Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

0day analysis of the challenges 2
From: yuange <yuange1975 () hotmail com>
Date: Mon, 11 Oct 2010 00:02:29 +0000


 

1. lpc  0day  1 :

 

http://hi.baidu.com/yuange1975/blog/item/422c5807913701c37b894780.html#comment

     buf over ,you can get admin.

  

2. lpc  0day  2 :

    Memory leak , can you get cookie?

 

3. lpc  0day  3:

    findpass  ,you can get the password of login.

 

4. lpc  0day  4:

    buf over ,you can get admin.

 

5. lpc 0day 5 :

    you can write client'S Memory .

......
 


From: yuange1975 () hotmail com
To: full-disclosure () lists grok org uk
Subject: 0day analysis of the challenges
Date: Tue, 7 Sep 2010 12:38:27 +0000




 
0day analysis of the challenges 

2010-08-05 20:32 2010-08-05 20:32 








The following code has a buffer overflow, please write POC code analysis. Code please send to yuange1975 () 139 com . 
 
 

0:014> u RPCRT4!LRPC_SCALL::SendRequest 0:014> u RPCRT4! LRPC_SCALL:: SendRequest 
RPCRT4!LRPC_SCALL::SendRequest: RPCRT4! LRPC_SCALL:: SendRequest: 
77c4d4e6 8bff            mov     edi,edi 77c4d4e6 8bff mov edi, edi 
77c4d4e8 55              push    ebp 77c4d4e8 55 push ebp 
77c4d4e9 8bec            mov     ebp,esp 77c4d4e9 8bec mov ebp, esp 
77c4d4eb 81ec10010000    sub     esp,110h 77c4d4eb 81ec10010000 sub esp, 110h 
77c4d4f1 a16c86cb77      mov     eax,dword ptr [RPCRT4!__security_cookie (77cb86 77c4d4f1 a16c86cb77 mov eax, dword ptr 
[RPCRT4! __security_cookie (77cb86 
6c)] 6c)] 
77c4d4f6 53              push    ebx 77c4d4f6 53 push ebx 
77c4d4f7 56              push    esi 77c4d4f7 56 push esi 
77c4d4f8 8945fc          mov     dword ptr [ebp-4],eax 77c4d4f8 8945fc mov dword ptr [ebp-4], eax 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x15: RPCRT4! LRPC_SCALL:: SendRequest +0 x15: 
77c4d4fb 8b450c          mov     eax,dword ptr [ebp+0Ch] 77c4d4fb 8b450c mov eax, dword ptr [ebp +0 Ch] 
77c4d4fe 8bf1            mov     esi,ecx 77c4d4fe 8bf1 mov esi, ecx 
77c4d500 33c9            xor     ecx,ecx 77c4d500 33c9 xor ecx, ecx 
77c4d502 57              push    edi 77c4d502 57 push edi 
77c4d503 8b7d08          mov     edi,dword ptr [ebp+8] 77c4d503 8b7d08 mov edi, dword ptr [ebp +8] 
77c4d506 bb00200000      mov     ebx,2000h 77c4d506 bb00200000 mov ebx, 2000h 
77c4d50b 8908            mov     dword ptr [eax],ecx 77c4d50b 8908 mov dword ptr [eax], ecx 
77c4d50d 855f28          test    dword ptr [edi+28h],ebx 77c4d50d 855f28 test dword ptr [edi +28 h], ebx 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x2a: RPCRT4! LRPC_SCALL:: SendRequest +0 x2a: 
77c4d510 8985f0feffff    mov     dword ptr [ebp-110h],eax 77c4d510 8985f0feffff mov dword ptr [ebp-110h], eax 
77c4d516 898df8feffff    mov     dword ptr [ebp-108h],ecx 77c4d516 898df8feffff mov dword ptr [ebp-108h], ecx 
