Home page logo
/

bugtraq logo Bugtraq mailing list archives

Malformed DHCPv6 packets cause RPC to become unresponsive
From: tunterleitner () barracuda com
Date: Tue, 16 Aug 2011 12:43:10 GMT

Barracuda Networks AG Security Advisory 07/08/2011

Summary 
----------------------------- 
Malformed DHCPv6 packets cause RPC to become unresponsive.


Technical Details
----------------------------- 

There is a vulnerability in the part of RPC processing DHCPv6. The failure results 
because of incorrect handling of malformed messages. 

To exploit this vulnerability, an attacker would need to intercept DHCPv6 traffic. 
Once a DHCPv6 Request has been intercepted, the corresponding Reply would have to 
be modified to contain the malformed Domain Search List option. On reception of 
this malformed packet, RPC on the remote machine would fail. Exploiting this 
vulnerability would cause the RPC service to fail, losing any RPC-based services, 
as well as the potential loss of some COM functions.

Failing RPC calls might interfere with e.g. 
-       network connectivity (no IP address acquired, no IP address release/renew, …)
-       applications utilizing COM/DCOM interfaces
-       machine’s sound system

The error has been found to occur on reception of DHCPv6 Reply (message type 7) 
packets, containing the option “Domain Search List” (option type 24) with an empty domain.



Affected Systems 
----------------------------- 

Using the sample DHCPv6 it was possible to verify this issue on following operating systems and configurations: 
*       Microsoft Windows 7 Ultimate SP1 32 bit & 64 bit 

It is very likely that other versions of Windows 7 (and maybe earlier) are affected by this issue. 


Impact 
----------------------------- 
1.      Reception of a “malformed” DHCPv6 Reply packet, like the one seen in appendix A, 
causes critical error 0xc0000374 within rpcrt4, leaving the RPC server to become unavailable.

        a.) ipconfig /release <adapter_name> reporting:
                An error occurred while releasing interface <adapter_name>: The RPC server is unavailable.

This enables e.g. rouge DHCP servers to prevent other machines from connecting to a network. 

Remedy 
------------ 
No remedy available from vendor as of July 08, 2011. 

Reported 
------------ 
This vulnerability was first reported to Microsoft on, 8th July 2011 13:15 (GMT +2). 

Acknowledgements 
----------------------------- 
This vulnerability has been discovered by Michael Burgbacher and Thomas Unterleitner on behalf of Barracuda Networks 
AG. 

Contact Information 
----------------------------- 
  Barracuda Networks AG can be reached via: 
     http://www.barracudanetworks.com
          
     
http://www.barracudalabs.com/wordpress/index.php/2011/08/16/malformed-dhcpv6-packets-cause-rpc-to-become-unresponsive/

  Thomas Unterleitner can be reached via: 
     tunterleitner (at) barracuda (dot) com [email concealed]

References 
----------------------------- 
[1] Barracuda Networks AG - http://www.barracudanetworks.com

Exploit 
----------------------------- 
We can confirm that the vulnerability results in a Denial of Service in the RPC service.

Disclaimer 
----------------------------- 
There are NO warranties, implied or otherwise, with regard to this information or its use. 
Any use of this information is at the user's risk. In no event shall the author/distributor (Barracuda Networks AG) 
be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. 




Appendix A - Sample DHCPv6 packet provoking the error
 
 
 ----------------------------------------------------------------
Malformed option somewhere in the option stack – error provoked.
----------------------------------------------------------------

No.     Time        Source                Destination           Protocol Info
      1 0.000000    fec0:0:beef:f00d::feed fe80::754f:6144:be9e:2ae7 DHCPv6   Reply

