1. Examining Netapi32.dll from an existing Win2000 SP4 system showed that most current systems have already been patched. The IDA decompilation of the patched function is as follows:
signed int __stdcall NetpwPathCanonicalize(wchar_t *str, wchar_t *lpWideCharStr, int a3, wchar_t *Source, int a5, int a6)
{
  wchar_t *v6;        // ebx@1
  int v7;             // esi@3
  wchar_t *v8;        // eax@5
  signed int result;  // eax@6

  v6 = Source;
  v7 = !Source || !*Source;         // prefix absent or empty
  v8 = *(wchar_t **)a5;
  Source = *(wchar_t **)a5;
  if ( a6 & 0x7FFFFFFE )            // any flag bit other than bit 0 / bit 31 set
  {
    result = 87;                    // ERROR_INVALID_PARAMETER
  }
  else
  {
    if ( v8 || (result = NetpwPathType(str, (int)&Source, 0)) == 0 )
    {
      if ( v7 || (result = NetpwPathType(v6, (int)&a6, 0)) == 0 )
      {
        if ( a3 )                   // output buffer length must be non-zero
        {
          *lpWideCharStr = 0;
          result = sub_7517FC68(v6, str, lpWideCharStr, a3, 0);
          if ( !result )
            result = NetpwPathType(lpWideCharStr, a5, 0);
        }
        else
        {
          result = 2123;            // NERR_BufTooSmall
        }
      }
    }
  }
  return result;
}
2. Services.exe does not interact with the graphical desktop, so shellcode written for it must not call MessageBoxA or other user-interface functions; otherwise the process will crash.
3. OllyDbg can be attached to services.exe (or another target process) to trace the RPC overflow; set the breakpoint with bp NetpwPathCanonicalize.
4. When constructing the shellcode, techniques such as jmp esp, jmp ebp or call ecx can be used. You can write this yourself, or, if Metasploit is installed, run msfpescan -f -j esp c:/windows/system32/kernel32.dll in the console (note that the debugging PC and the attacked PC must run the same system version).