MS08067补丁前后比较分析结果

MS08-067: Server 服务中的漏洞可能允许远程代码执行
http://www.microsoft.com/china/technet/security/bulletin/MS08-067.mspx
这条更新为重要,可以说与当年的冲击波类似。上午我对补丁前后分析,定位到微软修改过的函数结果如下:

发生缓冲区溢出的函数:
/*
 * Hex-Rays pseudo-C of the Server-service path-building routine the author
 * compared before/after the MS08-067 patch.  This is decompiler output, not
 * compilable C: '\' is the decompiler's rendering of the backslash wide char,
 * and the _WORD/LOWORD/__stdcall names come from the decompiler's headers.
 * A reader comment on the page names this function CanonicalizePathName.
 *
 * Builds a1 + separator + a2 in the local stack buffer v18, normalises '/'
 * to '\', hands the result to sub_5FDD9F7A / sub_5FDDA26B, and copies it
 * into the caller's buffer a3 when a4 bytes suffice.
 *
 * a1: optional prefix path (wide string; NULL or empty means "no prefix")
 * a2: path to append (wide string)
 * a3: caller's output buffer (wide string)
 * a4: size of a3 in bytes (compared as unsigned, see below)
 * a5: optional out-pointer that receives the required byte size when a4 is
 *     too small
 * Returns 0 on success, 123 when an input is rejected, 2123 when a4 is too
 * small (presumably ERROR_INVALID_NAME / NERR_BufTooSmall; not verifiable
 * from this page).
 */
signed int __stdcall sub_5FDDA180(int a1, wchar_t *a2, int a3, int a4, int a5)
{
  wchar_t *v5; // ebx@1
  size_t v6; // edi@1
  int v7; // esi@1
  int v8; // edi@3
  signed int result; // eax@4
  wchar_t *v10; // eax@5
  unsigned int v11; // eax@10
  size_t v12; // eax@14
  __int16 v13; // ax@16
  size_t v14; // eax@3
  int v15; // [sp+428h] [bp-4h]@1
  wchar_t *v16; // [sp+10h] [bp-41Ch]@1
  int v17; // [sp+Ch] [bp-420h]@1
  wchar_t v18; // [sp+14h] [bp-418h]@2  -- first wchar of the local path buffer

  v5 = a2;
  v15 = dword_5FE1E18C;  // global loaded into [bp-4h]; presumably the /GS cookie, not confirmed on this page
  v7 = a1;
  v16 = (wchar_t *)a3;
  v6 = 0;                // wide-char length of what has been placed in v18 so far
  v17 = a5;
  if ( a1 && *(_WORD *)a1 )
  {
    v12 = wcslen((const wchar_t *)a1);
    v6 = v12;
    if ( v12 )
    {
      if ( v12 > 0x208 )  // prefix longer than 0x208 wide chars is rejected before the copy below
        return 123;
      wcscpy(&v18, (const wchar_t *)v7);  // prefix into the local buffer; bounded only by the check above
      v13 = LOWORD((&v16)[v6 + 1]);       // decompiler artifact: indexes v18 through v16's stack slot; presumably reads the last wide char of the prefix -- TODO confirm against the disassembly
      if ( v13 != '\' )
      {
        if ( v13 != '/' )
        {
          wcscat(&v18, &word_5FDECBD4);   // word_5FDECBD4 is not shown; v6 grows by one, so presumably a one-char separator string
          ++v6;
        }
      }
      if ( *v5 == '\' || *v5 == '/' )    // drop a leading separator on a2 so only one separator joins the parts
        ++v5;
    }
  }
  else
  {
    v18 = 0;  // no prefix: start from the empty string
  }
  v14 = wcslen(v5);
  v8 = v14 + v6;          // total wide-char length of prefix + separator + a2
  if ( v8 < v14 )         // wrap-around check on the sum
    return 123;
  if ( (unsigned int)v8 > 0x207 )  // the combined length (i.e. wchar_t *a2 plus the prefix) may not exceed 0x207 wide chars, so wcscat below stays inside v18
    return 123;
  wcscat(&v18, v5);
  v10 = &v18;
  if ( v18 )
  {
    do  // rewrite every '/' as '\' in place
    {
      if ( *v10 == '/' )
        *v10 = '\';
      ++v10;
    }
    while ( *v10 );
  }
  if ( !sub_5FDD9F7A(&v18) && !sub_5FDDA26B((int)&v18) )  // sub_5FDDA26B is the function the author says the patch modified; the path is rejected only if both calls return 0
    return 123;
  v11 = 2 * wcslen(&v18) + 2;  // byte size of the result including the terminating NUL
  if ( v11 > a4 )              // a4 is promoted to unsigned here, so a negative a4 never passes
  {
    if ( v17 )
      *(_DWORD *)v17 = v11;    // tell the caller how many bytes are needed
    result = 2123;
  }
  else
  {
    wcscpy(v16, &v18);  // marked by the author as the overflow point; note this copy is gated by the a4 check above -- the wcscpy calls that have no length check are the ones inside sub_5FDDA26B
    result = 0;
  }
  return result;
}


