Review of MS06-040 vulnerability analysis

Source: Internet
Author: User

1. Examining netapi32.dll from an existing Windows 2000 SP4 system showed that most current systems have already been patched. The IDA pseudocode of the patched function is as follows:

    signed int __stdcall NetpwPathCanonicalize(wchar_t *str, wchar_t *lpWideCharStr, int a3, wchar_t *Source, int a5, int a6)
    {
        wchar_t *v6;        // ebx@1
        int v7;             // esi@3
        wchar_t *v8;        // eax@5
        signed int result;  // eax@6

        v6 = Source;
        v7 = !Source || !*Source;
        v8 = *(wchar_t **)a5;
        Source = *(wchar_t **)a5;
        if (a6 & 0x7ffffffe)
        {
            result = 87;
        }
        else
        {
            if (v8 || (result = NetpwPathType(str, (int)&Source, 0)) == 0)
            {
                if (v7 || (result = NetpwPathType(v6, (int)&a6, 0)) == 0)
                {
                    if (a3)
                    {
                        *lpWideCharStr = 0;
                        result = sub_7517fc68(v6, str, lpWideCharStr, a3, 0);
                        if (!result)
                            result = NetpwPathType(lpWideCharStr, a5, 0);
                    }
                    else
                    {
                        result = 2123;
                    }
                }
            }
        }
        return result;
    }
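As an added example (not code from the page, and not Microsoft's netapi32.dll), the same validate-then-canonicalize structure written out in plain C so the checks the patched entry point enforces can be exercised: the flags mask 0x7ffffffe and the return codes 87 and 2123 follow the listing, while NetpwPathType and the worker sub_7517fc68, whose bodies are not on the page, are replaced by assumed stand-ins (an empty-name check and a bounded "prefix\path" join that honours the caller's output size a3). The names canonicalize_path, path_type_check and g_out are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

#define ERROR_INVALID_PARAMETER 87          /* "result = 87" in the listing */
#define NERR_BufTooSmall        2123        /* "result = 2123" in the listing */
#define PATH_FLAGS_RESERVED     0x7FFFFFFEu /* "a6 & 0x7ffffffe" in the listing */

/* Assumed stand-in for NetpwPathType: only rejects NULL or empty names. */
static int path_type_check(const wchar_t *p)
{
    return (p == NULL || *p == L'\0') ? ERROR_INVALID_PARAMETER : 0;
}

/* Mirrors the patched control flow: validate flags and both inputs, refuse a
 * zero-length output buffer, then hand out_cch (a3) down to the worker. */
int canonicalize_path(const wchar_t *path, const wchar_t *prefix,
                      wchar_t *out, size_t out_cch, unsigned flags)
{
    int rc, have_prefix = (prefix != NULL && *prefix != L'\0'); /* v7 in the listing */
    size_t need;

    if (flags & PATH_FLAGS_RESERVED)
        return ERROR_INVALID_PARAMETER;
    if ((rc = path_type_check(path)) != 0)
        return rc;
    if (have_prefix && (rc = path_type_check(prefix)) != 0)
        return rc;
    if (out_cch == 0)                       /* the a3 == 0 branch */
        return NERR_BufTooSmall;
    out[0] = L'\0';
    /* Assumed worker: bounded "prefix\path" join that fails closed instead of
     * writing past out_cch when the two inputs together are too long. */
    need = wcslen(path) + 1;                /* path + NUL */
    if (have_prefix)
        need += wcslen(prefix) + 1;         /* prefix + '\' */
    if (need > out_cch)
        return NERR_BufTooSmall;
    if (have_prefix) {
        wcscpy(out, prefix);
        wcscat(out, L"\\");
    }
    wcscat(out, path);
    return path_type_check(out);            /* final NetpwPathType on the result */
}

wchar_t g_out[16];   /* fixed-size output buffer for exercising the checks */
```

Calling canonicalize_path with a prefix and path whose joined length exceeds 16 characters returns 2123 with g_out untouched beyond its first element, which is the behaviour the size check in the listing is there to guarantee.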

2. services.exe does not interact with the graphical interface, so shellcode written for it must not call MessageBoxA or other user-interface functions; otherwise the process will crash.

3. OllyDbg (OD) can be attached to services.exe and the other RPC-hosting processes to trace the overflow; set the breakpoint with bp NetpwPathCanonicalize.

4. When constructing the shellcode, return-address techniques such as jmp esp, jmp ebp or call ecx can be used, or you can write your own code; if Metasploit is installed, run msfpescan -f c:/windows/system32/kernel32.dll -j esp in the console (note that the debugging machine and the target PC must run the same system version).