77c4d51c 0f85422f0100    jne     RPCRT4!LRPC_SCALL::SendRequest+0x38 (77c60464) 77c4d51c 0f85422f0100 jne RPCRT4! 
LRPC_SCALL:: SendRequest +0 x38 (77c60464) 
77c4d522 8d86d8000000    lea     eax,[esi+0D8h] 77c4d522 8d86d8000000 lea eax, [esi +0 D8h] 
77c4d528 3908            cmp     dword ptr [eax],ecx 77c4d528 3908 cmp dword ptr [eax], ecx 
77c4d52a 740e            je      RPCRT4!LRPC_SCALL::SendRequest+0xaf (77c4d53a) 77c4d52a 740e je RPCRT4! LRPC_SCALL:: 
SendRequest +0 xaf (77c4d53a) 
77c4d52c 398ef8000000    cmp     dword ptr [esi+0F8h],ecx 77c4d52c 398ef8000000 cmp dword ptr [esi +0 F8h], ecx 
77c4d532 8908            mov     dword ptr [eax],ecx 77c4d532 8908 mov dword ptr [eax], ecx 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x75: RPCRT4! LRPC_SCALL:: SendRequest +0 x75: 
77c4d534 0f845a2f0100    je      RPCRT4!LRPC_SCALL::SendRequest+0x77 (77c60494) 77c4d534 0f845a2f0100 je RPCRT4! 
LRPC_SCALL:: SendRequest +0 x77 (77c60494) 
77c4d53a 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d53a 8b86a4000000 mov eax, dword ptr [esi +0 A4h] 
77c4d540 f6401c04        test    byte ptr [eax+1Ch],4 77c4d540 f6401c04 test byte ptr [eax +1 Ch], 4 
77c4d544 0f84700f0000    je      RPCRT4!LRPC_SCALL::SendRequest+0x1d8 (77c4e4ba) 77c4d544 0f84700f0000 je RPCRT4! 
LRPC_SCALL:: SendRequest +0 x1d8 (77c4e4ba) 
77c4d54a 668b08          mov     cx,word ptr [eax] 77c4d54a 668b08 mov cx, word ptr [eax] 
77c4d54d 6683c118        add     cx,18h 77c4d54d 6683c118 add cx, 18h 
77c4d551 66894802        mov     word ptr [eax+2],cx 77c4d551 66894802 mov word ptr [eax +2], cx 
77c4d555 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d555 8b86a4000000 mov eax, dword ptr [esi +0 A4h] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0xd0: RPCRT4! LRPC_SCALL:: SendRequest +0 xd0: 
77c4d55b f6401d08        test    byte ptr [eax+1Dh],8 77c4d55b f6401d08 test byte ptr [eax +1 Dh], 8 
77c4d55f 0f856c2f0100    jne     RPCRT4!LRPC_SCALL::SendRequest+0xd6 (77c604d1) 77c4d55f 0f856c2f0100 jne RPCRT4! 
LRPC_SCALL:: SendRequest +0 xd6 (77c604d1) 
77c4d565 c6401802        mov     byte ptr [eax+18h],2 77c4d565 c6401802 mov byte ptr [eax +18 h], 2 
77c4d569 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d569 8b86a4000000 mov eax, dword ptr [esi +0 A4h] 
77c4d56f 8b4f0c          mov     ecx,dword ptr [edi+0Ch] 77c4d56f 8b4f0c mov ecx, dword ptr [edi +0 Ch] 
77c4d572 894840          mov     dword ptr [eax+40h],ecx 77c4d572 894840 mov dword ptr [eax +40 h], ecx 
77c4d575 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d575 8b86a4000000 mov eax, dword ptr [esi +0 A4h] 
77c4d57b 8b8eb0000000    mov     ecx,dword ptr [esi+0B0h] 77c4d57b 8b8eb0000000 mov ecx, dword ptr [esi +0 B0h] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0xf8: RPCRT4! LRPC_SCALL:: SendRequest +0 xf8: 
