srvstamp.c (buffer overflow in SMB protcol 0day 2020) #XPLEAKS

1. /*++
2.  
3. Copyright (c) 1991  Microsoft Corporation
4.  
5. Module Name:
6.  
7.     srvstamp.c
8.  
9. Abstract:
10.  
11.     This module contains routines for supporting the SrvStamp functionality
12.    
13. Author:
14.  
15.     David Kruse (dkruse) 23-Oct-2000
16.  
17. Revision History:
18.  
19. --*/
20.  
21. #include "precomp.h"
22. #include "srvstamp.tmh"
23. #pragma hdrstop
24.                    
25. #ifdef SRVCATCH
26.  
27. //
28. //  Stupid compiler won't convert memcmp( data, constdata, 8 ) into
29. //  a single 64-bit compare, so we use 64-bit numeric constants here.
30. //
31.  
32. #define PVD_SIGNATURE 0x0001313030444301    // 0x01 "CD001" 0x01 0x00
33. #define TVD_SIGNATURE 0x00013130304443FF    // 0xFF "CD001" 0x01 0x00
34.  
35. #ifdef STATIC_CRC_TABLE
36.  
37. const unsigned long CrcTable32[ 256 ] = {
38.     0x00000000, 0x77073096, 0xEE0E612C, 0x990951BA, 0x076DC419, 0x706AF48F,
39.     0xE963A535, 0x9E6495A3, 0x0EDB8832, 0x79DCB8A4, 0xE0D5E91E, 0x97D2D988,
40.     0x09B64C2B, 0x7EB17CBD, 0xE7B82D07, 0x90BF1D91, 0x1DB71064, 0x6AB020F2,
41.     0xF3B97148, 0x84BE41DE, 0x1ADAD47D, 0x6DDDE4EB, 0xF4D4B551, 0x83D385C7,
42.     0x136C9856, 0x646BA8C0, 0xFD62F97A, 0x8A65C9EC, 0x14015C4F, 0x63066CD9,
43.     0xFA0F3D63, 0x8D080DF5, 0x3B6E20C8, 0x4C69105E, 0xD56041E4, 0xA2677172,
44.     0x3C03E4D1, 0x4B04D447, 0xD20D85FD, 0xA50AB56B, 0x35B5A8FA, 0x42B2986C,
45.     0xDBBBC9D6, 0xACBCF940, 0x32D86CE3, 0x45DF5C75, 0xDCD60DCF, 0xABD13D59,
46.     0x26D930AC, 0x51DE003A, 0xC8D75180, 0xBFD06116, 0x21B4F4B5, 0x56B3C423,
47.     0xCFBA9599, 0xB8BDA50F, 0x2802B89E, 0x5F058808, 0xC60CD9B2, 0xB10BE924,
48.     0x2F6F7C87, 0x58684C11, 0xC1611DAB, 0xB6662D3D, 0x76DC4190, 0x01DB7106,
49.     0x98D220BC, 0xEFD5102A, 0x71B18589, 0x06B6B51F, 0x9FBFE4A5, 0xE8B8D433,
50.     0x7807C9A2, 0x0F00F934, 0x9609A88E, 0xE10E9818, 0x7F6A0DBB, 0x086D3D2D,
51.     0x91646C97, 0xE6635C01, 0x6B6B51F4, 0x1C6C6162, 0x856530D8, 0xF262004E,
52.     0x6C0695ED, 0x1B01A57B, 0x8208F4C1, 0xF50FC457, 0x65B0D9C6, 0x12B7E950,
53.     0x8BBEB8EA, 0xFCB9887C, 0x62DD1DDF, 0x15DA2D49, 0x8CD37CF3, 0xFBD44C65,
54.     0x4DB26158, 0x3AB551CE, 0xA3BC0074, 0xD4BB30E2, 0x4ADFA541, 0x3DD895D7,
55.     0xA4D1C46D, 0xD3D6F4FB, 0x4369E96A, 0x346ED9FC, 0xAD678846, 0xDA60B8D0,
56.     0x44042D73, 0x33031DE5, 0xAA0A4C5F, 0xDD0D7CC9, 0x5005713C, 0x270241AA,
57.     0xBE0B1010, 0xC90C2086, 0x5768B525, 0x206F85B3, 0xB966D409, 0xCE61E49F,
58.     0x5EDEF90E, 0x29D9C998, 0xB0D09822, 0xC7D7A8B4, 0x59B33D17, 0x2EB40D81,
59.     0xB7BD5C3B, 0xC0BA6CAD, 0xEDB88320, 0x9ABFB3B6, 0x03B6E20C, 0x74B1D29A,
60.     0xEAD54739, 0x9DD277AF, 0x04DB2615, 0x73DC1683, 0xE3630B12, 0x94643B84,
61.     0x0D6D6A3E, 0x7A6A5AA8, 0xE40ECF0B, 0x9309FF9D, 0x0A00AE27, 0x7D079EB1,
62.     0xF00F9344, 0x8708A3D2, 0x1E01F268, 0x6906C2FE, 0xF762575D, 0x806567CB,
63.     0x196C3671, 0x6E6B06E7, 0xFED41B76, 0x89D32BE0, 0x10DA7A5A, 0x67DD4ACC,
