MS12-054 の解析 その3
MS12-054 の解析と Windows 2000用セキュリティ更新プログラム
魔改造版 Windows 2000 の netapi32.dll での障害について
というわけで解析しなおしました
;-----------------------------------------------------------------------
; "Old code 1": fragment of a netapi32.dll routine from the pre-MS12-054
; build. The function entry and most of its body lie outside this
; listing, so the roles below are read from this fragment alone.
; x86-32, Intel syntax. msvcrt calls are cdecl (caller pops the args).
;   [ebp-30h]     = table base        [ebp-38h] = size of one table entry
;   edi           = 1-based entry index
;   [ebp-24h]     = local wide-char buffer (size not visible here; the
;                   fixed build limits the copy to 15 wchars + NUL)
;   [ebp-34h]+esi = running total compared against the limit [ebp+18h]
;   [ebp-28h]     = status; 0EAh = 234 = ERROR_MORE_DATA
; Flagged site: the wcscpy copies a string taken from the table into the
; fixed stack buffer with no length bound - only the source length decides
; how many bytes are written. The fixed build (next listing) switches to
; wcsncpy(...,0Fh) and stores the terminator explicitly.
; The ";****" marker is the original author's.
;-----------------------------------------------------------------------
L592671E1:
        mov     ecx,[ebp-30h]                   ; ecx = table base
        lea     eax,[edi-01h]                   ; eax = index - 1
        imul    eax,[ebp-38h]                   ; eax = (index-1) * entry size
        push    [eax+ecx+04h]                   ; src = pointer stored at entry+4
        lea     eax,[ebp-24h]
        push    eax                             ; dst = stack buffer
        call    [msvcrt.dll!wcscpy]             ; unbounded copy (flagged site)
        mov     eax,[ebp-34h]
        add     eax,esi         ;**************************************
        cmp     eax,[ebp+18h]                   ; running total vs caller-supplied limit
        pop     ecx                             ; cdecl cleanup of the two wcscpy args
        pop     ecx                             ; (pop/pop/mov leave the cmp flags intact)
        mov     byte ptr [ebp-44h],01h          ; byte flag set on this path (meaning not shown here)
        jc      L5925B838                       ; total < limit (unsigned) -> continue; target outside listing
        mov     dword ptr [ebp-28h],000000EAh   ; otherwise status = ERROR_MORE_DATA
L59267214:
        cmp     [ebp-28h],ebx                   ; ebx presumably 0 (zero register) - TODO confirm from the full function
        jnz     L592657ED                       ; status != 0 -> exit path outside listing
        jmp     L5925B8BC
旧コード1
;-----------------------------------------------------------------------
; Fixed build of the fragment above (same routine, MS12-054 update).
; x86-32, Intel syntax; msvcrt calls are cdecl.
; Same roles as the old build: [ebp-30h] table base, [ebp-38h] entry
; size, edi 1-based index, [ebp-24h] local buffer, [ebp-28h] status
; (0EAh = ERROR_MORE_DATA).
; What changed:
;   * wcscpy -> wcsncpy with n = 0Fh (15 wchars), so at most 30 bytes
;     land in [ebp-24h] (ebp-24h .. ebp-07h);
;   * an explicit terminator is stored at [ebp-06h] = [ebp-24h] + 15*2,
;     because wcsncpy does not terminate when the source has >= n chars;
;   * the two "pop ecx" become "add esp,0Ch" (three args now).
;-----------------------------------------------------------------------
L5926711A:
        mov     ecx,[ebp-30h]                   ; ecx = table base
        lea     eax,[edi-01h]                   ; eax = index - 1
        imul    eax,[ebp-38h]                   ; eax = (index-1) * entry size
        push    0000000Fh                       ; n = 15 wchars
        push    [eax+ecx+04h]                   ; src = pointer stored at entry+4
        lea     eax,[ebp-24h]
        push    eax                             ; dst = stack buffer
        call    [msvcrt.dll!wcsncpy]            ; bounded copy: at most 15 wchars
        mov     eax,[ebp-34h]
        add     eax,esi
        add     esp,0000000Ch                   ; cdecl cleanup of the three args
        cmp     eax,[ebp+18h]                   ; running total vs caller-supplied limit
        mov     [ebp-06h],bx                    ; terminator at wchar index 15; bx presumably 0 - TODO confirm (mov keeps the cmp flags)
        mov     byte ptr [ebp-44h],01h          ; byte flag set on this path (meaning not shown here)
        jc      L5925BB3B                       ; total < limit (unsigned) -> continue; target outside listing
        mov     dword ptr [ebp-28h],000000EAh   ; otherwise status = ERROR_MORE_DATA
L59267154:
        cmp     [ebp-28h],ebx                   ; ebx presumably 0 - TODO confirm
        jnz     L5925D63D
        jmp     L5925BBBF
修正版
;-----------------------------------------------------------------------
; "Old code 2": RxRemoteApi, pre-MS12-054 build. The listing is cut
; after the last jnz; the function continues beyond it.