77c4d581 894834          mov     dword ptr [eax+34h],ecx 77c4d581 894834 mov dword ptr [eax +34 h], ecx 
77c4d584 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d584 8b86a4000000 mov eax, dword ptr [esi +0 A4h] 
77c4d58a c6401900        mov     byte ptr [eax+19h],0 77c4d58a c6401900 mov byte ptr [eax +19 h], 0 
77c4d58e 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d58e 8b86a4000000 mov eax, dword ptr [esi +0 A4h] 
77c4d594 80480540        or      byte ptr [eax+5],40h 77c4d594 80480540 or byte ptr [eax +5], 40h 
77c4d598 8d85fcfeffff    lea     eax,[ebp-104h] 77c4d598 8d85fcfeffff lea eax, [ebp-104h] 
77c4d59e 50              push    eax 77c4d59e 50 push eax 
77c4d59f ffb6a4000000    push    dword ptr [esi+0A4h] 77c4d59f ffb6a4000000 push dword ptr [esi +0 A4h] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x11c: RPCRT4! LRPC_SCALL:: SendRequest +0 x11c: 
77c4d5a5 8b869c000000    mov     eax,dword ptr [esi+9Ch] 77c4d5a5 8b869c000000 mov eax, dword ptr [esi +9 Ch] 
77c4d5ab ff7024          push    dword ptr [eax+24h] 77c4d5ab ff7024 push dword ptr [eax +24 h] 
77c4d5ae ff15b410c277    call    dword ptr [RPCRT4!_imp__NtRequestWaitReplyPort 77c4d5ae ff15b410c277 call dword ptr 
[RPCRT4! _imp__NtRequestWaitReplyPort 
(77c210b4)] (77c210b4)] 
77c4d5b4 8bc8            mov     ecx,eax 77c4d5b4 8bc8 mov ecx, eax 
77c4d5b6 b8000000c0      mov     eax,0C0000000h 77c4d5b6 b8000000c0 mov eax, 0C0000000h 
77c4d5bb 23c8            and     ecx,eax 77c4d5bb 23c8 and ecx, eax 
77c4d5bd 3bc8            cmp     ecx,eax 77c4d5bd 3bc8 cmp ecx, eax 
77c4d5bf 0f84152f0100    je      RPCRT4!LRPC_SCALL::SendRequest+0x138 (77c604da) 77c4d5bf 0f84152f0100 je RPCRT4! 
LRPC_SCALL:: SendRequest +0 x138 (77c604da) 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x16d: RPCRT4! LRPC_SCALL:: SendRequest +0 x16d: 
77c4d5c5 855f28          test    dword ptr [edi+28h],ebx 77c4d5c5 855f28 test dword ptr [edi +28 h], ebx 
77c4d5c8 751f            jne     RPCRT4!LRPC_SCALL::SendRequest+0x191 (77c4d5e9) 77c4d5c8 751f jne RPCRT4! LRPC_SCALL:: 
SendRequest +0 x191 (77c4d5e9) 
77c4d5ca 8b86a4000000    mov     eax,dword ptr [esi+0A4h] 77c4d5ca 8b86a4000000 mov eax, dword ptr [esi +0 A4h] 
77c4d5d0 8a4018          mov     al,byte ptr [eax+18h] 77c4d5d0 8a4018 mov al, byte ptr [eax +18 h] 
77c4d5d3 3c10            cmp     al,10h 77c4d5d3 3c10 cmp al, 10h 
77c4d5d5 7412            je      RPCRT4!LRPC_SCALL::SendRequest+0x191 (77c4d5e9) 77c4d5d5 7412 je RPCRT4! LRPC_SCALL:: 
SendRequest +0 x191 (77c4d5e9) 
77c4d5d7 3c04            cmp     al,4 77c4d5d7 3c04 cmp al, 4 
77c4d5d9 740e            je      RPCRT4!LRPC_SCALL::SendRequest+0x191 (77c4d5e9) 77c4d5d9 740e je RPCRT4! LRPC_SCALL:: 
