Correct BUG.txt

This commit is contained in:
worawit
2017-06-27 07:14:32 +07:00
parent 1e4f55e5b5
commit 9dbe746860

BUG.txt

@@ -75,8 +75,8 @@ Now, we go through some implementaion detail on Windows SMB transaction.
+---------------+------------------------------------------------------------------------------+ +---------------+------------------------------------------------------------------------------+
| InSetup | InParameters | InData | OutParameters | OutData | | InSetup | InParameters | InData | OutParameters | OutData |
+------------------------------------------------------------------------------+ +------------------------------------------------------------------------------+
- memory layout for SMB_COM_NT_TRANS is shown below. All buffers are not overlapped. InParameters and OutParameters are - memory layout for SMB_COM_NT_TRANS is shown below. InParameters and OutParameters are overlapped.
overlapped. InData and OutData are overlapped. InData and OutData are overlapped.
+---------------+-----------------------------------------------------------+ +---------------+-----------------------------------------------------------+
| TRANSACTION | transaction data buffer | | TRANSACTION | transaction data buffer |
+---------------+-----------------------------------------------------------+ +---------------+-----------------------------------------------------------+
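Review bot: dropping "All buffers are not overlapped" removes the contradiction with the next two sentences, but the SMB_COM_NT_TRANS diagram directly above still draws InSetup, InParameters, InData, OutParameters and OutData as five separate cells in one row, so a reader cannot see from the figure which regions share memory. Consider annotating the diagram (or adding one line under it) to show that InParameters/OutParameters and InData/OutData occupy the same ranges, since the later bug descriptions depend on exactly that overlap.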
@@ -90,7 +90,8 @@ Now, we go through some implementaion detail on Windows SMB transaction.
- After transaction is executed, ParameterCount and DataCount (is normally set in called transaction function) are used - After transaction is executed, ParameterCount and DataCount (is normally set in called transaction function) are used
for determining the reply size of OutParameters and OutData respectively. for determining the reply size of OutParameters and OutData respectively.
- A transaction displacement in SMB_COM_*_SECONDARY request can be pointed to sent displacement data - A SMB_COM_*_SECONDARY request can be used to overwrite a sent transaction parameters and data with displacement.
ParameterCount and DataCount is added no matter what (valid) displacement value is.
- assume TotalParameterCount is 0 and TotalDataCount is 16 - assume TotalParameterCount is 0 and TotalDataCount is 16
- first transaction request has 8 bytes of data - first transaction request has 8 bytes of data
- secondary transaction request can have 8 bytes of data with displacement 0 - secondary transaction request can have 8 bytes of data with displacement 0
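Review bot: the new sentence "ParameterCount and DataCount is added no matter what (valid) displacement value is" has a number-agreement error and leaves the consequence implicit; suggest "ParameterCount and DataCount are increased regardless of the (valid) displacement value", and end the 0/16 example by stating what the server concludes from it, i.e. that the transaction is treated as complete once the counts reach TotalDataCount even though the secondary request overwrote the first 8 bytes rather than appending to them. "overwrite a sent transaction parameters and data" also reads better as "overwrite already-sent transaction parameters and data".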
@@ -102,7 +103,7 @@ Now, we go through some implementaion detail on Windows SMB transaction.
- if last command is SMB_COM_TRANSACTION2_SECONDARY, a server executes subcommand as TRANS2_*. - if last command is SMB_COM_TRANSACTION2_SECONDARY, a server executes subcommand as TRANS2_*.
- if last command is SMB_COM_NT_TRANSACT_SECONDARY, a server executes subcommand as NT_TRANSACT_*. - if last command is SMB_COM_NT_TRANSACT_SECONDARY, a server executes subcommand as NT_TRANSACT_*.
- A transaction is also used in SMB_COM_WRITE_ANDX command (https://msdn.microsoft.com/en-us/library/ee441954.aspx) - A transaction is also used in SMB_COM_WRITE_ANDX command (https://msdn.microsoft.com/en-us/library/ee441954.aspx)
when WriteMode is RAW_MODE. This transaction use FID in parameters instead of MID in SMB header for when WriteMode is RAW_MODE. The transaction uses FID in parameters instead of MID in SMB header for
matching transaction. matching transaction.
That should be enough for SMB transaction. It's time to start bug details. That should be enough for SMB transaction. It's time to start bug details.
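Review bot: the "This transaction use" to "The transaction uses" fix is correct; while here, the closing line "That should be enough for SMB transaction. It's time to start bug details." would read better as "That should be enough background on SMB transactions. Now to the bug details." Since the WRITE_ANDX RAW_MODE case matches a transaction by FID rather than by the MID in the SMB header, it may be worth one sentence saying that this is a different matching key from the TRANSACTION/TRANSACTION2/NT_TRANSACT paths described just above, so the reader knows why it is called out separately.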
@@ -138,7 +139,7 @@ But, as mentioned above, transaction InData and OutData are overlapped. Without
transaction *Parameter* and *Data*, a server returns InData (like echo). transaction *Parameter* and *Data*, a server returns InData (like echo).
An only REQUIREMENT for using NT_TRANSACT_RENAME command is valid fid. So we need to get fid by opening An only REQUIREMENT for using NT_TRANSACT_RENAME command is valid fid. So we need to get fid by opening
any piped name or share first. any named pipe or share first.
This bug is not helpful for exploitation because leaked info is from freed buffer. It is difficult to get This bug is not helpful for exploitation because leaked info is from freed buffer. It is difficult to get
exact information because a transaction size is always >=0x5000. exact information because a transaction size is always >=0x5000.
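Review bot: "piped name" to "named pipe" is the right fix, and "An only REQUIREMENT for using NT_TRANSACT_RENAME command is valid fid" in the same hunk should become "The only requirement for using the NT_TRANSACT_RENAME command is a valid fid". The sentence "It is difficult to get exact information because a transaction size is always >=0x5000" would be clearer if it said what is hard to control, e.g. that the leaked bytes come from a freed buffer of at least 0x5000 bytes whose contents cannot be predicted.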
@@ -175,7 +176,7 @@ an error code 0xC0000205 (STATUS_INSUFF_SERVER_RESOURCES).
When sending a large MaxParameterCount and MaxDataCount (sum of them is >0x10400), we will got an error code 0xC0000205. When sending a large MaxParameterCount and MaxDataCount (sum of them is >0x10400), we will got an error code 0xC0000205.
Because MS17-010 patch changes MaxParameterCount to 16 if transaction subcommand is TRANS_PEEK_NMPIPE before calling Because MS17-010 patch changes MaxParameterCount to 16 if transaction subcommand is TRANS_PEEK_NMPIPE before calling
SrvAllocationTransaction(), SrvPeekNamedPipe() will be called even sum of MaxParameterCount and MaxDataCount is >0x10400. SrvAllocationTransaction(), SrvPeekNamedPipe() will be called even sum of MaxParameterCount and MaxDataCount is >0x10400.
The response from SrvPeekNamedPipe() is depended on our InParameters. The response from SrvPeekNamedPipe() is depended on our InSetup.
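Review bot: changing the field that determines the SrvPeekNamedPipe() response from InParameters to InSetup is a substantive correction, so the sentence should say what in InSetup is used (at minimum that the subcommand and its setup words come from there) rather than leaving "depended on our InSetup" unexplained; also "is depended on" should be "depends on". In the same hunk, "we will got an error code" should be "we will get an error code", and "even sum of MaxParameterCount and MaxDataCount is >0x10400" should be "even if the sum of MaxParameterCount and MaxDataCount is >0x10400".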
@@ -364,10 +365,9 @@ SrvOs2FeaListSizeToNt(feaList)
return outputLen; return outputLen;
} }
From pseudocode above, if we send feaList.SizeOfListInBytes=0x10000 while valid FEA entries in list is less than From above pseudocode, if we send feaList.SizeOfListInBytes=0x10000 while valid FEA entries in list is less than
0x10000 bytes (assume 0x4000), the feaList.SizeOfListInBytes will be 0x14000 because HIDWORD is not modified and 0x10000 bytes (assume 0x4000), the feaList.SizeOfListInBytes will be modified to 0x14000 because HIDWORD is not modified and
outputLen is only for FEA entries size 0x4000. Then the output buffer will be overflown while copy FEA data to outputLen is only 0x4000. Then the output buffer will be overflowed while copying FEA data to output buffer.
output buffer.
As mentioned above, we need to send a transaction data that larger than 0x10000 bytes. But the FEA_LIST data is used As mentioned above, we need to send a transaction data that larger than 0x10000 bytes. But the FEA_LIST data is used
only in SMB_COM_TRANSACTION2 which TotalDataCount is USHORT (max is 0xffff). So we need to Bug6 to send a FEA_LIST only in SMB_COM_TRANSACTION2 which TotalDataCount is USHORT (max is 0xffff). So we need to Bug6 to send a FEA_LIST
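Review bot: the rewritten explanation is clearer, but the arithmetic behind "will be modified to 0x14000 because HIDWORD is not modified" should be spelled out once: only the low 16 bits of SizeOfListInBytes are replaced with outputLen (0x4000) while the high word of the original 0x10000 survives, so the stored length becomes 0x10000 | 0x4000 = 0x14000 and the copy runs 0x10000 bytes past what outputLen sized. Two grammar fixes in the context lines: "a transaction data that larger than 0x10000 bytes" should be "transaction data larger than 0x10000 bytes", and "So we need to Bug6 to send a FEA_LIST" should be "So we need Bug6 to send a FEA_LIST".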