; x86-32, Intel syntax; hot-patchable prologue (mov edi,edi).
; Frame: 198h bytes of locals. [ebp-04h] receives the global at
; L5929F18C - this looks like the /GS stack-cookie pattern, confirm that
; L5929F18C is the cookie. The 168h-byte buffer at [ebp-16Ch] ends
; exactly at [ebp-04h].
; Arguments touched here: [ebp+08h] api number (must fit the
; zero-extended width), [ebp+0Ch] UNC server name, [ebp+10h] and
; [ebp+14h]..[ebp+28h] descriptor pointers, [ebp+2Ch] flags (bit 31 and
; bit 0 are tested), [ebp+30h]/[ebp+34h] used as a varargs base. These
; offsets are consistent with the documented RxRemoteApi(ApiNumber,
; UncServerName, ParmDesc, DataDesc16/32/SMB, AuxDesc16/32/SMB,
; Flags, ...) layout, but that mapping is inferred - confirm.
; Register roles: edi = 0 throughout (zero register, also the "success"
; value every call result is compared with); esi = 168h = buffer size;
; ebx = result of SUB_L59258FB7.
; None of the four helpers has a caller-side stack cleanup after it, so
; they are presumably stdcall.
; The two lone ";" markers are the original author's: the fixed build
; (next listing) inserts "push ebx" and "xor ebx,ebx" at those points.
;-----------------------------------------------------------------------
RxRemoteApi:
        mov     edi,edi                         ; hot-patch point
        push    ebp
        mov     ebp,esp
        sub     esp,00000198h                   ; locals
        mov     eax,[L5929F18C]
        mov     [ebp-04h],eax                   ; guard value below the saved ebp
        movzx   eax,[ebp+08h]                   ; zero-extend the low part of the api number (operand size not shown by this disassembler)
        ;
        push    edi
        xor     edi,edi                         ; edi = 0 for the rest of the listing
        ;
        cmp     eax,[ebp+08h]                   ; upper bits set in the api number -> reject
        mov     [ebp-00000190h],edi
        jnz     L592676BC                       ; error exit, outside listing
        push    [ebp+0Ch]
        call    NetpIsUncComputerNameValid      ; validate the server-name argument first
        test    eax,eax
        jz      L592676C4                       ; invalid name -> exit, outside listing
        push    esi                             ; save callee-saved esi
        lea     eax,[ebp-0000016Ch]
        mov     [ebp-00000184h],eax             ; [ebp-184h] = &buf
        lea     eax,[ebp-00000194h]
        push    eax
        push    edi                             ; 0
        lea     eax,[ebp-00000178h]
        push    eax
        lea     eax,[ebp-00000184h]
        push    eax
        push    [ebp+1Ch]
        mov     esi,00000168h                   ; esi = sizeof buf (360 bytes)
        push    [ebp+10h]
        lea     eax,[ebp-0000016Ch]
        push    [ebp+08h]
        mov     [ebp-00000174h],edi             ; zero the out-params before the call
        push    esi
        push    eax
        mov     [ebp-00000188h],edi
        mov     [ebp-00000178h],edi
        mov     dword ptr [ebp-0000018Ch],00000004h
        call    SUB_L5925C8C7                   ; 9 args: (&buf, 168h, api, [ebp+10h], [ebp+1Ch], &[ebp-184h], &[ebp-178h], 0, &[ebp-194h])
        cmp     eax,edi
        jnz     L5925BD73                       ; nonzero status -> exit path
        test    byte ptr [ebp+2Fh],80h          ; bit 31 of the flags dword at [ebp+2Ch]
        lea     eax,[ebp+30h]
        mov     [ebp-00000170h],eax             ; default: varargs base = [ebp+30h]
        jz      L5925BC2B
        lea     eax,[ebp+34h]
        mov     [ebp-00000170h],eax             ; bit 31 set: [ebp+30h] is consumed here, varargs base = [ebp+34h]
        mov     eax,[ebp+30h]
        mov     [ebp-00000190h],eax
L5925BC2B:
        push    [ebp+2Ch]                       ; flags
        lea     eax,[ebp-00000188h]
