Barracuda Networks AG Security Advisory 07/08/2011 Summary ----------------------------- Malformed DHCPv6 packets cause RPC to become unresponsive. Technical Details ----------------------------- There is a vulnerability in the part of RPC processing DHCPv6. The failure results because of incorrect handling of malformed messages. To exploit this vulnerability, an attacker would need to intercept DHCPv6 traffic. Once a DHCPv6 Request has been intercepted, the corresponding Reply would have to be modified to contain the malformed Domain Search List option. On reception of this malformed packet, RPC on the remote machine would fail. Exploiting this vulnerability would cause the RPC service to fail, losing any RPC-based services, as well as the potential loss of some COM functions. Failing RPC calls might interfere with e.g. - network connectivity (no IP address acquired, no IP address release/renew, …) - applications utilizing COM/DCOM interfaces - machine’s sound system The error has been found to occur on reception of DHCPv6 Reply (message type 7) packets, containing the option “Domain Search List” (option type 24) with an empty domain. Affected Systems ----------------------------- Using the sample DHCPv6 it was possible to verify this issue on following operating systems and configurations: * Microsoft Windows 7 Ultimate SP1 32 bit & 64 bit It is very likely that other versions of Windows 7 (and maybe earlier) are affected by this issue. Impact ----------------------------- 1. Reception of a “malformed” DHCPv6 Reply packet, like the one seen in appendix A, causes critical error 0xc0000374 within rpcrt4, leaving the RPC server to become unavailable. a.) ipconfig /release reporting: An error occurred while releasing interface : The RPC server is unavailable. This enables e.g. rouge DHCP servers to prevent other machines from connecting to a network. Remedy ------------ No remedy available from vendor as of July 08, 2011. Reported ------------ This vulnerability was first reported to Microsoft on, 8th July 2011 13:15 (GMT +2). Acknowledgements ----------------------------- This vulnerability has been discovered by Michael Burgbacher and Thomas Unterleitner on behalf of Barracuda Networks AG. Contact Information ----------------------------- Barracuda Networks AG can be reached via: http://www.barracudanetworks.com http://www.barracudalabs.com/wordpress/index.php/2011/08/16/malformed-dhcpv6-packets-cause-rpc-to-become-unresponsive/ Thomas Unterleitner can be reached via: tunterleitner (at) barracuda (dot) com [email concealed] References ----------------------------- [1] Barracuda Networks AG - http://www.barracudanetworks.com Exploit ----------------------------- We can confirm that the vulnerability results in a Denial of Service in the RPC service. Disclaimer ----------------------------- There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Barracuda Networks