Windows lsasrv.dll远程溢出分析
来源:岁月联盟
时间:2007-05-19
.text:751AD5F7 ; As listed: the last two pushes before a stdcall call with 24 bytes
.text:751AD5F7 ; of arguments (@24 = six dwords). Pushed right-to-left, so the
.text:751AD5F7 ; first argument is 0 and the second is the ADDRESS of var_34; the
.text:751AD5F7 ; other four pushes precede this excerpt and are not shown.
.text:751AD5F7 ; NOTE(review): the 751Axxxx address range differs from the
.text:751AD5F7 ; 785xxxxx lsasrv.dll listings further down -- presumably a
.text:751AD5F7 ; different (caller-side) module; confirm which binary this is.
.text:751AD5F7 lea eax, [ebp+var_34]
.text:751AD5FA push eax
.text:751AD5FB push 0
.text:751AD5FD call _DsRolepEncryptPasswordStart@24
改为
.text:751AD5F7 ; The author's hand-edited replacement for the four instructions
.text:751AD5F7 ; listed above; only the first line carries an address, the rest
.text:751AD5F7 ; are given bare. Read literally: eax is pushed as it arrives (its
.text:751AD5F7 ; prior value is not shown), then the DWORD stored at var_34 is
.text:751AD5F7 ; pushed instead of its address. The nop is apparently filler so the
.text:751AD5F7 ; sequence occupies the same six bytes as the original
.text:751AD5F7 ; (751AD5F7..751AD5FD); the call itself is unchanged.
.text:751AD5F7 push eax
mov eax, [ebp+var_34]
push eax
nop
call _DsRolepEncryptPasswordStart@24
然后调用DsRoleUpgradeDownlevelServer就可以了.自己动手改一下吧,(靠,怎么有了破解的感觉 :)
最后感谢oyxin,本来已经不打算调这个东东了. :)
下面是有漏洞的代码部分:
LSASRV!DsRolerUpgradeDownlevelServer
│
----_DsRolepLogPrintRoutine
│
----_DsRolepDebugDumpRoutine
│
----__imp__vsprintf
.text:7859B6D6 ; ------------------------------------------------------------------
.text:7859B6D6 ; _DsRolerUpgradeDownlevelServer@52 -- stdcall, 13 dword arguments
.text:7859B6D6 ; (52 bytes, hence @52). Presumably reached remotely (DATA XREF
.text:7859B6D6 ; from a table at 7855B93C; the page calls this a remote overflow)
.text:7859B6D6 ; -- confirm against the RPC interface definition.
.text:7859B6D6 ; Only the prologue, the argument NULL checks and the first log
.text:7859B6D6 ; call are reproduced on this page; the listing stops at 7859B748
.text:7859B6D6 ; and has no matching endp.
.text:7859B6D6 ; Security note: arg_4 (DnsDomainName, per the "%ws" format string
.text:7859B6D6 ; at 7859B730) reaches the logging path after only a NULL check;
.text:7859B6D6 ; no length check is visible before the call at 7859B739, and the
.text:7859B6D6 ; call tree on this page ends in vsprintf.
.text:7859B6D6 ; ------------------------------------------------------------------
.text:7859B6D6 ; __stdcall DsRolerUpgradeDownlevelServer(x,x,x,x,x,x,x,x,x,x,x,x,x)
.text:7859B6D6 _DsRolerUpgradeDownlevelServer@52 proc near ; DATA XREF: .text:7855B93Co
.text:7859B6D6
.text:7859B6D6 var_40 = byte ptr -40h
.text:7859B6D6 var_28 = byte ptr -28h
.text:7859B6D6 var_20 = byte ptr -20h
.text:7859B6D6 var_18 = dword ptr -18h
.text:7859B6D6 var_14 = dword ptr -14h
.text:7859B6D6 Data = byte ptr -10h
.text:7859B6D6 var_C = dword ptr -0Ch
.text:7859B6D6 var_8 = dword ptr -8
.text:7859B6D6 var_4 = dword ptr -4
.text:7859B6D6 arg_0 = dword ptr 8
.text:7859B6D6 arg_4 = dword ptr 0Ch
.text:7859B6D6 arg_8 = dword ptr 10h
.text:7859B6D6 arg_C = dword ptr 14h
.text:7859B6D6 arg_10 = dword ptr 18h
.text:7859B6D6 arg_14 = dword ptr 1Ch
.text:7859B6D6 arg_18 = dword ptr 20h
.text:7859B6D6 arg_1C = dword ptr 24h
.text:7859B6D6 arg_20 = dword ptr 28h
.text:7859B6D6 arg_24 = dword ptr 2Ch
.text:7859B6D6 arg_28 = dword ptr 30h
.text:7859B6D6 arg_2C = dword ptr 34h
.text:7859B6D6 arg_30 = dword ptr 38h
.text:7859B6D6
.text:7859B6D6 ; ebp-based frame with 40h bytes of locals; ebx, esi, edi are
.text:7859B6D6 ; saved below (callee-saved under the Win32 ABI).