        push    eax
        lea     eax,[ebp-00000174h]
        push    eax
        lea     eax,[ebp-0000017Ch]
        push    eax
        lea     eax,[ebp-00000198h]
        push    eax
        lea     eax,[ebp-00000170h]
        push    eax                             ; &varargs base
        lea     eax,[ebp-00000184h]
        push    eax
        lea     eax,[ebp-00000178h]
        push    eax
        lea     eax,[ebp-0000018Ch]
        push    eax
        push    esi                             ; 168h, twice
        push    esi
        push    [ebp+28h]
        push    [ebp+24h]
        push    [ebp+20h]
        push    [ebp+1Ch]
        push    [ebp+18h]
        push    [ebp+14h]
        push    [ebp-00000194h]
        call    SUB_L5925CADB                   ; 18 args: descriptors, sizes and out-params
        cmp     eax,edi
        mov     [ebp-00000170h],edi
        jnz     L5925BD73                       ; nonzero status -> exit path
        mov     eax,[ebp-00000174h]             ; out-param filled by SUB_L5925CADB
        cmp     eax,edi
        push    ebx                             ; save callee-saved ebx (push keeps the flags)
        jz      L5925BD7F
        push    eax
        mov     [ebp-00000180h],eax
        call    SUB_L59258FB7                   ; 1 arg
        mov     ebx,eax
        cmp     ebx,edi
        jz      L592676CE                       ; 0 -> failure path, outside listing
L5925BCB8:
        mov     eax,[ebp+2Ch]
        and     eax,00000001h                   ; bit 0 of flags
        push    eax
        lea     eax,[ebp-00000180h]
        push    eax
        push    ebx
        push    [ebp-0000018Ch]
        lea     eax,[ebp-0000016Ch]
        push    eax                             ; &buf
        push    [ebp-00000198h]
        push    [ebp-0000017Ch]
        push    [ebp-00000178h]
        push    eax                             ; &buf again
        push    [ebp-00000190h]
        push    [ebp+0Ch]                       ; server name
        call    SUB_L5925BD91                   ; 11 args
        mov     esi,eax
        cmp     esi,edi
        jnz     L592676D6                       ; nonzero status -> error path; function continues past this listing
旧コード2
;-----------------------------------------------------------------------
; Fixed build of RxRemoteApi, prologue only (the listing stops after the
; first branch; the two trailing labels are empty).
; x86-32, Intel syntax; hot-patchable prologue.
; Difference from the old build above: ebx is saved and zeroed up front
; ("push ebx" / "xor ebx,ebx"), and the api-number check now branches to
; L592675FC; the [ebp-190h] store of the old build is no longer in this
; prologue. Everything else up to the cmp is identical.
;-----------------------------------------------------------------------
RxRemoteApi:
        mov     edi,edi                         ; hot-patch point
        push    ebp
        mov     ebp,esp
        sub     esp,00000198h                   ; locals
        mov     eax,[L5929F18C]
        mov     [ebp-04h],eax                   ; guard value below the saved ebp (cookie pattern - confirm L5929F18C)
        movzx   eax,[ebp+08h]                   ; zero-extend the low part of the api number
        push    ebx                             ; new: save callee-saved ebx here
        push    edi
        xor     edi,edi                         ; edi = 0
        xor     ebx,ebx                         ; new: ebx = 0
        cmp     eax,[ebp+08h]                   ; upper bits set in the api number -> reject
        jnz     L592675FC                       ; error exit, outside listing
L5926C893_:
L5926C873:
修正版
;-----------------------------------------------------------------------
; "Old code 3": SUB_L5925A51B, pre-MS12-054 build.
;   stdcall, one arg: [ebp+08h] = wide path; returns 1 on the exits shown.
