1. Analysis
The RPC DCOM long file name heap overflow is similar to LSD's stack overflow: both exist in the CoGetInstanceFromFile API. It was discovered by Yuange@NSFocus, and MS fixed the vulnerability on the 10th of September. Now let's discuss the details.
In the article "The Analysis of LSD's Buffer Overrun in Windows RPC Interface", we discussed the CoGetInstanceFromFile API, which accepts file names in UNC format. The RPC DCOM program checks the server name of the UNC path; if the server name is the NetBIOS name or an IP address of the local host (including "localhost" and "127.0.0.1"), then RPC DCOM processes the file name in the UNC path.
Here is the code:
.text:76151469 push 20Ah
.text:7615146E push edi
.text:7615146F push hHeap
.text:76151475 call AllocHeap <------------------Only allocate heap of 0X20A
.text:7615147B mov edi, eax
.text:7615147D test edi, edi
.text:7615147F jnz short loc_76151491
.text:76151481 push [ebp+hMem] ; hMem
.text:76151484 call ds:LocalFree
.text:7615148A
.text:7615148A loc_7615148A: ; CODE XREF: sub_761513C5+4Bj
.text:7615148A mov eax, 8007000Eh
.text:7615148F jmp short loc_761514B9
.text:76151491 ;
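The following C program is an added illustration of the bug class the post describes; it is not the RPCSS code and not part of the original post. It models the two steps the text names: the UNC server-name check (local NetBIOS name, "localhost" or "127.0.0.1") and the fixed 0x20A-byte heap allocation for the file name. The interpretation of 0x20A bytes as 261 UTF-16 code units (MAX_PATH + 1) is an assumption drawn only from the allocation size in the listing. The unchecked copy shows why a fixed-size block sized before the input length is known is dangerous; the checked version rejects over-long names before allocating. Sample paths and the host name "WS01" are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>

/* 0x20A bytes = 522 = 261 UTF-16 code units = MAX_PATH (260) + terminator.
   Assumption based on the allocation size in the listing, not on the source. */
#define PATH_BUF_BYTES 0x20A
#define PATH_BUF_CHARS (PATH_BUF_BYTES / 2)

/* Extract "server" from "\\server\share\..." into out. Returns 1 on success, 0 if not UNC. */
static int unc_server_name(const char *path, char *out, size_t outsz)
{
    if (strncmp(path, "\\\\", 2) != 0)
        return 0;
    const char *start = path + 2;
    const char *end = strchr(start, '\\');
    size_t len = end ? (size_t)(end - start) : strlen(start);
    if (len == 0 || len >= outsz)
        return 0;
    memcpy(out, start, len);
    out[len] = '\0';
    return 1;
}

/* Model of the "local machine?" test the post describes. own_netbios is the caller's own name. */
static int is_local_server(const char *server, const char *own_netbios)
{
    return strcasecmp(server, "localhost") == 0 ||
           strcmp(server, "127.0.0.1") == 0 ||
           strcasecmp(server, own_netbios) == 0;
}

/* Vulnerable pattern (model): fixed-size allocation, copy length driven by the input.
   With strlen(path) >= PATH_BUF_CHARS this writes past the heap block. Never call with untrusted input. */
static uint16_t *widen_unchecked(const char *path)
{
    uint16_t *buf = malloc(PATH_BUF_BYTES);
    if (!buf)
        return NULL;
    size_t i;
    for (i = 0; path[i] != '\0'; i++)  /* no comparison against PATH_BUF_CHARS */
        buf[i] = (uint16_t)(unsigned char)path[i];
    buf[i] = 0;
    return buf;
}

/* Hardened form: check the length against the block size before allocating. */
static uint16_t *widen_checked(const char *path, size_t *out_chars)
{
    size_t n = strlen(path);
    if (n + 1 > PATH_BUF_CHARS)
        return NULL;  /* name does not fit in the fixed block: reject */
    uint16_t *buf = malloc(PATH_BUF_BYTES);
    if (!buf)
        return NULL;
    for (size_t i = 0; i < n; i++)
        buf[i] = (uint16_t)(unsigned char)path[i];
    buf[n] = 0;
    if (out_chars)
        *out_chars = n;
    return buf;
}

/* Flow modelled on the post: only UNC paths naming the local host reach the copy.
   Returns 1 = processed, 0 = not a local UNC path (skipped), -1 = too long (rejected). */
static int handle_unc_path(const char *path, const char *own_netbios)
{
    char server[64];
    if (!unc_server_name(path, server, sizeof server))
        return 0;
    if (!is_local_server(server, own_netbios))
        return 0;
    size_t n;
    uint16_t *w = widen_checked(path, &n);
    if (!w)
        return -1;
    free(w);
    return 1;
}

/* Builds a constructed 599-character "\\localhost\AAAA..." path and runs it through the checked flow. */
static int demo_long_path_rejected(const char *own_netbios)
{
    char longpath[600];
    memset(longpath, 'A', sizeof longpath - 1);
    longpath[sizeof longpath - 1] = '\0';
    memcpy(longpath, "\\\\localhost\\", 12);
    return handle_unc_path(longpath, own_netbios);
}

int main(void)
{
    uint16_t *w = widen_unchecked("\\\\127.0.0.1\\c$\\a.doc");  /* short input: safe */
    free(w);
    printf("short: %d  long: %d\n",
           handle_unc_path("\\\\127.0.0.1\\c$\\test.doc", "WS01"),
           demo_long_path_rejected("WS01"));
    return 0;
}
```

The defensive point is the order of operations: the size of the destination block must be decided with knowledge of the input length, or the input must be rejected against the fixed size before any copy. Allocating 0x20A bytes first and then copying whatever arrives is exactly the pattern the listing above shows at the AllocHeap call.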