.text:7859B6D6 push ebp
.text:7859B6D7 mov ebp, esp
.text:7859B6D9 sub esp, 40h
.text:7859B6DC ; var_18 = arg_24 and var_14 = arg_28 (copied to locals; their
.text:7859B6DC ; later use is outside the excerpt).
.text:7859B6DC mov eax, [ebp+arg_24]
.text:7859B6DF push ebx
.text:7859B6E0 mov [ebp+var_18], eax
.text:7859B6E3 mov eax, [ebp+arg_28]
.text:7859B6E6 push esi
.text:7859B6E7 push edi
.text:7859B6E8 mov [ebp+var_14], eax
.text:7859B6EB ; eax = 0 for stosd; edi = &var_28; ebx = 0 and is used as the
.text:7859B6EB ; zero constant for the rest of the excerpt.
.text:7859B6EB xor eax, eax
.text:7859B6ED lea edi, [ebp+var_28]
.text:7859B6F0 xor ebx, ebx
.text:7859B6F2 ; four stosd (two here, two at 7859B6FA) zero the 16 bytes at
.text:7859B6F2 ; var_28..var_1C, i.e. var_28 and var_20.
.text:7859B6F2 stosd
.text:7859B6F3 stosd
.text:7859B6F4 ; low byte of var_C = 0 (bl is 0).
.text:7859B6F4 and byte ptr [ebp+var_C], bl
.text:7859B6F7 ; arg_4 == NULL? The flags set here survive the stosd/mov that
.text:7859B6F7 ; follow (none of them write flags) until the jz at 7859B707.
.text:7859B6F7 cmp [ebp+arg_4], ebx
.text:7859B6FA stosd
.text:7859B6FB stosd
.text:7859B6FC ; *arg_30 = 0 -- presumably an out parameter cleared up front;
.text:7859B6FC ; confirm. var_4 = var_8 = 0.
.text:7859B6FC mov eax, [ebp+arg_30]
.text:7859B6FF mov [ebp+var_4], ebx
.text:7859B702 mov [ebp+var_8], ebx
.text:7859B705 mov [eax], ebx
.text:7859B707 ; NULL checks on arg_4, arg_C, arg_10 and arg_14. loc_7859B93F is
.text:7859B707 ; not on this page -- presumably the failure exit; confirm.
.text:7859B707 jz loc_7859B93F
.text:7859B70D cmp [ebp+arg_C], ebx
.text:7859B710 jz loc_7859B93F
.text:7859B716 cmp [ebp+arg_10], ebx
.text:7859B719 jz loc_7859B93F
.text:7859B71F cmp [ebp+arg_14], ebx
.text:7859B722 jz loc_7859B93F
.text:7859B728 ; Sets up the debug log before the first print. Whether this is
.text:7859B728 ; what makes _DsRolepLogFile non-null (the gate checked at
.text:7859B728 ; 785A048A in the dump routine) is not visible here -- confirm.
.text:7859B728 call _DsRolepInitializeLog@0 ; DsRolepInitializeLog()
.text:7859B72D ; Arguments pushed right-to-left, so this is
.text:7859B72D ;   DsRolepLogPrintRoutine(4, "DsRolerDcAsDc: DnsDomainName %ws\n", arg_4)
.text:7859B72D ; arg_4 is caller-supplied and is formatted with %ws with no visible
.text:7859B72D ; length check. The "/n" in the listed string is most likely a
.text:7859B72D ; transcription of "\n".
.text:7859B72D push [ebp+arg_4]
.text:7859B730 push offset aDsrolerdcasdcD ; "DsRolerDcAsDc: DnsDomainName %ws/n"
.text:7859B735 ; push 4 / pop esi / push esi: compact way to set esi = 4 and push
.text:7859B735 ; 4; esi remains 4 afterwards.
.text:7859B735 push 4
.text:7859B737 pop esi
.text:7859B738 push esi
.text:7859B739 call _DsRolepLogPrintRoutine
.text:7859B73E ; eax = arg_8; add esp,0Ch removes the three arguments (the callee
.text:7859B73E ; returns with a plain retn and does not clean up).
.text:7859B73E mov eax, [ebp+arg_8]
.text:7859B741 add esp, 0Ch
.text:7859B744 ; if arg_8 == NULL, substitute the literal "(NULL)" for the next
.text:7859B744 ; log line. The page's listing of this routine ends here.
.text:7859B744 cmp eax, ebx
.text:7859B746 jnz short loc_7859B74D
.text:7859B748 mov eax, offset aNull ; "(NULL)"
.text:785A059D ; ------------------------------------------------------------------
.text:785A059D ; _DsRolepLogPrintRoutine -- variadic, cdecl-style wrapper: it
.text:785A059D ; returns with a plain retn and the caller (7859B741) removes the
.text:785A059D ; arguments. Forwards its first two arguments unchanged plus the
.text:785A059D ; ADDRESS of its third stack slot -- i.e. a pointer to the variadic
.text:785A059D ; arguments -- to the stdcall DsRolepDebugDumpRoutine(x,x,x).
