Untitled
May 30th, 2013
  1. Vulnerable function
  ; ---------------------------------------------------------------------
  ; sub_017449B0 -- palette loader (OllyDbg listing, 32-bit x86; MSVC build:
  ; /GS cookie at entry, MSVCR80 import).  Address and opcode columns are the
  ; debugger's own; only the ';' comments are annotations.
  ;
  ; Apparent C-ish shape (3 dword args, callee pops 0Ch -> stdcall-like):
  ;   f(uint16_t *count_out /*arg1*/, Reader *rd /*arg2*/, uint8_t *pal /*arg3*/)
  ; Register roles in the body:
  ;   EBX = arg1, pointer to the 16-bit entry count written at 01744A37.
  ;   ESI = arg2, object whose vtable slot +18h is invoked thiscall
  ;         (ECX = this, one stack arg = byte count, callee pops it).  Per the
  ;         original annotator it is "read N bytes"; it returns a pointer to
  ;         the bytes in EAX.  All multi-byte fields are decoded big-endian.
  ;   [ESP+10h] at loop time = arg3, destination buffer; entries are 4 bytes
  ;         apart and only bytes +0, +1, +2 of each entry are written.
  ;   [ESP+14h] = header field 2 AND 8000h: non-zero -> "explicit index" mode
  ;         (each entry carries a 16-bit index read from the file);
  ;         zero -> sequential mode (index = EBP loop counter).
  ;   EBP = loop counter 0..count-1.
  ; Defect (01744AA9..01744ABD): the index-vs-count compare only calls a
  ; helper (01734490) when it fails and then FALLS THROUGH to the writes at
  ; 01744AE0 / 01744AFC / 01744B18, so a file-supplied index up to FFFFh
  ; selects pal + 4*index -- an out-of-bounds write of up to ~256 KiB past
  ; the buffer.  The count used as the bound is itself read from the file
  ; (01744A37) and is never compared with the real capacity of arg3, which
  ; is not visible here -- confirm at the caller.
  ; Mitigation sketch: on the not-taken JB path skip the entry (or leave the
  ; function) instead of continuing, and have the caller supply/enforce a
  ; capacity for arg3 so the count path is bounded too.
  ; ---------------------------------------------------------------------
  2. 017449B0 /$ 81EC 0C010000 SUB ESP,10C ; 10Ch-byte frame: [ESP+0..7] locals, [ESP+8..107] 100h-byte text buffer, [ESP+108] cookie
  3. 017449B6 |. A1 9400AC01 MOV EAX,DWORD PTR DS:[1AC0094] ; global cookie value (presumably __security_cookie)
  4. 017449BB |. 33C4 XOR EAX,ESP
  5. 017449BD |. 898424 080100 MOV DWORD PTR SS:[ESP+108],EAX ; Set stack cookie (cookie ^ ESP), re-checked at 01744B35
  6. 017449C4 |. 8B8424 180100 MOV EAX,DWORD PTR SS:[ESP+118] ; EAX = arg3 (palette destination buffer)
  7. 017449CB |. 53 PUSH EBX
  8. 017449CC |. 8B9C24 140100 MOV EBX,DWORD PTR SS:[ESP+114] ; EBX = arg1 (uint16 *count_out)
  9. 017449D3 |. 55 PUSH EBP
  10. 017449D4 |. 56 PUSH ESI
  11. 017449D5 |. 8BB424 200100 MOV ESI,DWORD PTR SS:[ESP+120] ; ESI = arg2 (reader object; [ESI] = vtable)
  12. 017449DC |. 57 PUSH EDI
  13. 017449DD |. 68 38709D01 PUSH OFFSET 019D7038 ; string arg (contents not visible here)
  14. 017449E2 |. 6A 03 PUSH 3
  15. 017449E4 |. 894424 18 MOV DWORD PTR SS:[ESP+18],EAX ; stash arg3 in local [frame+0]; reloaded as [ESP+10] inside the loop
  16. 017449E8 |. E8 43F9FEFF CALL 01734330 ; cdecl helper, 2 args (caller pops 8 below); original annotator: ignore (trace/log?)