SendRequest +0 x191 (77c4d5e9) 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x183: RPCRT4! LRPC_SCALL:: SendRequest +0 x183: 
77c4d5db 8b4708          mov     eax,dword ptr [edi+8] 77c4d5db 8b4708 mov eax, dword ptr [edi +8] 
77c4d5de 85c0            test    eax,eax 77c4d5de 85c0 test eax, eax 
77c4d5e0 7407            je      RPCRT4!LRPC_SCALL::SendRequest+0x191 (77c4d5e9) 77c4d5e0 7407 je RPCRT4! LRPC_SCALL:: 
SendRequest +0 x191 (77c4d5e9) 
77c4d5e2 50              push    eax 77c4d5e2 50 push eax 
77c4d5e3 e80da40000      call    RPCRT4!operator delete (77c579f5) 77c4d5e3 e80da40000 call RPCRT4! Operator delete 
(77c579f5) 
77c4d5e8 59              pop     ecx 77c4d5e8 59 pop ecx 
77c4d5e9 80bd14ffffff06 cmp     byte ptr [ebp-0ECh],6 77c4d5e9 80bd14ffffff06 cmp byte ptr [ebp-0ECh], 6 
77c4d5f0 0f85f60e0000    jne     RPCRT4!LRPC_SCALL::SendRequest+0x1d0 (77c4e4ec) 77c4d5f0 0f85f60e0000 jne RPCRT4! 
LRPC_SCALL:: SendRequest +0 x1d0 (77c4e4ec) 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x19a: RPCRT4! LRPC_SCALL:: SendRequest +0 x19a: 
77c4d5f6 0fbf8516ffffff movsx   eax,word ptr [ebp-0EAh] 77c4d5f6 0fbf8516ffffff movsx eax, word ptr [ebp-0EAh] 
77c4d5fd 8b8df0feffff    mov     ecx,dword ptr [ebp-110h] 77c4d5fd 8b8df0feffff mov ecx, dword ptr [ebp-110h] 
77c4d603 8901            mov     dword ptr [ecx],eax 77c4d603 8901 mov dword ptr [ecx], eax 
77c4d605 8bb5f8feffff    mov     esi,dword ptr [ebp-108h] 77c4d605 8bb5f8feffff mov esi, dword ptr [ebp-108h] 
77c4d60b 85f6            test    esi,esi 77c4d60b 85f6 test esi, esi 
77c4d60d 0f85ed2e0100    jne     RPCRT4!LRPC_SCALL::SendRequest+0x1b3 (77c60500) 77c4d60d 0f85ed2e0100 jne RPCRT4! 
LRPC_SCALL:: SendRequest +0 x1b3 (77c60500) 
77c4d613 33c0            xor     eax,eax 77c4d613 33c0 xor eax, eax 
77c4d615 8b4dfc          mov     ecx,dword ptr [ebp-4] 77c4d615 8b4dfc mov ecx, dword ptr [ebp-4] 
0:014> u 0:014> u 
RPCRT4!LRPC_SCALL::SendRequest+0x214: RPCRT4! LRPC_SCALL:: SendRequest +0 x214: 
77c4d618 5f              pop     edi 77c4d618 5f pop edi 
77c4d619 5e              pop     esi 77c4d619 5e pop esi 
77c4d61a 5b              pop     ebx 77c4d61a 5b pop ebx 
77c4d61b e810110000      call    RPCRT4!__security_check_cookie (77c4e730) 77c4d61b e810110000 call RPCRT4! 
__security_check_cookie (77c4e730) 
77c4d620 c9              leave 77c4d620 c9 leave 
77c4d621 c20800          ret     8 77c4d621 c20800 ret 8 
77c4d624 90              nop 77c4d624 90 nop 
77c4d625 90              nop 77c4d625 90 nop 




 
http://hi.baidu.com/yuange1975/blog/item/022dec5901af02272834f0fc.html
 
                                          
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
  • 0day analysis of the challenges 2 yuange (Oct 11)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault