漏洞攻防吧 (Vulnerability Attack and Defense forum)

Windows Telnet Service Remote Code Execution Vulnerability (CVE-2015-0014)


The telnet service process is tlntsvr.exe; for each client connection it starts a separate tlntsess.exe process, and tlntsess.exe calls signed int __thiscall CRFCProtocol::ProcessDataReceivedOnSocket(CRFCProtocol *this, unsigned __int32 *a2).
Beforehand it calls (*(void (__thiscall **)(CRFCProtocol *, unsigned __int8 **, unsigned __int8 **, unsigned __int8))((char *)&off_1011008 + v12))(v2, &v13, &v9, v6),
and afterwards it first checks the length of the data in the buffer: if
(unsigned int)(v9 - (unsigned __int8 *)&Src - 1) <= 0x7FE
that is, the following call is only made when v13 - &Src <= 2048, where v13 points to the head of the free part of the buffer:
(*(&off_1011008 + 3 * v7))(v3, &v14, &v13, *v6)
The problem is that this call at (*(&off_1011008 + 3 * v7))(v3, &v14, &v13, *v6) invokes void __thiscall CRFCProtocol::DoTxBinary(CRFCProtocol *this, unsigned __int8 **a2, unsigned __int8 **a3, unsigned __int8 a4), and that call moves v13. The v13 - &Src <= 2048 condition was checked before v13 moved, so it is satisfied while the subsequent write lands beyond the checked range, which plainly results in a buffer overflow.
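As an added illustration (not code from the post or from tlntsess.exe), the constructed C model below places the check-then-call ordering described above beside a call-then-check version that recomputes the remaining space after the handler has moved the cursor. BUF_LIMIT, GUARD, option_handler and run_scenario are assumed names for the demonstration; the 2048-byte bound is the one the post cites.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define BUF_LIMIT 2048   /* the bound the length check enforces (constructed to match the post) */
#define GUARD       64   /* stands in for whatever lies past the buffer; constructed */

typedef struct { uint8_t data[BUF_LIMIT + GUARD]; } RxArea;
typedef struct { size_t written; size_t past_limit; } Outcome;

/* Stand-in for the option handler (DoTxBinary in the post): writes n bytes at *cursor
 * and advances it. Only the cursor movement matters for the bug. */
static void option_handler(uint8_t **cursor, size_t n) {
    memset(*cursor, 0x42, n);
    *cursor += n;
}

/* Check-then-call: the bound is tested against the cursor BEFORE the handler moves it,
 * so the following copy can run past BUF_LIMIT. */
static size_t check_then_call(RxArea *a, const uint8_t *in, size_t in_len, size_t hb) {
    uint8_t *cur = a->data;
    if ((size_t)(cur - a->data) + in_len > BUF_LIMIT) return 0;  /* passes on the stale cursor */
    option_handler(&cur, hb);                                    /* cursor advances after the check */
    memcpy(cur, in, in_len);                                     /* may spill into GUARD */
    return (size_t)(cur - a->data) + in_len;
}

/* Call-then-check: remaining space is recomputed from the cursor as it is at write time. */
static size_t call_then_check(RxArea *a, const uint8_t *in, size_t in_len, size_t hb) {
    uint8_t *cur = a->data;
    if (hb > BUF_LIMIT) return 0;
    option_handler(&cur, hb);
    size_t used = (size_t)(cur - a->data);
    if (in_len > BUF_LIMIT - used) return 0;                     /* reject instead of overflowing */
    memcpy(cur, in, in_len);
    return used + in_len;
}

/* Runs one variant on a zeroed area with in_len bytes of constructed input; reports how many
 * bytes were written in total and how many landed past BUF_LIMIT. */
static Outcome run_scenario(int hardened, size_t in_len, size_t hb) {
    RxArea area; uint8_t in[BUF_LIMIT]; Outcome o = {0, 0};
    memset(&area, 0, sizeof area);
    memset(in, 0x41, sizeof in);
    if (in_len > BUF_LIMIT || hb > GUARD) return o;              /* keep the demo itself in bounds */
    o.written = hardened ? call_then_check(&area, in, in_len, hb) : check_then_call(&area, in, in_len, hb);
    for (size_t i = BUF_LIMIT; i < BUF_LIMIT + GUARD; i++) o.past_limit += (area.data[i] != 0);
    return o;
}
```

With 2000 input bytes and a handler that advances the cursor by 50, the check-then-call variant writes 2 bytes past the limit while the call-then-check variant rejects the input.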


Post #1, 2015-04-07 15:02