; Walks the path in place and collapses "prev\..\rest" into "\rest".
; x86-32, Intel syntax. 5Ch = '\', 2Fh = '/', 2Eh = '.'.
; Register / local roles:
;   esi       = cursor (advances 2 bytes per wchar), ax = *esi
;   [ebp-04h] = position of the separator that starts the current component
;   ebx       = [ebp-04h] as reloaded at the top of each iteration
;   edi       = position of the separator that starts the PREVIOUS
;               component (0 = none yet)
; Flagged site: the in-place wcscpy at L5925A599. src lies after dst, so
; the forward copy itself is fine, but nothing bounds the move to the
; string the caller supplied. The fixed build (next listing) computes the
; end pointer up front, rejects a dst at/after it, and moves an explicit
; wchar count.
; Targets not present in this listing (L5925D83D, L59261ABB, L59268AE1)
; and the bodies behind the two trailing labels are outside the fragment.
;-----------------------------------------------------------------------
SUB_L5925A51B:
        mov     edi,edi                         ; hot-patch point
        push    ebp
        mov     ebp,esp
        push    ecx                             ; one local: [ebp-04h]
        mov     ecx,[ebp+08h]                   ; ecx = path
        mov     ax,[ecx]                        ; ax = path[0]
        push    ebx
        push    esi
        push    edi
        xor     ebx,ebx
        xor     edi,edi                         ; no previous component yet
        cmp     ax,005Ch
        push    0000002Fh
        mov     [ebp-04h],ebx                   ; marker = 0
        pop     esi                             ; esi = '/' (temporarily)
        jz      L5925D83D                       ; leading '\' handled outside the listing
        cmp     ax,si
        jz      L5925D83D                       ; leading '/' likewise
L5925A547:
        test    ax,ax
        mov     esi,ecx                         ; cursor = path
        jz      L5925A5B4                       ; empty string -> return 1
L5925A54E:
        cmp     ax,005Ch
        jz      L59261A8F                       ; separator
        cmp     ax,002Eh
        jz      L5925A56D                       ; '.': maybe a ".." component
L5925A55E:
        inc     esi                             ; next wchar
        inc     esi
L5925A560:
        mov     ax,[esi]
        test    ax,ax
        jz      L5925A5B4                       ; end of string -> return 1
        mov     ebx,[ebp-04h]                   ; reload the current marker
        jmp     L5925A54E
L5925A56D:
        lea     eax,[esi-02h]
        cmp     ebx,eax                         ; is this '.' the first char of its component?
        jnz     L59261AAE                       ; no -> label at the end of the listing (body not shown)
L5925A578:
        lea     eax,[esi+02h]
        mov     dx,[eax]
        cmp     dx,002Eh                        ; second '.'?
        jnz     L59268AFF                       ; no -> label at the end of the listing (body not shown)
        lea     eax,[esi+04h]                   ; eax = text after ".."
        mov     bx,[eax]
        cmp     bx,005Ch
        jz      L5925A599                       ; "..\" -> collapse
        test    bx,bx
        jnz     L5925A55E                       ; "..x": ordinary name, keep scanning
L5925A599:
        test    edi,edi
        jz      L59261ABB                       ; ".." with no previous component -> outside listing
        push    eax                             ; src = separator (or NUL) after ".."
        push    edi                             ; dst = separator before the previous component
        call    [msvcrt.dll!wcscpy]             ; "\prev\..\rest" -> "\rest"; no length bound (flagged site)
        test    bx,bx                           ; char after ".." (relies on ebx being callee-saved)
        pop     ecx                             ; cdecl cleanup (pop keeps the flags)
        pop     ecx
        jnz     L59268AD0                       ; text follows -> rescan from the collapsed position
L5925A5B4:
        xor     eax,eax
        inc     eax                             ; return 1
L5925A5B7:
        pop     edi
        pop     esi
        pop     ebx
        leave
        retn    0004h                           ; stdcall: pop the one arg
L59268AD0:
        mov     [ebp-04h],edi                   ; marker = where the tail now starts
        mov     esi,edi
        lea     eax,[edi-02h]
        jmp     L59268AE1                       ; outside the listing
L59261A8F:
        lea     eax,[esi-02h]
        cmp     ebx,eax                         ; separator directly after the current marker?
        jz      L59261ABB                       ; yes (also when no marker is set yet and the separator is at index 1) -> outside listing
        mov     edi,ebx                         ; previous marker <- current marker
        mov     [ebp-04h],esi                   ; current marker <- this separator
        jmp     L5925A55E
L59261AAE:
L59268AFF:
旧コード3
;-----------------------------------------------------------------------
; Fixed build of the path-collapse routine (the author notes that almost
; all of it changed). The listing is a fragment: L5925A561, L5925A591,
; L5925A595, L5925A54F, L5925A583 and the bodies behind the six trailing
; labels are outside it. Note the string pointer is taken from eax
; (mov esi,eax), not from [ebp+08h] as in the old build - the calling
; convention of this entry is not visible here, confirm before relying
; on it.
; x86-32, Intel syntax. 5Ch = '\', 2Fh = '/'.
; Locals:
;   [ebp-04h] = marker (as in the old build)
;   [ebp-08h] = end pointer = s + 2*wcslen(s) + 2 (one past the NUL)
;   [ebp-0Ch] = wchar following a ".." component
; Registers: esi = cursor; edi = '\' during the prefix scan, then the
; start of the component being scanned; ebx = separator before the
; previous component; edx = '/'.
; What changed for MS12-054 versus the unbounded wcscpy:
;   * the string end is computed once and kept in [ebp-08h];
;   * a collapse whose dst is at/after that end is rejected
;     (cmp ebx,[ebp-08h] / jnc L5925A591);
;   * the tail is moved by SUB_L592810BD with an explicit wchar count
;     (end - dst) / 2 instead of copying until a NUL is found.
; SUB_L592810BD itself is not shown; nothing is popped after the call,
; so it is presumably stdcall.
;-----------------------------------------------------------------------
SUB_L5925A51A:
        mov     edi,edi                         ; hot-patch point
        push    ebp
        mov     ebp,esp
        sub     esp,0000000Ch                   ; three locals
        push    ebx
        push    esi
        mov     esi,eax                         ; esi = s (arrives in eax at this entry)
        push    edi
        push    esi
        call    [msvcrt.dll!wcslen]             ; eax = wcslen(s)
        jmp     L59268A3C                       ; jump to the very next instruction (patch artefact)
L59268A3C:
        pop     ecx                             ; cdecl cleanup
        push    0000002Fh
        pop     edx                             ; edx = '/'
        lea     eax,[esi+eax*2+02h]             ; eax = s + 2*len + 2 = one past the terminator
        push    0000005Ch
        mov     [ebp-08h],eax                   ; end pointer: bounds every in-place move below
        mov     ax,[esi]                        ; ax = s[0]
        xor     ebx,ebx
        pop     edi                             ; edi = '\'
        cmp     ax,di
        mov     [ebp-04h],ebx                   ; marker = 0
        jz      L59268A5C
        cmp     ax,dx
        jnz     L59268AAD                       ; no leading separator: first component starts at s
L59268A5C:
        mov     cx,[esi+02h]
        cmp     cx,di
        jz      L59268A6A
        cmp     cx,dx
        jnz     L59268AAD                       ; single leading separator
L59268A6A:
        add     esi,00000004h                   ; two leading separators: skip both
        jmp     L59268A82
L59268A6F:
        cmp     ax,dx
        jz      L59268A8A                       ; '/' counts as a separator too
        test    ax,ax
        jnz     L5925A561                       ; neither separator nor NUL: continue outside the listing
        jmp     L5925A591                       ; string ended inside the leading name -> L5925A591 (outside)
L59268A82:
        mov     ax,[esi]
        cmp     ax,di
        jnz     L59268A6F                       ; scan forward to the next separator
L59268A8A:
        cmp     word ptr [esi],0000h
        jz      L5925A591
        inc     esi                             ; step over the separator
        inc     esi
        xor     eax,eax
        mov     ax,[esi]
        cmp     ax,di
        jz      L5925A591                       ; a second separator right after it -> L5925A591
        cmp     ax,dx
        jz      L5925A591
L59268AAD:
        mov     edi,esi                         ; edi = start of the first component to scan
        jmp     L5925A58A                       ; label at the end of this listing (body not shown)
L59268AB4:
        cmp     edi,esi
        jz      L5925A54F                       ; outside the listing
        jmp     L5925A583
L59268AC1:
        xor     ecx,ecx
        lea     eax,[edi+04h]                   ; eax = text after ".."