被修改的函数:
//----- (5FDDA26B) --------------------------------------------------------
//----- (5FDDA26B) --------------------------------------------------------
/*
 * Hex-Rays pseudo-C of the path canonicalisation helper that the author
 * identifies as the function changed by the MS08-067 patch.  Only this
 * (post-patch) listing is on the page; the pre-patch body is not shown, so
 * the exact fix cannot be pointed at from here.  '\' is the decompiler's
 * rendering of the backslash wide char.
 *
 * Walks the wide string at a1 in place, dropping "." components and
 * collapsing "<component>\..\" by copying the tail leftwards over the
 * preceding component.  There is no length parameter: the function trusts
 * that a1 is a NUL-terminated string inside a buffer it may shrink in place.
 *
 * a1: pointer to a NUL-terminated wide string; rewritten in place.
 * Returns 1 when the path is accepted (possibly rewritten), 0 when rejected
 * (doubled separators, a ".." with no component before it, malformed
 * leading "\\" prefix).
 *
 * Locals as far as the code shows: v5 is the scan pointer, v3 the position
 * of the most recent separator (0 before the first one), v4 the separator
 * before that (0 if none), v16 carries the separator position into v3.
 */
signed int __stdcall sub_5FDDA26B(int a1)
{
  wchar_t v1; // ax@1
  int v2; // ecx@1
  int v3; // ebx@1
  int v4; // edi@1
  int v5; // esi@3
  int v6; // eax@10
  __int16 v7; // dx@10
  __int16 v8; // bx@11
  __int16 v10; // dx@17
  int v11; // ecx@18
  __int16 v12; // ax@19
  int v13; // eax@34
  wchar_t *v14; // ecx@41
  char v15; // zf@1
  int v16; // [sp+Ch] [bp-4h]@1

  v2 = a1;
  v1 = *(_WORD *)a1;
  v3 = 0;
  v4 = 0;
  v15 = *(_WORD *)a1 == '\';
  v16 = 0;
  if ( v15 || v1 == '/' )
  {
    v10 = *(_WORD *)(a1 + 2);
    if ( v10 == '\' || v10 == '/' )  // path starts with "\\" or "//": skip the first component after it
    {
      v11 = a1 + 4;
      while ( 1 )  // advance to the next separator; a string that ends first is rejected
      {
        v12 = *(_WORD *)v11;
        if ( *(_WORD *)v11 == '\' )
          break;
        if ( v12 == '/' )
          break;
        if ( !v12 )
          return 0;
        v11 += 2;
      }
      // reject if nothing follows the separator or the next char is another separator;
      // otherwise a1 (and v2) are moved past the prefix, so every later "start of buffer" test uses this new start
      if ( !*(_WORD *)v11 || (v2 = v11 + 2, v1 = *(_WORD *)v2, a1 = v2, v1 == '\') || v1 == '/' )
        return 0;
    }
  }
  v5 = v2;
  if ( !v1 )  // empty path is accepted as-is
    return 1;
  while ( 1 )
  {
    if ( v1 == '\' )
    {
      if ( v3 == v5 - 2 )  // two consecutive separators
        return 0;
      v4 = v3;   // previous separator
      v16 = v5;  // current separator, becomes v3 at LABEL_7
      goto LABEL_6;
    }
    // only a '.' that directly follows a separator (or starts the path) is a dot component
    if ( v1 != 46 || v3 != v5 - 2 && v5 != v2 )
      goto LABEL_6;
    v6 = v5 + 2;
    v7 = *(_WORD *)(v5 + 2);
    if ( v7 == 46 )  // ".."
    {
      v8 = *(_WORD *)(v5 + 4);
      if ( v8 == '\' || !v8 )  // "..\" or trailing ".."
      {
        if ( !v4 )  // no component to back over
          return 0;
        wcscpy((wchar_t *)v4, (const wchar_t *)(v5 + 4)); // author's note: may overflow. Leftward in-place copy from v5 + 4 to v4 in the same buffer (overlapping, formally undefined for wcscpy); it shrinks the string, so the real hazard is v4 pointing outside the buffer -- the backward walk below is what has to keep v4 in bounds
        if ( !v8 )
          return 1;
        v16 = v4;
        v5 = v4;
        v13 = v4 - 2;
        // walk back to the separator before v4, stopping at a1 (which may have been advanced past a "\\" prefix above)
        while ( *(_WORD *)v13 != '\' && v13 != a1 )
          v13 -= 2;
        v2 = a1;
        v4 = v13 & -(*(_WORD *)v13 == '\');  // branchless: v13 if it points at a separator, else 0
      }
      goto LABEL_6;
    }
    if ( v7 != '\' )
      break;
    // ".\": remove the dot component, either over the preceding separator (v3) or at the path start (v5)
    if ( v3 )
    {
      v14 = (wchar_t *)v3;
    }
    else
    {
      v6 = v5 + 4;
      v14 = (wchar_t *)v5;
    }
   wcscpy(v14, (const wchar_t *)v6);// author's note: may overflow. Same in-place leftward copy as above, unbounded by any length
    v2 = a1;
LABEL_7:
    v1 = *(_WORD *)v5;
    if ( !*(_WORD *)v5 )
      return 1;
    v3 = v16;
  }
  if ( v7 )  // "." followed by an ordinary char (e.g. ".foo"): not a dot component, keep scanning
  {
LABEL_6:
    v5 += 2;
    goto LABEL_7;
  }
  // path ends in "." : truncate at the preceding separator, or at the dot itself if there is none
  if ( v3 )
    v5 = v3;
  *(_WORD *)v5 = 0;
  return 1;
}


回复回复Ashleigh[2018-03-12 02:27 AM | del]
say thanks to so much for your web site it aids a lot.
回复回复flientking[2008-10-26 08:33 PM | del]
微软看了也要冒一身冷汗!
回复回复netxeyes[2008-10-26 08:23 PM | del]
速度真快!看来friddy大大已经写出Exploit了!私下里交流我吧!
回复回复偶的有符号咯[2008-10-24 05:03 PM | del]
signed int __stdcall CanonicalizePathName(int a1, wchar_t *a2, int a3, int a4, int a5)

我的有符号咯~~
回复回复sunwear[2008-10-24 12:46 AM | del]
F5?