@zdi-team
Created June 7, 2022 13:46
.text:00000001C00CC1B2 loc_1C00CC1B2:
; Issue the RPC call and wait for the reply. Register roles below follow the
; Microsoft x64 convention (rcx, rdx, r8, r9, then stack) as implied by the
; argument setup; the exact meaning of each parameter comes from the callee
; prototype, which is not shown in this excerpt.
.text:00000001C00CC1B2 mov rdx, [rsp+1B0h+var_160]      ; arg2 = var_160
.text:00000001C00CC1B7 lea rax, [rsp+1B0h+var_158]      ; &var_158, stored as the 5th (stack) argument below
.text:00000001C00CC1BC mov rcx, [rsp+1B0h+var_148]      ; arg1 = var_148
.text:00000001C00CC1C1 mov r9d, 7530h                   ; arg4 = 0x7530 = 30000 decimal; looks like a millisecond timeout - confirm against the prototype
.text:00000001C00CC1C7 mov r8, r12                      ; arg3 = r12 (value not visible in this excerpt)
.text:00000001C00CC1CA mov [rsp+1B0h+Timeout], rax      ; 5th arg = &var_158; IDA names this slot "Timeout", but it receives a pointer
.text:00000001C00CC1CF call cs:__imp_OncRpcSendCallWaitReply ; Server sends GETADDR call
.text:00000001C00CC1D6 nop dword ptr [rax+rax+00h]
.text:00000001C00CC1DB mov r14d, eax                    ; r14d = call status; its sign is tested at loc_1C00CC222
[... Truncated for readability ...]
.text:00000001C00CC21B loc_1C00CC21B:
.text:00000001C00CC21B mov rbx, [rbp+0B0h+var_108]
.text:00000001C00CC21F xor r12d, r12d                   ; r12 = 0 from here on; reused as the constant 0 in compares, as a NULL Src, and as the NUL byte stored at loc_1C00CC3BD
.text:00000001C00CC222 test r14d, r14d ; Verify RPC call succeeded
.text:00000001C00CC225 js loc_1C00CC441                 ; negative status -> error path (outside this excerpt)
.text:00000001C00CC22B movzx edi, [rsp+1B0h+var_170]    ; edi = 16-bit value from the reply, compared below as the address family
.text:00000001C00CC230 mov r9, [rsp+1B0h+var_158]       ; r9 = decode context; presumably filled in by the call above (its +48h/+108h fields are read at loc_1C00CC2A1)
.text:00000001C00CC235 cmp di, si ; Check if using AF_INET (IPv4)
.text:00000001C00CC238 jnz short loc_1C00CC2A1          ; not IPv4 -> loc_1C00CC2A1 (shown below); the IPv4 case is truncated from this excerpt
[... Truncated for readability ...]
.text:00000001C00CC2A1 loc_1C00CC2A1:
; Describe the local 0x60 (96) byte buffer at var_B0 as a {length, pointer}
; pair, then decode a 4-byte big-endian XDR integer (the string length) from
; the inline buffer if enough bytes remain, else via XdrDecodeIntSlow.
; The fields at [rcx+38h], [rcx+40h] and [rcx+4Ch] are read as buffer base,
; current position and total length; this is inferred from the arithmetic
; below and should be confirmed against the structure definitions.