AG) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Appendix A - Sample DHCPv6 packet provoking the error ---------------------------------------------------------------- Malformed option somewhere in the option stack – error provoked. ---------------------------------------------------------------- No. Time Source Destination Protocol Info 1 0.000000 fec0:0:beef:f00d::feed fe80::754f:6144:be9e:2ae7 DHCPv6 Reply Frame 1 (183 bytes on wire, 183 bytes captured) Ethernet II, Src: 50:48:49:4f:4e:53 (50:48:49:4f:4e:53), Dst: 50:48:49:4f:4e:43 (50:48:49:4f:4e:43) Internet Protocol Version 6 User Datagram Protocol, Src Port: 547 (547), Dst Port: 546 (546) DHCPv6 Message type: Reply (7) Transaction-ID: 0x007f1ea5 Server Identifier option type: 2 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 50:48:49:4f:4e:53 Client Identifier option type: 1 option length: 14 DUID type: link-layer address plus time (1) Hardware type: Ethernet (1) Time: 304692361 Link-layer address: 00:0c:29:2a:17:54 Identity Association for Non-temporary Address option type: 3 option length: 40 IAID: 407914569 T1: 5400 T2: 8640 IA Address option type: 5 option length: 24 IPv6 address: fec0:0:beef:f00d::bad:f00d Preferred lifetime: 10800 Valid lifetime: 21600 Domain Search List <<<-------------------------------------- option type: 24 option length: 1 DNS Domain Search List Malformed option DNS recursive name server option type: 23 option length: 32 DNS servers address: fec0:0:beef:f00d::feed DNS servers address: fe80::2d42:5a6d:9472:a9fb ----------------------------------------------------------------- Malformed option at the end of the option stack – error provoked. ----------------------------------------------------------------- No. Time Source Destination Protocol Info 1 0.000000 fec0:0:beef:f00d::feed fe80::754f:6144:be9e:2ae7 DHCPv6 Reply Frame 1 (183 bytes on wire, 183 bytes captured) Ethernet II, Src: 50:48:49:4f:4e:53 (50:48:49:4f:4e:53), Dst: 50:48:49:4f:4e:43 (50:48:49:4f:4e:43) Internet Protocol Version 6 User Datagram Protocol, Src Port: 547 (547), Dst Port: 546 (546) DHCPv6 Message type: Reply (7) Transaction-ID: 0x0054c814 Server Identifier option type: 2 option length: 10 DUID type: link-layer address (3) Hardware type: Ethernet (1) Link-layer address: 50:48:49:4f:4e:53 Client Identifier option type: 1 option length: 14 DUID type: link-layer address plus time (1) Hardware type: Ethernet (1) Time: 304692361 Link-layer address: 00:0c:29:2a:17:54 Identity Association for Non-temporary Address option type: 3 option length: 40 IAID: 407914569 T1: 5400 T2: 8640 IA Address option type: 5 option length: 24 IPv6 address: fec0:0:beef:f00d::bad:f00d Preferred lifetime: 10800 Valid lifetime: 21600 DNS recursive name server option type: 23 option length: 32 DNS servers address: fec0:0:beef:f00d::feed DNS servers address: fe80::2d42:5a6d:9472:a9fb Domain Search List <<<-------------------------------------------- option type: 24 option length: 