Frame 1 (183 bytes on wire, 183 bytes captured)
Ethernet II, Src: 50:48:49:4f:4e:53 (50:48:49:4f:4e:53), Dst: 50:48:49:4f:4e:43 (50:48:49:4f:4e:43)
Internet Protocol Version 6
User Datagram Protocol, Src Port: 547 (547), Dst Port: 546 (546)
DHCPv6
    Message type: Reply (7)
    Transaction-ID: 0x007f1ea5
    Server Identifier
        option type: 2
        option length: 10
        DUID type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: 50:48:49:4f:4e:53
    Client Identifier
        option type: 1
        option length: 14
        DUID type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        Time: 304692361
        Link-layer address: 00:0c:29:2a:17:54
    Identity Association for Non-temporary Address
        option type: 3
        option length: 40
        IAID: 407914569
        T1: 5400
        T2: 8640
        IA Address
            option type: 5
            option length: 24
            IPv6 address: fec0:0:beef:f00d::bad:f00d
            Preferred lifetime: 10800
            Valid lifetime: 21600
    Domain Search List                                                                                                  
                                <<<--------------------------------------
        option type: 24
        option length: 1
        DNS Domain Search List
        Malformed option
    DNS recursive name server
        option type: 23
        option length: 32
        DNS servers address: fec0:0:beef:f00d::feed
        DNS servers address: fe80::2d42:5a6d:9472:a9fb



-----------------------------------------------------------------
Malformed option at the end of the option stack – error provoked.
-----------------------------------------------------------------

No.     Time        Source                Destination           Protocol Info
      1 0.000000    fec0:0:beef:f00d::feed fe80::754f:6144:be9e:2ae7 DHCPv6   Reply

Frame 1 (183 bytes on wire, 183 bytes captured)
Ethernet II, Src: 50:48:49:4f:4e:53 (50:48:49:4f:4e:53), Dst: 50:48:49:4f:4e:43 (50:48:49:4f:4e:43)
Internet Protocol Version 6
User Datagram Protocol, Src Port: 547 (547), Dst Port: 546 (546)
DHCPv6
    Message type: Reply (7)
    Transaction-ID: 0x0054c814
    Server Identifier
        option type: 2
        option length: 10
        DUID type: link-layer address (3)
        Hardware type: Ethernet (1)
        Link-layer address: 50:48:49:4f:4e:53
    Client Identifier
        option type: 1
        option length: 14
        DUID type: link-layer address plus time (1)
        Hardware type: Ethernet (1)
        Time: 304692361
        Link-layer address: 00:0c:29:2a:17:54
    Identity Association for Non-temporary Address
        option type: 3
        option length: 40
        IAID: 407914569
        T1: 5400
        T2: 8640
        IA Address
            option type: 5
            option length: 24
            IPv6 address: fec0:0:beef:f00d::bad:f00d
            Preferred lifetime: 10800
            Valid lifetime: 21600
    DNS recursive name server
        option type: 23
        option length: 32
        DNS servers address: fec0:0:beef:f00d::feed
        DNS servers address: fe80::2d42:5a6d:9472:a9fb
    Domain Search List                                                                                                  
                                        <<<--------------------------------------------
        option type: 24
        option length: 1
        DNS Domain Search List
        Malformed option





Appendix B – Stack trace of the error

STACK_TEXT:  
00000000`7701d1cd ntdll! ?? ::FNODOBFM::`string'+0x123b4
000007fe`fd171512 KERNELBASE!LocalFree+0x2e
000007fe`fe1fedb7 RPCRT4!Ndr64ConformantArrayFree+0x1e7
000007fe`fe20085a RPCRT4!Ndr64ComplexStructFree+0x121
000007fe`fe2bad24 RPCRT4!Ndr64pFreeParams+0xf8
000007fe`fe2bb749 RPCRT4!Ndr64StubWorker+0x83d
000007fe`fe204070 RPCRT4!NdrServerCallAll+0x40
000007fe`fe209c24 RPCRT4!DispatchToStubInCNoAvrf+0x14
000007fe`fe209d86 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146
000007fe`fe20a479 RPCRT4!LRPC_SCALL::DispatchRequest+0x149
000007fe`fe20a11d RPCRT4!LRPC_SCALL::HandleRequest+0x20d
000007fe`fe217ddf RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf
000007fe`fe217995 RPCRT4!LrpcIoComplete+0xa5
00000000`76fcb43b ntdll!TppAlpcpExecuteCallback+0x26b
00000000`76fc923f ntdll!TppWorkerThread+0x3f8
00000000`76daf56d kernel32!BaseThreadInitThunk+0xd
00000000`76fe3281 ntdll!RtlUserThreadStart+0x1d


Appendix C - Research results 
    
Critical error detected c0000374



FAULTING_IP: 
ntdll!RtlReportCriticalFailure+2f
0033:00000000`77076c9f cc              int     3

EXCEPTION_RECORD:  ffffffffffffffff -- (.exr 0xffffffffffffffff)
ExceptionAddress: 0000000077076c9f (ntdll!RtlReportCriticalFailure+0x000000000000002f)
   ExceptionCode: 80000003 (Break instruction exception)
  ExceptionFlags: 00000000
NumberParameters: 1
   Parameter[0]: 0000000000000000

DEFAULT_BUCKET_ID:  STATUS_BREAKPOINT

ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION}  Breakpoint  A breakpoint has been reached.

EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid

EXCEPTION_PARAMETER1:  0000000000000000

NTGLOBALFLAG:  0

LAST_CONTROL_TRANSFER:  from 0000000000000000 to 000000007701d1cd

FAULTING_THREAD:  ffffffffffffffff

PRIMARY_PROBLEM_CLASS:  STATUS_BREAKPOINT

BUGCHECK_STR:  APPLICATION_FAULT_STATUS_BREAKPOINT

STACK_TEXT:  
00000000`7701d1cd ntdll! ?? ::FNODOBFM::`string'+0x123b4
000007fe`fd171512 KERNELBASE!LocalFree+0x2e
000007fe`fe1fedb7 RPCRT4!Ndr64ConformantArrayFree+0x1e7
000007fe`fe20085a RPCRT4!Ndr64ComplexStructFree+0x121
000007fe`fe2bad24 RPCRT4!Ndr64pFreeParams+0xf8
000007fe`fe2bb749 RPCRT4!Ndr64StubWorker+0x83d
000007fe`fe204070 RPCRT4!NdrServerCallAll+0x40
000007fe`fe209c24 RPCRT4!DispatchToStubInCNoAvrf+0x14
000007fe`fe209d86 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146
000007fe`fe20a479 RPCRT4!LRPC_SCALL::DispatchRequest+0x149
000007fe`fe20a11d RPCRT4!LRPC_SCALL::HandleRequest+0x20d
000007fe`fe217ddf RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf
000007fe`fe217995 RPCRT4!LrpcIoComplete+0xa5
00000000`76fcb43b ntdll!TppAlpcpExecuteCallback+0x26b
00000000`76fc923f ntdll!TppWorkerThread+0x3f8
00000000`76daf56d kernel32!BaseThreadInitThunk+0xd
00000000`76fe3281 ntdll!RtlUserThreadStart+0x1d


FOLLOWUP_IP: 
RPCRT4!Ndr64pFreeParams+f8
0033:000007fe`fe2bad24 4c8d0dd552f2ff  lea     r9,[RPCRT4!COMMON_ResubmitListen <PERF> (RPCRT4+0x0) (000007fe`fe1e0000)]

SYMBOL_STACK_INDEX:  4

SYMBOL_NAME:  RPCRT4!Ndr64pFreeParams+f8

FOLLOWUP_NAME:  MachineOwner

MODULE_NAME: RPCRT4

IMAGE_NAME:  RPCRT4.dll

DEBUG_FLR_IMAGE_TIMESTAMP:  4a5be035

STACK_COMMAND:  dds 770ec458 ; kb

FAILURE_BUCKET_ID:  STATUS_BREAKPOINT_80000003_RPCRT4.dll!Ndr64pFreeParams

BUCKET_ID:  X64_APPLICATION_FAULT_STATUS_BREAKPOINT_RPCRT4!Ndr64pFreeParams+f8

Followup: MachineOwner
---------



lmvm RPCRT4
start             end                 module name
000007fe`fe1e0000 000007fe`fe30e000   RPCRT4     (pdb symbols)          
d:\localsymbols\rpcrt4.pdb\484A214596114DE7AA63AF63A748044D2\rpcrt4.pdb
    Loaded symbol image file: RPCRT4.dll
    Image path: C:\Windows\system32\RPCRT4.dll
    Image name: RPCRT4.dll
    Timestamp:        Tue Jul 14 03:32:37 2009 (4A5BE035)
    CheckSum:         001302FA
    ImageSize:        0012E000
    File version:     6.1.7600.16385
    Product version:  6.1.7600.16385
    File flags:       0 (Mask 3F)
    File OS:          40004 NT Win32
    File type:        2.0 Dll
    File date:        00000000.00000000
    Translations:     0409.04b0
    CompanyName:      Microsoft Corporation
    ProductName:      Microsoft® Windows® Operating System
    InternalName:     rpcrt4.dll
    OriginalFilename: rpcrt4.dll
    ProductVersion:   6.1.7600.16385
    FileVersion:      6.1.7600.16385 (win7_rtm.090713-1255)
    FileDescription:  Remote Procedure Call Runtime
    LegalCopyright:   © Microsoft Corporation. All rights reserved.