.text:00000001C00CC2A1 mov eax, 60h ; '`'               ; 0x60 = 96 = capacity of the stack buffer var_B0
.text:00000001C00CC2A6 mov [rbp+0B0h+var_DE], ax        ; var_DE = 96 (destination capacity)
.text:00000001C00CC2AA lea rax, [rbp+0B0h+var_B0]
.text:00000001C00CC2AE mov [rbp+0B0h+var_D8], rax       ; var_D8 = &var_B0 (destination pointer)
.text:00000001C00CC2B2 cmp [r9+108h], r12d              ; [r9+108h] < 0 -> slow path
.text:00000001C00CC2B9 jl short loc_1C00CC301
.text:00000001C00CC2BB mov rcx, [r9+48h]                ; rcx = inline buffer object; NULL -> slow path
.text:00000001C00CC2BF test rcx, rcx
.text:00000001C00CC2C2 jz short loc_1C00CC301
.text:00000001C00CC2C4 mov edx, [rcx+40h]
.text:00000001C00CC2C7 sub edx, [rcx+38h]               ; edx = cur - base = bytes consumed so far
.text:00000001C00CC2CA mov r10d, [rcx+4Ch]              ; r10d = buffer length
.text:00000001C00CC2CE cmp r10d, edx
.text:00000001C00CC2D1 jb short loc_1C00CC2DB           ; unsigned: consumed > length
.text:00000001C00CC2D3 mov r8d, r10d
.text:00000001C00CC2D6 sub r8d, edx                     ; r8d = length - consumed = bytes remaining
.text:00000001C00CC2D9 jmp short loc_1C00CC2DE
.text:00000001C00CC2DB ; ---------------------------------------------------------------------------
.text:00000001C00CC2DB
.text:00000001C00CC2DB loc_1C00CC2DB:
.text:00000001C00CC2DB mov r8d, r15d                    ; consumed > length: r8d = r15d (not visible here); discarded by the cmovnb below since CF is set again
.text:00000001C00CC2DE
.text:00000001C00CC2DE loc_1C00CC2DE:
.text:00000001C00CC2DE cmp r10d, edx
.text:00000001C00CC2E1 mov eax, r12d                    ; eax = 0
.text:00000001C00CC2E4 cmovnb eax, r8d                  ; eax = (length >= consumed) ? remaining : 0
.text:00000001C00CC2E8 cmp eax, 4
.text:00000001C00CC2EB jb short loc_1C00CC301           ; fewer than 4 bytes inline -> slow path
.text:00000001C00CC2ED mov rax, [rcx+40h]
.text:00000001C00CC2F1 mov edx, [rax]                   ; load the 32-bit XDR integer at cur
.text:00000001C00CC2F3 add rax, 4
.text:00000001C00CC2F7 bswap edx                        ; XDR is big-endian; convert to host order
.text:00000001C00CC2F9 mov [rcx+40h], rax               ; cur += 4
.text:00000001C00CC2FD mov eax, edx ; eax has the Universal Address string length
.text:00000001C00CC2FF jmp short loc_1C00CC30C
.text:00000001C00CC301 ; ---------------------------------------------------------------------------
.text:00000001C00CC301
.text:00000001C00CC301 loc_1C00CC301:
.text:00000001C00CC301 mov rcx, r9
.text:00000001C00CC304 call XdrDecodeIntSlow            ; out-of-line decode; the length comes back in eax
.text:00000001C00CC309 movzx edx, ax                    ; only the low 16 bits are kept here (the fast path keeps all 32 in edx)
.text:00000001C00CC30C
.text:00000001C00CC30C loc_1C00CC30C:
.text:00000001C00CC30C mov rdi, [rsp+1B0h+var_158]      ; rdi = decode context (same object r9 held)
.text:00000001C00CC311 mov [rbp+0B0h+var_E0], dx        ; var_E0 = low 16 bits of the length
.text:00000001C00CC315 movzx esi, ax ; move string length to esi (truncated to 16 bits, 0..65535); it is never compared against the 0x60 capacity stored in var_DE
.text:00000001C00CC318 cmp [rdi+108h], r12d
.text:00000001C00CC31F jl loc_1C00CC3AA                 ; slow path -> XdrDecodeOpaqueSlow
.text:00000001C00CC325 mov rcx, [rdi+48h]
.text:00000001C00CC329 test rcx, rcx
.text:00000001C00CC32C jnz short loc_1C00CC333          ; non-NULL: presumably the same remaining-bytes computation as above (truncated from this excerpt)
.text:00000001C00CC32E mov eax, r12d                    ; NULL buffer object: 0 bytes available inline
.text:00000001C00CC331 jmp short loc_1C00CC357
[... Truncated for readability ...]
