Closed. hfiref0x closed this issue 5 years ago.
There is a buffer overrun in GetUserAndDomainName function.
RpcCommon/Misc.c https://github.com/silverf0x/RpcView/blob/c108da277be48accb3c6aaeb4af752a2028069bf/RpcCommon/Misc.c#L379
where UserName is an array of 260 elements, 520 bytes in total https://github.com/silverf0x/RpcView/blob/c108da277be48accb3c6aaeb4af752a2028069bf/RpcCommon/Misc.c#L364
and dwSize is set to 520 https://github.com/silverf0x/RpcView/blob/c108da277be48accb3c6aaeb4af752a2028069bf/RpcCommon/Misc.c#L378
however LookupAccountSidW takes its third parameter, cchName, as a number of TCHARs. https://docs.microsoft.com/en-us/windows/desktop/api/winbase/nf-winbase-lookupaccountsidw
So the writable size is 520 bytes, but 1040 bytes might be written.
Perhaps you meant _countof instead of sizeof.
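An added example, not RpcView's code and not the Windows API. LookupAccountSidW exists only on Windows, so `lookup_name_stub` below is a constructed stand-in that follows the same cchName contract: an in/out count of wide characters that the callee trusts when it writes the name. `cch_from_sizeof` reproduces the argument the report describes (sizeof of a 260-element wchar_t array, 520 bytes on Windows where wchar_t is 2 bytes; 1040 where it is 4), `cch_from_countof` the _countof fix, and `overrun_elements` measures how many characters a 300-character name would land past the 260-element buffer under each argument. It uses an oversized backing array so the demonstration itself stays within defined behaviour. All function names and the 300-character sample name are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* Same element count as UserName in RpcCommon/Misc.c (260 wide characters). */
#define NAME_CAPACITY 260
/* Portable equivalent of the MSVC _countof macro: element count, not bytes. */
#define COUNTOF(a) (sizeof(a) / sizeof((a)[0]))

typedef wchar_t UserNameBuf[NAME_CAPACITY];

/* Constructed stand-in (assumption, not the Windows API) for a callee with the
 * LookupAccountSidW contract: cchName is a count of wide characters, never
 * bytes. It fails and reports the required count when the buffer is too small,
 * otherwise copies the name and trusts cchName completely. */
static int lookup_name_stub(const wchar_t *name, wchar_t *buf, size_t *cchName)
{
    size_t needed = wcslen(name) + 1;      /* characters incl. terminator */
    if (*cchName < needed) {
        *cchName = needed;                 /* tell caller what it needs */
        return 0;                          /* fail, nothing written */
    }
    wmemcpy(buf, name, needed);
    *cchName = needed - 1;                 /* characters stored, excl. terminator */
    return 1;
}

/* The buggy argument from the report: sizeof() of the array is a byte count. */
size_t cch_from_sizeof(void)
{
    return sizeof(UserNameBuf);
}

/* The fix the report suggests: _countof, the element count cchName expects. */
size_t cch_from_countof(void)
{
    return COUNTOF((UserNameBuf){0});
}

/* Number of wide characters written past the logical 260-element buffer when
 * the callee is told it has cch characters and the account name is name_len
 * characters long. The backing array is deliberately oversized so this demo
 * never leaves defined behaviour; the return value is what the real code would
 * have spilled onto adjacent stack memory. */
size_t overrun_elements(size_t cch, size_t name_len)
{
    wchar_t backing[2 * NAME_CAPACITY + 1];
    wchar_t name[2 * NAME_CAPACITY + 1];
    if (name_len > 2 * NAME_CAPACITY)
        return (size_t)-1;                 /* outside what this demo models */
    wmemset(name, L'A', name_len);         /* constructed sample name */
    name[name_len] = L'\0';
    wmemset(backing, L'\0', COUNTOF(backing));

    size_t n = cch;
    if (!lookup_name_stub(name, backing, &n))
        return 0;                          /* rejected: nothing written */
    size_t written = n + 1;                /* characters incl. terminator */
    return written > NAME_CAPACITY ? written - NAME_CAPACITY : 0;
}

int main(void)
{
    size_t long_name = 300;                /* longer than the 260-element buffer */
    printf("sizeof   -> cch=%zu, overrun=%zu chars\n",
           cch_from_sizeof(), overrun_elements(cch_from_sizeof(), long_name));
    printf("_countof -> cch=%zu, overrun=%zu chars\n",
           cch_from_countof(), overrun_elements(cch_from_countof(), long_name));
    return 0;
}
```

With the byte count, the stub accepts the 300-character name and writes 41 characters beyond the 260-element buffer; with the element count it fails cleanly and reports the 301 characters it would need, which is the behaviour the caller can handle.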