    


kv
Child-SP          RetAddr           : Args to Child                                                           : Call 
Site
00000000`00d5ec20 00000000`77077396 : 00000000`00000002 00000000`00000023 00000000`00000000 00000000`00000003 : 
ntdll!RtlReportCriticalFailure+0x2f
00000000`00d5ecf0 00000000`770786c2 : 00000000`00000000 00000000`00000058 0000022b`00740001 00000000`002b7c70 : 
ntdll!RtlpReportHeapFailure+0x26
00000000`00d5ed20 00000000`7707a0c4 : 00000000`002b0000 00000000`00000000 00000000`00000000 00000000`04000004 : 
ntdll!RtlpHeapHandleError+0x12
00000000`00d5ed50 00000000`7701d1cd : 00000000`025183b0 00000000`002b0000 00000000`025183c0 00000000`00000000 : 
ntdll!RtlpLogHeapFailure+0xa4
00000000`00d5ed80 000007fe`fd171512 : 00000000`01b91590 00000000`025183c0 000007fe`fa5c7a50 000007fe`fa5a83a2 : ntdll! 
?? ::FNODOBFM::`string'+0x123b4
00000000`00d5ee00 000007fe`fe1fedb7 : 00000000`025183c0 00000000`00d5f030 000007fe`fa5c8309 00000000`00338f20 : 
KERNELBASE!LocalFree+0x2e
00000000`00d5ee40 000007fe`fe20085a : 000007fe`fa5c8608 000007fe`fa5c7a00 00000000`00338f00 000007fe`fa5c8300 : 
RPCRT4!Ndr64ConformantArrayFree+0x1e7
00000000`00d5eec0 000007fe`fe2bad24 : 00000000`01b91590 00000000`00000000 00000000`00390d20 000007fe`fe1e0000 : 
RPCRT4!Ndr64ComplexStructFree+0x121
00000000`00d5ef20 000007fe`fe2bb749 : 00000000`00000000 00000000`01cca430 000007fe`fa5c8301 000007fe`fa5c8360 : 
RPCRT4!Ndr64pFreeParams+0xf8
00000000`00d5ef70 000007fe`fe204070 : 00000000`00338e90 00000000`00000010 00000000`00000008 000007fe`fe22bf87 : 
RPCRT4!Ndr64StubWorker+0x83d
00000000`00d5f530 000007fe`fe209c24 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000000 : 
RPCRT4!NdrServerCallAll+0x40
00000000`00d5f580 000007fe`fe209d86 : 00000000`00d5f630 000007fe`fe21ce76 00000000`00d5f730 00000000`00000000 : 
RPCRT4!DispatchToStubInCNoAvrf+0x14
00000000`00d5f5b0 000007fe`fe20a479 : 00000000`00000000 000007fe`fe20445d 00000000`01bf7900 00000000`01cca2e0 : 
RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146
00000000`00d5f6d0 000007fe`fe20a11d : 00000000`0256b060 00000000`0235f650 000007fe`fe1e0000 00000000`01bf7a80 : 
RPCRT4!LRPC_SCALL::DispatchRequest+0x149
00000000`00d5f7b0 000007fe`fe217ddf : 00000000`00010000 00000000`0256b070 00000000`00000000 00000000`00000001 : 
RPCRT4!LRPC_SCALL::HandleRequest+0x20d
00000000`00d5f8e0 000007fe`fe217995 : 00000000`00000000 00000000`00000000 00000000`01b8c2a0 00000000`00000000 : 
RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf
00000000`00d5fa20 00000000`76fcb43b : 00000000`00d5fc48 00000000`00000000 00000000`002e83f8 00000000`0000ffff : 
RPCRT4!LrpcIoComplete+0xa5
00000000`00d5fab0 00000000`76fc923f : 00000000`00000000 00000000`00000000 00000000`0000ffff 00000000`00000000 : 
ntdll!TppAlpcpExecuteCallback+0x26b
00000000`00d5fb40 00000000`76daf56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
ntdll!TppWorkerThread+0x3f8
00000000`00d5fe40 00000000`76fe3281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : 
kernel32!BaseThreadInitThunk+0xd


.frame 4
04 00000000`00d5ed80 000007fe`fd171512 ntdll! ?? ::FNODOBFM::`string'+0x123b4
-----------------------------------------------------------------------------

Disassembly:
0033:00000000`7701d121 314108          xor     dword ptr [rcx+8],eax
0033:00000000`7701d124 e97e56feff      jmp     ntdll!RtlpFreeHeap+0x1e13 (00000000`770027a7)
0033:00000000`7701d129 488bcf          mov     rcx,rdi
0033:00000000`7701d12c e8dfdc0400      call    ntdll!RtlpNotOwnerCriticalSection (00000000`7706ae10)
0033:00000000`7701d131 90              nop
0033:00000000`7701d132 e9c457feff      jmp     ntdll!RtlpFreeHeap+0x1ea2 (00000000`770028fb)
0033:00000000`7701d137 65488b042530000000 mov   rax,qword ptr gs:[30h]
0033:00000000`7701d140 488b4860        mov     rcx,qword ptr [rax+60h]
0033:00000000`7701d144 f6817803000001  test    byte ptr [rcx+378h],1
0033:00000000`7701d14b 0f846f56feff    je      ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d151 807c245000      cmp     byte ptr [rsp+50h],0
0033:00000000`7701d156 0f856456feff    jne     ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d15c 448b842498000000 mov     r8d,dword ptr [rsp+98h]
0033:00000000`7701d164 498bd5          mov     rdx,r13
0033:00000000`7701d167 488bcb          mov     rcx,rbx
0033:00000000`7701d16a e8c1ad0300      call    ntdll!RtlpLogHeapFreeEvent (00000000`77057f30)
0033:00000000`7701d16f 90              nop
0033:00000000`7701d170 e94b56feff      jmp     ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0)
0033:00000000`7701d175 488b942490000000 mov     rdx,qword ptr [rsp+90h]
0033:00000000`7701d17d 4885d2          test    rdx,rdx
0033:00000000`7701d180 0f844856feff    je      ntdll!RtlpFreeHeap+0x1e36 (00000000`770027ce)
0033:00000000`7701d186 4c8b442458      mov     r8,qword ptr [rsp+58h]
0033:00000000`7701d18b 488bcb          mov     rcx,rbx
0033:00000000`7701d18e e87dae0300      call    ntdll!RtlpHeapLogRangeRelease (00000000`77058010)
0033:00000000`7701d193 90              nop
0033:00000000`7701d194 e93556feff      jmp     ntdll!RtlpFreeHeap+0x1e36 (00000000`770027ce)
0033:00000000`7701d199 0fb6430e        movzx   eax,byte ptr [rbx+0Eh]
0033:00000000`7701d19d 48c1e004        shl     rax,4
0033:00000000`7701d1a1 482bd8          sub     rbx,rax
0033:00000000`7701d1a4 e97f4bfeff      jmp     ntdll!RtlFreeHeap+0x58 (00000000`77001d28)
0033:00000000`7701d1a9 4533c9          xor     r9d,r9d
0033:00000000`7701d1ac 488bd1          mov     rdx,rcx
0033:00000000`7701d1af 4c8bc3          mov     r8,rbx
0033:00000000`7701d1b2 418d4908        lea     ecx,[r9+8]
0033:00000000`7701d1b6 48c744242800000000 mov   qword ptr [rsp+28h],0
0033:00000000`7701d1bf 48c744242000000000 mov   qword ptr [rsp+20h],0
0033:00000000`7701d1c8 e853ce0500      call    ntdll!RtlpLogHeapFailure (00000000`7707a020)


.frame 5
05 00000000`00d5ee00 000007fe`fe1fedb7 KERNELBASE!LocalFree+0x2e
----------------------------------------------------------------