        mov     cx,[eax]
        cmp     cx,005Ch
        mov     [ebp-0Ch],ecx                   ; remember the char after ".."
        jz      L59268ADB                       ; "..\" -> collapse
        test    cx,cx
        jnz     L5925A583                       ; "..x": not a dot-dot component
L59268ADB:
        test    ebx,ebx
        jz      L5925A591                       ; nothing before ".." -> L5925A591
        cmp     ebx,[ebp-08h]
        jnc     L5925A591                       ; dst >= end pointer (unsigned) -> L5925A591  [added bound check]
        push    eax                             ; src = text after ".."
        mov     eax,[ebp-08h]
        sub     eax,ebx
        sar     eax,1                           ; count = (end - dst) / 2 wchars
        push    eax
        push    ebx                             ; dst
        call    SUB_L592810BD                   ; bounded move; pushed last-first: (dst, count, src)
        cmp     word ptr [ebp-0Ch],0000h
        jz      L5925A595                       ; ".." was the last component -> outside listing
        cmp     esi,ebx
        mov     [ebp-04h],ebx
        mov     edi,ebx                         ; resume where the tail now starts
        jz      L5925A591
        lea     eax,[ebx-02h]
        jmp     L59268B1E
L59268B18:
        cmp     eax,esi                         ; reached the scan start
        jz      L59268B24
        dec     eax                             ; previous wchar
        dec     eax
L59268B1E:
        cmp     word ptr [eax],005Ch            ; walk back to the separator before the component
        jnz     L59268B18
L59268B24:
        mov     bx,[eax]
        sub     bx,005Ch                        ; bx = 0 iff *eax == '\'
        neg     bx                              ; CF = (bx != 0)
        sbb     ebx,ebx                         ; ebx = CF ? -1 : 0
        not     ebx                             ; ebx = (*eax == '\') ? -1 : 0
        and     ebx,eax                         ; ebx = (*eax == '\') ? eax : 0  (branchless select)
        jmp     L5925A583
L5925A583:
L59268B39:
L5925A533:
L59268B58:
L59268B6B:
L5925A58A:
修正版…ほとんどが変更されています。
;-----------------------------------------------------------------------
; "Old code 4": two pieces of the pre-MS12-054 build.
; x86-32, Intel syntax; msvcrt calls go through jmp_ thunks and are
; cdecl (caller pops). The ";*" markers are the original author's.
;
; 1) L5926C86B - fragment of a routine whose entry is outside the
;    listing. Copies fields from a source record (ebx) into a destination
;    block (esi) depending on the level in [ebp+0Ch], then rewrites the
;    string at dst+40h and keeps a running total at [edi+08h] in step.
;    Levels 3F2h (1010) and 65h (101) and the field offsets (+0, +4, +8,
;    +0Ch, +10h, +14h) are consistent with the SERVER_INFO_10x family,
;    but that mapping is inferred - confirm.
;    Flagged site: the wcscpy into dst+40h has no bound. Nothing here
;    shows how large dst+40h is; SUB_L59265CF7 below allocates a 0A4h
;    byte block and limits the same field to 30h wchars (ending at
;    +0A0h), so if this block has the same layout the copy can overrun.
;
; 2) SUB_L59265CF7(src, level) - stdcall, two args, returns the new
;    block (eax). Allocates 0A4h bytes, copies the record fields, the
;    name (unbounded wcscpy into +20h - flagged) and, for level != 64h
;    (100), the string at src+14h bounded to 30h wchars into +40h.
;    The +20h field is 32 bytes (16 wchars) before +40h, so a name longer
;    than 15 wchars runs into the following fields.
