Vulnerability: Windows Server service RPC request buffer overflow vulnerability (MS08-067)
This security update resolves a privately reported vulnerability in the Server service.
The vulnerability could allow remote code execution if an affected system receives a specially crafted RPC request. On Microsoft Windows 2000, Windows XP and Windows Server 2003 systems, an attacker could exploit this vulnerability without authentication to run arbitrary code. The vulnerability could be used to carry out a worm attack. Firewall best practices and standard default firewall configurations can help protect network resources from attacks that originate outside the enterprise perimeter.
By default, a null session can be established.
Exploiting this vulnerability is quite involved; an article on it is reprinted below for anyone who wants to read it.
=== The following is reprinted content === Details ===
This vulnerability needs no introduction; it has already been discussed widely.
First, the compilation problem with the exploit on milw0rm: the author put a small trick in it that is easy to fix. The real trouble comes afterwards, when midl compiles the IDL file; under VC6 this may produce RPC library errors. That is probably caused by the SDK version: switching to the newest SDK (the 2008 one, roughly?) compiled successfully.
Next, triggering the bug: no privileges are required; it can be triggered after a null session.
A direct request to ncacn_np:\\192.168.152.101[\pipe\srvsvc] is enough.
The problem lies in the second parameter of NetpwPathCanonicalize(); this vulnerability is unusual.
First, the length of this parameter cannot exceed 0x207 (Unicode characters).
71BB58F6 81FF 07020000 CMP EDI,207
71BB58FC ^ 0F87 F447FFFF JA NETAPI32.71BAA0F6 // if larger, the function returns immediately
71BB5902 ^ E9 1247FFFF JMP NETAPI32.71BAA019
Execution then reaches the wcscat call. There is no problem here, because the buffer has enough space:
71BAA019 8D85 E8FBFFFF LEA EAX, DWORD PTR SS:[EBP-418]
71BAA01F 53 PUSH EBX
71BAA020 50 PUSH EAX
71BAA021 FF15 9810BA71 CALL DWORD PTR DS:[<&msvcrt.wcscat>] ; msvcrt.wcscat
Continuing down, every "/" is replaced with "\"; this is also immaterial.
Then execution arrives at the function that actually has the problem:
71BAA05A 8D85 E8FBFFFF LEA EAX, DWORD PTR SS:[EBP-418]
71BAA060 50 PUSH EAX
71BAA061 E8 AB020000 CALL NETAPI32.71BAA311
What happens inside is very complex; the pseudocode at the following page can be consulted:
http://www.phreedom.org/blog/2008/decompiling-ms08-067/
Probably many people get lost at this point. I followed it for a whole evening and finally understood a bit of it.