Disassembly:
KERNELBASE!LocalFree:
0033:000007fe`fd1714e0 48895c2410      mov     qword ptr [rsp+10h],rbx
0033:000007fe`fd1714e5 4889742418      mov     qword ptr [rsp+18h],rsi
0033:000007fe`fd1714ea 48894c2408      mov     qword ptr [rsp+8],rcx
0033:000007fe`fd1714ef 57              push    rdi
0033:000007fe`fd1714f0 4883ec30        sub     rsp,30h
0033:000007fe`fd1714f4 488bd9          mov     rbx,rcx
0033:000007fe`fd1714f7 f6c108          test    cl,8
0033:000007fe`fd1714fa 0f8573950100    jne     KERNELBASE!LocalFree+0x46 (000007fe`fd18aa73)
0033:000007fe`fd171500 4c8bc1          mov     r8,rcx
0033:000007fe`fd171503 33d2            xor     edx,edx
0033:000007fe`fd171505 488b0d9cf10500  mov     rcx,qword ptr [KERNELBASE!BaseHeap (000007fe`fd1d06a8)]
0033:000007fe`fd17150c ff15468b0400    call    qword ptr [KERNELBASE!_imp_RtlFreeHeap (000007fe`fd1ba058)]


.frame 6
06 00000000`00d5ee40 000007fe`fe20085a RPCRT4!Ndr64ConformantArrayFree+0x1e7
----------------------------------------------------------------------------

Disassembly:
0033:000007fe`fe1fed1b 8b46f7          mov     eax,dword ptr [rsi-9]
0033:000007fe`fe1fed1e 4c8b2c28        mov     r13,qword ptr [rax+rbp]
0033:000007fe`fe1fed22 4d85ed          test    r13,r13
0033:000007fe`fe1fed25 0f848c000000    je      RPCRT4!Ndr64ConformantArrayFree+0x1e7 (000007fe`fe1fedb7)
0033:000007fe`fe1fed2b 0fb646ff        movzx   eax,byte ptr [rsi-1]
0033:000007fe`fe1fed2f 3c24            cmp     al,24h
0033:000007fe`fe1fed31 0f84e55d0300    je      RPCRT4!Ndr64ConformantArrayFree+0x259 (000007fe`fe234b1c)
0033:000007fe`fe1fed37 498bcd          mov     rcx,r13
0033:000007fe`fe1fed3a 3c23            cmp     al,23h
0033:000007fe`fe1fed3c 0f84baad0300    je      RPCRT4!Invoke+0xd441 (000007fe`fe239afc)
0033:000007fe`fe1fed42 0fb606          movzx   eax,byte ptr [rsi]
0033:000007fe`fe1fed45 84c0            test    al,al
0033:000007fe`fe1fed47 0f85e15d0300    jne     RPCRT4!Ndr64ConformantArrayFree+0x26b (000007fe`fe234b2e)
0033:000007fe`fe1fed4d 0fb64361        movzx   eax,byte ptr [rbx+61h]
0033:000007fe`fe1fed51 4c8b4607        mov     r8,qword ptr [rsi+7]
0033:000007fe`fe1fed55 806361f8        and     byte ptr [rbx+61h],0F8h
0033:000007fe`fe1fed59 88842488000000  mov     byte ptr [rsp+88h],al
0033:000007fe`fe1fed60 488d442438      lea     rax,[rsp+38h]
0033:000007fe`fe1fed65 483b8318010000  cmp     rax,qword ptr [rbx+118h]
0033:000007fe`fe1fed6c 0f82c2ad0300    jb      RPCRT4!Invoke+0xd479 (000007fe`fe239b34)
0033:000007fe`fe1fed72 410fb600        movzx   eax,byte ptr [r8]
0033:000007fe`fe1fed76 488bd1          mov     rdx,rcx
0033:000007fe`fe1fed79 488bcb          mov     rcx,rbx
0033:000007fe`fe1fed7c 41ff14c6        call    qword ptr [r14+rax*8]
0033:000007fe`fe1fed80 448a9c2488000000 mov     r11b,byte ptr [rsp+88h]
0033:000007fe`fe1fed88 44885b61        mov     byte ptr [rbx+61h],r11b
0033:000007fe`fe1fed8c 4c3b6b10        cmp     r13,qword ptr [rbx+10h]
0033:000007fe`fe1fed90 7206            jb      RPCRT4!Ndr64ConformantArrayFree+0x1c8 (000007fe`fe1fed98)
0033:000007fe`fe1fed92 4c3b6b18        cmp     r13,qword ptr [rbx+18h]
0033:000007fe`fe1fed96 761f            jbe     RPCRT4!Ndr64ConformantArrayFree+0x1e7 (000007fe`fe1fedb7)
0033:000007fe`fe1fed98 f60604          test    byte ptr [rsi],4
0033:000007fe`fe1fed9b 0f85afad0300    jne     RPCRT4!Invoke+0xd495 (000007fe`fe239b50)
0033:000007fe`fe1feda1 488b4b48        mov     rcx,qword ptr [rbx+48h]
0033:000007fe`fe1feda5 4885c9          test    rcx,rcx
0033:000007fe`fe1feda8 0f85b1ad0300    jne     RPCRT4!Invoke+0xd4a4 (000007fe`fe239b5f)
0033:000007fe`fe1fedae 498bcd          mov     rcx,r13
0033:000007fe`fe1fedb1 ff9380000000    call    qword ptr [rbx+80h]