64.     0xF9B9DF6F, 0x8EBEEFF9, 0x17B7BE43, 0x60B08ED5, 0xD6D6A3E8, 0xA1D1937E,
65.     0x38D8C2C4, 0x4FDFF252, 0xD1BB67F1, 0xA6BC5767, 0x3FB506DD, 0x48B2364B,
66.     0xD80D2BDA, 0xAF0A1B4C, 0x36034AF6, 0x41047A60, 0xDF60EFC3, 0xA867DF55,
67.     0x316E8EEF, 0x4669BE79, 0xCB61B38C, 0xBC66831A, 0x256FD2A0, 0x5268E236,
68.     0xCC0C7795, 0xBB0B4703, 0x220216B9, 0x5505262F, 0xC5BA3BBE, 0xB2BD0B28,
69.     0x2BB45A92, 0x5CB36A04, 0xC2D7FFA7, 0xB5D0CF31, 0x2CD99E8B, 0x5BDEAE1D,
70.     0x9B64C2B0, 0xEC63F226, 0x756AA39C, 0x026D930A, 0x9C0906A9, 0xEB0E363F,
71.     0x72076785, 0x05005713, 0x95BF4A82, 0xE2B87A14, 0x7BB12BAE, 0x0CB61B38,
72.     0x92D28E9B, 0xE5D5BE0D, 0x7CDCEFB7, 0x0BDBDF21, 0x86D3D2D4, 0xF1D4E242,
73.     0x68DDB3F8, 0x1FDA836E, 0x81BE16CD, 0xF6B9265B, 0x6FB077E1, 0x18B74777,
74.     0x88085AE6, 0xFF0F6A70, 0x66063BCA, 0x11010B5C, 0x8F659EFF, 0xF862AE69,
75.     0x616BFFD3, 0x166CCF45, 0xA00AE278, 0xD70DD2EE, 0x4E048354, 0x3903B3C2,
76.     0xA7672661, 0xD06016F7, 0x4969474D, 0x3E6E77DB, 0xAED16A4A, 0xD9D65ADC,
77.     0x40DF0B66, 0x37D83BF0, 0xA9BCAE53, 0xDEBB9EC5, 0x47B2CF7F, 0x30B5FFE9,
78.     0xBDBDF21C, 0xCABAC28A, 0x53B39330, 0x24B4A3A6, 0xBAD03605, 0xCDD70693,
79.     0x54DE5729, 0x23D967BF, 0xB3667A2E, 0xC4614AB8, 0x5D681B02, 0x2A6F2B94,
80.     0xB40BBE37, 0xC30C8EA1, 0x5A05DF1B, 0x2D02EF8D};
81.  
82. #else
83.  
84. unsigned long *CrcTable32 = NULL;
85.  
86. #endif
87.  
88. BOOLEAN GenerateCrcTable()
89. {
90. #ifndef STATIC_CRC_TABLE
91.  
92.     ULONG i, j, Value;
93.  
94.     if( !CrcTable32 )
95.     {
96.         CrcTable32 = ALLOCATE_NONPAGED_POOL( sizeof(ULONG)*256, BlockTypeMisc );
97.         if( !CrcTable32 )
98.             return FALSE;
99.     }
100.  
101.     for ( i = 0; i < 256; i++ )
102.     {
103.         for ( Value = i, j = 8; j > 0; j-- )
104.         {
105.             if ( Value & 1 )
106.             {
107.                 Value = ( Value >> 1 ) ^ 0xEDB88320;
108.             }
109.             else
110.             {
111.                 Value >>= 1;
112.             }
113.         }
114.  
115.         CrcTable32[ i ] = Value;
116.     }
117.  
118. #endif
119.  
120.     return TRUE;
121. }
122.  
123. BOOLEAN CleanupCrcTable()
124. {
125. #ifndef STATIC_CRC_TABLE
126.     if( CrcTable32 )
127.     {
128.         DEALLOCATE_NONPAGED_POOL( CrcTable32 );
129.         CrcTable32 = NULL;
130.     }
131. #endif
132.  
133.     return TRUE;
134. }
135.  
136. #pragma optimize( "t", on ) // following code should be fast versus small
137. // (crc loop 40000 times per corrected image)
138.  
139.  
140. ULONG
141. __forceinline               // called from only one location
142. Crc32(
143.      ULONG InitialCrc,
144.      const VOID *Buffer,
145.      ULONG Bytes
146.      )
147. {
148.  
149.     ULONG Crc = InitialCrc;
150.     const UCHAR *p = Buffer;
151.     ULONG Count = Bytes;
152.  
153.     while ( Count-- )
154.     {
155.         Crc = ( Crc >> 8 ) ^ CrcTable32[ (UCHAR)Crc ^ *p++ ];
156.     }
157.  
158.     return Crc;
159. }
160.  
161.  
