
    if ((*p & 0xc0) != 0) goto error;

    Length = *p & 0x3f;               /* declared label length, at most 0x3f */
    p++;

    nbtlen = (Length + 1) / 2;        /* decoded bytes: two 'A'..'P' chars per byte */

    while (nbtlen > 0) {
        int hi, lo;
        Length -= 2;
        hi = *p++ - 'A';
        lo = *p++ - 'A';
        *Name++ = (BYTE)((hi << 4) | lo);
        (*NameLen)++;
        nbtlen--;
    }

    MaxLen -= Length;
    /*
     * Bug!
     *
     * Length = 0 or Length = -1 here, not the number of bytes just written.
     * The intended accounting was:
     *
     *     MaxLen -= (*NameLen);
     */

    while (TRUE) {
        ...                            /* scope labels, omitted in the original */
    }

    if (--MaxLen >= 0) {
        *Name++ = 0;
    } else {
        goto error;
    }

    (*NameLen)++;
    *pName = p;                        /* write the advanced cursor back (reconstruction) */
    return;

error:
    WinsEvtLogEvt(...);
    RaiseException(...);
    return;
}
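To make the accounting bug concrete, the following is an added example, not code from the page or from WINS: a model of GetName's budget handling that decodes a first-level encoded NetBIOS name, charges the budget either the vulnerable way (MaxLen -= Length) or the intended way (MaxLen -= bytes written), and counts how many bytes would land in a 0x101-byte Name buffer. The scope-label loop is elided on the page, so here it is modelled (an assumption) as plain label copies checked byte by byte with --MaxLen >= 0, the same check the page shows for the terminator. The request bytes are constructed inline; the function names decode_nbt_name, build_sample, run_case and overflow_bytes are mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t BYTE;

#define MAXLEN_BUDGET 0x101   /* MaxLen as initialised in GetName */
#define OUT_CAP       0x200   /* oversized scratch buffer: we count writes, we never corrupt memory */

/* Model of GetName's budget accounting (assumption: scope loop modelled as byte copies).
 * fixed = 0: MaxLen -= Length   (vulnerable: Length is 0 or -1 after the decode loop)
 * fixed = 1: MaxLen -= written  (intended: charge the decoded bytes to the budget)
 * Returns the number of bytes written to out, or -1 where GetName would go to error. */
long decode_nbt_name(const BYTE *in, size_t in_len, BYTE *out, int fixed)
{
    size_t ip = 0;
    long   written = 0;
    int    MaxLen = MAXLEN_BUDGET;
    int    Length, nbtlen;

    if (in_len < 1 || (in[ip] & 0xc0) != 0) return -1;
    Length = in[ip++] & 0x3f;
    nbtlen = (Length + 1) / 2;                /* odd Length yields one extra output byte */
    if (ip + 2 * (size_t)nbtlen > in_len) return -1;

    while (nbtlen-- > 0) {
        int hi = in[ip++] - 'A';              /* first-level encoding: nibble + 'A' */
        int lo = in[ip++] - 'A';
        out[written++] = (BYTE)(((hi & 0xf) << 4) | (lo & 0xf));
        Length -= 2;                          /* ends at 0 (even) or -1 (odd) */
    }
    if (fixed) MaxLen -= (int)written;
    else       MaxLen -= Length;              /* bug: budget unchanged, or even raised by 1 */

    for (;;) {                                /* scope labels (model, see above) */
        int L;
        if (ip >= in_len || (in[ip] & 0xc0) != 0) return -1;
        L = in[ip++] & 0x3f;
        if (L == 0) break;
        if (ip + (size_t)L > in_len) return -1;
        while (L-- > 0) {
            if (--MaxLen < 0) return -1;
            out[written++] = in[ip++];
        }
    }
    if (--MaxLen < 0) return -1;
    out[written++] = 0;                       /* terminator, charged to the budget as on the page */
    return written;
}

/* Constructed request: a first label declaring 0x3f encoded chars (the odd, maximal case)
 * followed by 0x40 'E','B' pairs (each decodes to 'A'), then DNS-style scope labels
 * totalling scope_bytes 'x' characters, then the 0 terminator. Returns the request length. */
size_t build_sample(BYTE *buf, size_t cap, size_t scope_bytes)
{
    size_t n = 0, left = scope_bytes;
    if (cap < 1 + 0x40 + scope_bytes + scope_bytes / 63 + 2) return 0;
    buf[n++] = 0x3f;
    for (int i = 0; i < 0x40; i++) buf[n++] = (i & 1) ? 'B' : 'E';
    while (left > 0) {
        size_t L = left > 63 ? 63 : left;
        buf[n++] = (BYTE)L;
        memset(buf + n, 'x', L);
        n += L;
        left -= L;
    }
    buf[n++] = 0;
    return n;
}

/* Run one case end to end; returns bytes written or -1 (see decode_nbt_name). */
long run_case(size_t scope_bytes, int fixed)
{
    static BYTE req[512], name[OUT_CAP];
    size_t len = build_sample(req, sizeof req, scope_bytes);
    if (len == 0) return -1;
    return decode_nbt_name(req, len, name, fixed);
}

/* Bytes that would land past the end of the 0x101-byte Name buffer. */
long overflow_bytes(long written)
{
    return written > MAXLEN_BUDGET ? written - MAXLEN_BUDGET : 0;
}

int main(void)
{
    long buggy = run_case(0x101, 0), fixed = run_case(0x101, 1);
    printf("vulnerable accounting: %ld bytes written, %ld past the buffer\n",
           buggy, overflow_bytes(buggy));
    printf("fixed accounting:      %ld (negative = request rejected)\n", fixed);
    printf("fixed accounting, 0xe0 scope bytes: %ld bytes written\n", run_case(0xe0, 1));
    return 0;
}
```

With 0x101 scope bytes the vulnerable accounting writes 0x20 + 0x101 + 1 = 0x122 bytes, 0x21 past the buffer, which is exactly the figure in the text; the fixed accounting rejects the same request, and the most it ever writes is 0x101 bytes including the terminator.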


0:000> uf NmsMsgfProcNbtReq
wins!NmsMsgfProcNbtReq:
01011abe 55              push    ebp
01011abf 8bec            mov     ebp,esp
01011ac1 6aff            push    0FFFFFFFFh
01011ac3 6850210001      push    offset wins!`string'+0x7c (01002150)
01011ac8 6880280101      push    offset wins!_except_handler3 (01012880)
01011acd 64a100000000    mov     eax,dword ptr fs:[00000000h]
01011ad3 50              push    eax
01011ad4 64892500000000  mov     dword ptr fs:[0],esp
01011adb 51              push    ecx
01011adc 51              push    ecx
01011add 81ec74020000    sub     esp,274h
01011ae3 53              push    ebx
01011ae4 56              push    esi
01011ae5 57              push    edi
01011ae6 8965e8          mov     dword ptr [ebp-18h],esp
01011ae9 c785bcfeffff01000000 mov dword ptr [ebp-144h],1
01011af3 8365dc00        and     dword ptr [ebp-24h],0
01011af7 8b7d0c          mov     edi,dword ptr [ebp+0Ch]
01011afa 897dd8          mov     dword ptr [ebp-28h],edi
01011afd 8365fc00        and     dword ptr [ebp-4],0
01011b01 8a5f02          mov     bl,byte ptr [edi+2]
01011b04 c1eb03          shr     ebx,3
01011b07 83e30f          and     ebx,0Fh
01011b0a 895de0          mov     dword ptr [ebp-20h],ebx
01011b0d 8d470c          lea     eax,[edi+0Ch]
01011b10 8945d8          mov     dword ptr [ebp-28h],eax
01011b13 8945c4          mov     dword ptr [ebp-3Ch],eax
01011b16 8d45c8          lea     eax,[ebp-38h]
01011b19 50              push    eax
01011b1a 8d85c0feffff    lea     eax,[ebp-140h]

/*
   Buff at ebp-140h

   0x101 + 0x21 = 0x122 bytes written at most, so the last byte lands at ebp-1Fh;
   the saved ebp and the return address are out of reach.

   Can not rewrite eip?
*/
01011b20 50              push    eax
01011b21 8d45d8          lea     eax,[ebp-28h]
01011b24 50              push    eax
01011b25 e815020000      call    wins!GetName (01011d3f)
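The question in the comment is only half of the assessment: a bound such as "cannot reach eip" should be checked against every slot of the frame, not only the return address. The following added example (mine, not from the page or from WINS) takes the frame offsets visible in the prologue above, the buffer at ebp-140h and the 0x122-byte write limit from the text, and classifies each slot as untouched, partially or fully inside the written range. The slot descriptions are my reading of the listing and are an assumption; the function names slot_reach, overflow_end and slots_reached are mine.

```c
#include <stdio.h>

/* Frame slots of NmsMsgfProcNbtReq as read from the prologue above; offsets are
   relative to ebp (negative = below ebp). Meanings are my reading of the listing
   (assumption); sizes are one dword unless noted. */
typedef struct { const char *what; int off; int size; } slot_t;

static const slot_t frame[] = {
    { "[ebp-144h] local set to 1",                     -0x144, 4     },
    { "[ebp-140h] name buffer passed to GetName",      -0x140, 0x101 },
    { "[ebp-3Ch]  copy of the message cursor",         -0x3c,  4     },
    { "[ebp-38h]  third GetName argument (NameLen)",   -0x38,  4     },
    { "[ebp-28h]  first GetName argument (pName)",     -0x28,  4     },
    { "[ebp-24h]  local cleared to 0",                 -0x24,  4     },
    { "[ebp-20h]  ebx (field from byte 2 of message)", -0x20,  4     },
    { "[ebp-18h]  saved esp for the SEH frame",        -0x18,  4     },
    { "[ebp-10h]  SEH record (next, handler)",         -0x10,  8     },
    { "[ebp-4]    SEH trylevel",                       -0x4,   4     },
    { "[ebp]      saved ebp",                           0x0,   4     },
    { "[ebp+4]    return address (eip)",                0x4,   4     },
};
#define NSLOTS (sizeof frame / sizeof frame[0])

#define BUF_OFF   (-0x140)          /* lea eax,[ebp-140h] */
#define MAX_WRITE (0x101 + 0x21)    /* 0x122, from the text */

typedef enum { UNTOUCHED = 0, PARTIAL = 1, FULL = 2 } reach_t;

/* Classify one slot against the written byte range [buf_off, buf_off + max_write). */
reach_t slot_reach(int buf_off, int max_write, int slot_off, int slot_size)
{
    int wbeg = buf_off,  wend = buf_off + max_write;
    int sbeg = slot_off, send = slot_off + slot_size;
    if (send <= wbeg || sbeg >= wend) return UNTOUCHED;
    if (sbeg >= wbeg && send <= wend) return FULL;
    return PARTIAL;
}

/* Offset (relative to ebp) of the first byte the overflow cannot reach. */
int overflow_end(int buf_off, int max_write) { return buf_off + max_write; }

/* Number of slots other than the buffer itself that a write of max_write bytes touches. */
int slots_reached(int max_write)
{
    int n = 0;
    for (size_t i = 0; i < NSLOTS; i++)
        if (frame[i].off != BUF_OFF &&
            slot_reach(BUF_OFF, max_write, frame[i].off, frame[i].size) != UNTOUCHED)
            n++;
    return n;
}

int main(void)
{
    static const char *tag[] = { "untouched", "PARTIAL", "FULL" };
    int e = overflow_end(BUF_OFF, MAX_WRITE);
    printf(e < 0 ? "write range ends at ebp-%Xh\n" : "write range ends at ebp+%Xh\n", e < 0 ? -e : e);
    for (size_t i = 0; i < NSLOTS; i++)
        printf("%-9s %s\n",
               tag[slot_reach(BUF_OFF, MAX_WRITE, frame[i].off, frame[i].size)],
               frame[i].what);
    return 0;
}
```

Run stand-alone it confirms the comment above: the write ends at ebp-1Eh, so saved ebp, the return address and the SEH record stay untouched, while four dwords below them are fully inside the range and [ebp-20h] is clipped. Raising the write limit to 0x101 (the fixed accounting) leaves every other slot untouched.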