.frame 7
07 00000000`00d5eec0 000007fe`fe2bad24 RPCRT4!Ndr64ComplexStructFree+0x121
--------------------------------------------------------------------------

Disassembly:
0033:000007fe`fe2007c0 488d4f60        lea     rcx,[rdi+60h]
0033:000007fe`fe2007c4 488d542430      lea     rdx,[rsp+30h]
0033:000007fe`fe2007c9 895f7c          mov     dword ptr [rdi+7Ch],ebx
0033:000007fe`fe2007cc e8ef870000      call    RPCRT4!RpcpfAttachListToEmptyHead (000007fe`fe208fc0)
0033:000007fe`fe2007d1 488d4f30        lea     rcx,[rdi+30h]
0033:000007fe`fe2007d5 ff15152b0c00    call    qword ptr [RPCRT4!_imp_RtlLeaveCriticalSection (000007fe`fe2c32f0)]
0033:000007fe`fe2007db 488b5c2430      mov     rbx,qword ptr [rsp+30h]
0033:000007fe`fe2007e0 4c8b6c2470      mov     r13,qword ptr [rsp+70h]
0033:000007fe`fe2007e5 4c8b642468      mov     r12,qword ptr [rsp+68h]
0033:000007fe`fe2007ea 488b742460      mov     rsi,qword ptr [rsp+60h]
0033:000007fe`fe2007ef 488d442430      lea     rax,[rsp+30h]
0033:000007fe`fe2007f4 483bd8          cmp     rbx,rax
0033:000007fe`fe2007f7 0f8598840500    jne     RPCRT4!Invoke+0x15495 (000007fe`fe258c95)
0033:000007fe`fe2007fd 4883c440        add     rsp,40h
0033:000007fe`fe200801 5f              pop     rdi
0033:000007fe`fe200802 5d              pop     rbp
0033:000007fe`fe200803 5b              pop     rbx
0033:000007fe`fe200804 c3              ret
0033:000007fe`fe200805 410fb606        movzx   eax,byte ptr [r14]
0033:000007fe`fe200809 3c24            cmp     al,24h
0033:000007fe`fe20080b 0f84dac30000    je      RPCRT4!Ndr64ComplexStructFree+0x253 (000007fe`fe20cbeb)
0033:000007fe`fe200811 4c8be6          mov     r12,rsi
0033:000007fe`fe200814 3c23            cmp     al,23h
0033:000007fe`fe200816 0f84a1820500    je      RPCRT4!Invoke+0x14aed (000007fe`fe258abd)
0033:000007fe`fe20081c 410fb64601      movzx   eax,byte ptr [r14+1]
0033:000007fe`fe200821 84c0            test    al,al
0033:000007fe`fe200823 0f85d26fffff    jne     RPCRT4!Ndr64ComplexStructFree+0x213 (000007fe`fe1f77fb)
0033:000007fe`fe200829 4d8b4608        mov     r8,qword ptr [r14+8]
0033:000007fe`fe20082d 440fb66d61      movzx   r13d,byte ptr [rbp+61h]
0033:000007fe`fe200832 806561f8        and     byte ptr [rbp+61h],0F8h
0033:000007fe`fe200836 488d442478      lea     rax,[rsp+78h]
0033:000007fe`fe20083b 483b8518010000  cmp     rax,qword ptr [rbp+118h]
0033:000007fe`fe200842 0f8294820500    jb      RPCRT4!Invoke+0x14b10 (000007fe`fe258adc)
0033:000007fe`fe200848 410fb600        movzx   eax,byte ptr [r8]
0033:000007fe`fe20084c 498bd4          mov     rdx,r12
0033:000007fe`fe20084f 488bcd          mov     rcx,rbp
0033:000007fe`fe200852 41ff94c140040f00 call    qword ptr [r9+rax*8+0F0440h]