162. ULONG
163. __fastcall
164. LocateTvdSectorInIsoFileHeader(
165.                               PVOID FileHeader,       // should be at least 20 * 2048 (40,960) bytes, but
166.                               ULONG SizeOfHeader      //  won't search past 24 * 2048 (49,152) bytes
167.                               )
168. {
169.     PBYTE p;
170.     PBYTE z;
171.  
172.     if ( SizeOfHeader >= ( 20 * 2048 ))
173.     {   // big enough for ISO-9660 headers
174.  
175.         if ( SizeOfHeader > ( 24 * 2048 ))
176.         {    // don't bother searching
177.             SizeOfHeader = ( 24 * 2048 );      // beyond sector 23
178.         }
179.  
180.         p = (PBYTE)FileHeader + ( 16 * 2048 );  // point at PVD sector
181.         z = (PBYTE)FileHeader + SizeOfHeader;   // search until p >= z
182.  
183.         //
184.         //  If FileHeader buffer is guaranteed to be 8-byte aligned, can remove
185.         //  the UNALIGNED keywords below.
186.         //
187.  
188.         if ( *(UNALIGNED UINT64 *)p == PVD_SIGNATURE )
189.         {    // ISO-9660 image
190.  
191.             p += 2048;                          // skip PVD and scan for TVD
192.  
193.             do
194.             {
195.  
196.                 if ( *(UNALIGNED UINT64 *)p == TVD_SIGNATURE )
197.                 {
198.  
199.                     return(ULONG)( p - (PBYTE)FileHeader );   // return offset to TVD
200.                 }
201.  
202.                 p += 2048;
203.             }
204.  
205.             while ( p < z );
206.  
207.         }
208.     }
209.  
210.     return 0;                               // no TVD, not valid ISO-9660 image
211. }
212.  
213.  
214. VOID
215. __fastcall
216. EmbedDataInIsoTvdAndCorrectCrc(
217.                               PVOID IsoFileHeader,
218.                               ULONG TvdSectorOffset,
219.                               PVOID DataToEmbed,
220.                               ULONG SizeOfData
221.                               )
222. {
223.     //
224.     //  If IsoFileHeader is 4-byte aligned, can remove UNALIGNED keyword.
225.     //
226.  
227.     UNALIGNED ULONG *pCrcCorrection;
228.  
229.     ASSERT( SizeOfData <= 1020 );
230.  
231.     memcpy( (PBYTE)IsoFileHeader + TvdSectorOffset + 1024, DataToEmbed, SizeOfData );
232.  
233.     //
234.     //  We only perform CRC correction if the TVD has been predisposed to
235.     //  CRC correction (cdimage -xx).  In other words, if the last four
236.     //  bytes of the TVD already contain a non-zero CRC correction.
237.     //
238.  
239.     pCrcCorrection = (PULONG)( (PBYTE)IsoFileHeader + TvdSectorOffset + 2048 - 4 );
240.  
241.     if ( *pCrcCorrection )
242.     {
243.         *pCrcCorrection = Crc32( 0xFFFFFFFF, IsoFileHeader, TvdSectorOffset + 2048 - 4 );
244.     }
245. }
246.  
247. ULONG
248. SrvFindCatchOffset(
249.     IN OUT PVOID pBuffer,
250.     IN ULONG BufferSize
251.     )
252. {
253.     ULONG offset;
254.     offset = LocateTvdSectorInIsoFileHeader( pBuffer, BufferSize );
255.     if( offset )
256.     {
257.         offset += 1024;
258.     }
259.    
260.     return offset;
261. }
262.  
263. void
264. SrvCorrectCatchBuffer(
265.     IN PVOID pBuffer,
266.     IN ULONG CatchOffset
267.     )
268. {
269.     UNALIGNED ULONG *pCrcCorrection;
270.  
271.     CatchOffset -= 1024;
272.  
273.     //
274.     //  We only perform CRC correction if the TVD has been predisposed to
275.     //  CRC correction (cdimage -xx).  In other words, if the last four
276.     //  bytes of the TVD already contain a non-zero CRC correction.
277.     //
278.  
279.     pCrcCorrection = (PULONG)( (PBYTE)pBuffer + CatchOffset + 2048 - 4 );
280.  
281.     if ( *pCrcCorrection )
282.     {
283.         *pCrcCorrection = Crc32( 0xFFFFFFFF, pBuffer, CatchOffset + 2048 - 4 );
284.     }
285. }
286.  
287. void
288. SrvIsMonitoredShare(
289.     IN OUT PSHARE Share
290.     )
291. {
292.     int i;
293.     UNICODE_STRING watchShare;
294.  
295.     if( SrvCatchShares > 0 )
296.     {
297.         for( i=0; SrvCatchShareNames[i]; i++ )
298.         {
299.             watchShare.Buffer = SrvCatchShareNames[i];
300.             watchShare.Length = (USHORT)STRLEN( SrvCatchShareNames[i] )*sizeof(WCHAR);
301.             if( RtlCompareUnicodeString( &watchShare, &Share->ShareName, TRUE ) == 0 )
302.             {
303.                 Share->IsCatchShare = TRUE;
304.                 break;
305.             }
306.         }
307.     }
308. }
309.  
310. #endif // SRVCATCH
311.