  17. 017449ED |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
  18. 017449EF |. 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18] ; EAX = vtable slot +18h ("read N bytes")
  19. 017449F2 |. 83C4 08 ADD ESP,8
  20. 017449F5 |. 6A 04 PUSH 4
  21. 017449F7 |. 8BCE MOV ECX,ESI
  22. 017449F9 |. FFD0 CALL EAX ; Read 4 bytes from file (thiscall; result ignored)
  23. 017449FB |. 8B16 MOV EDX,DWORD PTR DS:[ESI]
  24. 017449FD |. 8B42 18 MOV EAX,DWORD PTR DS:[EDX+18]
  25. 01744A00 |. 6A 02 PUSH 2
  26. 01744A02 |. 8BCE MOV ECX,ESI
  27. 01744A04 |. FFD0 CALL EAX ; Read 2 bytes from file -> EAX = pointer to them; no NULL / short-read check anywhere in this function
  28. 01744A06 |. 0FB608 MOVZX ECX,BYTE PTR DS:[EAX]
  29. 01744A09 |. 66:0FB650 01 MOVZX DX,BYTE PTR DS:[EAX+1]
  30. 01744A0E |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
  31. 01744A10 |. 66:C1E1 08 SHL CX,8
  32. 01744A14 |. 66:03CA ADD CX,DX ; CX = big-endian u16 (header field 2)
  33. 01744A17 |. 8B50 18 MOV EDX,DWORD PTR DS:[EAX+18]
  34. 01744A1A |. 0FB7F9 MOVZX EDI,CX ; EDI = header field 2; only bit 8000h is used (01744A74)
  35. 01744A1D |. 6A 02 PUSH 2
  36. 01744A1F |. 8BCE MOV ECX,ESI
  37. 01744A21 |. FFD2 CALL EDX ; Read 2 bytes from file (raw count field)
  38. 01744A23 |. 66:0FB608 MOVZX CX,BYTE PTR DS:[EAX]
  39. 01744A27 |. 66:0FB640 01 MOVZX AX,BYTE PTR DS:[EAX+1]
  40. 01744A2C |. 66:C1E1 08 SHL CX,8
  41. 01744A30 |. 66:03C8 ADD CX,AX
  42. 01744A33 |. 66:83C1 01 ADD CX,1 ; count = field + 1, 16-bit: FFFFh wraps to 0 and the loop is skipped
  43. 01744A37 |. 66:890B MOV WORD PTR DS:[EBX],CX ; *count_out = count (file-controlled; this is the only bound the loop uses)
  44. 01744A3A |. 0FB7C9 MOVZX ECX,CX
  45. 01744A3D |. 51 PUSH ECX
  46. 01744A3E |. 8D5424 1C LEA EDX,[ESP+1C] ; EDX = 100h-byte stack buffer just below the cookie
  47. 01744A42 |. 68 24709D01 PUSH OFFSET 019D7024 ; format string (contents not visible)
  48. 01744A47 |. 52 PUSH EDX
  49. 01744A48 |. FF15 AC409701 CALL DWORD PTR DS:[<&MSVCR80.sprintf>] ; sprintf(buf, fmt, count): unbounded; a lone u16 fits in 100h bytes unless the format is long -- confirm the format
  50. 01744A4E |. 8D4424 24 LEA EAX,[ESP+24] ; same buffer (ESP moved by the two pushes)
  51. 01744A52 |. 50 PUSH EAX
  52. 01744A53 |. 6A 02 PUSH 2
  53. 01744A55 |. E8 D6F8FEFF CALL 01734330 ; helper, 2 args; original annotator: ignore
  54. 01744A5A |. 68 10709D01 PUSH OFFSET 019D7010
  55. 01744A5F |. 6A 03 PUSH 3
  56. 01744A61 |. E8 CAF8FEFF CALL 01734330 ; helper, 2 args; original annotator: ignore