.text:785A059D ; The IDA label "NumberOfBytesWritten" on the first argument looks
.text:785A059D ; like a propagated type guess: the caller passes the constant 4
.text:785A059D ; there and the format string as arg_4; treat the first argument as
.text:785A059D ; a level/flags value and confirm.
.text:785A059D ; Security note: nothing in this wrapper bounds the formatted
.text:785A059D ; output; the only buffer size visible on this page is the
.text:785A059D ; 814h-byte Buffer in DsRolepDebugDumpRoutine, and the vsprintf
.text:785A059D ; shown in the call tree is not reached within the listed lines.
.text:785A059D ; ------------------------------------------------------------------
.text:785A059D _DsRolepLogPrintRoutine proc near ; CODE XREF: DsRolerDcAsDc(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+ADp
.text:785A059D ; DsRolerDcAsDc(x,x,x,x,x,x,x,x,x,x,x,x,x,x,x)+BDp ...
.text:785A059D
.text:785A059D NumberOfBytesWritten= dword ptr 4
.text:785A059D arg_4 = dword ptr 8
.text:785A059D arg_8 = dword ptr 0Ch
.text:785A059D
.text:785A059D ; eax = &arg_8: address of the third stack slot, i.e. the start of
.text:785A059D ; the variadic arguments (a va_list); pushed as the third parameter.
.text:785A059D lea eax, [esp+arg_8]
.text:785A05A1 push eax ; int
.text:785A05A2 ; [esp+4+arg_4]: the +4 compensates for the push just made, so
.text:785A05A2 ; this re-pushes arg_4 (the format string).
.text:785A05A2 push [esp+4+arg_4] ; int
.text:785A05A6 ; [esp+8+...]: +8 compensates for the two pushes above, so this
.text:785A05A6 ; re-pushes the first argument.
.text:785A05A6 push [esp+8+NumberOfBytesWritten] ; NumberOfBytesWritten
.text:785A05AA ; stdcall @12: the callee removes the 12 bytes pushed here.
.text:785A05AA call _DsRolepDebugDumpRoutine@12 ; DsRolepDebugDumpRoutine(x,x,x)
.text:785A05AF ; plain retn: the wrapper's own arguments are left for the caller.
.text:785A05AF retn
.text:785A05AF _DsRolepLogPrintRoutine endp
.text:785A047E ; ═══════════════ S U B R O U T I N E ═══════════════════════════════════════════
.text:785A047E
.text:785A047E ; Attributes: bp-based frame
.text:785A047E
.text:785A047E ; int __stdcall DsRolepDebugDumpRoutine(DWORD NumberOfBytesWritten,int,int)
.text:785A047E _DsRolepDebugDumpRoutine@12 proc near ; CODE XREF: _DsRolepLogPrintRoutine+Dp
.text:785A047E
.text:785A047E var_816 = byte ptr -816h
.text:785A047E var_815 = byte ptr -815h
.text:785A047E Buffer = byte ptr -814h
.text:785A047E var_813 = byte ptr -813h
.text:785A047E SystemTime = _SYSTEMTIME ptr -10h
.text:785A047E NumberOfBytesWritten= dword ptr 8
.text:785A047E arg_4 = dword ptr 0Ch
.text:785A047E arg_8 = dword ptr 10h
.text:785A047E
.text:785A047E push ebp
.text:785A047F mov ebp, esp
.text:785A0481 sub esp, 814h
.text:785A0487 push ebx
.text:785A0488 xor ebx, ebx
.text:785A048A cmp _DsRolepLogFile, ebx
.text:785A0490 jz loc_785A056F
.text:785A0496 push edi
.text:785A0497 push esi
.text:785A0498 xor esi, esi
.text:785A049A cmp dword_785B35B8, ebx
.text:785A04A0 jz short loc_785A04EC
.text:785A04A2 test byte ptr [ebp+NumberOfBytesWritten], 1
.text:785A04A6 jz loc_785A0574
.text:785A04AC mov esi, offset dword_78564F90
.text:785A04B1
.text:785A04B1 loc_785A04B1: ; CODE XREF: DsRolepDebugDumpRoutine(x,x,x)+101j
.text:785A04B1 ; DsRolepDebugDumpRoutine(x,x,x)+10Fj ...
.text:785A04B1 lea eax, [ebp+SystemTime]
.text:785A04B4 push eax ; lpSystemTime
.text:785A04B5 call ds:__imp__GetLocalTime@4 ; __declspec(dllimport) GetLocalTime(x)
.text:785A04BB movzx eax, [ebp+SystemTime.wSecond]
.text:785A04BF push esi
.text:785A04C0 push eax
.text:785A04C1 movzx eax, [ebp+SystemTime.wMinute]
.text:785A04C5 push eax
.text:785A04C6 movzx eax, [ebp+SystemTime.wHour]
.text:785A04CA push eax
.text:785A04CB movzx eax, [ebp+SystemTime.wDay]
.text:785A04CF push eax