1 DNS Domain Search List Malformed option Appendix B – Stack trace of the error STACK_TEXT: 00000000`7701d1cd ntdll! ?? ::FNODOBFM::`string'+0x123b4 000007fe`fd171512 KERNELBASE!LocalFree+0x2e 000007fe`fe1fedb7 RPCRT4!Ndr64ConformantArrayFree+0x1e7 000007fe`fe20085a RPCRT4!Ndr64ComplexStructFree+0x121 000007fe`fe2bad24 RPCRT4!Ndr64pFreeParams+0xf8 000007fe`fe2bb749 RPCRT4!Ndr64StubWorker+0x83d 000007fe`fe204070 RPCRT4!NdrServerCallAll+0x40 000007fe`fe209c24 RPCRT4!DispatchToStubInCNoAvrf+0x14 000007fe`fe209d86 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146 000007fe`fe20a479 RPCRT4!LRPC_SCALL::DispatchRequest+0x149 000007fe`fe20a11d RPCRT4!LRPC_SCALL::HandleRequest+0x20d 000007fe`fe217ddf RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf 000007fe`fe217995 RPCRT4!LrpcIoComplete+0xa5 00000000`76fcb43b ntdll!TppAlpcpExecuteCallback+0x26b 00000000`76fc923f ntdll!TppWorkerThread+0x3f8 00000000`76daf56d kernel32!BaseThreadInitThunk+0xd 00000000`76fe3281 ntdll!RtlUserThreadStart+0x1d Appendix C - Research results Critical error detected c0000374 FAULTING_IP: ntdll!RtlReportCriticalFailure+2f 0033:00000000`77076c9f cc int 3 EXCEPTION_RECORD: ffffffffffffffff -- (.exr 0xffffffffffffffff) ExceptionAddress: 0000000077076c9f (ntdll!RtlReportCriticalFailure+0x000000000000002f) ExceptionCode: 80000003 (Break instruction exception) ExceptionFlags: 00000000 NumberParameters: 1 Parameter[0]: 0000000000000000 DEFAULT_BUCKET_ID: STATUS_BREAKPOINT ERROR_CODE: (NTSTATUS) 0x80000003 - {EXCEPTION} Breakpoint A breakpoint has been reached. EXCEPTION_CODE: (HRESULT) 0x80000003 (2147483651) - One or more arguments are invalid EXCEPTION_PARAMETER1: 0000000000000000 NTGLOBALFLAG: 0 LAST_CONTROL_TRANSFER: from 0000000000000000 to 000000007701d1cd FAULTING_THREAD: ffffffffffffffff PRIMARY_PROBLEM_CLASS: STATUS_BREAKPOINT BUGCHECK_STR: APPLICATION_FAULT_STATUS_BREAKPOINT STACK_TEXT: 00000000`7701d1cd ntdll! ?? ::FNODOBFM::`string'+0x123b4 000007fe`fd171512 KERNELBASE!LocalFree+0x2e 000007fe`fe1fedb7 RPCRT4!Ndr64ConformantArrayFree+0x1e7 000007fe`fe20085a RPCRT4!Ndr64ComplexStructFree+0x121 000007fe`fe2bad24 RPCRT4!Ndr64pFreeParams+0xf8 000007fe`fe2bb749 RPCRT4!Ndr64StubWorker+0x83d 000007fe`fe204070 RPCRT4!NdrServerCallAll+0x40 000007fe`fe209c24 RPCRT4!DispatchToStubInCNoAvrf+0x14 000007fe`fe209d86 RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146 000007fe`fe20a479 RPCRT4!LRPC_SCALL::DispatchRequest+0x149 000007fe`fe20a11d RPCRT4!LRPC_SCALL::HandleRequest+0x20d 000007fe`fe217ddf RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf 000007fe`fe217995 RPCRT4!LrpcIoComplete+0xa5 00000000`76fcb43b ntdll!TppAlpcpExecuteCallback+0x26b 00000000`76fc923f ntdll!TppWorkerThread+0x3f8 00000000`76daf56d kernel32!BaseThreadInitThunk+0xd 00000000`76fe3281 ntdll!RtlUserThreadStart+0x1d FOLLOWUP_IP: RPCRT4!Ndr64pFreeParams+f8 0033:000007fe`fe2bad24 4c8d0dd552f2ff lea r9,[RPCRT4!COMMON_ResubmitListen (RPCRT4+0x0) (000007fe`fe1e0000)] SYMBOL_STACK_INDEX: 4 SYMBOL_NAME: RPCRT4!Ndr64pFreeParams+f8 FOLLOWUP_NAME: MachineOwner MODULE_NAME: RPCRT4 IMAGE_NAME: RPCRT4.dll DEBUG_FLR_IMAGE_TIMESTAMP: 4a5be035 STACK_COMMAND: dds 770ec458 ; kb FAILURE_BUCKET_ID: STATUS_BREAKPOINT_80000003_RPCRT4.dll!Ndr64pFreeParams BUCKET_ID: X64_APPLICATION_FAULT_STATUS_BREAKPOINT_RPCRT4!Ndr64pFreeParams+f8 Followup: MachineOwner --------- lmvm RPCRT4 start end module name 000007fe`fe1e0000 000007fe`fe30e000 RPCRT4 (pdb symbols) d:\localsymbols\rpcrt4.pdb\484A214596114DE7AA63AF63A748044D2\rpcrt4.pdb Loaded symbol image file: RPCRT4.dll Image path: C:\Windows\system32\RPCRT4.dll Image name: RPCRT4.dll Timestamp: Tue Jul 14 03:32:37 2009 (4A5BE035) CheckSum: 001302FA ImageSize: 0012E000 File version: 6.1.7600.16385 Product version: 6.1.7600.16385 File flags: 0 (Mask 3F) File OS: 40004 NT Win32 File type: 2.0 Dll File date: 00000000.00000000 Translations: 0409.04b0 CompanyName: Microsoft Corporation ProductName: Microsoft® Windows® Operating System InternalName: rpcrt4.dll OriginalFilename: rpcrt4.dll ProductVersion: 6.1.7600.16385 FileVersion: 6.1.7600.16385 (win7_rtm.090713-1255) FileDescription: Remote Procedure Call Runtime LegalCopyright: © Microsoft Corporation. All rights reserved. kv Child-SP RetAddr : Args to Child : Call Site 00000000`00d5ec20 00000000`77077396 : 00000000`00000002 00000000`00000023 00000000`00000000 00000000`00000003 : ntdll!RtlReportCriticalFailure+0x2f 00000000`00d5ecf0 00000000`770786c2 : 00000000`00000000 00000000`00000058 0000022b`00740001 00000000`002b7c70 : ntdll!RtlpReportHeapFailure+0x26 00000000`00d5ed20 00000000`7707a0c4 : 00000000`002b0000 00000000`00000000 00000000`00000000 00000000`04000004 : ntdll!RtlpHeapHandleError+0x12 00000000`00d5ed50 00000000`7701d1cd : 00000000`025183b0 00000000`002b0000 00000000`025183c0 00000000`00000000 : ntdll!RtlpLogHeapFailure+0xa4 00000000`00d5ed80 000007fe`fd171512 : 00000000`01b91590 00000000`025183c0 000007fe`fa5c7a50 000007fe`fa5a83a2 : ntdll! ?? ::FNODOBFM::`string'+0x123b4 00000000`00d5ee00 000007fe`fe1fedb7 : 00000000`025183c0 00000000`00d5f030 000007fe`fa5c8309 00000000`00338f20 : KERNELBASE!LocalFree+0x2e 00000000`00d5ee40 000007fe`fe20085a : 000007fe`fa5c8608 000007fe`fa5c7a00 00000000`00338f00 000007fe`fa5c8300 : RPCRT4!Ndr64ConformantArrayFree+0x1e7 00000000`00d5eec0 000007fe`fe2bad24 : 00000000`01b91590 00000000`00000000 00000000`00390d20 000007fe`fe1e0000 : RPCRT4!Ndr64ComplexStructFree+0x121 00000000`00d5ef20 000007fe`fe2bb749 : 00000000`00000000 00000000`01cca430 000007fe`fa5c8301 000007fe`fa5c8360 : RPCRT4!Ndr64pFreeParams+0xf8 00000000`00d5ef70 000007fe`fe204070 : 00000000`00338e90 00000000`00000010 00000000`00000008 000007fe`fe22bf87 : RPCRT4!Ndr64StubWorker+0x83d 00000000`00d5f530 000007fe`fe209c24 : 00000000`00000002 00000000`00000000 00000000`00000000 00000000`00000000 : RPCRT4!NdrServerCallAll+0x40 00000000`00d5f580 000007fe`fe209d86 : 00000000`00d5f630 000007fe`fe21ce76 00000000`00d5f730 00000000`00000000 : RPCRT4!DispatchToStubInCNoAvrf+0x14 00000000`00d5f5b0 000007fe`fe20a479 : 00000000`00000000 000007fe`fe20445d 00000000`01bf7900 00000000`01cca2e0 : RPCRT4!RPC_INTERFACE::DispatchToStubWorker+0x146 00000000`00d5f6d0 000007fe`fe20a11d : 00000000`0256b060 00000000`0235f650 000007fe`fe1e0000 00000000`01bf7a80 : RPCRT4!LRPC_SCALL::DispatchRequest+0x149 00000000`00d5f7b0 000007fe`fe217ddf : 00000000`00010000 00000000`0256b070 00000000`00000000 00000000`00000001 : RPCRT4!LRPC_SCALL::HandleRequest+0x20d 00000000`00d5f8e0 000007fe`fe217995 : 00000000`00000000 00000000`00000000 00000000`01b8c2a0 00000000`00000000 : RPCRT4!LRPC_ADDRESS::ProcessIO+0x3bf 00000000`00d5fa20 00000000`76fcb43b : 00000000`00d5fc48 00000000`00000000 00000000`002e83f8 00000000`0000ffff : RPCRT4!LrpcIoComplete+0xa5 00000000`00d5fab0 00000000`76fc923f : 00000000`00000000 00000000`00000000 00000000`0000ffff 00000000`00000000 : ntdll!TppAlpcpExecuteCallback+0x26b 00000000`00d5fb40 00000000`76daf56d : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!TppWorkerThread+0x3f8 00000000`00d5fe40 00000000`76fe3281 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : kernel32!BaseThreadInitThunk+0xd .frame 4 04 00000000`00d5ed80 000007fe`fd171512 ntdll! ?? ::FNODOBFM::`string'+0x123b4 ----------------------------------------------------------------------------- Disassembly: 0033:00000000`7701d121 314108 xor dword ptr [rcx+8],eax 0033:00000000`7701d124 e97e56feff jmp ntdll!RtlpFreeHeap+0x1e13 (00000000`770027a7) 0033:00000000`7701d129 488bcf mov rcx,rdi 0033:00000000`7701d12c e8dfdc0400 call ntdll!RtlpNotOwnerCriticalSection (00000000`7706ae10) 0033:00000000`7701d131 90 nop 0033:00000000`7701d132 e9c457feff jmp ntdll!RtlpFreeHeap+0x1ea2 (00000000`770028fb) 0033:00000000`7701d137 65488b042530000000 mov rax,qword ptr gs:[30h] 0033:00000000`7701d140 488b4860 mov rcx,qword ptr [rax+60h] 0033:00000000`7701d144 f6817803000001 test byte ptr [rcx+378h],1 0033:00000000`7701d14b 0f846f56feff je ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0) 0033:00000000`7701d151 807c245000 cmp byte ptr [rsp+50h],0 0033:00000000`7701d156 0f856456feff jne ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0) 0033:00000000`7701d15c 448b842498000000 mov r8d,dword ptr [rsp+98h] 0033:00000000`7701d164 498bd5 mov rdx,r13 0033:00000000`7701d167 488bcb mov rcx,rbx 0033:00000000`7701d16a e8c1ad0300 call ntdll!RtlpLogHeapFreeEvent (00000000`77057f30) 0033:00000000`7701d16f 90 nop 0033:00000000`7701d170 e94b56feff jmp ntdll!RtlpFreeHeap+0x1e28 (00000000`770027c0) 0033:00000000`7701d175 488b942490000000 mov rdx,qword ptr [rsp+90h] 0033:00000000`7701d17d 4885d2 test rdx,rdx 0033:00000000`7701d180 0f844856feff je ntdll!RtlpFreeHeap+0x1e36 (00000000`770027ce) 0033:00000000`7701d186 4c8b442458 mov r8,qword ptr [rsp+58h] 0033:00000000`7701d18b 488bcb mov rcx,rbx 0033:00000000`7701d18e