Microsoft Security: Analysis of MS10-061
Microsoft Security Bulletin MS10-061 - Critical: Vulnerability in Print Spooler Service Could Allow Remote Code Execution (2347290)
These are the results of analysing the patched binary (XP SP3) against the unpatched one.
L010066CA:
    push [ebp+14h]
    call SUB_L01001180
    test eax,eax
    jz L01006701
    push [esi+04h]
    push [esi]
    push [ebp+08h]
    call jmp_SPOOLSS_DLL_DelayImport_StartDocPrinterW
    mov esi,[ebp+10h]
    mov [esi],eax
    cmp [ebp+14h],edi
    jz L010066F3
    call [RPCRT4.dll!RpcRevertToSelf]
L010066F3:
    cmp [esi],edi
    jz L01006701
    xor eax,eax
L010066F9:
    call SUB_L01002DF5
    retn 0010h
Old code (XP SP3)
L01006834:
    push [ebp+14h]
    call SUB_L010011A0
    test eax,eax
    jnz L0100710B
    jmp L01006858
L01006846:
    push [esi+04h]
    push [esi]
    push [ebp+08h]
    call jmp_SPOOLSS_DLL_DelayImport_StartDocPrinterW
    jmp L01007162
L01006858:
    call [KERNEL32.dll!GetLastError]
    jmp L010066D7
;---------------------------------------------------------------------
L010066C2:
    cmp [ebp+14h],ebx
    jz L010066CD
    call [RPCRT4.dll!RpcRevertToSelf]
L010066CD:
    cmp [edi],ebx
    jz L01006858
    xor eax,eax
L010066D7:
    call SUB_L01002E15
    retn 0010h
;---------------------------------------------------------------------
L01007162:
    mov edi,[ebp+10h]
    mov [edi],eax
    mov eax,[ebp-20h]
    cmp eax,ebx
    jz L010066C2
    mov ecx,[esi+04h]
    mov [ecx+04h],eax
    jmp L010066C2
New code 1 (XP SP3)
Within this function there is only one change: the `jz` after the first call has become a `jnz L0100710B`. That jump, however, leads into a large block of newly inserted fix-up code, shown next.
L0100710B:
    mov eax,[esi+04h]
    mov eax,[eax+04h]
    cmp eax,ebx
    jz L01006846
    cmp [eax],bx
    jz L01006846
    call SUB_L010080FB
    test eax,eax
    mov eax,[esi+04h]
    jnz L01007154
    push [eax+04h]
    push [ebp+08h]
    call SUB_L01008269
    test eax,eax
    jnz L01006846
    cmp [ebp+14h],ebx
    jz L0100714C
    call [RPCRT4.dll!RpcRevertToSelf]
L0100714C:
    push 00000005h
    pop eax
    jmp L010066D7
L01007154:
    mov ecx,[eax+04h]
    mov [ebp-20h],ecx
    mov [eax+04h],ebx
    jmp L01006846
;------------------------------------
SUB_L010080FB:
    mov edi,edi
    push ebp
    mov ebp,esp
    sub esp,0000001Ch
    mov eax,[L0100D520]
    push ebx
    push esi
    push edi
    mov [ebp-04h],eax
    call [KERNEL32.dll!GetLastError]
    mov edi,eax
    lea eax,[ebp-18h]
    push eax
    xor ebx,ebx
    push ebx
    call [RPCRT4.dll!I_RpcBindingInqTransportType]
    cmp eax,ebx
    jz L01008149
    cmp eax,000006BDh
    jz L010081F3
    cmp eax,ebx
    jg L0100813D
L01008136:
    mov esi,eax
    jmp L010081F5
L0100813D:
    and eax,0000FFFFh
    or eax,80070000h
    jmp L01008136
L01008149:
    cmp dword ptr [ebp-18h],00000004h
    jz L01008157
    xor esi,esi
    inc esi
    jmp L010081F5
L01008157:
    lea eax,[ebp-14h]
    push eax
    push 00000001h
    push 00000008h
    call [KERNEL32.dll!GetCurrentThread]
    push eax
    call [ADVAPI32.dll!OpenThreadToken]
    test eax,eax
    jz L010081E4
    lea eax,[ebp-10h]
    push eax
    push ebx
    push ebx
    push ebx
    push ebx
    push ebx
    push ebx
    push ebx
    push 00000002h
    push 00000001h
    lea eax,[ebp-0Ch]
    push eax
    mov [ebp-0Ch],bl
    mov [ebp-0Bh],bl
    mov [ebp-0Ah],bl
    mov [ebp-09h],bl
    mov [ebp-08h],bl
    mov byte ptr [ebp-07h],05h
    mov [ebp-10h],ebx
    call [ADVAPI32.dll!AllocateAndInitializeSid]
    test eax,eax
    jz L010081D2
    lea eax,[ebp-1Ch]
    push eax
    push [ebp-10h]
    push [ebp-14h]
    call jmp_ADVAPI32.dll!CheckTokenMembership
    test eax,eax
    jz L010081C0
    xor eax,eax
    cmp [ebp-1Ch],ebx
    setnz al
    jmp L010081C5
L010081C0:
    call SUB_L0100B917
L010081C5:
    push [ebp-10h]
    mov esi,eax
    call [ADVAPI32.dll!FreeSid]
    jmp L010081D9
L010081D2:
    call SUB_L0100B917
    mov esi,eax
L010081D9:
    push [ebp-14h]
    call [KERNEL32.dll!CloseHandle]
    jmp L010081F5
L010081E4:
    call SUB_L0100B917
    mov esi,eax
    cmp esi,800703F0h
    jnz L010081F5
L010081F3:
    xor esi,esi
L010081F5:
    push edi
    call [KERNEL32.dll!SetLastError]
    mov ecx,[ebp-04h]
    pop edi
    mov eax,esi
    pop esi
    pop ebx
    call SUB_L01004B8F
    leave
    retn
;------------------------------------
SUB_L01008269:
    mov edi,edi
    push ebp
    mov ebp,esp
    sub esp,0000000Ch
    push ebx
    push edi
    xor edi,edi
    inc edi
    xor ebx,ebx
    cmp [ebp+0Ch],ebx
    mov [ebp-08h],edi
    jz L010083B1
    mov eax,00000400h
    push esi
    push eax
    mov [ebp-08h],ebx
    mov [ebp-04h],eax
    call jmp_SPOOLSS_DLL_DelayImport_DllAllocSplMem
    mov esi,eax
    cmp esi,ebx
    mov [ebp-0Ch],esi
    jz L010083B0
    lea eax,[ebp-04h]
    push eax
    push [ebp-04h]
    push esi
    push 00000005h
    push [ebp+08h]
    call jmp_SPOOLSS_DLL_DelayImport_GetPrinterW
    cmp eax,ebx
    jnz L010082FB
    call [KERNEL32.dll!GetLastError]
    cmp eax,0000007Ah
    jnz L0100836B
    push esi
    call jmp_SPOOLSS_DLL_DelayImport_DllFreeSplMem
    add dword ptr [ebp-04h],00000064h
    push [ebp-04h]
    call jmp_SPOOLSS_DLL_DelayImport_DllAllocSplMem
    cmp eax,ebx
    mov [ebp-0Ch],eax
    jz L010083B0
    lea ecx,[ebp-04h]
    push ecx
    push [ebp-04h]
    push eax
    push 00000005h
    push [ebp+08h]
    call jmp_SPOOLSS_DLL_DelayImport_GetPrinterW
    cmp eax,ebx
    jz L0100836B
L010082FB:
    mov eax,[ebp-0Ch]
    mov esi,[KERNEL32.dll!CompareStringW]
    push FFFFFFFFh
    push [ebp+0Ch]
    push FFFFFFFFh
    push [eax+04h]
    push ebx
    push 0000007Fh
    call esi
    cmp eax,00000002h
    jz L010083A5
    mov eax,[ebp-0Ch]
    mov edi,[eax+04h]
    jmp L01008347
L01008324:
    lea ecx,[eax+02h]
    cmp [ecx],bx
    mov [ebp+08h],ecx
    jz L01008356
    push FFFFFFFFh
    push [ebp+0Ch]
    mov [eax],bx
    push FFFFFFFFh
    push edi
    push ebx
    push 0000007Fh
    call esi
    cmp eax,00000002h
    jz L01008391
    mov edi,[ebp+08h]
L01008347:
    push 0000002Ch
    push edi
    call [msvcrt.dll!wcschr]
    cmp eax,ebx
    pop ecx
    pop ecx
    jnz L01008324
L01008356:
    push FFFFFFFFh
    push [ebp+0Ch]
    push FFFFFFFFh
    push edi
    push ebx
    push 0000007Fh
    call esi
    cmp eax,00000002h
    jz L01008391
    xor edi,edi
    inc edi
L0100836B:
    push ebx
    push 08000180h
    push 00000004h
    push ebx
    push edi
    push 40000000h
    push [ebp+0Ch]
    call [KERNEL32.dll!CreateFileW]
    cmp eax,FFFFFFFFh
    jz L0100839A
    push eax
    call [KERNEL32.dll!CloseHandle]
    jmp L010083A5
L01008391:
    mov dword ptr [ebp-08h],00000001h
    jmp L010083A8
L0100839A:
    call [KERNEL32.dll!GetLastError]
    cmp eax,00000005h
    jz L010083A8
L010083A5:
    mov [ebp-08h],edi
L010083A8:
    push [ebp-0Ch]
    call jmp_SPOOLSS_DLL_DelayImport_DllFreeSplMem
L010083B0:
    pop esi
L010083B1:
    mov eax,[ebp-08h]
    pop edi
    pop ebx
    leave
    retn 0008h
New code 2 (XP SP3)
Unfortunately, this was clearly not something that could be fixed with a small tweak: two whole helper routines (SUB_L010080FB and SUB_L01008269) had to be added in front of the StartDocPrinterW call.
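To make the control flow of new code 2 easier to follow, here is a C model of the two checks that the jump to L0100710B introduces. It was written for this write-up; it is not spoolsv/localspl code and uses no Win32 headers, so it builds with any C99 compiler. The reading of the constants is mine, taken from the listing: I_RpcBindingInqTransportType reporting transport type 4 (TRANSPORT_TYPE_LPC) or failing with 0x6BD (RPC_S_NO_CALL_ACTIVE); the SID S-1-5-2 (NT AUTHORITY\NETWORK) that AllocateAndInitializeSid builds for CheckTokenMembership; HRESULT 0x800703F0 (ERROR_NO_TOKEN) after OpenThreadToken fails; GetPrinterW level 5 with pPortName at offset 4; CompareStringW(LOCALE_INVARIANT, 0, ...) == CSTR_EQUAL, i.e. an exact, case-sensitive match; and the value 5 (ERROR_ACCESS_DENIED) that L0100714C returns. The results the real code obtains from RPC, from the thread token and from CreateFileW are supplied as inputs here, and the port names and file names are constructed sample values.

```c
/* Model of the checks MS10-061 puts in front of StartDocPrinterW, as read from the
 * listing above. Written for this write-up: not spoolsv/localspl code, no Win32 headers. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>

/* Constants the listing tests against (my reading of them). */
#define TRANSPORT_TYPE_LPC      4u          /* out-value checked at L01008149 */
#define RPC_S_NO_CALL_ACTIVE    0x6BD       /* 1725: no RPC call active, in-process caller */
#define HRESULT_ERROR_NO_TOKEN  0x800703F0u /* compared at L010081E4 */
#define ERROR_ACCESS_DENIED     5           /* CreateFileW failure that turns into "deny" */

/* What the real code learns from RPC and the thread token; supplied by the caller here. */
struct call_ctx {
    int      rpc_status;          /* return value of I_RpcBindingInqTransportType */
    unsigned transport_type;      /* its out-parameter */
    int      open_token_failed;   /* OpenThreadToken(TOKEN_QUERY) failed ... */
    unsigned open_token_hresult;  /* ... with this HRESULT (what SUB_L0100B917 produces) */
    int      is_network_member;   /* CheckTokenMembership against S-1-5-2 (NETWORK) */
};

struct call_ctx make_ctx(int rpc_status, unsigned transport, int token_failed,
                         unsigned token_hresult, int network_member)
{
    struct call_ctx c = { rpc_status, transport, token_failed, token_hresult, network_member };
    return c;
}

/* SUB_L010080FB: nonzero means "treat the caller as remote". In the listing only
 * RPC_S_NO_CALL_ACTIVE and ERROR_NO_TOKEN map to 0; every other failure returns the
 * HRESULT (nonzero), so the check fails closed. Only the OpenThreadToken failure is modelled. */
int caller_is_remote(struct call_ctx c)
{
    if (c.rpc_status == RPC_S_NO_CALL_ACTIVE) return 0;
    if (c.rpc_status != 0) return 1;
    if (c.transport_type != TRANSPORT_TYPE_LPC) return 1;
    if (c.open_token_failed)
        return c.open_token_hresult == HRESULT_ERROR_NO_TOKEN ? 0 : 1;
    return c.is_network_member ? 1 : 0;
}

/* Comma-splitting loop of SUB_L01008269 (L010082FB..L01008356). The listing writes NULs
 * over the commas in its own GetPrinterW buffer; we copy so the input stays intact.
 * Note the listing does not split on a trailing comma: that segment is compared as-is. */
int output_file_matches_port(const wchar_t *port_name, const wchar_t *output_file)
{
    if (wcscmp(port_name, output_file) == 0) return 1;    /* whole string is tried first */
    size_t n = wcslen(port_name) + 1;
    wchar_t *buf = malloc(n * sizeof *buf);
    if (!buf) return 0;                                   /* alloc failure => deny, as in the listing */
    memcpy(buf, port_name, n * sizeof *buf);
    int match = 0;
    wchar_t *seg = buf, *comma;
    while (!match && (comma = wcschr(seg, L',')) != NULL) {
        if (comma[1] == L'\0') break;                     /* trailing comma: fall through */
        *comma = L'\0';
        match = wcscmp(seg, output_file) == 0;
        seg = comma + 1;
    }
    if (!match) match = wcscmp(seg, output_file) == 0;    /* last (or only) segment */
    free(buf);
    return match;
}

enum open_result { OPEN_OK, OPEN_ACCESS_DENIED, OPEN_OTHER_ERROR };
enum decision    { PASS_THROUGH, STRIP_OUTPUT_FILE, DENY_ACCESS };

/* L0100710B: what happens to pDocInfo->pOutputFile before StartDocPrinterW is called.
 * port_name is the pPortName from GetPrinterW level 5 (NULL models a GetPrinterW failure,
 * which the listing handles by going straight to the CreateFileW probe); try_open is the
 * outcome of CreateFileW(output_file, GENERIC_WRITE, ...) under the impersonated token. */
enum decision start_doc_decision(struct call_ctx c, const wchar_t *output_file,
                                 const wchar_t *port_name, enum open_result try_open)
{
    if (output_file == NULL || output_file[0] == L'\0')
        return PASS_THROUGH;                 /* nothing to check */
    if (caller_is_remote(c))
        return STRIP_OUTPUT_FILE;            /* L01007154: pOutputFile = NULL, restored at L01007162 */
    if (port_name != NULL && output_file_matches_port(port_name, output_file))
        return PASS_THROUGH;                 /* output goes to one of the printer's own ports */
    if (try_open == OPEN_ACCESS_DENIED)
        return DENY_ACCESS;                  /* L0100714C: StartDocPrinter fails with error 5 */
    return PASS_THROUGH;                     /* opened OK, or failed for a reason StartDocPrinterW reports itself */
}

int main(void)
{
    /* Constructed sample: a TCP (CN) caller and a local LPC caller make the same request. */
    const wchar_t *port = L"FILE:,LPT1:";
    const wchar_t *file = L"C:\\spool\\out.prn";
    printf("remote caller            -> %d (1 = strip pOutputFile)\n",
           start_doc_decision(make_ctx(0, 1, 0, 0, 0), file, port, OPEN_ACCESS_DENIED));
    printf("local caller, no write   -> %d (2 = ERROR_ACCESS_DENIED)\n",
           start_doc_decision(make_ctx(0, TRANSPORT_TYPE_LPC, 0, 0, 0), file, port, OPEN_ACCESS_DENIED));
    printf("local caller, port LPT1: -> %d (0 = pass through)\n",
           start_doc_decision(make_ctx(0, TRANSPORT_TYPE_LPC, 0, 0, 0), L"LPT1:", port, OPEN_ACCESS_DENIED));
    return 0;
}
```

Read this way, the patch does two things. A caller that did not arrive over LPC, or whose token carries the NETWORK SID, has pOutputFile cleared for the duration of the StartDocPrinterW call (L01007154, restored at L01007162), so the output file named by a remote client is simply ignored. A local caller keeps pOutputFile only if it names one of the printer's ports or if the impersonated caller can open it for GENERIC_WRITE; an ERROR_ACCESS_DENIED on that open becomes a StartDocPrinter failure with error 5, while any other open failure is left for StartDocPrinterW itself to report.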