;-----------------------------------------------------------------------
L5926C86B:
        cmp     dword ptr [ebp+0Ch],000003F2h   ; level 1010: copy nothing here
        jz      L5926C8C5
        cmp     dword ptr [ebp+0Ch],00000065h   ; level vs 101
        mov     eax,[ebx]
        mov     [esi+10h],eax                   ; dst+10h = src+0  (mov keeps the cmp flags)
        jc      L5926C8C5                       ; level < 101: only that field
        mov     eax,[ebx+08h]
        mov     [esi+14h],eax
        mov     eax,[ebx+0Ch]
        mov     [esi+18h],eax
        mov     eax,[ebx+10h]
        mov     [esi+1Ch],eax
        lea     eax,[esi+40h]
        push    eax
        call    jmp_msvcrt.dll!wcslen ;* eax = length of the string currently at dst+40h
        mov     ecx,7FFFFFFFh
        sub     ecx,eax
        shl     ecx,1                           ; ecx = 2*(7FFFFFFFh - oldlen) == -(2*oldlen + 2) mod 2^32
        add     [edi+08h],ecx                   ; [edi+08h] -= old byte size incl. NUL
        push    [ebx+14h]                       ; src string
        lea     eax,[esi+40h] ;******** dst+40h
        push    eax
        call    jmp_msvcrt.dll!wcscpy           ; unbounded copy into dst+40h (flagged site)
        lea     eax,[esi+40h]
        push    eax
        call    jmp_msvcrt.dll!wcslen           ; eax = new length
        lea     eax,[eax+eax+02h]               ; eax = 2*newlen + 2
        add     esp,00000010h                   ; cdecl cleanup: wcslen(1) + wcscpy(2) + wcslen(1) args
        add     [edi+08h],eax ;******* net effect: [edi+08h] += 2*(newlen - oldlen)
L5926C8C5:
        push    00000000h
        push    [ebp+0Ch]                       ; level
        push    esi                             ; dst block
        jmp     L59265E14                       ; continues outside the listing with the three values pushed
SUB_L59265CF7:
        mov     edi,edi                         ; hot-patch point
        push    ebp
        mov     ebp,esp
        push    ebx
        push    esi
        push    000000A4h                       ; block size = 164 bytes
        call    SUB_L59257A30                   ; allocator (body not shown); eax = block or 0
        mov     esi,eax
        xor     ebx,ebx                         ; ebx = 0 for the rest of the routine
        cmp     esi,ebx
        jz      L5926C796                       ; allocation failed -> outside listing
        push    edi
        mov     edi,[ebp+08h]                   ; edi = src record
        mov     [esi+0Ch],ebx                   ; zero +08h and +0Ch
        mov     [esi+08h],ebx
        mov     eax,[edi]
        mov     [esi+10h],eax                   ; +10h = src+0
        push    [edi+04h]                       ; src name
        lea     eax,[esi+20h] ;*************** dst+20h: 16 wchars before the next field
        push    eax
        call    jmp_msvcrt.dll!wcscpy           ; unbounded copy (flagged site)
        cmp     dword ptr [ebp+0Ch],00000064h   ; level 100?
        pop     ecx                             ; cdecl cleanup (pop keeps the flags)
        pop     ecx
        jz      L5926C79D                       ; level 100: done with the fields -> outside listing
        mov     eax,[edi+08h]
        mov     [esi+14h],eax
        mov     eax,[edi+0Ch]
        mov     [esi+18h],eax
        mov     eax,[edi+10h]
        mov     [esi+1Ch],eax
        push    00000030h                       ; n = 48 wchars
        push    [edi+14h]                       ; src string
        lea     eax,[esi+40h] ;**************** dst+40h .. +0A0h
        push    eax
        call    jmp_msvcrt.dll!wcsncpy          ; bounded copy; no NUL if the source has >= 48 chars
        push    [edi+14h]
        call    jmp_msvcrt.dll!wcslen           ; eax = source length
        add     esp,00000010h                   ; cdecl cleanup: wcsncpy(3) + wcslen(1) args
        cmp     eax,00000030h ;********* source length vs the 48-wchar bound
        jnc     L59265D82                       ; >= 48: termination handled outside the listing
        push    [edi+14h]
        call    jmp_msvcrt.dll!wcslen
        pop     ecx
        mov     [esi+eax*2+40h],bx              ; explicit NUL at index len (bx = 0)
L59265D79:
        mov     eax,esi                         ; return the block
        pop     edi
L59265D7C:
        pop     esi
        pop     ebx
        pop     ebp
        retn    0008h                           ; stdcall: pop the two args
旧コード4
;-----------------------------------------------------------------------
; Fixed build plus the added buffer-check helper.
; x86-32, Intel syntax; both routines are stdcall (retn with a byte count).
