Completing the SSL data exchange is difficult: once iNode is installed, the client holds all the certificates and keys the authentication process needs, so the data used here has to be constructed by hand. The program analyzed is H3C iNode PC 5.1 E0307; the vulnerable binary is inodemngchecker.exe, which can be seen binding to port 9090 and listening for connections.

The thread function int __stdcall sub_420430(SOCKET *a1) calls sub_41F730(v8, v5) to receive and process data. sub_415AE0 receives the data: the buffer v90 stores the received bytes and v52 holds their length. sub_419600 then processes the data; its first parameter is the received data and its second is the data length. sub_419600 calls sub_41B950(&v105, a1, a2) to copy the data from a1 into the buffer starting at v105, then calls sub_41BEE0 to process v105.

sub_41BEE0 first checks whether the first 4 bytes of the received data equal 0xA0BF007. It then reads v7 = *((_DWORD *)pRecvData + 2) and checks that it is less than 0x1000, and reads v6 = *((_DWORD *)pRecvData + 1) and checks that it equals 0xC1. Constructed data with v6 = 0xC1 and v7 = 0x90C therefore reaches the while loop. The loop first checks whether v15 = (int)((char *)pRecvData + v8) (with v8 = 12) is 0, which it obviously is not. It then reads v16 = *(_DWORD *)(v15 + 4), i.e. the 4 bytes at pRecvData + 16, and computes v25 = v7 - 0xC = 0x900. If v16 in the constructed data is 0x8FF, the condition if (v16 > v25 || v16 < 8) is not met, and v17 = v16 - 8 = 0x8F7; when the switch is reached, v15 holds the value 0x14. The program then copies the data with memcpy((char *)pRecvData + 4108, v15 + 8, v17), where pRecvData is the v105 buffer from sub_419600.

The buffer v105 lies 0x1340 bytes from the bottom of the stack frame, whereas the memcpy destination is (char *)pRecvData + 4108, i.e. v105 + 0x100C, and the copy length v17 is the constructed 0x8F7. The copy therefore overwrites the return address of sub_419600. If sub_41BEE0 runs to completion and no exception occurs along the way, the result is a denial of service; otherwise, once the overwritten location is clearly identified, the overflow through the multiple memcpy calls can lead to arbitrary code execution.
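The root cause described above is that the record length is validated only against the outer length field (v25 = v7 - 0xC), never against the space remaining in the destination buffer at offset 4108. The following C model is an added illustration, not code from the page or from iNode: it reconstructs that check from the offsets and constants in the analysis (message layout, constant names, and the return codes are this example's own assumptions) and places a hardened check beside it that also bounds the copy by the bytes actually received and by the destination capacity, which with the figures given is only 0x1340 - 0x100C = 0x334 bytes.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical layout inferred from the analysis: a 12-byte outer header
 * (magic, type, total length) followed by a record whose length field sits
 * 4 bytes into the record and whose payload starts 8 bytes in. */
#define MAGIC          0xA0BF007u
#define TYPE_EXPECTED  0xC1u
#define MAX_TOTAL      0x1000u
#define HDR_LEN        12u
#define REC_HDR_LEN    8u
#define DEST_OFFSET    4108u    /* payload is copied to buf + 4108 */
#define FRAME_BYTES    0x1340u  /* bytes from the buffer start to the end of the frame */

enum { CHECK_OK = 0, BAD_HEADER = -1, BAD_LENGTH = -2, TOO_LARGE = -3 };

static uint32_t rd32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static void wr32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }

/* The check as the analysis describes it: rec_len is compared only against
 * the outer length minus the header, so the copy length can far exceed the
 * space left after the destination offset. */
static int original_check(const uint8_t *buf, size_t n, uint32_t *copy_len) {
    if (n < HDR_LEN + REC_HDR_LEN) return BAD_HEADER;
    if (rd32(buf) != MAGIC || rd32(buf + 4) != TYPE_EXPECTED || rd32(buf + 8) >= MAX_TOTAL)
        return BAD_HEADER;
    uint32_t remaining = rd32(buf + 8) - HDR_LEN;      /* v25 = v7 - 0xC */
    uint32_t rec_len = rd32(buf + HDR_LEN + 4);        /* v16 */
    if (rec_len > remaining || rec_len < REC_HDR_LEN) return BAD_LENGTH;
    *copy_len = rec_len - REC_HDR_LEN;                 /* v17 */
    return CHECK_OK;
}

/* Hardened version: the declared total must fit the bytes received, and the
 * copy length must fit the space remaining after the destination offset. */
static int hardened_check(const uint8_t *buf, size_t n, uint32_t *copy_len) {
    if (n < HDR_LEN + REC_HDR_LEN) return BAD_HEADER;
    if (rd32(buf) != MAGIC || rd32(buf + 4) != TYPE_EXPECTED) return BAD_HEADER;
    uint32_t total = rd32(buf + 8);
    if (total < HDR_LEN + REC_HDR_LEN || total >= MAX_TOTAL || total > n) return BAD_LENGTH;
    uint32_t rec_len = rd32(buf + HDR_LEN + 4);
    if (rec_len < REC_HDR_LEN || rec_len > total - HDR_LEN) return BAD_LENGTH;
    uint32_t len = rec_len - REC_HDR_LEN;
    if (len > FRAME_BYTES - DEST_OFFSET) return TOO_LARGE;   /* only 0x334 bytes fit */
    *copy_len = len;
    return CHECK_OK;
}

/* Constructed test packet with the given header fields; payload is zero. */
static void build_packet(uint8_t *buf, size_t n, uint32_t total, uint32_t rec_len) {
    memset(buf, 0, n);
    wr32(buf, MAGIC); wr32(buf + 4, TYPE_EXPECTED); wr32(buf + 8, total);
    wr32(buf + HDR_LEN, 0x14);              /* switch selector noted in the analysis */
    wr32(buf + HDR_LEN + 4, rec_len);
}

/* Wrappers returning each check's verdict on a constructed packet. */
int original_result(uint32_t total, uint32_t rec_len) {
    uint8_t pkt[MAX_TOTAL]; uint32_t len = 0;
    build_packet(pkt, sizeof pkt, total, rec_len);
    return original_check(pkt, sizeof pkt, &len);
}
int hardened_result(uint32_t total, uint32_t rec_len) {
    uint8_t pkt[MAX_TOTAL]; uint32_t len = 0;
    build_packet(pkt, sizeof pkt, total, rec_len);
    return hardened_check(pkt, sizeof pkt, &len);
}
/* Copy length the hardened check would allow, or -1 if it rejects the packet. */
int hardened_copy_len(uint32_t total, uint32_t rec_len) {
    uint8_t pkt[MAX_TOTAL]; uint32_t len = 0;
    build_packet(pkt, sizeof pkt, total, rec_len);
    return hardened_check(pkt, sizeof pkt, &len) == CHECK_OK ? (int)len : -1;
}

int main(void) {
    printf("total=0x90C rec_len=0x8FF: original %d, hardened %d\n",
           original_result(0x90C, 0x8FF), hardened_result(0x90C, 0x8FF));
    printf("total=0x10C rec_len=0x100: original %d, hardened %d (copy %d bytes)\n",
           original_result(0x10C, 0x100), hardened_result(0x10C, 0x100),
           hardened_copy_len(0x10C, 0x100));
    return 0;
}
```

With the values from the analysis (total 0x90C, record length 0x8FF) the original check accepts the packet and would copy 0x8F7 bytes into 0x334 bytes of space, while the hardened check rejects it as too large; a small record passes both. The fix is the usual one for this bug class: every length-driven copy into a fixed buffer must be bounded by the destination's remaining capacity, not only by a length field taken from the same untrusted message.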