.frame 8
08 00000000`00d5ef20 000007fe`fe2bb749 RPCRT4!Ndr64pFreeParams+0xf8
-------------------------------------------------------------------

Disassembly:
0033:000007fe`fe2bac9d f6c102          test    cl,2
0033:000007fe`fe2baca0 0f8402010000    je      RPCRT4!Ndr64pFreeParams+0x147 (000007fe`fe2bada8)
0033:000007fe`fe2baca6 8b7304          mov     esi,dword ptr [rbx+4]
0033:000007fe`fe2baca9 4903f4          add     rsi,r12
0033:000007fe`fe2bacac 664185cd        test    r13w,cx
0033:000007fe`fe2bacb0 0f85c52a0000    jne     RPCRT4!Ndr64ServerInitializeCommon+0x84c (000007fe`fe2bd77b)
0033:000007fe`fe2bacb6 84c9            test    cl,cl
0033:000007fe`fe2bacb8 7803            js      RPCRT4!Ndr64pFreeParams+0x91 (000007fe`fe2bacbd)
0033:000007fe`fe2bacba 488b36          mov     rsi,qword ptr [rsi]
0033:000007fe`fe2bacbd 0fb7c1          movzx   eax,cx
0033:000007fe`fe2bacc0 c1e803          shr     eax,3
0033:000007fe`fe2bacc3 c1e006          shl     eax,6
0033:000007fe`fe2bacc6 3387c0000000    xor     eax,dword ptr [rdi+0C0h]
0033:000007fe`fe2baccc 83e040          and     eax,40h
0033:000007fe`fe2baccf 3187c0000000    xor     dword ptr [rdi+0C0h],eax
0033:000007fe`fe2bacd5 8b87c0000000    mov     eax,dword ptr [rdi+0C0h]
0033:000007fe`fe2bacdb 0fb70b          movzx   ecx,word ptr [rbx]
0033:000007fe`fe2bacde c1e904          shr     ecx,4
0033:000007fe`fe2bace1 c1e107          shl     ecx,7
0033:000007fe`fe2bace4 33c8            xor     ecx,eax
0033:000007fe`fe2bace6 81e180000000    and     ecx,80h
0033:000007fe`fe2bacec 33c8            xor     ecx,eax
0033:000007fe`fe2bacee 898fc0000000    mov     dword ptr [rdi+0C0h],ecx
0033:000007fe`fe2bacf4 4885f6          test    rsi,rsi
0033:000007fe`fe2bacf7 7432            je      RPCRT4!Ndr64pFreeParams+0xff (000007fe`fe2bad2b)
0033:000007fe`fe2bacf9 0fb703          movzx   eax,word ptr [rbx]
0033:000007fe`fe2bacfc 488bd6          mov     rdx,rsi
0033:000007fe`fe2bacff c1e809          shr     eax,9
0033:000007fe`fe2bad02 03c0            add     eax,eax
0033:000007fe`fe2bad04 33c1            xor     eax,ecx
0033:000007fe`fe2bad06 83e002          and     eax,2
0033:000007fe`fe2bad09 33c1            xor     eax,ecx
0033:000007fe`fe2bad0b 488bcf          mov     rcx,rdi
0033:000007fe`fe2bad0e 8987c0000000    mov     dword ptr [rdi+0C0h],eax
0033:000007fe`fe2bad14 4c8b43f8        mov     r8,qword ptr [rbx-8]
0033:000007fe`fe2bad18 410fb600        movzx   eax,byte ptr [r8]
0033:000007fe`fe2bad1c 41ff94c140040f00 call    qword ptr [r9+rax*8+0F0440h]


  By Date           By Thread  

Current thread:
  • Malformed DHCPv6 packets cause RPC to become unresponsive tunterleitner (Aug 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault