ms08-067漏洞分析（Ms08-067 vulnerability analysis）.docVIP

ms08-067漏洞分析（Ms08-067 vulnerability analysis） MS08-067 vulnerability analysis Netapi32.dll! NetpwPathCanonicalize stack overflow in the analytical path name when vulnerabilities, an attacker can spread path parameters carefully constructed to overwrite the return address of a function, and remote code execution. The attacker can initiate a request by RPC to handle the request in svchost.exe, resulting in svchost.exe remote overflow. The following 5.1.2600.2180 version for the causes of the vulnerability analysis: .text:5B86A259 NetpwPathCanonicalize proc near ... .text:5B86A2AF push EDI; int .text:5B86A2B0 push [ebp+arg_8]; int .text:5B86A2B3 mov [esi], di .text:5B86A2B6 push ESI; int .text:5B86A2B7 push [ebp+pPolicyChain]; pathname .text:5B86A2BA push ebx; int .text:5B86A2BB call CanonicalizePathName .text:5B86A2C0 CMP eax, EDI .text:5B86A2C2 JNZ short @@Return ... .text:5B86A2D2 NetpwPathCanonicalize endp .text:5B86A2E0 CanonicalizePathName proc near ... .text:5B86A37D push eax; STR .text:5B86A37E call DoCanonicalizePathName .text:5B86A383 test eax, eax .text:5B86A385 JZ short @@Return_0x7B ... .text:5B86A3C7 CanonicalizePathName endp Netapi32.dll! NetpwPathCanonicalize path function through the CanonicalizePathName internal function to handle incoming. The function calls internal functions DoCanonicalizePathName to achieve the real process, the vulnerability of the overflow point is in the DoCanonicalizePathName function: This function first put in the path / all turn into a \, and then try to modify the path buffer incoming to get a relative path. For example: .\\abc\123\..\a\..\b\.\c Will be processed into: \abc\b\c The function in dealing with the relative paths, using two pointer stored before a slash (\ behind said \) and pointer to the current, as shown below: \abc\a\..\b ^ ^ | | The current | +--- \ pointer (hereafter denoted as CurrentSlash) A +----- \ pointer (hereafter denoted as PrevSlash) When the scan function to ,..\ will copy CurrentSlash to PrevS