4 F5 z8 h( u+ y5 B5 H2 _7 ?. w: S
The function at 0x10024C20 is responsible for dispatching ioctl codes:
.text:10024C20 ; int __thiscall ioctl_handler_deep(int this, int ioctl, PVOID inbuff, unsigned int inbuff_size, unsigned int outbuff_size, PDWORD bytes_to_return)
.text:10024C20 ioctl_handler_deep proc near ; CODE XREF: sub_10007520+6Ap
.text:10024C20
.text:10024C20 DestinationString= UNICODE_STRING ptr -3Ch
.text:10024C20 var_31 = byte ptr -31h
.text:10024C20 var_30 = dword ptr -30h
.text:10024C20 some_var = dword ptr -2Ch
.text:10024C20 var_28 = dword ptr -28h
.text:10024C20 var_24 = byte ptr -24h
.text:10024C20 var_5 = byte ptr -5
.text:10024C20 var_4 = dword ptr -4
.text:10024C20 ioctl = dword ptr 8
.text:10024C20 inbuff = dword ptr 0Ch
.text:10024C20 inbuff_size = dword ptr 10h
.text:10024C20 outbuff_size = dword ptr 14h
.text:10024C20 bytes_to_return = dword ptr 18h
.text:10024C20
.text:10024C20 push ebp
.text:10024C21 mov ebp, esp
.text:10024C23 sub esp, 3Ch
.text:10024C26 mov eax, BugCheckParameter2
.text:10024C2B xor eax, ebp
.text:10024C2D mov [ebp+var_4], eax
.text:10024C30 mov eax, [ebp+ioctl]
.text:10024C33 push ebx
.text:10024C34 mov ebx, [ebp+inbuff]
.text:10024C37 push esi
.text:10024C38 mov esi, [ebp+bytes_to_return]
.text:10024C3B add eax, 7FFDDFD8h
.text:10024C40 push edi
.text:10024C41 mov edi, ecx
.text:10024C43 mov [ebp+some_var], esi
.text:10024C46 mov [ebp+var_28], 0
.text:10024C4D cmp eax, 0A4h ; switch 165 cases
.text:10024C52 ja loc_10025B18 ; jumptable 10024C5F default case
.text:10024C58 movzx eax, ds:byte_10025BF0[eax]
.text:10024C5F jmp ds:off_10025B50[eax*4] ; switch jump
[..]
3 b8 R* A/ g% n+ |5 R# ^9 O" J- m5 F9 b
0x80022058 case: no check for outbuff_size == 0 (the handler never validates that the output buffer can hold the bytes it reports)! <--- FLAW!
, ^% B1 b6 t% S, w- r ?
.text:10024F5A lea ecx, [edi+958h]
.text:10024F60 call sub_100237B0
.text:10024F65 mov [ebp+some_var], eax
.text:10024F68 test eax, eax
.text:10024F6A jnz short loc_10024F7D
.text:10024F6C mov dword ptr [ebx], 0FFFFCFFAh
.text:10024F72 mov dword ptr [esi], 10h <--- bytes to copy to output buffer (esi = bytes_to_return)
Next, in IofCompleteRequest, the I/O manager will rep movsd the reported 0x10 bytes to a pointer that is under the attacker's control. Due to the type of vulnerability (METHOD_BUFFERED with output_size == 0) the exploit works only on Windows XP/2k3, because in later Windows versions the I/O manager doesn't craft an IRP if the ioctl is METHOD_BUFFERED and output_size == 0. The driver-side fix is to reject the request unless outbuff_size is at least the 0x10 bytes the handler reports in bytes_to_return, before writing through that pointer.