- Even though I'm currently enjoying the lovely Baltic Sea, I still find time for the debugger ;)
- And how!!! When you see something like this: http://infobez-expo.ru/conference/events/golosov/
- Well, actually it all started with this: https://twitter.com/NTarakanov/status/244013953649373184
- I felt like doing some reversing, and my eye fell on the products of Infotecs. I have no ill intent towards Infotecs; it's just that this company is nominated in no fewer than two(!!) categories:
- Size matters – for the scalability of solutions
- E=mc2 – for creating powerful applications and technologies
- and I thought it would be fun to reverse what they've got in there and see how it's built!
- They have several products, and many of them install drivers and expose handles even to Guest!
- hehe, the mouldy old ioctl chestnut is alive and kicking!
- I figured I should look at their flagship product, Vipnet Client, and, well, here's what came of it :)))) :
- ioctl:
- 0x222098: arbitrary memory overwrite
- kd> !analyze -v
- *******************************************************************************
- * *
- * Bugcheck Analysis *
- * *
- *******************************************************************************
- PAGE_FAULT_IN_NONPAGED_AREA (50)
- Invalid system memory was referenced. This cannot be protected by try-except,
- it must be protected by a Probe. Typically the address is just plain bad or it
- is pointing at freed memory.
- Arguments:
- Arg1: 90909090, memory referenced.
- Arg2: 00000001, value 0 = read operation, 1 = write operation.
- Arg3: 804f3b76, If non-zero, the instruction address which referenced the bad memory
- address.
- Arg4: 00000000, (reserved)
- Debugging Details:
- ------------------
- *************************************************************************
- *** ***
- *** ***
- *** Your debugger is not using the correct symbols ***
- *** ***
- *** In order for this command to work properly, your symbol path ***
- *** must point to .pdb files that have full type information. ***
- *** ***
- *** Certain .pdb files (such as the public OS symbols) do not ***
- *** contain the required information. Contact the group that ***
- *** provided you with these symbols if you need this command to ***
- *** work. ***
- *** ***
- *** Type referenced: kernel32!pNlsUserInfo ***
- *** ***
- *************************************************************************
- *************************************************************************
- *** ***
- *** ***
- *** Your debugger is not using the correct symbols ***
- *** ***
- *** In order for this command to work properly, your symbol path ***
- *** must point to .pdb files that have full type information. ***
- *** ***
- *** Certain .pdb files (such as the public OS symbols) do not ***
- *** contain the required information. Contact the group that ***
- *** provided you with these symbols if you need this command to ***
- *** work. ***
- *** ***
- *** Type referenced: kernel32!pNlsUserInfo ***
- *** ***
- *************************************************************************
- WRITE_ADDRESS: 90909090
- FAULTING_IP:
- nt!IopCompleteRequest+92
- 804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
- MM_INTERNAL_CODE: 0
- DEFAULT_BUCKET_ID: DRIVER_FAULT
- BUGCHECK_STR: 0x50
- PROCESS_NAME: IpLir.exe
- IRP_ADDRESS: 81e90f68
- DEVICE_OBJECT: 8211eb90
- DRIVER_OBJECT: 820614b0
- IMAGE_NAME: IPLIR.sys
- DEBUG_FLR_IMAGE_TIMESTAMP: 4f81e2b7
- MODULE_NAME: IPLIR
- FAULTING_MODULE: f82fb000 IPLIR
- TRAP_FRAME: b20f8a34 -- (.trap 0xffffffffb20f8a34)
- ErrCode = 00000002
- eax=00000008 ebx=81e90f68 ecx=00000002 edx=00000001 esi=81fe3d78 edi=90909090
- eip=804f3b76 esp=b20f8aa8 ebp=b20f8aec iopl=0 nv up ei pl nz na po nc
- cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010202
- nt!IopCompleteRequest+0x92:
- 804f3b76 f3a5 rep movs dword ptr es:[edi],dword ptr [esi]
- Resetting default scope
- LAST_CONTROL_TRANSFER: from 804f7bad to 80527bec
- STACK_TEXT:
- b20f8570 804f7bad 00000003 90909090 00000000 nt!RtlpBreakWithStatusInstruction
- b20f85bc 804f879a 00000003 00000000 c0484848 nt!KiBugCheckDebugBreak+0x19
- b20f899c 804f8cc5 00000050 90909090 00000001 nt!KeBugCheck2+0x574
- b20f89bc 8051cc5f 00000050 90909090 00000001 nt!KeBugCheckEx+0x1b
- b20f8a1c 8054052c 00000001 90909090 00000000 nt!MmAccessFault+0x8e7
- b20f8a1c 804f3b76 00000001 90909090 00000000 nt!KiTrap0E+0xcc
- b20f8aec 804fdaf1 81e90fa8 b20f8b38 b20f8b2c nt!IopCompleteRequest+0x92
- b20f8b3c 806d2c35 00000000 00000000 b20f8b54 nt!KiDeliverApc+0xb3
- b20f8b3c 806d2861 00000000 00000000 b20f8b54 hal!HalpApcInterrupt+0xc5
- b20f8bc4 804fab03 81e90fa8 81e90f68 00000000 hal!KeReleaseInStackQueuedSpinLock+0x11
- b20f8be4 804f07e4 81e90fa8 81adcdd8 00000000 nt!KeInsertQueueApc+0x4b
- b20f8c18 f836e574 81adcdd8 820614b0 b20f8c58 nt!IopfCompleteRequest+0x1d8
- WARNING: Stack unwind information not available. Following frames may be wrong.
- 00000000 00000000 00000000 00000000 00000000 IPLIR+0x73574
- STACK_COMMAND: kb
- FOLLOWUP_IP:
- IPLIR+73574
- f836e574 8b442410 mov eax,dword ptr [esp+10h]
- SYMBOL_STACK_INDEX: c
- SYMBOL_NAME: IPLIR+73574
- FOLLOWUP_NAME: MachineOwner
- FAILURE_BUCKET_ID: 0x50_IPLIR+73574
- BUCKET_ID: 0x50_IPLIR+73574
- Followup: MachineOwner
- ---------
- kd> dd 81fe3d78
- 81fe3d78 41414141 00000000 41414141 41414141 <--- controlled values == 0dayz LPE!
- 81fe3d88 41414141 c4000001 00040004 63426343
- 81fe3d98 81ed2a18 81a022a8 00c80000 00000000
- 81fe3da8 820c1fe8 81ae9858 0a0d0004 61436d4d
- 81fe3db8 e236e908 805586a8 81ed33e4 00000000
- 81fe3dc8 00000001 00000000 00000002 00000000
- 81fe3dd8 09008080 81ebcb40 00000000 00000000
- 81fe3de8 81fe3db8 00000060 00000000 00000040
- and much, much more buggy code!
- 0x222070: NPD useless?
- kd> !analyze -v
- *******************************************************************************
- * *
- * Bugcheck Analysis *
- * *
- *******************************************************************************
- KERNEL_MODE_EXCEPTION_NOT_HANDLED (8e)
- This is a very common bugcheck. Usually the exception address pinpoints
- the driver/function that caused the problem. Always note this address
- as well as the link date of the driver/image that contains this address.
- Some common problems are exception code 0x80000003. This means a hard
- coded breakpoint or assertion was hit, but this system was booted
- /NODEBUG. This is not supposed to happen as developers should never have
- hardcoded breakpoints in retail code, but ...
- If this happens, make sure a debugger gets connected, and the
- system is booted /DEBUG. This will let us see why this breakpoint is
- happening.