  57. 01744A66 |. 33ED XOR EBP,EBP ; EBP = 0 (loop counter)
  58. 01744A68 |. 83C4 1C ADD ESP,1C ; pop the three calls' args (0Ch + 8 + 8)
  59. 01744A6B |. 66:392B CMP WORD PTR DS:[EBX],BP ; count vs 0
  60. 01744A6E |. 0F86 B4000000 JBE 01744B28 ; count == 0 -> skip the loop
  61. 01744A74 |. 81E7 00800000 AND EDI,00008000 ; keep only the "explicit index" flag bit of header field 2
  62. 01744A7A |. 897C24 14 MOV DWORD PTR SS:[ESP+14],EDI ; [ESP+14] = mode flag (non-zero = indices come from the file)
  63. 01744A7E |. 8BFF MOV EDI,EDI ; 2-byte NOP: aligns the loop head 01744A80 to 16
  64. 01744A80 |> 8B16 /MOV EDX,DWORD PTR DS:[ESI] ; loop top: one palette entry per iteration
  65. 01744A82 |. 8B42 18 |MOV EAX,DWORD PTR DS:[EDX+18]
  66. 01744A85 |. 6A 02 |PUSH 2
  67. 01744A87 |. 8BCE |MOV ECX,ESI
  68. 01744A89 |. FFD0 |CALL EAX ; Read 2 bytes from file (entry index) -- consumed even in sequential mode
  69. 01744A8B |. 66:0FB608 |MOVZX CX,BYTE PTR DS:[EAX]
  70. 01744A8F |. 66:0FB650 01 |MOVZX DX,BYTE PTR DS:[EAX+1]
  71. 01744A94 |. 66:C1E1 08 |SHL CX,8
  72. 01744A98 |. 66:03CA |ADD CX,DX ; CX = file-supplied index (big-endian u16)
  73. 01744A9B |. 66:837C24 14 |CMP WORD PTR SS:[ESP+14],0 ; mode flag == 0 ?
  74. 01744AA1 |. 0FB7F9 |MOVZX EDI,CX ; EDI = index from file
  75. 01744AA4 |. 74 03 |JE SHORT 01744AA9 ; sequential mode -> replace it with the counter (this tests the mode flag, not the size)
  76. 01744AA6 |. 0FB7FD |MOVZX EDI,BP ; EDI = EBP (always < count here because of the loop condition)
  77. 01744AA9 |> 66:3B3B |CMP DI,WORD PTR DS:[EBX] ; bounds test: DI vs count (unsigned); count is itself from the file
  78. 01744AAC |. 72 0F |JB SHORT 01744ABD ; in range -> write
  79. 01744AAE |. 68 E46F9D01 |PUSH OFFSET 019D6FE4
  80. 01744AB3 |. 6A 02 |PUSH 2
  81. 01744AB5 |. E8 D6F9FEFF |CALL 01734490 ; out of range: only a helper call (cdecl, 2 args; annotator: ignore) -- no abort, no skip
  82. 01744ABA |. 83C4 08 |ADD ESP,8
  83. 01744ABD |> 8B06 |MOV EAX,DWORD PTR DS:[ESI] ; <-- execution FALLS THROUGH to here with the rejected index still in DI
  84. 01744ABF |. 8B50 18 |MOV EDX,DWORD PTR DS:[EAX+18]
  85. 01744AC2 |. 6A 02 |PUSH 2
  86. 01744AC4 |. 8BCE |MOV ECX,ESI
  87. 01744AC6 |. FFD2 |CALL EDX ; Read 2 bytes from file (R)
  88. 01744AC8 |. 8B5424 10 |MOV EDX,DWORD PTR SS:[ESP+10] ; EDX = arg3 (palette buffer)
  89. 01744ACC |. 0FB7CF |MOVZX ECX,DI
  90. 01744ACF |. 8D3C8A |LEA EDI,[ECX*4+EDX] ; EDI = pal + 4*index; index <= FFFFh so this may point ~256 KiB past the buffer