e87dae0300 call ntdll!RtlpHeapLogRangeRelease (00000000`77058010) 0033:00000000`7701d193 90 nop 0033:00000000`7701d194 e93556feff jmp ntdll!RtlpFreeHeap+0x1e36 (00000000`770027ce) 0033:00000000`7701d199 0fb6430e movzx eax,byte ptr [rbx+0Eh] 0033:00000000`7701d19d 48c1e004 shl rax,4 0033:00000000`7701d1a1 482bd8 sub rbx,rax 0033:00000000`7701d1a4 e97f4bfeff jmp ntdll!RtlFreeHeap+0x58 (00000000`77001d28) 0033:00000000`7701d1a9 4533c9 xor r9d,r9d 0033:00000000`7701d1ac 488bd1 mov rdx,rcx 0033:00000000`7701d1af 4c8bc3 mov r8,rbx 0033:00000000`7701d1b2 418d4908 lea ecx,[r9+8] 0033:00000000`7701d1b6 48c744242800000000 mov qword ptr [rsp+28h],0 0033:00000000`7701d1bf 48c744242000000000 mov qword ptr [rsp+20h],0 0033:00000000`7701d1c8 e853ce0500 call ntdll!RtlpLogHeapFailure (00000000`7707a020) .frame 5 05 00000000`00d5ee00 000007fe`fe1fedb7 KERNELBASE!LocalFree+0x2e ---------------------------------------------------------------- Disassembly: KERNELBASE!LocalFree: 0033:000007fe`fd1714e0 48895c2410 mov qword ptr [rsp+10h],rbx 0033:000007fe`fd1714e5 4889742418 mov qword ptr [rsp+18h],rsi 0033:000007fe`fd1714ea 48894c2408 mov qword ptr [rsp+8],rcx 0033:000007fe`fd1714ef 57 push rdi 0033:000007fe`fd1714f0 4883ec30 sub rsp,30h 0033:000007fe`fd1714f4 488bd9 mov rbx,rcx 0033:000007fe`fd1714f7 f6c108 test cl,8 0033:000007fe`fd1714fa 0f8573950100 jne KERNELBASE!LocalFree+0x46 (000007fe`fd18aa73) 0033:000007fe`fd171500 4c8bc1 mov r8,rcx 0033:000007fe`fd171503 33d2 xor edx,edx 0033:000007fe`fd171505 488b0d9cf10500 mov rcx,qword ptr [KERNELBASE!BaseHeap (000007fe`fd1d06a8)] 0033:000007fe`fd17150c ff15468b0400 call qword ptr [KERNELBASE!_imp_RtlFreeHeap (000007fe`fd1ba058)] .frame 6 06 00000000`00d5ee40 000007fe`fe20085a RPCRT4!Ndr64ConformantArrayFree+0x1e7 ---------------------------------------------------------------------------- Disassembly: 0033:000007fe`fe1fed1b 8b46f7 mov eax,dword ptr [rsi-9] 0033:000007fe`fe1fed1e 4c8b2c28 mov r13,qword ptr [rax+rbp] 0033:000007fe`fe1fed22 4d85ed test r13,r13 0033:000007fe`fe1fed25 0f848c000000 je RPCRT4!Ndr64ConformantArrayFree+0x1e7 (000007fe`fe1fedb7) 0033:000007fe`fe1fed2b 0fb646ff movzx eax,byte ptr [rsi-1] 0033:000007fe`fe1fed2f 3c24 cmp al,24h 0033:000007fe`fe1fed31 0f84e55d0300 je RPCRT4!Ndr64ConformantArrayFree+0x259 (000007fe`fe234b1c) 0033:000007fe`fe1fed37 498bcd mov rcx,r13 0033:000007fe`fe1fed3a 3c23 cmp al,23h 0033:000007fe`fe1fed3c 0f84baad0300 je RPCRT4!Invoke+0xd441 (000007fe`fe239afc) 0033:000007fe`fe1fed42 0fb606 movzx eax,byte ptr [rsi] 0033:000007fe`fe1fed45 84c0 test al,al 0033:000007fe`fe1fed47 0f85e15d0300 jne RPCRT4!Ndr64ConformantArrayFree+0x26b (000007fe`fe234b2e) 0033:000007fe`fe1fed4d 0fb64361 movzx eax,byte ptr [rbx+61h] 0033:000007fe`fe1fed51 4c8b4607 mov r8,qword ptr [rsi+7] 0033:000007fe`fe1fed55 806361f8 and byte ptr [rbx+61h],0F8h 0033:000007fe`fe1fed59 88842488000000 mov byte ptr [rsp+88h],al 0033:000007fe`fe1fed60 488d442438 