- Arguments:
- Arg1: c0000005, The exception code that was not handled
- Arg2: f83250bb, The address that the exception occurred at
- Arg3: b29d4b50, Trap Frame
- Arg4: 00000000
- Debugging Details:
- ------------------
- *************************************************************************
- *** ***
- *** ***
- *** Your debugger is not using the correct symbols ***
- *** ***
- *** In order for this command to work properly, your symbol path ***
- *** must point to .pdb files that have full type information. ***
- *** ***
- *** Certain .pdb files (such as the public OS symbols) do not ***
- *** contain the required information. Contact the group that ***
- *** provided you with these symbols if you need this command to ***
- *** work. ***
- *** ***
- *** Type referenced: kernel32!pNlsUserInfo ***
- *** ***
- *************************************************************************
- *************************************************************************
- *** ***
- *** ***
- *** Your debugger is not using the correct symbols ***
- *** ***
- *** In order for this command to work properly, your symbol path ***
- *** must point to .pdb files that have full type information. ***
- *** ***
- *** Certain .pdb files (such as the public OS symbols) do not ***
- *** contain the required information. Contact the group that ***
- *** provided you with these symbols if you need this command to ***
- *** work. ***
- *** ***
- *** Type referenced: kernel32!pNlsUserInfo ***
- *** ***
- *************************************************************************
- EXCEPTION_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%08lx referenced memory at 0x%08lx. The memory could not be %s.
- FAULTING_IP:
- IPLIR+2a0bb
- f83250bb 8b10 mov edx,dword ptr [eax]
- TRAP_FRAME: b29d4b50 -- (.trap 0xffffffffb29d4b50)
- ErrCode = 00000000
- eax=00000004 ebx=b29d4c30 ecx=81ca27b9 edx=fffffffc esi=00000000 edi=81ca2550
- eip=f83250bb esp=b29d4bc4 ebp=00000000 iopl=0 nv up ei ng nz na pe nc
- cs=0008 ss=0010 ds=0023 es=0023 fs=0030 gs=0000 efl=00010286
- IPLIR+0x2a0bb:
- f83250bb 8b10 mov edx,dword ptr [eax] ds:0023:00000004=????????
- Resetting default scope
- DEFAULT_BUCKET_ID: DRIVER_FAULT
- BUGCHECK_STR: 0x8E
- PROCESS_NAME: IpLir.exe
- LAST_CONTROL_TRANSFER: from 804f7bad to 80527bec
- STACK_TEXT:
- b29d42cc 804f7bad 00000003 b29d4628 00000000 nt!RtlpBreakWithStatusInstruction
- b29d4318 804f879a 00000003 00000000 b29d4afc nt!KiBugCheckDebugBreak+0x19
- b29d46f8 804f8cc5 0000008e c0000005 f83250bb nt!KeBugCheck2+0x574
- b29d4718 804fccff 0000008e c0000005 f83250bb nt!KeBugCheckEx+0x1b
- b29d4ae0 8053e091 b29d4afc 00000000 b29d4b50 nt!KiDispatchException+0x3b1
- b29d4b48 8053e042 00000000 f83250bb badb0d00 nt!CommonDispatchException+0x4d
- b29d4b60 806d2ca4 00000000 ffdff980 80541086 nt!KiExceptionExit+0x18a
- b29d4b6c 80541086 82079d00 000000d1 b29d4c44 hal!HalEndSystemInterrupt+0x54
- b29d4b6c 00000000 82079d00 000000d1 b29d4c44 nt!KeUpdateSystemTime+0x13e
- STACK_COMMAND: kb
- FOLLOWUP_IP:
- IPLIR+2a0bb
- f83250bb 8b10 mov edx,dword ptr [eax]
- SYMBOL_STACK_INDEX: 0
- SYMBOL_NAME: IPLIR+2a0bb
- FOLLOWUP_NAME: MachineOwner
- MODULE_NAME: IPLIR
- IMAGE_NAME: IPLIR.sys
- DEBUG_FLR_IMAGE_TIMESTAMP: 4f81e2b7
- FAILURE_BUCKET_ID: 0x8E_IPLIR+2a0bb
- BUCKET_ID: 0x8E_IPLIR+2a0bb
- Followup: MachineOwner
- ---------
- What's my point with all this?
- Just that, IMHO, we don't need "conferences" like this!
- We need PHD, ZN!
- Why not create a third one???
- Anyway, have a good Friday evening!
- If you want, I have 0days for other Infotecs products too ;)