.text:00000001C00CC357 loc_1C00CC357:
; Copy the opaque string body into var_B0. The only check before the copy
; compares the requested length against the bytes available in the source
; buffer; nothing compares it against the 96-byte destination set up at
; loc_1C00CC2A1. A fix would reject any length >= 0x60 before the copy
; (`cmp esi, 60h` / `jae <error>`), with >= rather than > because the NUL
; byte stored at loc_1C00CC3BD needs one extra byte.
.text:00000001C00CC357 cmp eax, esi                     ; eax = bytes available inline, esi = requested length
.text:00000001C00CC359 jb short loc_1C00CC3AA           ; not enough inline data -> slow path
.text:00000001C00CC35B mov rdx, r12                     ; Src = NULL by default
.text:00000001C00CC35E test rcx, rcx
.text:00000001C00CC361 jz short loc_1C00CC367
.text:00000001C00CC363 mov rdx, [rcx+40h] ; Src (= cur)
.text:00000001C00CC367
.text:00000001C00CC367 loc_1C00CC367:
.text:00000001C00CC367 mov r8, rsi ; string length used as size of memmove
.text:00000001C00CC36A lea rcx, [rbp+0B0h+var_B0] ; void * (Dst = the 96-byte stack buffer)
.text:00000001C00CC36E call memmove ; buffer overflow triggered for string length > 96
.text:00000001C00CC373 mov rax, [rdi+48h]
.text:00000001C00CC377 add [rax+40h], rsi               ; cur += length
.text:00000001C00CC37B mov rcx, [rdi+48h]
.text:00000001C00CC37F test rcx, rcx
.text:00000001C00CC382 jnz short loc_1C00CC390
.text:00000001C00CC384 mov r8, [rcx+40h]                ; NOTE(review): this path is reached only with rcx == 0, yet reads [rcx+40h]; verify against the full listing
.text:00000001C00CC388 mov rax, r12
.text:00000001C00CC38B mov rdx, r12
.text:00000001C00CC38E jmp short loc_1C00CC39B
.text:00000001C00CC390 ; ---------------------------------------------------------------------------
.text:00000001C00CC390
.text:00000001C00CC390 loc_1C00CC390:
.text:00000001C00CC390 mov rdx, [rcx+40h]               ; rdx = cur
.text:00000001C00CC394 mov rax, [rcx+38h]               ; rax = base
.text:00000001C00CC398 mov r8, rdx
.text:00000001C00CC39B
.text:00000001C00CC39B loc_1C00CC39B:
.text:00000001C00CC39B sub rax, rdx
.text:00000001C00CC39E and eax, 3                       ; (base - cur) & 3 = padding bytes to the next 4-byte boundary (XDR alignment)
.text:00000001C00CC3A1 add rax, r8
.text:00000001C00CC3A4 mov [rcx+40h], rax               ; cur += padding
.text:00000001C00CC3A8 jmp short loc_1C00CC3B8
.text:00000001C00CC3AA ; ---------------------------------------------------------------------------
.text:00000001C00CC3AA
.text:00000001C00CC3AA loc_1C00CC3AA:
.text:00000001C00CC3AA
.text:00000001C00CC3AA lea r8, [rbp+0B0h+var_B0]        ; arg3 = the same 96-byte buffer
.text:00000001C00CC3AE mov edx, esi                     ; arg2 = length, still unchecked against 0x60
.text:00000001C00CC3B0 mov rcx, rdi                     ; arg1 = decode context
.text:00000001C00CC3B3 call XdrDecodeOpaqueSlow         ; out-of-line copy; whether it bounds-checks the destination is not visible in this excerpt
.text:00000001C00CC3B8
.text:00000001C00CC3B8 loc_1C00CC3B8:
.text:00000001C00CC3B8 movzx edi, [rsp+1B0h+var_170]
.text:00000001C00CC3BD mov [rbp+rsi+0B0h+var_B0], r12b ; buffer overflow triggered
; for string length == 96
; (stores the NUL terminator at var_B0[length]; in bounds only for length <= 95)
.text:00000001C00CC3C2 mov esi, 2                       ; 2 = AF_INET, matching the compare at loc_1C00CC235