Followup: breakpoint the stack buffer overflow from executing maliciouscode like SQL Slammer worm Feb 11 2003 01:57PM
Peter Huang (yinrong rogers com) (1 replies)
Code Red Revisited and Stack-Based Exception Handler Frame Bug Feb 11 2003 09:11PM
Peter Huang (yinrong rogers com) (1 replies)
As I followed the trail described by Mr. Szor and Mr. Chien?s article
(http://www.peterszor.com/blended.pdf), it became clear to me the following
was the transfer point to the abused exception handler like Code Red. For a
normal C/C++ function, it was OK to assume that sub-functions will not
depend on the values of EBX, EDI, and ESI and will not abuse them. However,
that assumption was proved wrong with the Code Red exploitation and should
be corrected. One simple way is to save EBX and xor EBX out before it
transfers the rein. A more panicky way is to save and xor out all the unused
registers like EBX, EDI, and ESI for this function before it calls ECX as

NTDLL Sub_77F9250D called by KiUserExceptionDispatcher

.text:77F9250D mov edx, offset loc_77F8A896
.text:77F92512 loc_77F92512: ; CODE XREF:
.text:77F92512 push ebp
.text:77F92513 mov ebp, esp
.text:77F92515 push [ebp+arg_8]
.text:77F92518 push edx
.text:77F92519 push large dword ptr fs:0
push ebx
push edi
push esi
xor esi, esi
xor edi, edi
xor ebx, ebx
.text:77F92520 mov large fs:0, esp
.text:77F92527 push [ebp+arg_10]
.text:77F9252A push [ebp+arg_C]
.text:77F9252D push [ebp+arg_8]
.text:77F92530 push [ebp+arg_4]
.text:77F92533 mov ecx, [ebp+arg_14]
.text:77F92536 call ecx
.text:77F92538 mov esp, large fs:0
pop esi
pop edi
pop ebx
.text:77F9253F pop large dword ptr fs:0
.text:77F92546 mov esp, ebp
.text:77F92548 pop ebp
.text:77F92549 retn 14h

That is it. Two cracks (one boundary check bug and another normal (sometimes
incomplete) assumption about C/C++ call) made the Code Red exploitation
possible in real life.

Peter Huang
For more articles written by Peter Huang, please visit

[ reply ]
Re: Code Red Revisited and Stack-Based Exception Handler Frame Bug Feb 13 2003 11:08PM
Roland Postle (mail blazde co uk)


Privacy Statement
Copyright 2010, SecurityFocus