Advertisement
Not a member of Pastebin yet?
Sign Up,
it unlocks many cool features!
- #include <wchar.h>
- // This is the decompiled function sub_5B86A51B in netapi32.dll on XP SP3
- int ms08_067(wchar_t* path)
- {
- wchar_t* p;
- wchar_t* q;
- wchar_t* previous_slash = NULL;
- wchar_t* current_slash = NULL;
- wchar_t ch;
- // If the path starts with a server name, skip it
- if ((path[0] == L'\\' || path[0] == L'/') &&
- (path[1] == L'\\' || path[1] == L'/'))
- {
- p = path+2;
- while (*p != L'\\' || *p != L'/') {
- if (*p == L'\0')
- return 0;
- p++;
- }
- p++;
- // make path point after the server name
- path = p;
- // make sure the server name is followed by a single slash
- if (path[0] == L'\\' || path[0] == L'/')
- return 0;
- }
- if (path[0] == L'\0') // return if the path is empty
- return 1;
- // Iterate through the path and canonicalize ..\ and .\
- p = path;
- while (1) {
- if (*p == L'\\') {
- // we have a slash
- if (current_slash == p-1) // don't allow consequtive slashes
- return 0;
- // store the locations of the current and previous slashes
- previous_slash = current_slash;
- current_slash = p;
- }
- else if (*p == L'.' && (current_slash == p-1 || p == path)) {
- // we have \. or ^.
- if (p[1] == L'.' && (p[2] == L'\\' || p[2] == L'\0')) {
- // we have a \..\, \..$, ^..\ or ^..$ sequence
- if (previous_slash == NULL)
- return 0;
- // example: aaa\bbb\..\ccc
- // ^ ^ ^
- // | | &p[2]
- // | |
- // | current_slash
- // |
- // previous_slash
- ch = p[2];
- wcscpy(previous_slash, &p[2]);
- if (ch == L'\0')
- return 1;
- current_slash = previous_slash;
- p = previous_slash;
- // find the slash before p
- // BUG: if previous_slash points to the beginning of the
- // string, we'll go beyond the start of the buffer
- //
- // example string: \a\..\
- q = p-1;
- while (*q != L'\\' && q != path)
- q--;
- if (*p == L'\\')
- previous_slash = q;
- else
- previous_slash = NULL;
- }
- else if (p[1] == L'\\') {
- // we have \.\ or ^.\
- if (current_slash != NULL) {
- wcscpy(current_slash, &p[1]);
- goto end_of_loop;
- }
- else { // current_slash == NULL
- wcscpy(p, p+2);
- goto end_of_loop;
- }
- }
- else if (p[1] != L'\0') {
- // we have \. or ^. followed by some other char
- if (current_slash != NULL) {
- p = current_slash;
- }
- *p = L'\0';
- return 1;
- }
- }
- p++;
- end_of_loop:
- if (*p == L'\0')
- return 1;
- }
- }
- // Run this program to simulate the MS08-067 vulnerability
- int main()
- {
- return ms08_067(L"\\a\\..\\");
- }
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement