  1. #include <wchar.h>
  2.  
  3. // This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3
  4.  
  /*
   * ms08_067 - canonicalise the ".\" and "..\" components of a wide path
   * in place, the way the vulnerable netapi32 routine does.
   *
   * path: writable, NUL-terminated wide string. It is rewritten in place
   *       with wcscpy(), so it must not be a string literal.
   *
   * Returns 1 when the path was accepted (this includes the empty path and
   * the early-truncation case below), 0 when it is rejected: a server name
   * not followed by exactly one separator, two consecutive separators, or a
   * "..\" with no preceding directory to remove.
   *
   * This deliberately reproduces the MS08-067 defect; see the BUG comment at
   * the backwards search for the previous separator.
   */
  int ms08_067(wchar_t* path)
  {
      wchar_t* p;
      wchar_t* q;
      wchar_t* previous_slash = NULL;   /* separator before current_slash, or NULL */
      wchar_t* current_slash = NULL;    /* most recent separator seen, or NULL */
      wchar_t ch;                       /* saved p[2] before it is overwritten */

      // If the path starts with a server name (\\server\...), skip it

      if ((path[0] == L'\\' || path[0] == L'/') &&
          (path[1] == L'\\' || path[1] == L'/'))
      {
          p = path+2;

          // NOTE(review): `*p != L'\\' || *p != L'/'` holds for every
          // character (nothing equals both separators), so this loop can
          // only stop at the terminator and every \\server\... path is
          // rejected with 0. `&&` was presumably intended; confirm against
          // the original binary before relying on this branch.
          while (*p != L'\\' || *p != L'/') {
              if (*p == L'\0')
                  return 0;
              p++;
          }

          p++;

          // make path point after the server name

          path = p;

          // make sure the server name is followed by a single slash

          if (path[0] == L'\\' || path[0] == L'/')
              return 0;
      }

      if (path[0] == L'\0') // return if the path is empty
          return 1;

      // Iterate through the path and canonicalize ..\ and .\
      // Only L'\\' is treated as a separator from here on; L'/' is an
      // ordinary character inside the loop.

      p = path;

      while (1) {
          if (*p == L'\\') {
              // we have a slash

              if (current_slash == p-1) // don't allow consecutive slashes
                  return 0;

              // store the locations of the current and previous slashes

              previous_slash = current_slash;
              current_slash = p;
          }
          else if (*p == L'.' && (current_slash == p-1 || p == path)) {
              // we have \. or ^.  (^ marks the start of the path)

              if (p[1] == L'.' && (p[2] == L'\\' || p[2] == L'\0')) {
                  // we have a \..\, \..$, ^..\ or ^..$ sequence

                  if (previous_slash == NULL)
                      return 0;

                  // example: aaa\bbb\..\ccc
                  //             ^   ^  ^
                  //             |   |  &p[2]
                  //             |   |
                  //             |   current_slash
                  //             |
                  //             previous_slash

                  ch = p[2];

                  // Drop "bbb\..": copy the tail starting at &p[2] down to
                  // previous_slash.
                  // NOTE(review): source and destination overlap inside the
                  // same buffer, which wcscpy() does not permit (wmemmove()
                  // would); left as-is to mirror the decompiled routine.
                  wcscpy(previous_slash, &p[2]);

                  if (ch == L'\0')
                      return 1;

                  current_slash = previous_slash;
                  p = previous_slash;

                  // find the slash before p

                  // BUG: if previous_slash points to the beginning of the
                  // string, we'll go beyond the start of the buffer
                  //
                  // example string: \a\..\
                  //
                  // Here p == previous_slash. When that is `path` itself,
                  // q = p-1 already lies one element before the buffer and
                  // the first `*q` below is an out-of-bounds read (undefined
                  // behaviour). The loop tests `*q` before `q != path`, so the
                  // bound check can never catch it; q then keeps walking
                  // backwards until it finds a separator somewhere in the
                  // memory preceding the buffer, and previous_slash ends up
                  // pointing there. A later `wcscpy(previous_slash, ...)`
                  // writes through that pointer. A safe version must handle
                  // p == path before dereferencing q, e.g. by checking
                  // `p > path` (or `q >= path`) before the read.

                  q = p-1;

                  while (*q != L'\\' && q != path)
                      q--;

                  // p is normally a separator, but it may also be `path`
                  // itself when an earlier backwards search stopped at the
                  // start of the string without finding one.
                  if (*p == L'\\')
                      previous_slash = q;
                  else
                      previous_slash = NULL;
              }
              else if (p[1] == L'\\') {
                  // we have \.\ or ^.\  -- remove the ".\" component

                  if (current_slash != NULL) {
                      wcscpy(current_slash, &p[1]);
                      goto end_of_loop;
                  }
                  else { // current_slash == NULL
                      wcscpy(p, p+2);
                      goto end_of_loop;
                  }
              }
              else if (p[1] != L'\0') {
                  // we have \. or ^. followed by some other char:
                  // truncate at the preceding separator (or at p) and accept

                  if (current_slash != NULL) {
                      p = current_slash;
                  }
                  *p = L'\0';
                  return 1;
              }
          }

          p++;

      end_of_loop:
          // reached directly from the ".\" branches, which have already
          // moved the remaining text under p
          if (*p == L'\0')
              return 1;
      }
  }
  131.  
  132. // Run this program to simulate the MS08-067 vulnerability
  133.  
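  /*
   * Entry point: run this program to simulate the MS08-067 vulnerability.
   *
   * ms08_067() rewrites its argument with wcscpy(), so the path must live in
   * writable storage. A wide string literal is not writable (modifying one is
   * undefined behaviour and usually faults before the bug under study is even
   * reached), so the test vector is copied into an automatic array first.
   *
   * Returns ms08_067()'s result as the process exit status.
   */
  int main(void)
  {
      wchar_t path[] = L"\\a\\..\\";
      return ms08_067(path);
  }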