For LPC, see http://bbs.2cto.com/read.php?tid=306764
Since it is a buffer overflow, search for buffer-related code; the buffer is created in the form sub esp, xx.
Generally, buffers appear in the [ebp-xx] format.
The search result is as follows:
77c4d4f8 8945fc mov dword ptr [ebp-4], eax
77c4d510 8985f0feffff mov dword ptr [ebp-110h], eax
77c4d516 898df8feffff mov dword ptr [ebp-108h], ecx
77c4d598 8d85fcfeffff lea eax, [ebp-104h] <--- buffer address for this line
77c4d5e9 80bd14ffffff06 cmp byte ptr [ebp-0ECh], 6
77c4d5f6 0fbf8516ffffff movsx eax, word ptr [ebp-0EAh]
77c4d5fd 8b8df0feffff mov ecx, dword ptr [ebp-110h]
77c4d605 8bb5f8feffff mov esi, dword ptr [ebp-108h]
77c4d615 8b4dfc mov ecx, dword ptr [ebp-4]
From the above we can see that this is most likely where the address is obtained.
Local variable layout:
Ebp-110h
Ebp-108h
Ebp-104h <--- overflow started here and will be overwritten later
Ebp-0ECh
Ebp-0EAh
Ebp-4
Nearby code:
77c4d598 8d85fcfeffff lea eax, [ebp-104h]
77c4d59e 50 push eax
77c4d59f ffb6a4000000 push dword ptr [esi + 0A4h]
77c4d5a5 8b869c000000 mov eax, dword ptr [esi + 9Ch]
77c4d5ab ff7024 push dword ptr [eax+24h]
77c4d5ae ff15b415c277 call dword ptr [RPCRT4!_imp__NtRequestWaitReplyPort]
In this statement, the data is received after being sent, but the data size is not limited.
If the data is too long, the cookie value will be overwritten, resulting in an exit.
Therefore, only these two values matter:
Ebp-0ECh
Ebp-0EAh
These two values lead to subsequent changes in the process flow.
All of the above are guesses, and I don't understand LPC.
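As an added illustration (not part of the original post), the C program below encodes the frame offsets from the listing above, computes how many bytes a write starting at [ebp-104h] can be before it reaches each later slot, and shows the length check a receive routine needs before copying a reply. Treating [ebp-4] as the /GS cookie is an assumption; slot sizes are taken from the operand widths in the listing, and the sample message is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Stack slots of the frame, read from the listing above (offsets from ebp).
   The 4-byte slot at [ebp-4] is ASSUMED to be the /GS cookie the post mentions;
   saved ebp and the return address sit where they always do on x86. */
typedef struct { const char *name; int ebp_off; int size; } slot_t;

static const slot_t frame[] = {
    { "[ebp-110h]",      -0x110, 4 },
    { "[ebp-108h]",      -0x108, 4 },
    { "[ebp-0ECh] byte", -0xEC,  1 },
    { "[ebp-0EAh] word", -0xEA,  2 },
    { "[ebp-4] cookie?", -0x4,   4 },
    { "saved ebp",        0x0,   4 },
    { "return address",   0x4,   4 },
};
#define NSLOTS (sizeof frame / sizeof frame[0])
#define BUF_OFF (-0x104)   /* lea eax,[ebp-104h]: start of the receive buffer */

/* Bytes that can be written from `start` before the write reaches slot s. */
int bytes_before(int start, const slot_t *s) { return s->ebp_off - start; }

/* Does a write of `len` bytes beginning at `start` overlap slot s? */
int overlaps(int start, int len, const slot_t *s) {
    return start < s->ebp_off + s->size && s->ebp_off < start + len;
}

/* Name of the first slot hit by a `len`-byte write into the buffer, or NULL. */
const char *first_hit(int len) {
    for (size_t i = 0; i < NSLOTS; i++)
        if (overlaps(BUF_OFF, len, &frame[i])) return frame[i].name;
    return NULL;
}

/* Hardened receive: the check the post implies is missing. The reply is only
   copied when it fits the buffer; otherwise it is rejected, not truncated. */
static unsigned char reply_buf[0x100];
int receive_reply(const unsigned char *src, size_t len) {
    if (len > sizeof reply_buf) return -1;   /* would overrun the frame */
    memcpy(reply_buf, src, len);
    return (int)len;
}

/* Constructed 24-byte sample message (the distance from [ebp-104h] to [ebp-0ECh]). */
static const unsigned char sample_msg[0x18] = { 0x18, 0x00, 0x18, 0x00 };

int main(void) {
    for (size_t i = 0; i < NSLOTS; i++)
        printf("%-16s reached after %d bytes\n", frame[i].name, bytes_before(BUF_OFF, &frame[i]));
    printf("0x19-byte write first hits: %s\n", first_hit(0x19));
    return 0;
}
```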