WildBill

Everything posted by WildBill

  1. I followed the link but there doesn't seem to be a way to download a version for Win2k
  2. A new version of my PE Tool is now up: please see the top post for an updated download link. By the way, has anyone tried making any patches from it yet? I've also posted a patch to MS10-083. This one really has me scratching my head -- it works just fine, but I'm not entirely sure that it even applies to Win2k. Still, there are other benefits (see the beginning of my notes for details).

     ;==========================================================================
     ; MS10-083 patches ported to Windows 2000 SP4
     ;
     ; The patches to WordPad looked nasty enough that I decided to try getting
     ; the XP WordPad to run as-is on 2k. This meant having to enhance
     ; shlwapi.dll a little (see below). The patch also involves ole32.dll, and
     ; the differences between 2k and XP are so huge that I opted to patch the
     ; 2k version of ole32.dll instead.
     ;
     ; The XP WordPad looks for a newer version of the richedit control, which
     ; is in msftedit.dll, so that's included.
     ;
     ; Making all these changes gets the XP WordPad running on 2k as-is, and
     ; according to Dependency Walker there shouldn't be any surprises.
     ;
     ; All this said, now that I've crawled through all this and made the
     ; changes, I'm not sure that this security update even applies to 2k.
     ; Everything seems to revolve around registry settings that tell an app
     ; if a DLL is safe to load, and the update.inf part of the patch installs
     ; a handful of new registry settings. It would be nice if someone who
     ; understands COM on XP can explain what this is supposed to fix. Still,
     ; the enhancement to shlwapi and the fact that we're now synchronized with
     ; XP's WordPad should provide some value nonetheless.
     ;
     ; The patch says to include xpsp4res.dll, though I have no idea what it does.
     ; I think it supplies a popup dialog. I'd be lying if I said I understood
     ; what's going on here from a big-picture perspective.
     ;==========================================================================

     ;==========================================================================
     ; shlwapi.dll
     ;
     ; The XP WordPad requires SHRegGetValueW from shlwapi.dll, which 2k doesn't
     ; have. Managed to add it with the subroutines that it requires and added
     ; it to the export list. Since I had to add all this, decided to also
     ; add (and export) SHRegGetValueA for good measure.
     ;==========================================================================

     ; -------------------------------------------------------------------------
     ; RestrictBootMode
     ;
     ; Copied mostly as-is, though rearranged to eliminate fragmentation
     ; -------------------------------------------------------------------------
     $70ACEC80:

     ; -------------------------------------------------------------------------
     ; RestrictRegType
     ;
     ; Copied mostly as-is, though condensed to use all "short" jumps
     ; -------------------------------------------------------------------------
     $70ACECD4:

     ; -------------------------------------------------------------------------
     ; FixRegDataW
     ; -------------------------------------------------------------------------
     $70ACE47C:

     ; -------------------------------------------------------------------------
     ; NullTerminateRegSzStringW
     ; -------------------------------------------------------------------------
     $70ACED78:

     ; -------------------------------------------------------------------------
     ; NullTerminateRegExpandSzStringW
     ; -------------------------------------------------------------------------
     $70ACE000:

     ; -------------------------------------------------------------------------
     ; NullTerminateRegMultiSzStringW
     ; -------------------------------------------------------------------------
     $70ACE330:

     ; -------------------------------------------------------------------------
     ; SHRegQueryValueW
     ; -------------------------------------------------------------------------
     $70ACE7BC:

     ; -------------------------------------------------------------------------
     ; SHRegQueryValueA
     ; -------------------------------------------------------------------------
     $70ACE900:

     ; -------------------------------------------------------------------------
     ; ___report_gsfailure
     ; -------------------------------------------------------------------------
     $70ACE674:
     $70ACE5F4: ___security_cookie
     $70ACE5F8: ___security_cookie_complement
     $70A7D3E0: aKernel32_dll_0
     $70ACE604: aSetUnhandledExceptionFilter
     $70ACE620: aUnhandledExceptionFilter
     $70ACE639: aTerminateProcess

     ; -------------------------------------------------------------------------
     ; __security_check_cookie
     ; -------------------------------------------------------------------------
     $70ACE7A0:

     ; -------------------------------------------------------------------------
     ; FixRegDataA
     ; -------------------------------------------------------------------------
     $70ACE53C:

     ; -------------------------------------------------------------------------
     ; NullTerminateRegSzStringA
     ; -------------------------------------------------------------------------
     $70ACEDE8:

     ; -------------------------------------------------------------------------
     ; NullTerminateRegExpandSzStringA
     ; -------------------------------------------------------------------------
     $70ACE1C0:

     ; -------------------------------------------------------------------------
     ; NullTerminateRegMultiSzStringA
     ; -------------------------------------------------------------------------
     $70ACE3E8:

     ; -------------------------------------------------------------------------
     ; SHRegGetValueW
     ;
     ; Exported entry 743 in XP
     ; -------------------------------------------------------------------------
     $70ACE9FC:
     $70ACEB78: aShreggetvaluew

     ; -------------------------------------------------------------------------
     ; SHRegGetValueA
     ;
     ; Exported entry 742 in XP
     ; -------------------------------------------------------------------------
     $70ACEBB8:
     $70ACEB98: aShreggetvaluea

     ; -------------------------------------------------------------------------
     ; ZeroDataOnFailure
     ; -------------------------------------------------------------------------
     $70ACE9C4:

     ; -------------------------------------------------------------------------
     ; RestrictArguments
     ; -------------------------------------------------------------------------
     $70ACE980:

     ; -------------------------------------------------------------------------
     ; GetProcPtrA
     ;
     ; My own routine for getting a proc address
     ; -------------------------------------------------------------------------
     $70ACE650:
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     FF7508        push dword ptr [ebp+8]    ; Module name
     FF156412A770  call [$70A71264]          ; GetModuleHandleA
     85C0          test eax, eax
     740A          jz $yy
     FF750C        push dword ptr [ebp+$C]   ; Proc name
     50            push eax                  ; Module handle
     FF151814A770  call [$70A71418]          ; GetProcAddress
     $yy:
     89EC          mov esp, ebp
     5D            pop ebp
     C3            ret

     ;==========================================================================
     ; ole32.dll
     ;==========================================================================
     $7CF02000: ___security_cookie
     $7CF02004: ___security_cookie_complement
     $7CF0202C: aSetUnhandledExceptionFilter
     $7CF0204C: wKernel32_dll

     ; -------------------------------------------------------------------------
     ; __security_check_cookie
     ; -------------------------------------------------------------------------
     $7CF02010:

     ; -------------------------------------------------------------------------
     ; GetProcPtrW
     ;
     ; My own routine for getting a proc address
     ; -------------------------------------------------------------------------
     $7CF0206C:
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     FF7508        push dword ptr [ebp+8]    ; Module name
     FF159C12E27C  call [$7CE2129C]          ; GetModuleHandleW -- ole32 doesn't import GetModuleHandleA
     85C0          test eax, eax
     740A          jz $7CF02088
     FF750C        push dword ptr [ebp+$C]   ; Proc name
     50            push eax                  ; Module handle
     FF153012E27C  call [$7CE21230]          ; GetProcAddress
     $yy:
     89EC          mov esp, ebp
     5D            pop ebp
     C3            ret

     ; -------------------------------------------------------------------------
     ; ___report_gsfailure
     ;
     ; Adapted it slightly because we need to use GetProcPtrW to get the address
     ; to SetUnhandledExceptionFilter
     ; -------------------------------------------------------------------------
     $7CF02090:

     ; -------------------------------------------------------------------------
     ; CComRegCatalog::GetProcessInfo
     ; -------------------------------------------------------------------------
     $7CE94E15:
     6A72          push 72h                  ; Allocating room for one more member variable

     ; -------------------------------------------------------------------------
     ; CComProcessInfo::CComProcessInfo
     ; -------------------------------------------------------------------------
     $7CE97928:
     E98BA80600    jmp $7CF021B8
     90            nop
     $7CF0219C: unicode <AppIDFlags>, 0
     $7CF021B8:
     C7450C04000000 mov [ebp+$C], 4          ; cbData
     33C0          xor eax, eax
     894368        mov [ebx+$68], eax        ; Initialize our new member variable to 0
     8D450C        lea eax, [ebp+$C]         ; cbData
     50            push eax
     8D85F0FDFFFF  lea eax, [ebp-$210]       ; Src
     50            push eax
     8938          mov [eax], edi
     8D45F8        lea eax, [ebp-8]          ; Type
     50            push eax
     57            push edi                  ; 0
     689C21F07C    push $7CF0219C            ; Offset of unicode AppIDFlags string -- needs reloc
     FF152810E27C  call [$7CE21028]          ; RegQueryValueExW -- needs reloc
     85C0          test eax, eax
     7515          jnz $vv
     837DF804      cmp [ebp-8], 4            ; Type
     750F          jnz $vv
     837D0C04      cmp [ebp+$C], 4           ; cbData
     7509          jnz $vv
     8B85F0FDFFFF  mov eax, [ebp-$210]       ; Src
     894368        mov [ebx+68h], eax
     $vv:
     8D4350        lea eax, [ebx+50h]
     50            push eax
     6A01          push 1
     E92957F9FF    jmp $7CE9792E

     ; -------------------------------------------------------------------------
     ; wCreateObject
     ;
     ; Copied new one as-is; only had to fix jumps and addresses and add relocs
     ; (verified that it's compatible except for the extra parameter that it takes)
     ; -------------------------------------------------------------------------
     $7CF02208:

     ; -------------------------------------------------------------------------
     ; Change the original to act as a wrapper that pushes an extra 0 on the stack
     ; and calls the new one above
     ; -------------------------------------------------------------------------
     $7CEA59FE:
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     6A00          push 0                    ; Extra argument
     FF752C        push [ebp+$2C]
     FF7528        push [ebp+$28]
     FF7524        push [ebp+$24]
     FF7520        push [ebp+$20]
     FF751C        push [ebp+$1C]
     FF7518        push [ebp+$18]
     FF7514        push [ebp+$14]
     FF7510        push [ebp+$10]
     FF750C        push [ebp+$C]
     FF7508        push [ebp+$8]
     E8E0C70500    call $7CF02208            ; See above
     C9            leave
     C22800        ret $28

     ; -------------------------------------------------------------------------
     ; OleLoadWithoutBinding
     ;
     ; Making a copy of the original (from Win2k) and modifying it to accept an
     ; extra parameter which it will pass to our new wCreateObject. Like above,
     ; we'll then convert the original to a wrapper that will pass 0 as the
     ; extra argument.
     ; -------------------------------------------------------------------------
     $7CF024E4:    ; Modified copy goes here
     $7CEA5540:    ; The original was here
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     6A00          push 0                    ; Extra argument
     FF7518        push [ebp+$18]
     FF7514        push [ebp+$14]
     FF7510        push [ebp+$10]
     FF750C        push [ebp+$C]
     FF7508        push [ebp+$8]
     E889CF0500    call $7CF024E4            ; See above
     C9            leave
     C21400        ret $14
     $7CF02570: aDllVerifyCLSIDIsSafeToLoad

     ; -------------------------------------------------------------------------
     ; OleLoad
     ;
     ; A little extra code that gets a proc pointer which we push as an extra argument
     ; to a call to our new OleLoadWithoutBinding
     ; -------------------------------------------------------------------------
     $7CE58F36:    jmp $7CF02590             ; Jump to our new version
     $7CF02590:    ; New one is here, copied as-is with addresses fixed up

     ; -------------------------------------------------------------------------
     ; CComProcessInfo::GetSaferTrustLevel
     ; -------------------------------------------------------------------------
     $7CF025E4:
     B805400080    mov eax, $80004005        ; Signals that it's untrusted
     C20800        ret 8

     ; -------------------------------------------------------------------------
     ; CComProcessInfo::GetAppIDFlags
     ; -------------------------------------------------------------------------
     $7CF025F0:
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     8B4508        mov eax, [ebp+8]          ; arg_0
     8B4068        mov eax, [eax+$68]        ; We put the AppID flags here
     8B4D0C        mov ecx, [ebp+$C]         ; arg_4
     8901          mov [ecx], eax
     33C0          xor eax, eax
     5D            pop ebp
     C20800        ret 8
     $7CF0260C: _IID_IComProcessInfo2
     $7CF0261C: _IID_IComProcessInfo3

     ; Moving a Unicode string to make room for more entries in the IComProcessInfo
     ; VMT array. This will let us support IComProcessInfo3, which can return AppID
     ; flags.
     $7CF02634: aRegistryMach_0
     $7CE97E69:    mov [ebp-4], $7CF02634    ; New string location
     $7CE25DA0:
     0DAFE77C      dd $7CE7AF0D              ; Offset CServerSecurity::Cancel
     E425F07C      dd $7CF025E4              ; Offset CComProcessInfo::GetSaferTrustLevel
     F025F07C      dd $7CF025F0              ; Offset CComProcessInfo::GetAppIDFlags

     ; -------------------------------------------------------------------------
     ; CComProcessInfo::QueryInterface
     ;
     ; The new code to retrieve the AppID flags won't ever get invoked unless
     ; we signal that it's available. This means responding that we implement
     ; IID_IComProcessInfo3 (and IID_IComProcessInfo2 by inclusion). The easiest
     ; way to do this is to just copy the entire QueryInterface routine and
     ; redirect the old one to this one and fix up addresses, etc.
     ; -------------------------------------------------------------------------
     $7CF02660:    ; New one goes here
     $7CE97A02:    ; Original was here
     E959AC0600    jmp $7CF02660
     90            nop

     ; -------------------------------------------------------------------------
     ; OleLoadFromStream
     ;
     ; Extra code that does a similar check to the patches above
     ; -------------------------------------------------------------------------
     $7CE60C25:    sub esp, $24              ; Add room for a GUID
     $7CE60C5B:
     E9981A0A00    jmp $7CF026F8
     90            nop
     $7CF026F8:
     8BF0          mov esi, eax
     85F6          test esi, esi
     7465          jz $nn6
     50            push eax
     FF159C12E27C  call [$7CE2129C]          ; GetModuleHandleW
     85C0          test eax, eax
     745A          jz $nn6
     687025F07C    push $7CF02570            ; offset aDllVerifyCLSIDIsSafeToLoad
     50            push eax
     FF153012E27C  call [$7CE21230]          ; GetProcAddress
     85C0          test eax, eax
     744A          jz $nn6
     33C9          xor ecx, ecx              ; Zero out our new GUID
     894DDC        mov [ebp-$24], ecx
     894DE0        mov [ebp-$20], ecx
     894DE4        mov [ebp-$1C], ecx
     894DE8        mov [ebp-$18], ecx
     8D4DDC        lea ecx, [ebp-$24]        ; Our new GUID
     51            push ecx
     8D4DEC        lea ecx, [ebp-$14]        ; pclsid
     51            push ecx
     FFD0          call eax
     8BF0          mov esi, eax
     81FE05000780  cmp esi, $80070005
     7528          jnz $nn6
     6A04          push 4
     59            pop ecx
     56            push esi
     57            push edi
     8D7DDC        lea edi, [ebp-$24]        ; Our new GUID
     BE5844E37C    mov esi, $7CE34458        ; offset GUID_NULL
     33C0          xor eax, eax
     F3A7          repe cmpsd
     740E          jz $rr3
     8D75DC        lea esi, [ebp-$24]        ; Our new GUID
     8D7DEC        lea edi, [ebp-$14]        ; pclsid
     A5            movsd
     A5            movsd
     A5            movsd
     A5            movsd
     5F            pop edi
     5E            pop esi
     EB07          jmp $nn6
     $rr3:
     5F            pop edi
     5E            pop esi
     E963E5F5FF    jmp $7CE60CC6
     $nn6:
     E9F9E4F5FF    jmp $7CE60C61
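The shlwapi half of the port above adds FixRegDataW and the NullTerminateReg*String helpers because SHRegGetValue, unlike RegQueryValueEx, guarantees that REG_SZ, REG_EXPAND_SZ and REG_MULTI_SZ data it hands back is NUL-terminated; raw RegQueryValueEx returns the bytes exactly as stored, and a value written without its terminator lets any caller that treats the buffer as a C string read past it. The following is an added example, not WildBill's code and not a disassembly of the shlwapi routines: a portable model of that fix-up written from scratch. The function names are mine, WCHAR is modelled as uint16_t, and the REG_* constants carry their winnt.h values so the code runs outside Windows:

```c
#include <stdint.h>
#include <stddef.h>

/* Registry type codes (values from winnt.h); WCHAR modelled as uint16_t so
 * this builds and runs outside Windows.  Example code, not shlwapi's. */
#define REG_SZ        1u
#define REG_EXPAND_SZ 2u
#define REG_MULTI_SZ  7u
typedef uint16_t WCHAR16;

/* Terminate string-typed registry data in place.
 *   type     - REG_* type reported by RegQueryValueEx
 *   data     - the value data, cb_data bytes of it, in a buffer of cb_buf bytes
 * Returns the byte length of the properly terminated data, or 0 when the
 * buffer has no room for the terminator(s); a caller should treat 0 as
 * ERROR_MORE_DATA rather than use the data.  Non-string types are returned
 * untouched. */
size_t fix_reg_data_w(uint32_t type, WCHAR16 *data, size_t cb_data, size_t cb_buf)
{
    size_t n, need;

    if (type != REG_SZ && type != REG_EXPAND_SZ && type != REG_MULTI_SZ)
        return cb_data;
    if (cb_data > cb_buf)
        return 0;

    n = cb_data / sizeof(WCHAR16);          /* a dangling odd byte is dropped */

    if (type == REG_MULTI_SZ) {
        /* REG_MULTI_SZ ends in two NULs: one closing the last string, one
         * closing the list.  Work out how many of those are missing. */
        if (n >= 2 && data[n - 1] == 0 && data[n - 2] == 0)
            need = 0;
        else if (n >= 1 && data[n - 1] == 0)
            need = 1;
        else
            need = 2;
    } else {
        need = (n >= 1 && data[n - 1] == 0) ? 0 : 1;
    }

    if ((n + need) * sizeof(WCHAR16) > cb_buf)
        return 0;                           /* cannot terminate safely */
    while (need--)
        data[n++] = 0;
    return n * sizeof(WCHAR16);
}

/* Count the strings in REG_MULTI_SZ data.  Bounded by cb, never by a
 * terminator, so it is safe to call even on data that fix_reg_data_w
 * refused to fix. */
size_t multi_sz_count(const WCHAR16 *data, size_t cb)
{
    size_t n = cb / sizeof(WCHAR16), i = 0, count = 0;

    while (i < n && data[i] != 0) {
        count++;
        while (i < n && data[i] != 0)
            i++;                            /* skip the string body */
        i++;                                /* and its NUL */
    }
    return count;
}
```

The point of returning 0 instead of silently truncating is the same one the SRRF_RT_REG_SZ contract makes: a value that cannot be terminated inside the caller's buffer must be reported as an error, because the alternative is handing back a string whose end the caller will go looking for somewhere past the allocation.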
  3. I can't say for certain, but I would expect the code to be very similar, though the locations might vary. I've found from looking at blackwingcat's patches that the code in question was identical between ENU and JPN, though the addresses did differ.
  4. Good catch. I had applied a patch in 2183461 (MS10-053) in the wrong place. I just released V2 versions of MS10-053 and MS10-071 and updated the links above. If you have 071 installed then you only need to apply the V2 patch for that one: I had to release both because the same file was patched in both (mshtml.dll). I also updated my notes for MS10-053 to reflect the correct code.
  5. I've uploaded the first version of my PE Tool and updated the top post. This tool is for people who understand PE files to a degree (read: it's easy to screw up an executable if you don't know what you're doing). Hopefully, though, it will make it easier for other people to create patches.
  6. I don't see why not. They work like any other MS hotfix. As for mshtmled.dll, for some reason the newest version must not have been on my PC. I guess I'll have to reapply the patch to the newest one, though I might wait for the next IE patch first. I'm currently working on the RPC patch (the remote execution one) and it's a real bear. I might release my PE tool tonight even though it's not completely bug-free because the backlog is such that I really need help. Keeping up with these patches has taken me away from all other projects and I just can't let them languish for much longer.
  7. Hey, all: I tend to base the updates on the files currently installed on my system. I guess for some reason the newest patch to mshtmled wasn't installed on my PC for some odd reason. I'll see about reapplying the patch to the newer one, but I might wait for the next IE release first. I'm so backlogged with patches it isn't funny, to the point that I'm probably going to release my PE tool shortly and ask for help.
  8. Posted a patch for MS10-076. I'm not really sure how to test it so if anyone knows that would be helpful, but I have it installed with no problems so far.

     ;==========================================================================
     ; MS10-076 patches ported to Windows 2000 SP4
     ;==========================================================================

     ; -------------------------------------------------------------------------
     ; _ULongLongToULong@12
     ;
     ; Direct copy
     ; -------------------------------------------------------------------------
     $66FD21C0:
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     8B4D10        mov ecx, [ebp+0x10]
     8309FF        or [ecx], 0xFFFFFFFF
     837D0C00      cmp [ebp+0x0C], 0x00000000
     B816020780    mov eax, 0x80070216
     770E          ja $66FD21E4
     8B5508        mov edx, [ebp+0x08]
     7205          jc $66FD21E0
     83FAFF        cmp edx, -0x00000001
     7704          ja $66FD21E4
     $66FD21E0:
     8911          mov [ecx], edx
     33C0          xor eax, eax
     $66FD21E4:
     5D            pop ebp
     C20C00        ret 0x0000000C

     ; -------------------------------------------------------------------------
     ; _ULongAdd@12
     ;
     ; Direct copy
     ; -------------------------------------------------------------------------
     $66FD21EC:
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     8B4D0C        mov ecx, [ebp+0x0C]
     8B5510        mov edx, [ebp+0x10]
     830AFF        or [edx], 0xFFFFFFFF
     56            push esi
     8B7508        mov esi, [ebp+0x08]
     03CE          add ecx, esi
     3BCE          cmp ecx, esi
     B816020780    mov eax, 0x80070216
     5E            pop esi
     7204          jc $66FD220E
     890A          mov [edx], ecx
     33C0          xor eax, eax
     $66FD220E:
     5D            pop ebp
     C20C00        ret 0x0000000C

     ; -------------------------------------------------------------------------
     ; _ULongSub@12
     ;
     ; Direct copy
     ; -------------------------------------------------------------------------
     $66FD2214:
     8BFF          mov edi, edi
     55            push ebp
     8BEC          mov ebp, esp
     8B5510        mov edx, [ebp+0x10]
     8B4D08        mov ecx, [ebp+0x08]
     830AFF        or [edx], 0xFFFFFFFF
     3B4D0C        cmp ecx, [ebp+0x0C]
     B816020780    mov eax, 0x80070216
     7207          jc $66FD2233
     2B4D0C        sub ecx, [ebp+0x0C]
     33C0          xor eax, eax
     890A          mov [edx], ecx
     $66FD2233:
     5D            pop ebp
     C20C00        ret 0x0000000C

     ; -------------------------------------------------------------------------
     ; (2k) sub_66FCC5D9 (SP3) sub_73CF51E8 (patch) sub_73CF52CD
     ; -------------------------------------------------------------------------
     $66FCC6A4:
     E9935B0000    jmp $66FD223C
     ; -------------------------------------------------------------------------
     $66FCC905:
     ; Have to switch the order of these two instructions
     ; So we can skip the PUSH instruction
     68F90C0000    push $0CF9
     8B7D08        mov edi, [ebp+8]          ; arg_0
     ; -------------------------------------------------------------------------
     $66FD223C:
     56            push esi
     FF7704        push dword ptr [edi+4]
     0FB7F0        movzx esi, ax
     8975F0        mov [ebp-$10], esi        ; var_10
     E84D8FFFFF    call $66FCB198
     837D0C00      cmp [ebp+$C], 0           ; arg_4
     89C1          mov ecx, eax
     668B4702      mov ax, [edi+2]
     660FB6D4      movzx dx, ah
     88C6          mov dh, al
     89D0          mov eax, edx
     7541          jnz $66FD22A0
     8D5602        lea edx, [esi+2]
     39D1          cmp ecx, edx
     722F          jb $66FD2295
     6685C0        test ax, ax
     7C2A          jl $66FD2295
     85C9          test ecx, ecx
     7C26          jl $66FD2295
     0FBFC0        movsx eax, ax
     8D55DC        lea edx, [ebp-$24]        ; var_24
     52            push edx
     F7E1          mul ecx
     52            push edx
     50            push eax
     E841FFFFFF    call $66FD21C0            ; _ULongLongToULong@12
     85C0          test eax, eax
     7C12          jl $66FD2295
     8D45DC        lea eax, [ebp-$24]        ; var_24
     50            push eax
     6A08          push 8
     FF75DC        push [ebp-$24]            ; var_24
     E85BFFFFFF    call $66FD21EC            ; _ULongAdd@12
     85C0          test eax, eax
     7D0B          jge $66FD22A0
     $66FD2295:
     5E            pop esi
     68200D0000    push $0D20
     E96AA6FFFF    jmp $66FCC90A             ; @L23A
     $66FD22A0:
     5E            pop esi
     8B45F0        mov eax, [ebp-$10]        ; var_10
     03C0          add eax, eax
     E9FEA3FFFF    jmp $66FCC6A9
     ; -------------------------------------------------------------------------
     $66FCC74E:
     FF7524        push [ebp+$24]            ; arg_1C (edi on XP)
     FF75DC        push [ebp-$24]            ; var_24 (push 1 on XP)
     8B7520        mov esi, [ebp+$20]
     56            push esi                  ; arg_18 (push 2 on XP)
     8B5D1C        mov ebx, [ebp+$1C]
     53            push ebx                  ; arg_14 (ebx on XP)
     FF7508        push [ebp+8]              ; arg_0 (esi on XP)
     E873F2FFFF    call $66FCB9D7
     EB19          jmp $66FCC77F
                   nop (25)
     $66FCC77F:    ; Original code resumes here

     ; -------------------------------------------------------------------------
     ; (2k) sub_66FD0867 (SP3) sub_73CF8AED (patch) sub_73CF8C26
     ;
     ; Possible overflow prevention patch
     ; -------------------------------------------------------------------------
     $66FD0A0C: 72E7      jb $66FD09F5                        ; Switch to unsigned
     $66FD09EF: 761D      jbe $66FD0A0E                       ; Switch to unsigned
     $66FD08A6: 0FB7F8    movzx edi, ax                       ; Switch to unsigned
     $66FD08EA: 7324      jae $66FD0910                       ; Switch to unsigned
     $66FD0902: 0FB775EC  movzx esi, word ptr [ebp-$14]       ; Switch to unsigned var_14

     ; -------------------------------------------------------------------------
     ; (2k) sub_66FCBF10 (SP3) sub_73CF4C91 (patch) sub_73CF4C95
     ;
     ; Variable mappings
     ;
     ; alias     xp (old)   xp (new)   2k
     ; --------------------------------------------
     ; var_C     var_C      var_C      var_1C
     ; var_14    var_14     var_14     var_10
     ; var_24    ------     var_24     var_50
     ; var_AA    var_10     var_18     var_8
     ; var_BB    var_18     var_20     var_18
     ; var_CC    var_20     var_2C     var_2C
     ; var_DD    var_24     var_30     var_24
     ; var_EE    var_30     var_34     var_30/3C
     ; var_FF    var_2C     var_38     var_3C
     ; var_GG    var_44     var_48     var_38
     ; var_HH    var_34     var_3C     var_40
     ; var_II    var_1C     var_28     var_20
     ; var_JJ    var_38     var_10     var_14
     ; var_KK    var_28     var_44     var_28
     ; var_LL    var_40     var_1C     var_4C
     ; var_MM    var_3C     var_40     var_44
     ; -------------------------------------------------------------------------
     $66FCBF13: 83EC50     sub esp, 50h
     $66FCBF49: E862630000 jmp $66FD22B0
     $66FD22B0:
     E8C2BFFFFF    call $66FCE277            ; _memcpyHuge@12
     897DE4        mov [ebp-$1C], edi        ; var_1C (C)
     8365B000      and [ebp-$50], 0          ; var_50 (24)
     E98D9CFFFF    jmp $66FCBF4E
     ; -------------------------------------------------------------------------
     $66FCBF94: E82B630000 jmp $66FD22C4
     $66FD22C4:
     8945B4        mov [ebp-$4C], eax        ; var_4C (LL)
     6685C0        test ax, ax
     0F85C99CFFFF  jnz $66FCBF99
     6A02          push 2
     8D7E06        lea edi, [esi+6]
     57            push edi
     FF7508        push [ebp+8]              ; arg_0
     E86C9AFFFF    call $66FCBD4A
     33C0          xor eax, eax
     E928A1FFFF    jmp $66FCC40D             ; exit
     ; -------------------------------------------------------------------------
     $66FCBFC4:
     837D0C00      cmp [ebp+$C], 0           ; arg_4
     90            nop
     $66FCBFCF:
     E914630000    jmp $66FD22E8
     90            nop
     $66FD22E8:
     757C          jnz $66FD2366
     0FB77DB4      movzx edi, word ptr [ebp-$4C] ; var_4C (LL)
     8D45DC        lea eax, [ebp-$24]        ; var_24 (DD)
     50            push eax
     6A01          push 1
     57            push edi
     E81AFFFFFF    call $66FD2214            ; _ULongSub@12
     85C0          test eax, eax
     7C59          jl $66FD2357
     8B45DC        mov eax, [ebp-$24]        ; var_24 (DD)
     6A04          push 4
     59            pop ecx
     F7E1          mul ecx
     8D4DDC        lea ecx, [ebp-$24]        ; var_24 (DD)
     51            push ecx
     52            push edx
     50            push eax
     E8AFFEFFFF    call $66FD21C0            ; _ULongLongToULong@12
     85C0          test eax, eax
     7C42          jl $66FD2357
     8D45C8        lea eax, [ebp-$38]        ; var_38 (GG)
     50            push eax
     6A00          push 0
     89F8          mov eax, edi
     99            cdq
     6A02          push 2
     52            push edx
     50            push eax
     E8B9ECFEFF    call $66FC0FE0            ; __allmul
     52            push edx
     50            push eax
     E892FEFFFF    call $66FD21C0            ; _ULongLongToULong@12
     85C0          test eax, eax
     7C25          jl $66FD2357
     8D45B0        lea eax, [ebp-$50]        ; var_50 (24)
     50            push eax
     FF75C8        push [ebp-$38]            ; var_38 (GG)
     FF75DC        push [ebp-$24]            ; var_24 (DD)
     E8ABFEFFFF    call $66FD21EC            ; _ULongAdd@12
     85C0          test eax, eax
     7C12          jl $66FD2357
     8D45B0        lea eax, [ebp-$50]        ; var_50 (24)
     50            push eax
     6A0A          push $A
     FF75B0        push [ebp-$50]            ; var_50 (24)
     E899FEFFFF    call $66FD21EC            ; _ULongAdd@12
     85C0          test eax, eax
     7D0C          jge $66FD2363
     $66FD2357:
     8B4508        mov eax, [ebp+8]          ; arg_0
     8B4034        mov eax, [eax+$34]
     50            push eax
     E8178AFFFF    call $66FCAD7A
     $66FD2363:
     8B4DF0        mov ecx, [ebp-$10]        ; var_10 (14)
     $66FD2366:
     8365BC00      and [ebp-$44], 0          ; var_44 (MM)
     66817DB40000  cmp word ptr [ebp-$4C], 0 ; var_4C (LL)
     0F8670A0FFFF  jbe $66FCC3E6
     E95F9CFFFF    jmp $66FCBFDA
     ; -------------------------------------------------------------------------
     $66FCC0AB:
     90            nop
     90            nop
     90            nop
     $66FCC0B3: D1E9       shr ecx, 1
     ; -------------------------------------------------------------------------
     $66FCC118:
     E963620000    jmp $66FD2380
     90            nop
     90            nop
     90            nop
     90            nop
     $66FD2380:
     E89FC9FFFF    call $66FCED24
     3B7DB0        cmp edi, [ebp-$50]        ; var_50 (24)
     897DC8        mov [ebp-$38], edi        ; var_38 (GG)
     8945D0        mov [ebp-$30], eax        ; var_30 (EE)
     72C7          jb $66FD2357              ; see above
     8D4DE4        lea ecx, [ebp-$1C]        ; var_1C (C)
     51            push ecx
     6A00          push 0
     8945C0        mov [ebp-$40], eax        ; var_40 (HH)
     99            cdq
     6A06          push 6
     52            push edx
     50            push eax
     E83DECFEFF    call $66FC0FE0            ; __allmul
     52            push edx
     50            push eax
     E816FEFFFF    call $66FD21C0            ; _ULongLongToULong@12
     85C0          test eax, eax
     7CA9          jl $66FD2357              ; see above
     8D45E4        lea eax, [ebp-$1C]        ; var_1C (C)
     50            push eax
     6A04          push 4
     FF75E4        push [ebp-$1C]            ; var_1C (C)
     E830FEFFFF    call $66FD21EC            ; _ULongAdd@12
     85C0          test eax, eax
     7C97          jl $66FD2357              ; see above
     8D45E4        lea eax, [ebp-$1C]        ; var_1C (C)
     50            push eax
     57            push edi
     FF75E4        push [ebp-$1C]            ; var_1C (C)
     E81FFEFFFF    call $66FD21EC            ; _ULongAdd@12
     85C0          test eax, eax
     7C86          jl $66FD2357              ; see above
     FF7520        push [ebp+$20]            ; arg_18
     FF75E4        push [ebp-$1C]            ; var_1C (C)
     FF751C        push [ebp+$1C]            ; arg_14
     FF7518        push [ebp+$18]            ; arg_10
     FF7508        push [ebp+8]              ; arg_0
     E8F295FFFF    call $66FCB9D7
     8B4DC8        mov ecx, [ebp-$38]        ; var_38 (GG)
     8B75EC        mov esi, [ebp-$14]        ; var_14 (JJ)
     8B4518        mov eax, [ebp+$18]        ; arg_10
     8B00          mov eax, [eax]
     03451C        add eax, [ebp+$1C]        ; arg_14
     8945D8        mov [ebp-$28], eax        ; var_28 (KK)
     8D3401        lea esi, [ecx+eax]
     8B45D0        mov eax, [ebp-$30]        ; var_30 (EE)
     50            push eax
     E91F9DFFFF    jmp $66FCC121
     $66FCC15A:
     8B45E0        mov eax, [ebp-$20]        ; var_20 (II)
     8B75C0        mov esi, [ebp-$40]        ; var_40 (HH)
     EB34          jmp $66FCC196
     ; -------------------------------------------------------------------------
     $66FCC208:
     90            nop                       ; NOP out the push because we're switching
     90            nop                       ; to an unsigned divide using a shr
     $66FCC265:
     C1E803        shr eax, 3                ; Unsigned divide by 8
     90            nop
     $66FCC3A7:
     C1E803        shr eax, 3                ; Unsigned divide by 8
     90            nop
     90            nop
     90            nop
     $66FCC3BA:
     90            nop                       ; NOP out the push because we're switching
     90            nop                       ; to an unsigned divide using a shr
     $66FCC3BF:
     C1E803        shr eax, 3                ; Unsigned divide by 8
     90            nop
     ; -------------------------------------------------------------------------
     $66FCC3CB:    nop (10)
  9. That definitely helps. I'm seeing three routines that differ in the two newest versions. They're hard to find since none of them have names when IDA analyzes the files, but I've located the first one so far and patched the corresponding one in the 2k version. It takes a while since the 2k one is quite a bit different at the assembly level (though not so much logically). Now I'm trying to hunt down the second routine in the three files. Edit: ID'ed the remaining two routines and patched the second (on 2k it's actually split into several routines). It looks like the patch to the second routine involved changing several comparisons and word-size memory loads from signed to unsigned, which I'm guessing is to prevent overflows. The patch to the third routine is much more extensive, which I'll start analyzing tomorrow. On another note, there's an article on Slashdot about a nasty IE attack in the wild. If and when MS patches it I'll see what I can do. On the one hand I don't much like waiting for them to patch it, but on the other hand I'm glad that there isn't anything new this month which will give me a chance to catch up.
  10. No, a reboot isn't necessary. Can you post a screenshot?
  11. Patch for MS10-078 is up. I spent a lot of time looking at MS10-083, but it doesn't look easy. I can get the XP Wordpad to run on 2k, but that's only half the battle. ole32.dll also has to be patched as well, which I haven't figured out yet. To me it looks like MS implemented a real hack for the fix, so I decided to take a break from it and see if I could patch something else instead. MS10-078 wasn't too hard to do. The one I really want to patch is MS10-076, but the differences between the patched version and the one in XP SP3 are massive. I need to see if there's an intermediate version that's closer to the patched one. Here are my notes for the patch:

     ;==========================================================================
     ; MS10-078 patches ported to Windows 2000 SP4
     ;==========================================================================

     ;==========================================================================
     ; atmfd.dll
     ;
     ; Combined .text and .rdata sections so I could add a .patch section
     ;==========================================================================

     ; -------------------------------------------------------------------------
     ; sub_A07B3596
     ; -------------------------------------------------------------------------
     $A07B3710: E94BFB0200 jmp $A07E3260
     $A07E3260:
     F645B001      test byte ptr [ebp-$50], 1
     0F85F504FDFF  jnz $A07B375F
     0FB745B0      movzx eax, word ptr [ebp+var_50]
     40            inc eax
     E9A104FDFF    jmp $A07B3715

     ; -------------------------------------------------------------------------
     ; New routine from the patch
     ; -------------------------------------------------------------------------
     $A07E3278:
                   mov edi, edi
                   push ebp
                   mov ebp, esp
                   mov ecx, [ebp+arg_4]
                   mov edx, [ebp+arg_8]
                   or dword ptr [edx], 0FFFFFFFFh
                   push esi
                   mov esi, [ebp+arg_0]
                   add ecx, esi
                   cmp ecx, esi
                   mov eax, 80070216h
                   pop esi
                   jb $A07E329A
                   mov [edx], ecx
                   xor eax, eax
     $A07E329A:
                   pop ebp
                   retn 0Ch

     ; -------------------------------------------------------------------------
     ; sub_A07AB0D2
     ; -------------------------------------------------------------------------
     $A07AB0F1: 83EC60     sub esp, 60h
     $A07AB1B4: E9EB800300 jmp $A07E32A4
     $A07E32A4:
     09CB          or ebx, ecx
     895DE0        mov [ebp-$20], ebx
     8D4524        lea eax, [ebp-$24]
     50            push eax
     53            push ebx
     56            push esi
     E8C4FFFFFF    call $A07E3278
     85C0          test eax, eax
     0F8C5A82FCFF  jl $A07AB516
     E9F87EFCFF    jmp $A07AB1B9

     ; Apply the same patch to the following locations:
     $A07AB1E3:
     $A07AB208:
     $A07AB243:
     $A07AB25F:
     $A07AB2A2:
     $A07AB375:
     $A07AB3C4:
     $A07AB3DF:
     $A07AB404:
     $A07AB429:
     $A07AB453:
     $A07AB4AB:
                   call $A07E32C4
     9090909090    nop (5)
     $A07E32C4:
     89DA          mov edx, ebx
     E81F19FDFF    call $A07B4BEA
     8945A0        mov [ebp-$60], eax
     3945E0        cmp [ebp-$20], eax
     C3            ret

     ; -------------------------------------------------------------------------
     ; Version update patch (bumped it up by 1)
     ; -------------------------------------------------------------------------
     $A07A17B0: B80500E400     mov eax, 00E40005h
     $A07A1F56: C7070500E400   mov dword ptr [edi], 00E40005h
     $A07A20DD: 813F0500E400   cmp dword ptr [edi], 00E40005h
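Both the MS10-076 (t2embed) port in post 8 and the MS10-078 (atmfd) port just above copy the same kind of routine into the 2k binary: intsafe-style checked arithmetic (_ULongAdd@12, _ULongSub@12, _ULongLongToULong@12, and the unnamed "new routine from the patch", which is the same ULongAdd shape) that poisons the output to 0xFFFFFFFF, returns 0x80070216 on overflow and otherwise stores the result; the callers then replace bare add/mul/sub sequences with calls to these and jump to the failure path when eax is negative, and a second family of edits turns signed compares and sign-extending loads into unsigned ones. The following is an added example, not WildBill's code and not a decompilation of t2embed or atmfd: a C model of those helpers, of one size computation with the shape the listing shows ((n-1)*4 + n*2 + 10, with a constructed operand count), and of the signed-versus-unsigned compare that the jl-to-jb edits fix. 0x80070216 is HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW); the C function names are mine:

```c
#include <stdint.h>
#include <stddef.h>

/* HRESULT_FROM_WIN32(ERROR_ARITHMETIC_OVERFLOW): the value the ported helpers
 * load into eax on the failure path.  Example code, not the ported routines. */
#define INTSAFE_E_ARITHMETIC_OVERFLOW 0x80070216u
#define S_OK 0u
typedef uint32_t HRESULT32;

/* _ULongLongToULong@12: narrow a 64-bit value, failing if the high half is set. */
HRESULT32 ulong_long_to_ulong(uint64_t v, uint32_t *out)
{
    *out = 0xFFFFFFFFu;                 /* poison the result first, as the original does */
    if (v > 0xFFFFFFFFu)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = (uint32_t)v;
    return S_OK;
}

/* _ULongAdd@12: the "add; cmp sum, a; jc fail" idiom. */
HRESULT32 ulong_add(uint32_t a, uint32_t b, uint32_t *out)
{
    uint32_t sum = a + b;               /* unsigned wrap is well defined in C */
    *out = 0xFFFFFFFFu;
    if (sum < a)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = sum;
    return S_OK;
}

/* _ULongSub@12: fail if the subtraction would go below zero. */
HRESULT32 ulong_sub(uint32_t a, uint32_t b, uint32_t *out)
{
    *out = 0xFFFFFFFFu;
    if (a < b)
        return INTSAFE_E_ARITHMETIC_OVERFLOW;
    *out = a - b;
    return S_OK;
}

/* The "mul / __allmul, then _ULongLongToULong" pairs in the listing. */
HRESULT32 ulong_mult(uint32_t a, uint32_t b, uint32_t *out)
{
    return ulong_long_to_ulong((uint64_t)a * b, out);
}

/* Shape of one of the allocation-size computations in the t2embed listing,
 * (n-1)*4 + n*2 + 10, as the unpatched code evaluated it: every operation
 * silently wraps, so a large n yields a small size and a short buffer. */
uint32_t table_size_unchecked(uint32_t n)
{
    return (n - 1) * 4 + n * 2 + 10;
}

/* The same computation after the patch: each step goes through a helper and
 * the first failure takes the caller's error path. */
HRESULT32 table_size_checked(uint32_t n, uint32_t *out)
{
    uint32_t a, b, c;
    HRESULT32 hr;

    if ((hr = ulong_sub(n, 1, &a)) != S_OK) return hr;
    if ((hr = ulong_mult(a, 4, &a)) != S_OK) return hr;
    if ((hr = ulong_mult(n, 2, &b)) != S_OK) return hr;
    if ((hr = ulong_add(a, b, &c)) != S_OK) return hr;
    return ulong_add(c, 10, out);
}

/* The other family of fixes.  A 16-bit count loaded with movsx and compared
 * with jl lets 0xFFFF through as -1; movzx plus jb does not. */
int count_in_range_signed(int16_t count, uint32_t limit)     /* movsx + jl */
{
    return (int32_t)count < (int32_t)limit;
}

int count_in_range_unsigned(uint16_t count, uint32_t limit)  /* movzx + jb */
{
    return (uint32_t)count < limit;
}
```

Two things about the model carry over to reviewing a port like this one. Poisoning the output before the check means a caller that forgets to test eax still ends up with a size of 0xFFFFFFFF, which any later allocation will refuse, rather than a wrapped small value. And the checks only help if the caller's branch matches the helper's convention: the listing tests eax with jl/jge, which works because 0x80070216 has the sign bit set, so a jb or jz there would have been a silent no-op.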
  12. There isn't any special installation procedure, just unzip everything to a folder and run SmoothText.exe.
  13. I'm taking a look at MS10-083, but I'd like to see if I can take a different tack. The patch involves changes to ole32.dll and wordpad.exe. When I try to run the XP WordPad it says that it can't find a routine in shlwapi that XP has but 2k presumably doesn't. It might be possible to add the necessary routines to the 2k version so the XP WordPad can be used as-is. I don't know if this is possible or worth it, but I'm looking into it.
  14. Whew! I've finally finished porting MS10-071 to Win2k, and I added MS10-081 as well. To say that the first one was a HUGE PITA is an understatement. The changes are definitely extensive. MS10-081 is an extremely minor patch, but it took all day to track down the routine in the 2k version to patch since IDA couldn't find any debugging information. Now that the IE patch is done, hopefully I can crank out a few easier ones this week before next week's update (and let's all hope that the one for November isn't as massive as this one was). Here are my notes, in case anyone cares:

;==========================================================================
; MS10-071 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; browseui.dll
;==========================================================================

; -------------------------------------------------------------------------
; CAutoComplete::_OnKeyDown
;
; Seems to block invalid VK_ keys, most notably VK_LEFT and VK_RIGHT
; -------------------------------------------------------------------------
$71545972:      ; E991E60300909090
E991E60300      jmp $71584008
90              nop
90              nop
90              nop

$71584008:      ; 8B450853575050E81C00000084C058750F83F81B740A83F8087405E98419FCFF83F824E94A19FCFF
8B4508          mov eax, [ebp+8]        ; wParam
53              push ebx
57              push edi
50              push eax                ; Save the VK_ code so we can restore it
50              push eax
E81C000000      call $zz                ; IsSecureAutoCompleteNavigationKey
84C0            test al,al              ; Is the key valid? (0 = no)
58              pop eax                 ; Restore the VK_ code
750F            jnz $yy                 ; Letting any keys through that were deemed ok
83F81B          cmp eax, $1B            ; VK_ESCAPE -- allowing VK_ESCAPE
740A            jz $yy
83F808          cmp eax, 8              ; VK_BACK -- allowing VK_BACK
7405            jz $yy
E98419FCFF      jmp $715459AC           ; @Return_One -- disallowing everything else, **including VK_LEFT and VK_RIGHT**
$yy:
83F824          cmp eax, $24            ; VK_HOME
E94A19FCFF      jmp $7154597A

; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Validates VK_ codes
; -------------------------------------------------------------------------
$zz:            ; 8BFF558BEC518B4D0832C083F909741E83F90D741983F920761683F924760F83F926740A83F928740583F92E7502B001595DC20400
8BFF            mov edi, edi
55              push ebp
8BEC            mov ebp, esp
51              push ecx                ; I added the push ecx/pop ecx because the Win2k code isn't expecting ecx to change
8B4D08          mov ecx, [ebp+8]        ; arg_0
32C0            xor al, al              ; Default result is that the key is not ok
83F909          cmp ecx, 9              ; VK_TAB
741E            jz $ww
83F90D          cmp ecx, 0Dh            ; VK_RETURN
7419            jz $ww
83F920          cmp ecx, 20h            ; VK_SPACE -- letting other code validate everything from 0-$20 except tab and return
7616            jbe $tt
83F924          cmp ecx, 24h            ; VK_HOME -- allowing VK_PRIOR, VK_NEXT, VK_END, and VK_HOME
760F            jbe $ww
83F926          cmp ecx, 26h            ; VK_UP -- allowing VK_UP
740A            jz $ww
83F928          cmp ecx, 28h            ; VK_DOWN -- allowing VK_DOWN
7405            jz $ww
83F92E          cmp ecx, 2Eh            ; VK_DELETE -- allowing VK_DELETE and letting other code validate everything else
7502            jnz $tt
$ww:
B001            mov al, 1               ; Key is ok
$tt:
59              pop ecx
5D              pop ebp
C20400          ret 4

;==========================================================================
; mshtml.dll
;==========================================================================

; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Version bump
; -------------------------------------------------------------------------
$63638409:
6873060000      push $673               ; Version update from 1650 to 1651

; -------------------------------------------------------------------------
; CServer::GetMETAFILEPICT
;
; Zeroes out a pointer after an object is freed
; -------------------------------------------------------------------------
$63686615:      ; E8BE1515009090
E8BE151500      call $637D7BD8          ; REMOVE reloc at $63686618
90              nop
90              nop

$637D7BD8:      ; 50FF15741258638B4510897804C3
50              push eax
FF1574125863    call ds:$63581274       ; GlobalFree -- ADD reloc at $637D7BDB
8B4510          mov eax, [ebp+$10]      ; arg_8
897804          mov [eax+4],edi
C3              ret

; -------------------------------------------------------------------------
; CStyleSheet::OnStyleRuleRemoved
;
; Makes sure to release an object (memory leak fix)
; -------------------------------------------------------------------------
$636C9339:      ; 7405
7405            jz $636C9340

; -------------------------------------------------------------------------
; CStyleSheetRule::QueryCreateUndo
;
; Null-pointer check
; -------------------------------------------------------------------------
$636CE5D1:
E912961000      jmp $637D7BE8
90              nop
90              nop
90              nop

$637D7BE8:      ; 33C039411474088B49148B01FF605CC20C00
33C0            xor eax, eax
394114          cmp [ecx+$14],eax
7408            jz $637D7BF7
8B4914          mov ecx,[ecx+$14]
8B01            mov eax, [ecx]
FF605C          jmp dword ptr [eax+$5C]
$637D7BF7:
C20C00          ret $C

; -------------------------------------------------------------------------
; ___report_gsfailure
;
; Got tired of having to figure out how to strip calls to this, so decided
; to finally add it. This will make porting other routines a lot easier.
; -------------------------------------------------------------------------
$637D7BFC:
                mov edi, edi
                push ebp
                mov ebp, esp
                sub esp, $330
                push edi
                mov [ebp+$228], eax
                mov [ebp+$22C], ecx
                mov [ebp+$230], edx
                mov [ebp+$234], ebx
                mov [ebp+$238], esi
                mov [ebp+$23C], edi
                mov [ebp+$210], ss
                mov [ebp+$21C], cs
                mov [ebp+$240], ds
                mov [ebp+$244], es
                mov [ebp+$248], fs
                mov [ebp+$24C], gs
                pushf
                pop [ebp+$218]
                mov [ebp+$208], $10001
                mov eax, [ebp+4]
                mov [ebp+$220], eax
                lea eax, [ebp+4]
                mov [ebp+$214], eax
                lea eax, [ebp+4]
                mov eax, [eax-4]
                mov [ebp+$224], eax
                push $14
                pop ecx
                xor eax, eax
                lea edi, [ebp+$330]
                rep stosd
                mov [ebp+$330], $C0000409
                mov eax, [ebp+4]
                mov [ebp+$324], eax
                lea eax, [ebp+$330]
                mov [ebp-8], eax
                lea eax, [ebp+$208]
                mov [ebp-4], eax
                mov eax, $637D7D10      ; offset ___security_cookie
                mov [ebp+$2E0], eax
                mov eax, $637D7D14      ; offset ___security_cookie_complement
                mov [ebp+$2DC], eax
; Unlike the XP version, this one isn't automatically
; importing SetUnhandledExceptionFilter. Also, there
; isn't room at the beginning to add an import, so we
; have to get it the hard way with calls to
; GetModuleHandleA and GetProcAddress.
                push $637D6714          ; offset aKernel32
                call ds:$635812C4       ; GetModuleHandleA
                test eax, eax
                jz @Abort
                push $                  ; offset aSetUnhandledExceptionFilter
                push eax
                call ds:$63581298       ; GetProcAddress
                test eax, eax
                jz @Abort
                push 0
                call eax                ; SetUnhandledExceptionFilter
                lea eax, [ebp-8]
                push eax
                call ds:$63581208       ; UnhandledExceptionFilter
@Abort:
                push $502
                call ds:$63581204       ; GetCurrentProcess
                push eax
                call ds:$63581200       ; TerminateProcess
                leave
                ret

$637D7D10:      ___security_cookie dd $0000BB40
$637D7D14:      ___security_cookie_complement dd $FFFF44BF
$637D7D18:      aSetUnhandledExceptionFilter db "SetUnhandledExceptionFilter", 0

; -------------------------------------------------------------------------
; __security_check_cookie
; -------------------------------------------------------------------------
$637D7D34:
                cmp ecx, [$637D7D10]    ; ___security_cookie
                jnz $637D7BFC           ; ___report_gsfailure
                test ecx, $FFFF0000
                jnz $637D7BFC           ; ___report_gsfailure
                ret

; -------------------------------------------------------------------------
; IsCSSContentTypeHeader
; -------------------------------------------------------------------------
$637D7D50:      ; Copied routine here, updated addresses, and added relocs

; -------------------------------------------------------------------------
; CDwnBindData::OnProgress
; -------------------------------------------------------------------------
$6377A4E8:
9090909090      nop (5)                 ; MUST remove reloc to $6377A4E9
                push ebx                ; same: no change
                call $637D7DD0
                mov [esi+$108], eax
                nop (10)

$6377A525:
9090909090      nop (5)                 ; MUST remove reloc to $6377A526

$6377A539:
                call $637D7DD0
                mov [esi+$108], eax
                nop (6)

$637D7DD0:
                push ebp
                mov ebp, esp
                push ebx
                push ecx
                mov ebx,[ebp+8]         ; lpString1
                push ebx
                call ds:wcslen
                pop ecx
                push eax
                push ebx
                call $637D7D50          ; IsCSSContentTypeHeader
                movzx eax, al
                pop ecx
                pop ebx
                mov esp, ebp
                pop ebp
                ret 4

; -------------------------------------------------------------------------
; CDwnBindData::ReportProgress
; -------------------------------------------------------------------------
$6377AC75:
9090909090      nop (5)                 ; MUST remove reloc to $6377AC76

$6377AC7D:
                call $637D7DD0
                mov [esi+$DC], eax
                nop (10)

; -------------------------------------------------------------------------
; COleSiteEventSink::Invoke
; -------------------------------------------------------------------------
$637B4FBE:      ; E9312E020090
E9312E0200      jmp $637D7DF4
90              nop

$637D7DF4:      ; F646B0017408897D50E927D3FDFF8D5EA8578BCBE9B7D1FDFF
F646B001        test byte ptr [esi-50h], 1  ; In the XP version this is at -54h
7408            jz $637D7E02
897D50          mov [ebp+$50], edi
E927D3FDFF      jmp $637B5129
$637D7E02:
8D5EA8          lea ebx, [esi-$58]
57              push edi
8BCB            mov ecx, ebx
E9B7D1FDFF      jmp $637B4FC4

; -------------------------------------------------------------------------
; CLinkElement::HandleLinkedObjects
; -------------------------------------------------------------------------
$637B7E7C:      ; 9090E98DFF0100
90              nop
90              nop
E98DFF0100      jmp $637D7E10

$637D7E10:      ; 391F0F849E00FEFF8BCEE867F8FDFFE95F00FEFF
391F            cmp [edi], ebx
0F849E00FEFF    jz $637B7EB6
8BCE            mov ecx, esi
E867F8FDFF      call $637B7686          ; CLinkElement::GetAArel
E95F00FEFF      jmp $637B7E83

$637B7D4D:      ; E9FA000200
E9FA000200      jmp $637D7E4C

$637D7E4C:      ; 53E8D2FFFFFF6A018D45D4E9F6FEFDFF
53              push ebx
E8D2FFFFFF      call $637D7E24          ; CStyleSheet::SetIsFromCssSource
6A01            push 1
8D45D4          lea eax, [ebp-$2C]
E9F6FEFDFF      jmp $637B7D52

; -------------------------------------------------------------------------
; CStyleSheet::SetIsFromCssSource
;
; Added outright, no conversion necessary
; -------------------------------------------------------------------------
$637D7E24:
                mov edi, edi
                push ebp
                mov ebp, esp
                mov edx, [ebp+8]
                mov eax, [ecx+5Ch]
                shl edx, 7
                xor edx, [eax+34h]
                and edx, 80h
                xor [eax+34h], edx
                mov dword ptr [ecx+64h], 1
                pop ebp
                ret 4

; -------------------------------------------------------------------------
; CLinkElement::ReleaseStyleSheet
;
; Only one instruction is different from the XP version
; -------------------------------------------------------------------------
$637D7E5C:
                mov edi, edi
                push esi
                mov esi, ecx
                mov ecx, [esi+20h]
                test ecx, ecx
                jz $637D7E7C
                push 1
                call $636CB809          ; CStyleSheet::StopDownloads
                mov eax, [esi+20h]
                mov ecx, [eax]
                push eax
                call dword ptr [ecx+74h] ; ecx+84h in the XP version
                and dword ptr [esi+20h], 0
$637D7E7C:
                pop esi
                ret

; -------------------------------------------------------------------------
; CLinkElement::Passivate
;
; No change in functionality; the patch changes it to re-use the new
; CLinkElement::ReleaseStyleSheet routine
; -------------------------------------------------------------------------
$637B7B17:
                mov ecx, esi
                call $637D7E5C          ; CLinkElement::ReleaseStyleSheet
; condensed the rest of the routine and put 20 NOP's at the end

; -------------------------------------------------------------------------
; CLinkElement::RemoveStyleSheet
;
; Copied as-is, only had to fix up CALLs
; -------------------------------------------------------------------------
$637D7E80:
                mov edi, edi
                push ebp
                mov ebp, esp
                push esi
                mov esi, ecx
                mov ecx, [ebp+arg_0]
                test ecx, ecx
                jz short $637D7EA6
                push 6
                call $6362EAA7          ; CMarkup::GetLookasidePtr
                test eax, eax
                jz short loc_7DEB6B64
                push 0
                push dword ptr [esi+20h]
                mov ecx, eax
                call $636C2FE3          ; CStyleSheetArray::ReleaseStyleSheet
$637D7EA6:
                pop esi
                pop ebp
                ret 4

; -------------------------------------------------------------------------
; CLinkElement::Notify
;
; The first part reuses CLinkElement::RemoveStyleSheet rather than having
; separate code here (no functionality change). The second part adds a
; null pointer check. The reduction in code size from the first patch
; conveniently leaves more than enough room for the second patch.
; -------------------------------------------------------------------------
$637B7F66:      ; F64324027530508BCEE80CFF0100396E200F84C7000000E82D2DE6FFE9AC000000
F6432402        test byte ptr [ebx+24h], 2
7530            jnz $637B7F9C
50              push eax
8BCE            mov ecx, esi
E80CFF0100      call $637D7E80          ; CLinkElement::RemoveStyleSheet
EB1C            jmp $637B7F92
$637B7F76:
396E20          cmp [esi+$20], ebp
0F84C7000000    jz $637B8046
E82D2DE6FF      call $6361ACB1          ; CElement::GetAAdisabled
E9AC000000      jmp $637B8035
                nop (9)

$637B8030:
E941FFFFFF      jmp $637B7F76

; -------------------------------------------------------------------------
; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
;
; Added mostly as-is; only one instruction differs and had to fixup CALLs
; -------------------------------------------------------------------------
$637D7EAC:
                mov edi, edi
                push ebp
                mov ebp, esp
                sub esp, 0Ch
                push ebx
                push esi
                push edi
                mov ebx, ecx
                mov [ebp-4], 1
                call $636C91E0          ; CStyleSheet::GetMarkup(void)
                mov ecx, ebx
                mov edi, eax
                call $636C91D1          ; CStyleSheet::GetDocument(void)
                test edi, edi
                mov esi, eax
                jz $637D7F28
                test esi, esi
                jz $637D7F28
                push 0
                mov ecx, esi
                call $63659582          ; CDoc::EnsureSecurityManager(int)
                test eax, eax
                jl $637D7F28
                add esi, 424h           ; XP version uses 430h
                mov eax, [esi]
                mov eax, [eax]
                push 0
                lea ecx, [ebp-8]
                push ecx
                mov ecx, edi
                mov [ebp-$C], eax
                call $635FAB04          ; CMarkup::Url(void)
                push eax
                push dword ptr [esi]
                mov eax, [ebp-$C]
                call dword ptr [eax+14h] ; Same offset for 2k and XP
                test eax, eax
                jl $637D7F28
                cmp [ebp-8], 3
                jz $637D7F1E
                cmp [ebp-8], 4
                jz $637D7F1E
                and [ebp-4], 0
                jmp $637D7F28
$637D7F1E:
                mov ecx, ebx
                call $636C9E79          ; CStyleSheet::IsSheetAndMarkupCrossDomain(void)
                mov [ebp-4], eax
$637D7F28:
                mov eax, [ebp-4]
                pop edi
                pop esi
                pop ebx
                leave
                ret

; -------------------------------------------------------------------------
; CLinkElement::OnDwnChan
; -------------------------------------------------------------------------
$637B77DB:
                sub esp, $28            ; Need to make room for another variable

$637B79B1:
                nop
                nop
                nop
                jmp $637D7F30

$637D7F30:
                mov ecx, [esi+24h]      ; Same offset in 2k and XP
                mov [ebp-$28], ebx      ; var_28 in 2k, var_10 in XP
                call $63781CD1          ; CDwnCtx::GetFinalUrl
                mov edi, eax
                cmp edi, ebx
                jz $637D7F6E
                push 5
                push $63597D28          ; "http:"
                push 5
                push edi                ; Str
                call $636A2BB3          ; _7csnipre
                test eax, eax
                jnz $637D7F67
                push 6
                push $63597D34          ; "https:"
                push 6
                push edi                ; Str
                call $636A2BB3          ; _7csnipre
                test eax, eax
                jz $637D7F6E
$637D7F67:
                mov [ebp-$28], 1        ; var_28 in 2k, var_10 in XP
$637D7F6E:
                push dword ptr [esi+24h] ; Same offset in 2k and XP
                mov ecx, [esi+20h]      ; Same offset in 2k and XP
                call $637D7FCC          ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see below for more info)
                cmp [ebp-$28], ebx      ; var_28 in 2k, var_10 in XP
                jz $637B79B9
                mov ecx, [esi+20h]      ; Same offset in 2k and XP
                call $637D7EAC          ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
                test eax, eax
                jz $637B79B9
                mov eax, [esi+20h]      ; Same offset in 2k and XP
                mov eax, [eax+5Ch]      ; Same offset in 2k and XP
                test byte ptr [eax+34h], 80h ; Same offset in 2k and XP
                jnz $637B79B9
                push [ebp-$1C]          ; var_1C in 2k, var_C in XP
                mov ecx, esi
                call $637D7E80          ; CLinkElement::RemoveStyleSheet
                lea edi, [esi+34h]      ; Same offset in 2k and XP
                cmp [edi], ebx
                jz $637D7FBE
                mov ecx, [ebp-$1C]      ; var_1C in 2k, var_C in XP
                push edi
                call $6365B9C9          ; CMarkup::UnblockScriptExecution
                mov [edi], ebx
$637D7FBE:
                mov ecx, esi
                call $637D7E5C          ; CLinkElement::ReleaseStyleSheet
                jmp $637B7A3E

; -------------------------------------------------------------------------
; CStyleSheet::DetermineIfFromCssSource
;
; Decided to copy the updated routine outright and change the references
; to point to this one instead of to the original (there are only two
; references and one of them is in our CLinkElement::OnDwnChan patch above)
;
; No changes to the new routine were needed beyond fixing up CALLs.
;
; Filled the original with NOPs so we can use it for some purpose later.
; -------------------------------------------------------------------------
$636CB584:
                call $637D7FCC          ; Change call in CStyleSheet::OnDwnChan to point to our new routine

$637D7FCC:
                mov edi, edi
                push ebp
                mov ebp, esp
                push esi
                mov esi, ecx
                mov ecx, [ebp+8]        ; arg_0
                call $6379030E          ; CCssCtx::IsMimeTypeCss
                test eax, eax
                jz $637D7FE4
                push 1
                jmp $637D7FEF
$637D7FE4:
                mov eax, [esi+5Ch]
                test byte ptr [eax+34h], 80h
                jz $637D7FF6
                push 0
$637D7FEF:
                mov ecx, esi
                call $637D7E24          ; CStyleSheet::SetIsFromCssSource(int)
$637D7FF6:
                pop esi
                pop ebp
                ret 4

; -------------------------------------------------------------------------
; CStyleSheet::OnDwnChan
;
; Ran out of slack in the original code section, but luckily there was room for
; additional section entries. Created a new code section called "patch". I can
; grow this section at will, but set its initial size at 16k bytes.
; -------------------------------------------------------------------------
$636CB3D9:
                sub esp, $28            ; Need to make room for two more variables

$636CB57F:
                mov [ebp-$24], edi
                mov [ebp-$28], ebx
                jmp $637E6000

$636CB58A:
                cmp edi, ebx
                jz $636CB5B5
                mov edi, [esi+$60]
                mov ecx, esi
                mov [esi+$64], ebx      ; This and the next instruction save us a byte
                inc dword ptr [esi+$64] ; This way, the patch is closer to what we have to add from XP.

$637E6000:
                mov ecx, [esi+30h]      ; Same offset in 2k and XP
                call $63781CD1          ; CDwnCtx::GetFinalUrl
                mov edi, eax
                cmp edi, ebx
                jz $637E603B
                push 5
                push $63597D28          ; "http:"
                push 5
                push edi                ; Str
                call $636A2BB3          ; _7csnipre
                test eax, eax
                jnz $637E6034
                push 6
                push $63597D34          ; "https:"
                push 6
                push edi                ; Str
                call $636A2BB3          ; _7csnipre
                test eax, eax
                jz $637E603B
$637E6034:
                mov [ebp-$28], 1        ; var_28 in 2k, var_14 in XP
$637E603B:
                push dword ptr [esi+30h] ; Same offset in 2k and XP
                mov ecx, esi
                call $637D7FCC          ; CStyleSheet::DetermineIfFromCssSource (old one was at $636C95E2, see above for more info)
                cmp [ebp-$28], ebx      ; var_28 in 2k, var_14 in XP
                jz $637E60C9
                mov ecx, esi
                call $637D7EAC          ; CStyleSheet::IsInternetOrRestrictedCrossDomainCSSDownload
                test eax, eax
                jz $637E60C9
                mov eax, [esi+5Ch]      ; Same offset in 2k and XP
                test byte ptr [eax+34h], 80h ; Same offset in 2k and XP
                jnz $637E60C9
                mov eax, [esi]          ; Get pointer to CStyleSheet VMT
                push esi
                call dword ptr [eax+4]  ; Call to CStyleSheet::PrivateAddRef
                mov eax, [esi+20h]      ; Same offset in 2k and XP
                cmp eax, ebx
                mov [ebp-$28], ebx      ; var_28 in 2k, var_14 in XP
                jz $637E6080
                mov eax, [eax+24h]      ; Same offset in 2k and XP
                cmp eax, ebx
                jz $637E6098
                push ebx
                push esi
                mov ecx, eax
                call $636C2FE3          ; CStyleSheetArray::ReleaseStyleSheet
                jmp $637E6098
$637E6080:
                mov ecx, [esi+1Ch]      ; Same offset in 2k and XP
                cmp ecx, ebx
                jz $637E6098
                cmp byte ptr [ecx+14h], 3Bh
                jnz $637E6098
                push [ebp-$C]           ; var_C in 2k, var_8 in XP
                mov [ebp-$28], ecx      ; var_28 in 2k, var_14 in XP
                call $637D7E80          ; CLinkElement::RemoveStyleSheet
$637E6098:
                lea edi, [esi+38h]      ; Same offset in 2k and XP
                cmp [edi], ebx
                jz $637E60AA
                mov ecx, [ebp-$C]       ; var_C in 2k, var_8 in XP
                push edi
                call $6365B9C9          ; CMarkup::UnblockScriptExecution
                mov [edi], ebx
$637E60AA:
                mov ecx, [ebp-$28]      ; var_28 in 2k, var_14 in XP
                cmp ecx, ebx
                jz $637E60B6
                call $637D7E5C          ; CLinkElement::ReleaseStyleSheet
$637E60B6:
                push ebx
                mov ecx, esi
                call $636CB658          ; CStyleSheet::SetCssCtx
                mov eax, [esi]          ; Get pointer to CStyleSheet VMT
                push esi
                call dword ptr [eax+8]  ; Call to CStyleSheet::PrivateRelease
                jmp $636CB639
$637E60C9:
                mov edi, [ebp-$24]
                jmp $636CB58A

;==========================================================================
; shdocvw.dll
;==========================================================================

; -------------------------------------------------------------------------
; CIntelliForms__ActiveElementChanged
; -------------------------------------------------------------------------
$71759EEF:
6A38            push $38                ; Allocating room for one more class member variable

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::CAutoSuggest
; -------------------------------------------------------------------------
$71759691:
897E34          mov [esi+34h], edi      ; Initialize our new member variable to 1
753C            jnz $717596D2
893DEC827B71    mov [$717B82EC], edi    ; ?s_fRegisteredWndClass@CAutoSuggest@CIntelliForms@@0HA -- needs reloc (REMOVE the one at $7175969D)
33C0            xor eax, eax
8D7DD0          lea edi, [ebp-$30]
B90C000000      mov ecx, $0C            ; 12 dwords -- clear the entire structure
F3AB            rep stosd
0404            add al, 4
8945E0          mov [ebp-$20], eax      ; var_30.cbWndExtra
042C            add al, $2C
8945D0          mov [ebp-$30], eax      ; var_30.cbSize
A128817B71      mov eax, [$717B8128]    ; _g_hinst -- needs reloc (REMOVE the one at $71759694)
8945E4          mov [ebp-$1C], eax      ; var_30.hInstance
C745D830937571  mov [ebp-$28], $71759330 ; offset ?WndProc@CAutoSuggest@CIntelliForms@@SGJPAUHWND__@@IIJ@Z -- needs reloc (REMOVE the one at $717596B0)
C745F8C8C57071  mov [ebp-8], $7170C5C8  ; offset aIntelliformcla -- needs reloc (REMOVE the one at $717596CD)
8D45D0          lea eax, [ebp-$30]
50              push eax
FF1550187071    call ds:$71701850       ; RegisterClassExWrapW -- needs reloc (REMOVE the one at $717596DB)
$717596D2:
5F              pop edi
8BC6            mov eax, esi
5E              pop esi
C9              leave
C20C00          ret $C
                nop (2)

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::DetachFromInput
; -------------------------------------------------------------------------
$717596F0:
57              push edi
33FF            xor edi, edi
E8E4FFFFFF      call $717596DC

$717596DC:
8D5E18          lea ebx, [esi+18h]      ; Same offset in 2k and XP
8B03            mov eax, [ebx]
47              inc edi
897E34          mov [esi+34h], edi
4F              dec edi
C3              ret

; -------------------------------------------------------------------------
; MustValidateEventsFromElement
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B60A0:

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::AttachToInput
; -------------------------------------------------------------------------
$71759DD1:
E9CAC30500      jmp $717B61A0
90              nop

$717B61A0:
57              push edi
E8FAFEFFFF      call $717B60A0          ; MustValidateEventsFromElement
884634          mov [esi+$34], al       ; Same offset in 2k and XP
837E0800        cmp dword ptr [esi+8], 0 ; Same offset in 2k and XP
0F85483CFAFF    jnz $71759DFB
E91F3CFAFF      jmp $71759DD7

; -------------------------------------------------------------------------
; IsKeyDown
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B61B8:
8BFF            mov edi, edi
55              push ebp
8BEC            mov ebp, esp
FF7508          push [ebp+8]            ; nVirtKey
FF15701A7071    call [$71701A70]        ; GetKeyState
33C9            xor ecx, ecx
6685C0          test ax, ax
0F9CC1          setl cl
8BC1            mov eax, ecx
5D              pop ebp
C20400          ret 4

; -------------------------------------------------------------------------
; IsSecureAutoCompleteNavigationKey
;
; Copied as-is
; -------------------------------------------------------------------------
$717B61D4:
8BFF            mov edi, edi
55              push ebp
8BEC            mov ebp, esp
8B4D08          mov ecx, [ebp+8]        ; arg_0
32C0            xor al, al
83F909          cmp ecx, 9
741E            jz $717B6201
83F90D          cmp ecx, $D
7419            jz $717B6201
83F920          cmp ecx, 20h
7616            jbe $717B6203
83F924          cmp ecx, $24
760F            jbe $717B6201
83F926          cmp ecx, $26
740A            jz $717B6201
83F928          cmp ecx, $28
7405            jz $717B6201
83F92E          cmp ecx, $2E
7502            jnz $717B6203
$717B6201:
B001            mov al, 1
$717B6203:
5D              pop ebp
C20400          ret 4

; -------------------------------------------------------------------------
; CIntelliForms::GetDocumentWindow
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B6208:
8BFF            mov edi, edi
55              push ebp
8BEC            mov ebp, esp
51              push ecx
8365FC00        and [ebp-4], 0
8D45FC          lea eax, [ebp-4]
50              push eax
FF7140          push dword ptr [ecx+$40] ; Same offset in 2k and XP
FF15xxxxxxxx    call [$71701830]        ; IUnknown_GetWindow
8B45FC          mov eax, [ebp-4]
C9              leave
C3              ret

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B6224:
8B4904          mov ecx, [ecx+4]        ; Same offset in 2k and XP
85C9            test ecx, ecx
56              push esi
7409            jz $717B6235
E8D7FFFFFF      call $717B6208          ; CIntelliForms::GetDocumentWindow
8BF0            mov esi, eax
EB02            jmp $717B6237
$717B6235:
33F6            xor esi, esi
$717B6237:
85F6            test esi, esi
740F            jz $717B624A
FF157C1A7071    call [$71701A7C]        ; GetFocus
3BC6            cmp eax, esi
7505            jnz $717B624A
33C0            xor eax, eax
40              inc eax
5E              pop esi
C3              ret
$717B624A:
33C0            xor eax, eax
5E              pop esi
C3              ret

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
;
; Copied as-is, only had to fix up addresses
; -------------------------------------------------------------------------
$717B6250:
8BFF            mov edi, edi
55              push ebp
8BEC            mov ebp, esp
53              push ebx
32DB            xor bl, bl
385934          cmp [ecx+$34], bl       ; Our new member variable
7424            jz $717B6281
E8C2FFFFFF      call $717B6224          ; CIntelliForms::CAutoSuggest::_IsHTMLDocumentFocused
84C0            test al, al
741D            jz $717B6283
FF7508          push [ebp+8]            ; nVirtKey
E866FFFFFF      call $717B61D4          ; IsSecureAutoCompleteNavigationKey
84C0            test al, al
740F            jz $717B6281
FF7508          push [ebp+8]            ; nVirtKey
E83EFFFFFF      call $717B61B8          ; IsKeyDown
85C0            test eax, eax
0F95C3          setnz bl
EB02            jmp $717B6283
$717B6281:
B301            mov bl, 1
$717B6283:
8AC3            mov al, bl
5B              pop ebx
5D              pop ebp
C20400          ret 4

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
;
; Copied as-is, only had to fix up addresses and add relocs
; -------------------------------------------------------------------------
$717B628C:
8BFF            mov edi, edi
55              push ebp
8BEC            mov ebp, esp
53              push ebx
56              push esi
FF750C          push [ebp+$C]           ; nVirtKey
8BF1            mov esi, ecx
E8B3FFFFFF      call $717B6250          ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
8AD8            mov bl, al
84DB            test bl, bl
7411            jz $717B62B4
6A00            push 0
FF750C          push [ebp+$C]           ; nVirtKey
FF7508          push [ebp+8]            ; Msg
FF7614          push dword ptr [esi+$14] ; Same offset in 2k and XP
FF1524187071    call [$71701824]        ; PostMessageWrapW
$717B62B4:
5E              pop esi
8AC3            mov al, bl
5B              pop ebx
5D              pop ebp
C20800          ret 8

; -------------------------------------------------------------------------
; CIntelliForms::CAutoSuggest::HandleEvent
;
; Extensive changes. Rewrote some parts to save space and keep the code
; from becoming too fragmented. The patches seem to deal with the autocomplete
; vulnerability.
; -------------------------------------------------------------------------
$717B62BC:
FF2524187071    jmp [$71701824]         ; PostMessageWrapW (space-saving measure: see below)

; -------------------------------------------------------------------------
$71759C61:
7505            jnz $71759C68
$71759C63:      ; These three instructions save us 2 bytes
47              inc edi                 ; edi is initially 0
897DF0          mov [ebp-$10], edi      ; edi is 1
4F              dec edi                 ; set edi back to 0
$71759C68:
397DF4          cmp [ebp-$C], edi
7427            jz $71759C94
51              push ecx
6809800000      push $8009
89D9            mov ecx, ebx
E812C60500      call $717B628C          ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
84C0            test al, al
7416            jz $71759C94
837D0C08        cmp [ebp+$C], 8
7510            jnz $71759C94
57              push edi
6A08            push 8
6808800000      push $8008
FF7314          push dword ptr [ebx+$14]
E828C60500      call $717B62BC          ; PostMessageWrapW_wrapper -- saves us a byte which lets us squeeze everything in

; -------------------------------------------------------------------------
$7175992F:
7E65            jle $71759996
$71759994:
EBEA            jmp $71759980           ; Saves 3 bytes
$71759996:
8B06            mov eax, [esi]
83651000        and [ebp+$10], 0
8D4D10          lea ecx, [ebp+$10]
51              push ecx
56              push esi
FF504C          call dword ptr [eax+$4C]
83FF03          cmp edi, 3
7406            jz $717599AF
F6451001        test byte ptr [ebp+$10], 1 ; psz1
74D1            jz $71759980            ; Saves 4 bytes
$717599AF:
8B4310          mov eax, [ebx+$10]
8B08            mov ecx, [eax]
6A00            push 0
8D550C          lea edx, [ebp+$C]       ; nHeight
52              push edx
50              push eax
FF510C          call dword ptr [ecx+$C]
85C0            test eax, eax
7CBE            jl $71759980            ; Saves 4 bytes
F6450C01        test byte ptr [ebp+$C], 1 ; nHeight
75B8            jnz $71759980           ; Saves 4 bytes
807B3400        cmp byte ptr [ebx+$34], 0
740B            jz $717599D9
6A01            push 1
E8E3C70500      call $717B61B8          ; IsKeyDown
85C0            test eax, eax
7411            jz $717599EA
$717599D9:
6A00            push 0
6A28            push $28
6809800000      push $8009
FF7314          push dword ptr [ebx+$14]
E8D2C80500      call $717B62BC          ; PostMessageWrapW_wrapper -- saves us a byte and eliminates the need for a reloc
$717599EA:
83632CF7        and dword ptr [ebx+$2C], $FFFFFFF7
EB90            jmp $71759980           ; Saves 3 bytes
90              nop
90              nop

; -------------------------------------------------------------------------
$71759BDC:
FF750C          push [ebp+$C]           ; nHeight
$71759BE7:
                jmp $717B62C2

$717B62C2:
E8xxxxxxxx      call $717B6250          ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0            test al, al
740A            jz $xx
FF7508          push [ebp+8]            ; pv
89D9            mov ecx, ebx
E8xxxxxxxx      call $717592C6          ; CIntelliForms::CAutoSuggest::SetText
$xx:
E9xxxxxxxx      jmp $71759BEC

; -------------------------------------------------------------------------
$71759917:
0F847D010000    jz $71759A9A            ; Block moves down by 2 bytes
$71759A1D:
7455            jz $71759A74
$71759A63:
750F            jnz $71759A74
89D9            mov ecx, ebx
$71759A6F:
E818C80500      call $717B628C          ; CIntelliForms::CAutoSuggest::_GenerateSecureKeyMessage
33C0            xor eax, eax
3945F0          cmp [ebp-$10], eax
740F            jz $71759A8A            ; Saves 4 bytes
50              push eax
50              push eax
680A800000      push $800A
FF7314          push dword ptr [ebx+$14]
E832C80500      call $717B62BC          ; PostMessageWrapW_wrapper -- saves us a byte
$71759A8A:
E94C020000      jmp $71759CDB           ; Save space by having the near jump only once
$71759A8F:
E92B010000      jmp $71759BBF           ; Save space by having the near jump only once
$71759A94:
E994010000      jmp $71759C2D           ; Save space by having the near jump only once
$71759A99:
90              nop
8B06            mov eax, [esi]
8D4D0C          lea ecx, [ebp+$C]
51              push ecx
33FF            xor edi, edi
56              push esi
897DF0          mov [ebp-$10], edi
47              inc edi                 ; These three instructions save us 2 bytes
897DF4          mov [ebp-$C], edi
4F              dec edi
$71759ACD:
74BB            jz $71759A8A            ; Compact way of getting to $71759CDB
83F90D          cmp ecx, $D
74BB            jz $71759A8F            ; Compact way of getting to $71759BBF
83F909          cmp ecx, 9
74B6            jz $71759A8F            ; Compact way of getting to $71759BBF
83F92E          cmp ecx, $2E
75B6            jnz $71759A94           ; Compact way of getting to $71759C2D
8B4310          mov eax, [ebx+$10]
8D55F8          lea edx, [ebp-8]        ; psz2
52              push edx
57              push edi
897DF8          mov [ebp-8], edi        ; psz2
8B08            mov ecx, [eax]
50              push eax
FF510C          call dword ptr [ecx+$C]
85C0            test eax, eax
7CA1            jl $71759A94            ; Compact way of getting to $71759C2D
397DF8          cmp [ebp-8], edi        ; psz2
749C            jz $71759A94            ; Compact way of getting to $71759C2D
FF750C          push [ebp+$C]           ; nHeight
89D9            mov ecx, ebx
897DF4          mov [ebp-$C], edi       ; Y
E84BC70500      call $717B6250          ; CIntelliForms::CAutoSuggest::_IsKeyEventAllowed
84C0            test al, al
0F8495000000    jz $71759BA2
90              nop
90              nop
90              nop
$71759B17:
90              nop
90              nop
90              nop
$71759B9D:      ; Swapping the order of 2 instructions
E85DF4FFFF      call $71758FFF          ; CIntelliForms::DeletePassword
$71759BA2:
C745F001000000  mov [ebp-$10], 1        ; hMem

;==========================================================================
; mshtmled.dll
;==========================================================================

; -------------------------------------------------------------------------
; CHtmlDlgHelper::CHtmlDlgHelper
;
; Uninitialized memory vulnerability patch
; -------------------------------------------------------------------------
$70F42B72:
E88D1D0500      call $70F94904          ; CHtmlDlgHelper::CHtmlDlgHelper_patch

$70F94904:
E86F25FAFF      call $70F36E78          ; ATL::CComTypeInfoHolder::AddRef
83A69800000000  and dword ptr [esi+$98], 0
C3              ret

; -------------------------------------------------------------------------
; CSelectTracker::AdjustSelection
; -------------------------------------------------------------------------
$70F7BF78:
E897890100      call $70F94914          ; CSelectTracker::AdjustSelection_patch
90              nop
90              nop
90              nop
90              nop
53              push ebx

$70F94914:
8B466C          mov eax, [esi+6Ch]      ; Same offset in 2k and XP
83F809          cmp eax, 9
7408            jz $70F94924
83F806          cmp eax, 6
7403            jz $70F94924
33C0            xor eax, eax
C3              ret
$70F94924:
33C0            xor eax, eax
40              inc eax
C3              ret

; -------------------------------------------------------------------------
; CSelectionManager::StartSelectionFromShift
; -------------------------------------------------------------------------
$70F5F40F:
                sub esp, 38h

$70F5F60F:
                nop (3)
                jmp $70F94928

$70F94928:
8B45FC          mov eax, [ebp-4]
8B08            mov ecx, [eax]
8975C8          mov [ebp-$38], esi      ; Initialize to 0
8D55C8          lea edx, [ebp-$38]
52              push edx
FF75F0          push [ebp-$10]
50              push eax
FF513C          call dword ptr [ecx+3Ch]
89C3            mov ebx, eax
39F3            cmp ebx, esi
0F8CF1ACFCFF    jl $70F5F636
3975C8          cmp [ebp-$38], esi
8B45FC          mov eax, [ebp-4]
6A01            push 1
7503            jnz $70F94952
8B45F0          mov eax, [ebp-$10]
$70F94952:
8B08            mov ecx, [eax]
50              push eax
FF511C          call dword ptr [ecx+1Ch]
8D4DCC          lea ecx, [ebp-$34]
E888A4FCFF      call $70F5EDE8          ; CSelectionChangeCounter::BeginSelectionChange
E9B2ACFCFF      jmp $70F5F617

; -------------------------------------------------------------------------
; CDeleteCommand::DeleteCharacter
;
; The patch involves grafting in a single code block. Pretty much an as-is
; copy, only fixed up addresses.
; -------------------------------------------------------------------------
$70F5D2BB:
                jmp $70F94968
90              nop

$70F94968:      ; The new code block goes here

;==========================================================================
; MS10-081 patches ported to Windows 2000 SP4
;==========================================================================

;==========================================================================
; comctl32.dll
;==========================================================================

; -------------------------------------------------------------------------
; SBGetText
;
; Seems to limit the text length so we don't overflow a buffer
; -------------------------------------------------------------------------
$7175149B:
                jmp $7176F440
90              nop

$7176F440:
8065090F        and byte ptr [ebp+9], 0Fh
B8FEFF0000      mov eax, 0FFFEh
3BF0            cmp esi, eax
7202            jb $yy
8BF0            mov esi, eax
$yy:
E97020FEFF      jmp $717514C4
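An added example in C, not WildBill's PE Tool and not code from the post, showing the mechanics the notes above rely on: parsing a `$ADDRESS: ; HEXBYTES` line, mapping the virtual address through the PE32 section table to a file offset, and refusing an address that falls in a section's zero-filled slack past SizeOfRawData (the "ran out of slack" situation the CStyleSheet::OnDwnChan notes describe). The PE image, its ImageBase 0x71540000 and the section layout are constructed for the demo; relocation fix-ups are out of scope.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Little-endian field helpers so the example needs no windows.h. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { wr16(p, (uint16_t)v); wr16(p + 2, (uint16_t)(v >> 16)); }
static int hexval(unsigned char c) {                        /* -1 if not a hex digit */
    if (c >= '0' && c <= '9') return c - '0';
    c |= 0x20;                                              /* fold to lower case */
    return (c >= 'a' && c <= 'f') ? c - 'a' + 10 : -1;
}
/* Parse a note line such as "$71545972: ; E991E60300909090" into the virtual
 * address and the raw patch bytes. Returns the byte count, or -1 if malformed. */
int parse_patch_line(const char *line, uint32_t *va, uint8_t *out, size_t cap) {
    const unsigned char *p = (const unsigned char *)line;
    uint32_t addr = 0; int digits = 0; size_t n = 0;
    while (isspace(*p)) p++;
    if (*p++ != '$') return -1;
    while (hexval(*p) >= 0) { addr = (addr << 4) | (uint32_t)hexval(*p++); digits++; }
    if (digits == 0 || digits > 8 || *p++ != ':') return -1;
    while (isspace(*p)) p++;
    if (*p++ != ';') return -1;
    while (isspace(*p)) p++;
    while (hexval(p[0]) >= 0 && hexval(p[1]) >= 0) {        /* pairs of hex digits */
        if (n >= cap) return -1;
        out[n++] = (uint8_t)((hexval(p[0]) << 4) | hexval(p[1]));
        p += 2;
    }
    if (n == 0 || (*p != '\0' && !isspace(*p))) return -1;
    *va = addr;
    return (int)n;
}
/* Map a VA to a file offset through the PE32 section table. Returns -1 when the
 * VA is outside every section or lies in a section's zero-filled slack beyond
 * SizeOfRawData: there is no file byte to patch there, so the section has to be
 * grown (or a new section added) before that address can hold code. */
long va_to_file_offset(const uint8_t *img, size_t len, uint32_t va) {
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + 0x3C);
    if (pe > len || len - pe < 24 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    uint16_t nsec = rd16(img + pe + 6), optsz = rd16(img + pe + 20);
    const uint8_t *opt = img + pe + 24;
    if (optsz < 0x60 || rd16(opt) != 0x10B) return -1;      /* PE32 only */
    uint32_t base = rd32(opt + 28), rva = va - base;        /* ImageBase at +28 */
    size_t tbl = (size_t)pe + 24 + optsz;                   /* section headers */
    if (va < base || tbl + (size_t)nsec * 40 > len) return -1;
    for (uint16_t i = 0; i < nsec; i++) {
        const uint8_t *sec = img + tbl + (size_t)i * 40;
        uint32_t vsize = rd32(sec + 8), vaddr = rd32(sec + 12);
        uint32_t rawsz = rd32(sec + 16), rawptr = rd32(sec + 20);
        uint32_t span = vsize > rawsz ? vsize : rawsz;
        if (rva < vaddr || rva - vaddr >= span) continue;
        if (rva - vaddr >= rawsz) return -1;                /* in slack, not in file */
        return (long)rawptr + (long)(rva - vaddr);
    }
    return -1;
}
/* Write the patch bytes at the file offset backing `va`; the run must be
 * contiguous inside one section's raw data. Returns 0 on success, -1 otherwise. */
int apply_patch(uint8_t *img, size_t len, uint32_t va, const uint8_t *bytes, size_t n) {
    if (n == 0) return -1;
    long first = va_to_file_offset(img, len, va);
    long last = va_to_file_offset(img, len, va + (uint32_t)(n - 1));
    if (first < 0 || last < 0 || last - first != (long)(n - 1) || (size_t)last >= len) return -1;
    memcpy(img + first, bytes, n);
    return 0;
}
/* Constructed minimal PE32 image (not a real DLL): one ".text" section with
 * VirtualSize > SizeOfRawData so the slack case can be exercised. ImageBase
 * 0x71540000 is an assumed value. Returns the image length, 0 on failure. */
size_t build_demo_image(uint8_t **out) {
    const uint32_t pe = 0x40, optsz = 0xE0, rawptr = 0x400, rawsz = 0x6000;
    size_t len = rawptr + rawsz;
    uint8_t *img = calloc(len, 1), *sec = img ? img + pe + 24 + optsz : NULL;
    if (!img) return 0;
    memcpy(img, "MZ", 2); wr32(img + 0x3C, pe); memcpy(img + pe, "PE\0\0", 4);
    wr16(img + pe + 4, 0x14C); wr16(img + pe + 6, 1);       /* i386, NumberOfSections = 1 */
    wr16(img + pe + 20, (uint16_t)optsz); wr16(img + pe + 24, 0x10B); /* SizeOfOptionalHeader, PE32 magic */
    wr32(img + pe + 24 + 28, 0x71540000u);                  /* ImageBase (assumed) */
    memcpy(sec, ".text", 5);
    wr32(sec + 8, 0x7000); wr32(sec + 12, 0x1000);          /* VirtualSize, VirtualAddress */
    wr32(sec + 16, rawsz); wr32(sec + 20, rawptr);          /* SizeOfRawData, PointerToRawData */
    *out = img;
    return len;
}
int main(void) {
    uint8_t *img, bytes[64]; uint32_t va;
    size_t len = build_demo_image(&img);
    /* First line of the CAutoComplete::_OnKeyDown patch in the notes above */
    int n = parse_patch_line("$71545972: ; E991E60300909090", &va, bytes, sizeof bytes);
    printf("%d bytes at VA %08X -> file offset %ld, apply=%d\n", n, va,
           va_to_file_offset(img, len, va), apply_patch(img, len, va, bytes, (size_t)n));
    printf("VA 71547500 is in slack -> %ld\n", va_to_file_offset(img, len, 0x71547500u));
    free(img);
    return 0;
}
```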
  15. I'm currently testing my MS10-071 update...if all goes well, I should be uploading it tomorrow. Then I can move on to another patch.
  16. One at a time. I've partially implemented MS10-071, but it's a lot more extensive than MS10-053. There are a ton of CSS-related patches, and I haven't fully analyzed all of the changed files yet.
  17. See the sticky post on the PE Tool, then scroll down.
  18. I'm still improving my tool, and I'm just not happy enough with it yet to release it. Hopefully I can fix some of the glaring bugs in it this weekend. No guarantees, though. In the meantime, I've done my best to port MS10-053 and updated the post above. This one was an unbelievable PITA, but I learned a lot in the process. Here are the notes I made for myself, in case they're helpful to anyone:

;==========================================================================
; MS10-053 patches ported to Windows 2000 SP4
;==========================================================================

; -------------------------------------------------------------------------
; CTableCell::OnPropertyChange
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------
$63771C40: ; E9AB5E060090909090
E9AB5E0600 jmp $637D7AF0 ; Jump to our patch, which will invalidate the table layout cache in addition to what we normally do
90 nop
90 nop
90 nop
90 nop

$637D7AF0: ; 8BC8E828AEEFFF6A008BC8E83DC6EFFFE944A1F9FF
8BC8 mov ecx, eax
E828AEEFFF call $636D291F ; CTableLayout::MarkTableLayoutCacheInvalid
6A00 push 0
8BC8 mov ecx, eax
E83DC6EFFF call $636D413D ; CTableLayout::Fixup
E944A1F9FF jmp $63771C49

; -------------------------------------------------------------------------
; CCollectionCache::CCollectionCache
;
; Seems to be a patch for an uninitialized memory vulnerability
; Totally rewrote the function to erase the whole structure and still fit in the original space
; -------------------------------------------------------------------------
$6375A8BE: ; 558BEC578BF95751C7C10A00000033C0F3AB595F83C70C8B4508AB8B4510AB8B4518AB8B4514AB8B451CAB8B450CAB8BC15F5DC21800909090
55 push ebp
8BEC mov ebp,esp
57 push edi
8BF9 mov edi,ecx
57 push edi
51 push ecx
C7C10A000000 mov ecx,0Ah
33C0 xor eax,eax
F3AB rep stosd
59 pop ecx
5F pop edi
83C70C add edi,0Ch
8B4508 mov eax,[ebp+8]
AB stosd
8B4510 mov eax,[ebp+10h]
AB stosd
8B4518 mov eax,[ebp+18h]
AB stosd
8B4514 mov eax,[ebp+14h]
AB stosd
8B451C mov eax,[ebp+1Ch]
AB stosd
8B450C mov eax,[ebp+0Ch]
AB stosd
8BC1 mov eax,ecx
5F pop edi
5D pop ebp
C21800 ret 18h
90 nop
90 nop
90 nop

; -------------------------------------------------------------------------
; CWindow::FollowHyperlinkHelper
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------
$636457E6:
C8100000 enter $10,0 ; Using ENTER as a space-saving measure: we need 8 more bytes on the stack to hold a lock object
90 nop

$63645803: ; E800231900
E800231900 call $637D7B08 ; Call first patch (performs the lock)

$63645854: ; E9C1221900
E9C1221900 jmp $637D7B1A ; Jump to second patch (performs the unlock)

$637D7B08: ; 5156518D4DF0E82026E4FF59E8AE50FDFFC3
51 push ecx ; Save ecx since we'll need it for the call to CFrameSite::GetAAsrc
56 push esi
51 push ecx
8D4DF0 lea ecx,[ebp-$10] ; 8 bytes will hold the lock object
E82026E4FF call $6361A133 ; CElement::CLock::CLock
59 pop ecx
E8AE50FDFF call $637ACBC7 ; CFrameSite::GetAAsrc (this is what used to be where we put the CALL to this code)
C3 ret

$637D7B1A: ; 8D4DF0E84E26E4FFE9BBDDE6FF
8D4DF0 lea ecx,[ebp-$10] ; 8 bytes are holding the lock object
E84E26E4FF call $6361A170 ; CElement::CLock::~CLock
E9BBDDE6FF jmp $636458E2

; -------------------------------------------------------------------------
; CDoc::ExecHelper
;
; Seems to be a patch for a race condition vulnerability as well as the cross-domain vulnerability
; This goes hand-in-hand with patches for CEditRouter::ExecEditCommand, CAutoTxtSiteRange::Exec, and CAutoRange::Exec
; It looks like the race condition patch is done by moving validation code to CEditRouter::ExecEditCommand, which might
; be a common execution point. The extra parameter to CEditRouter::ExecEditCommand seems to be for dealing with the
; cross-domain vulnerability.
; -------------------------------------------------------------------------
$63638409:
6872060000 push $672 ; Version update from 1649 to 1650

$63639E7F:
752F jnz $63639EB0
$63639E92:
7512 jnz $63639EA6
$63639E9C:
7408 jz $63639EA6
$63639EA6:
85FF test edi,edi
7C5C jl $63639F06 ; TestStatus
837D4400 cmp [ebp+60h+var_1C], 0
7456 jz $63639F06 ; TestStatus
$63639EB0: ; 8B4D448D456850E8E98BFFFF8BF085F67C5B8B4D6853FF7544
8B4D44 mov ecx, [ebp+60h+var_1C]
8D4568 lea eax, [ebp+60h+rgIndices]
50 push eax
E8E98BFFFF call $63632AA5 ; CMarkup::EnsureEditRouter
8BF0 mov esi, eax
85F6 test esi, esi
7C5B jl $63639F1D
8B4D68 mov ecx, [ebp+60h+rgIndices]
53 push ebx
FF7544 push [ebp+60h+var_1C]
90x36 db 36 dup $90 ; 36 NOPs

; -------------------------------------------------------------------------
; CEditRouter::ExecEditCommand
;
; Accepts an extra argument now for access checking
; -------------------------------------------------------------------------
$63669BA0:
837D2400 cmp [ebp+arg_1C], 0
0F84B5000000 jz $63669C5F
E979DF1600 jmp $637D7B28
90 nop
$63669BBB:
FF7524 push [ebp+$24] ; arg_1C
$63669BDA:
894520 mov [ebp+$20], eax ; arg_18
$63669BE8:
837D2000 cmp [ebp+$20], 0 ; arg_18
$63669C01:
FF7520 push [ebp+$20] ; arg_18
$63669C0F:
837D2000 cmp [ebp+$20], 0 ; arg_18
$63669C24:
FF7524 push [ebp+$24] ; arg_1C
$63669C37:
8B4D24 mov ecx, [ebp+$24] ; arg_1C
$63669C53:
FF7520 push [ebp+$20] ; arg_18
$63669C79:
C22000 ret $20

$637D7B28: ; 8B0757FF50048B4D248B897001000085C90F847120E9FFE87CA2E4FF3945200F846320E9FFFF752089C1E8A81DE8FF85C00F855120E9FF43E9FF20E9FF
8B07 mov eax, [edi]
57 push edi
FF5004 call dword ptr [eax+4]
8B4D24 mov ecx, [ebp+$24] ; arg_1C
8B8970010000 mov ecx, [ecx+$170]
85C9 test ecx, ecx
0F847120E9FF jz $63669BB0
E87CA2E4FF call $63621DC0 ; CElement::GetMarkupPtr
394520 cmp [ebp+$20], eax ; arg_18
0F846320E9FF jz $63669BB0
FF7520 push [ebp+$20] ; arg_18
89C1 mov ecx, eax
E8A81DE8FF call $636598FF ; CMarkup::AccessAllowed
85C0 test eax, eax
0F855120E9FF jnz $63669BB0
43 inc ebx
E9FF20E9FF jmp $63669C64 ; @L3

; -------------------------------------------------------------------------
; CAutoTxtSiteRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------
$6372043D:
E926770B00 jmp $637D7B68
90 nop

$637D7B68: ; 8B4E2C85C90F84EA88F4FFFF75F4E899A9E4FF508D4610E9BF88F4FF
8B4E2C mov ecx, [esi+2Ch]
85C9 test ecx, ecx
0F84EA88F4FF jz $6372045D
FF75F4 push [ebp-$C] ; var_C
E899A9E4FF call $63622514 ; CElement::GetWindowedMarkupContext(void)
50 push eax ; Pushing the result as an extra argument for a later call to CEditRouter::ExecEditCommand
8D4610 lea eax, [esi+$10]
E9BF88F4FF jmp $63720443

; -------------------------------------------------------------------------
; CAutoRange::Exec
;
; Pushes an extra argument to CEditRouter::ExecEditCommand
; -------------------------------------------------------------------------
$63732A6E:
E911510A00 jmp $637D7B84
90 nop

$637D7B84: ; 8B4328FF701C8B482085C9750289C151E9DBAEF5FF
8B4328 mov eax, [ebx+$28]
FF701C push dword ptr [eax+$1C]
8B4820 mov ecx, [eax+$20] ; Similar to calling CMarkup::GetNearestMarkupForScriptCollection at $6362EDA6, but different registers involved
85C9 test ecx, ecx
7502 jnz $637D7B93
89C1 mov ecx, eax
$637D7B93:
51 push ecx ; Pushing an extra argument for a later call to CEditRouter::ExecEditCommand
E9DBAEF5FF jmp $63732A74

; -------------------------------------------------------------------------
; COmWindowProxy::SwitchMarkup
;
; Seems to be a patch for a race condition vulnerability
; -------------------------------------------------------------------------
$63607409:
83EC34 sub esp,$34 ; Make room for a lock object (really only have to subtract by $28, but this lets us align our lock object with XP)
$63607731:
0F8565041D00 jnz $637D7B9C
90x23 db 23 dup $90 ; 23 NOPs -- basically moving the contents down to the patch below and bracketing it with lock/unlock calls

$637D7B9C: ; 6A00508D4DCCE88C25E4FF8BCFE88F5FE1FF8B4D0C50E81760E4FF85C08945088D4DCC750AE8AA25E4FFE983FBE2FFE8A025E4FFE9BEF8E2FF
6A00 push 0
50 push eax
8D4DCC lea ecx, [ebp-$34] ; 8 bytes will hold our lock object
E88C25E4FF call $6361A133 ; CElement::CLock::CLock
8BCF mov ecx, edi
E88F5FE1FF call $635EDB3D ; CMarkup::Root
8B4D10 mov ecx, [ebp+$10] ; arg_8
50 push eax
E81760E4FF call $6361DBCE ; CElement::SetViewSlave
85C0 test eax, eax
8945F8 mov [ebp-8], eax ; var_8
8D4DCC lea ecx, [ebp-$34] ; 8 bytes holding our lock object
750A jnz $637D7BCB
E8AA25E4FF call $6361A170 ; CElement::CLock::~CLock
E983FBE2FF jmp $6360774E ; @L14
$637D7BCB:
E8A025E4FF call $6361A170 ; CElement::CLock::~CLock
E9BEF8E2FF jmp $63607493 ; @L36
  19. Have you tried SmoothText? See the sticky post above.
  20. MS10-067 fix is now up. After analyzing it I found that the version for XP is identical save for the actual patch and can be used as-is. I only had to rebuild the hotfix installer.
  21. Patch for MS10-055 is now up: from what I've read, it blocks a heap overflow by processing no more than 3 strips in the file header:

======= Patch 1 =======
$6EA265FD: ; E8FECE000090
E8FECE0000 call $6EA33500
90 nop

======= Patch 2 =======
$6EA33500: ; 0BC2894C242C83F80376036A0358C3
0BC2 or eax, edx
894C242C mov [esp+$34-8+4],ecx
83F803 cmp eax,3
7603 jbe @L1
6A03 push 3
58 pop eax
@L1:
C3 ret

For this patch and the previous one, I used my PE Tool to use up some slack in the code segment. That's a necessary step in making these patches. I had to re-release this one, hence the V2. About 5 minutes after I released it I realized that I was off by 4 bytes in the mov instruction above.
  22. Thanks. The patch for MS10-047 is up. Luckily it was a really benign patch, just zeroing a structure at the beginning of a routine. There was just barely enough room to squeeze it in without having to move anything. The version will tick up to 5.00.2195.7377 when it's installed. For anyone who is interested, here are the notes I made when I was building the patch:

======== patch 1 ========
SLACK ; ntoskrnl: $35, ntkrnlpa: $15, ntkrnlmp: $35, ntkrpamp: $15

$yy: ; ntoskrnl: $00432419, ntkrnlpa: $00432455, ntkrnlmp: $00434797, ntkrpamp: $004348E1
call $xx
ntoskrnl: E8 ED 80 03 00 call $0046A50B
ntkrnlpa: E8 51 B3 03 00 call $0046D7AB
ntkrnlmp: E8 2F 94 03 00 call $0046DBCB
ntkrpamp: E8 85 C2 03 00 call $00470B6B

calculating offsets for the CALL instruction above
46A50B-432419-5=380ED --> ED800300
46D7AB-432455-5=3B351 --> 51B30300
46DBCB-434797-5=3942F --> 2F940300
470B6B-4348E1-5=3C285 --> 85C20300

======== patch 2 ========
insert in slack area
$xx: ; ntoskrnl: $0046A50B, ntkrnlpa: $0046D7AB, ntkrnlmp: $0046DBCB, ntkrpamp: $00470B6B
; 33C08B7B18B99C0200002BF9F3AABA01000100C3
33C0 xor eax,eax
8B7B18 mov edi,[ebx+$18]
B99C020000 mov ecx,$29C
2BF9 sub edi,ecx
F3AA rep stosb
BA01000100 mov edx,$10001
C3 ret
Size: 20 ($14)

.text (physical)
ntoskrnl: $540 -- $6A50B -- $6A540
ntkrnlpa: $540 -- $6D7AB -- $6D7C0
ntkrnlmp: $540 -- $6DBCB -- $6DC00
ntkrpamp: $540 -- $70B6B -- $70B80

======== patch 3 ========
Update the version build number
ntoskrnl: $00547F53 66810D865F4700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810D865F4700D01C
ntkrnlpa: $0054C6D3 66810DE6944700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810DE6944700D01C
ntkrnlmp: $0054CE49 66810D66A54700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810D66A54700D01C
ntkrpamp: $005510C9 66810DE6D74700D11C or word ptr CmNtCSDVersion+2,$1CD1 ; original: 66810DE6D74700D01C

======== patch 3 ========
Update the version build number
352E30302E323139352E3733373700 db "5.00.2195.7377", 0 ; original: 352E30302E323139352E3733373600
ntoskrnl: $00547CA0
ntkrnlpa: $0054C420
ntkrnlmp: $0054CB78
ntkrpamp: $00550DF8
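The CALL-offset arithmetic in the MS10-047 notes above ("46A50B-432419-5=380ED --> ED800300"), as an added Python example that is not part of WildBill's notes or tool: it encodes the 5-byte E8/E9 rel32 and 2-byte Jcc rel8 branch forms, decodes the hex strings back to their targets, and checks a patch body against the slack found in the code segment. The addresses and byte strings it is exercised with are the ones quoted in these posts; the slack sizes ($35/$15) are the ones listed under patch 1.

```python
import struct

# Added example (not WildBill's code): relative-branch arithmetic for the
# hand-assembled hotfix patches in these notes. An x86 CALL/JMP stores the
# displacement from the *next* instruction, so a 5-byte E8/E9 at `src`
# reaching `dst` carries dst - src - 5, little-endian; a Jcc rel8 is 2 bytes.
OPCODES = {"call": b"\xe8", "jmp": b"\xe9"}


def rel32(src: int, dst: int, length: int = 5) -> int:
    """Unsigned 32-bit displacement for a `length`-byte branch at src -> dst."""
    return (dst - (src + length)) & 0xFFFFFFFF


def encode_near(mnemonic: str, src: int, dst: int) -> bytes:
    """5-byte E8 CALL / E9 JMP rel32, as planted at $yy into the slack area $xx."""
    return OPCODES[mnemonic] + struct.pack("<I", rel32(src, dst))


def encode_short_jcc(opcode: int, src: int, dst: int) -> bytes:
    """2-byte Jcc rel8 (0x72 = JB); refuses targets outside the -128..+127 range."""
    disp = dst - (src + 2)
    if not -128 <= disp <= 127:
        raise ValueError(f"{dst:#x} is not reachable with rel8 from {src:#x}")
    return bytes([opcode]) + struct.pack("<b", disp)


def decode_target(hexbytes: str, src: int) -> int:
    """Absolute target of a rel8/rel32 branch given as the hex string in the notes."""
    raw = bytes.fromhex(hexbytes)
    if raw[0] in (0xE8, 0xE9) and len(raw) == 5:
        disp = struct.unpack("<i", raw[1:])[0]
    elif 0x70 <= raw[0] <= 0x7F and len(raw) == 2:
        disp = struct.unpack("<b", raw[1:])[0]
    else:
        raise ValueError("not a rel8/rel32 branch")
    return (src + len(raw) + disp) & 0xFFFFFFFF


def fits_slack(hexbytes: str, slack: int) -> bool:
    """True if the patch body fits the free bytes found in the code segment."""
    return len(bytes.fromhex(hexbytes)) <= slack


if __name__ == "__main__":
    # MS10-047 notes, ntoskrnl: CALL at $00432419 into the slack at $0046A50B.
    print(encode_near("call", 0x00432419, 0x0046A50B).hex().upper())  # E8ED800300
    # The 20-byte zeroing stub against ntkrnlpa's $15 (21) bytes of slack.
    print(fits_slack("33C08B7B18B99C0200002BF9F3AABA01000100C3", 0x15))  # True
```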
  23. Added a patch for MS10-061. I'm now investigating MS10-047...
  24. I'm still fixing issues with the tool, but I also managed to make a patch for MS10-063 (see above). It was an easy patch that validates against some maximum allowable values.
  25. I'll see if I can fix the remaining issues tomorrow, or at least try to. The remaining problems revolve around the rich-edit control I'm using for the disassembly view. Large files take way too long to disassemble, and when you make changes to code the disassembly goes out of sync.