  91. 01744AD2 |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX]
  92. 01744AD5 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1]
  93. 01744AD9 |. 66:C1E1 08 |SHL CX,8
  94. 01744ADD |. 66:03CA |ADD CX,DX ; CX = R sample; only CH (the first byte read) is kept below
  95. 01744AE0 |. 886F 02 |MOV BYTE PTR DS:[EDI+2],CH ; pal[4*index+2] = R high byte (out-of-bounds write when the check above failed)
  96. 01744AE3 |. 8B06 |MOV EAX,DWORD PTR DS:[ESI]
  97. 01744AE5 |. 8B50 18 |MOV EDX,DWORD PTR DS:[EAX+18]
  98. 01744AE8 |. 6A 02 |PUSH 2
  99. 01744AEA |. 8BCE |MOV ECX,ESI
  100. 01744AEC |. FFD2 |CALL EDX ; Read 2 bytes from file (G)
  101. 01744AEE |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX]
  102. 01744AF1 |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1]
  103. 01744AF5 |. 66:C1E1 08 |SHL CX,8
  104. 01744AF9 |. 66:03CA |ADD CX,DX
  105. 01744AFC |. 886F 01 |MOV BYTE PTR DS:[EDI+1],CH ; pal[4*index+1] = G high byte (same unchecked pointer)
  106. 01744AFF |. 8B06 |MOV EAX,DWORD PTR DS:[ESI]
  107. 01744B01 |. 8B50 18 |MOV EDX,DWORD PTR DS:[EAX+18]
  108. 01744B04 |. 6A 02 |PUSH 2
  109. 01744B06 |. 8BCE |MOV ECX,ESI
  110. 01744B08 |. FFD2 |CALL EDX ; Read 2 bytes from file (B)
  111. 01744B0A |. 0FB608 |MOVZX ECX,BYTE PTR DS:[EAX]
  112. 01744B0D |. 0FB650 01 |MOVZX EDX,BYTE PTR DS:[EAX+1]
  113. 01744B11 |. 66:C1E1 08 |SHL CX,8
  114. 01744B15 |. 66:03CA |ADD CX,DX
  115. 01744B18 |. 882F |MOV BYTE PTR DS:[EDI],CH ; pal[4*index+0] = B high byte; byte +3 of the entry is never written
  116. 01744B1A |. 0FB703 |MOVZX EAX,WORD PTR DS:[EBX] ; EAX = count (zero-extended)
  117. 01744B1D |. 83C5 01 |ADD EBP,1 ; ++counter
  118. 01744B20 |. 3BE8 |CMP EBP,EAX ; loop while counter < count (signed compare is fine: both operands are < 10000h)
  119. 01744B22 |.^ 0F8C 58FFFFFF \JL 01744A80
  120. 01744B28 |> 8B8C24 180100 MOV ECX,DWORD PTR SS:[ESP+118] ; ECX = saved cookie ([frame+108] seen past the 4 pushes)
  121. 01744B2F |. 5F POP EDI
  122. 01744B30 |. 5E POP ESI
  123. 01744B31 |. 5D POP EBP
  124. 01744B32 |. 5B POP EBX
  125. 01744B33 |. 33CC XOR ECX,ESP ; undo the ESP mix-in from entry
  126. 01744B35 |. E8 C2CD1800 CALL 018D18FC ; Check stack cookie (presumably __security_check_cookie); guards the return address only, not the heap/palette writes above
  127. 01744B3A |. 81C4 0C010000 ADD ESP,10C
  128. 01744B40 \. C2 0C00 RETN 0C ; callee pops the 3 dword args
  129. 01744B43 CC INT3 ; padding after the function