;
; SUB_L59271832(a, b, c):
;   eax = RapParmNumDescriptor(a, b, 2, c)   [netrap.dll, delay-import thunk]
;   If the descriptor is non-NULL and its first byte is 55h ('U'), it is
;   handed to SUB_L592579E0 (body not shown; presumably releases it) and
;   NULL is returned; otherwise the descriptor is returned unchanged.
;   No caller-side cleanup follows either call, so both are presumably
;   stdcall.
;
; SUB_L59297AB5(dst, dst_count, src, src_max)  - the added bounded copy
;   [ebp+08h] dst  (wchar_t *)   [ebp+0Ch] dst_count (wchars incl. NUL)
;   [ebp+10h] src  (wchar_t *)   [ebp+14h] src_max   (max wchars to read)
;   Copies until src_max is exhausted, src hits NUL, or dst is full, then
;   NUL-terminates dst (unless dst_count == 0, when nothing is written).
;   Returns 0 on success; 80070057h (HRESULT for ERROR_INVALID_PARAMETER)
;   when dst_count == 0; 8007007Ah (HRESULT for ERROR_INSUFFICIENT_BUFFER)
;   when dst filled up, in which case the last copied wchar is overwritten
;   by the NUL - dst never receives more than dst_count-1 chars plus NUL.
;   Caveats for callers: a source of exactly dst_count chars is also
;   reported as 8007007Ah (the loop cannot tell that src ended just as
;   dst filled), and src need not be NUL-terminated within src_max since
;   at most src_max wchars are ever read.
; The five trailing labels are empty in this listing.
;-----------------------------------------------------------------------
SUB_L59271832:
        mov     edi,edi                         ; hot-patch point
        push    ebp
        mov     ebp,esp
        push    [ebp+10h]                       ; 4th arg: c
        push    00000002h                       ; 3rd arg: 2
        push    [ebp+0Ch]                       ; 2nd arg: b
        push    [ebp+08h]                       ; 1st arg: a
        call    jmp_NETRAP_dll_DelayImport_RapParmNumDescriptor
        test    eax,eax
        jz      L59271858                       ; NULL -> return NULL
        cmp     byte ptr [eax],55h              ; descriptor starting with 'U'?
        jnz     L59271858                       ; no -> return it unchanged
        push    eax
        call    SUB_L592579E0                   ; hand the 'U' descriptor back
        xor     eax,eax                         ; and return NULL instead
L59271858:
        pop     ebp
        retn    000Ch                           ; stdcall: pop the three args
SUB_L59297AB5:
        mov     edi,edi                         ; hot-patch point
        push    ebp
        mov     ebp,esp
        push    edi
        mov     edi,[ebp+0Ch]                   ; edi = wchars of room left in dst
        xor     eax,eax                         ; status = 0 (eax is untouched by the loop)
        test    edi,edi
        jnz     L59297ACB
        mov     eax,80070057h                   ; dst_count == 0: invalid parameter, nothing written
        jmp     L59297AFF
L59297ACB:
        mov     edx,[ebp+08h]                   ; edx = dst cursor
        push    esi
        mov     esi,[ebp+10h]                   ; esi = src cursor
L59297AD2:
        cmp     dword ptr [ebp+14h],00000000h
        jz      L59297AEF                       ; src_max exhausted
        mov     cx,[esi]
        test    cx,cx
        jz      L59297AEF                       ; src terminated
        mov     [edx],cx                        ; copy one wchar
        inc     edx
        inc     edx
        inc     esi
        inc     esi
        dec     edi
        dec     [ebp+14h]
        test    edi,edi
        jnz     L59297AD2                       ; loop while dst has room
L59297AEF:
        test    edi,edi
        pop     esi                             ; (pop keeps the flags)
        jnz     L59297AFB                       ; room left: terminate at the cursor
        dec     edx                             ; dst full: back up one wchar ...
        dec     edx
        mov     eax,8007007Ah                   ; ... and report insufficient buffer
L59297AFB:
        and     word ptr [edx],0000h            ; write the NUL terminator
L59297AFF:
        pop     edi
        pop     ebp
        retn    0010h                           ; stdcall: pop the four args
SUB_L592810BD:
SUB_L59280FFE:
L5926C8E0:
SUB_L5925D885:
SUB_L5925A430:
修正版と追加のバッファーチェックコード
結構な分量がありますね…パッチはしばしお待ちを