lea rax,[rsp+38h] 0033:000007fe`fe1fed65 483b8318010000 cmp rax,qword ptr [rbx+118h] 0033:000007fe`fe1fed6c 0f82c2ad0300 jb RPCRT4!Invoke+0xd479 (000007fe`fe239b34) 0033:000007fe`fe1fed72 410fb600 movzx eax,byte ptr [r8] 0033:000007fe`fe1fed76 488bd1 mov rdx,rcx 0033:000007fe`fe1fed79 488bcb mov rcx,rbx 0033:000007fe`fe1fed7c 41ff14c6 call qword ptr [r14+rax*8] 0033:000007fe`fe1fed80 448a9c2488000000 mov r11b,byte ptr [rsp+88h] 0033:000007fe`fe1fed88 44885b61 mov byte ptr [rbx+61h],r11b 0033:000007fe`fe1fed8c 4c3b6b10 cmp r13,qword ptr [rbx+10h] 0033:000007fe`fe1fed90 7206 jb RPCRT4!Ndr64ConformantArrayFree+0x1c8 (000007fe`fe1fed98) 0033:000007fe`fe1fed92 4c3b6b18 cmp r13,qword ptr [rbx+18h] 0033:000007fe`fe1fed96 761f jbe RPCRT4!Ndr64ConformantArrayFree+0x1e7 (000007fe`fe1fedb7) 0033:000007fe`fe1fed98 f60604 test byte ptr [rsi],4 0033:000007fe`fe1fed9b 0f85afad0300 jne RPCRT4!Invoke+0xd495 (000007fe`fe239b50) 0033:000007fe`fe1feda1 488b4b48 mov rcx,qword ptr [rbx+48h] 0033:000007fe`fe1feda5 4885c9 test rcx,rcx 0033:000007fe`fe1feda8 0f85b1ad0300 jne RPCRT4!Invoke+0xd4a4 (000007fe`fe239b5f) 0033:000007fe`fe1fedae 498bcd mov rcx,r13 0033:000007fe`fe1fedb1 ff9380000000 call qword ptr [rbx+80h] .frame 7 07 00000000`00d5eec0 000007fe`fe2bad24 RPCRT4!Ndr64ComplexStructFree+0x121 -------------------------------------------------------------------------- Disassembly: 0033:000007fe`fe2007c0 488d4f60 lea rcx,[rdi+60h] 0033:000007fe`fe2007c4 488d542430 lea rdx,[rsp+30h] 0033:000007fe`fe2007c9 895f7c mov dword ptr [rdi+7Ch],ebx 0033:000007fe`fe2007cc e8ef870000 call RPCRT4!RpcpfAttachListToEmptyHead (000007fe`fe208fc0) 0033:000007fe`fe2007d1 488d4f30 lea rcx,[rdi+30h] 0033:000007fe`fe2007d5 ff15152b0c00 call qword ptr [RPCRT4!_imp_RtlLeaveCriticalSection (000007fe`fe2c32f0)] 0033:000007fe`fe2007db 488b5c2430 mov rbx,qword ptr [rsp+30h] 0033:000007fe`fe2007e0 4c8b6c2470 mov r13,qword ptr [rsp+70h] 0033:000007fe`fe2007e5 4c8b642468 mov r12,qword ptr [rsp+68h] 0033:000007fe`fe2007ea 488b742460 mov rsi,qword ptr [rsp+60h] 0033:000007fe`fe2007ef 488d442430 lea rax,[rsp+30h] 0033:000007fe`fe2007f4 483bd8 cmp rbx,rax 0033:000007fe`fe2007f7 0f8598840500 jne RPCRT4!Invoke+0x15495 (000007fe`fe258c95) 0033:000007fe`fe2007fd 4883c440 add rsp,40h 0033:000007fe`fe200801 5f pop rdi 0033:000007fe`fe200802 5d pop rbp 0033:000007fe`fe200803 5b pop rbx 0033:000007fe`fe200804 c3 ret 0033:000007fe`fe200805 410fb606 movzx eax,byte ptr [r14] 0033:000007fe`fe200809 3c24 cmp al,24h 0033:000007fe`fe20080b 0f84dac30000 je RPCRT4!Ndr64ComplexStructFree+0x253 (000007fe`fe20cbeb) 0033:000007fe`fe200811 4c8be6 mov r12,rsi 0033:000007fe`fe200814 3c23 cmp al,23h 0033:000007fe`fe200816 0f84a1820500 je RPCRT4!Invoke+0x14aed (000007fe`fe258abd) 0033:000007fe`fe20081c 410fb64601 movzx eax,byte ptr [r14+1] 0033:000007fe`fe200821 84c0 test al,al 0033:000007fe`fe200823 0f85d26fffff jne RPCRT4!Ndr64ComplexStructFree+0x213 (000007fe`fe1f77fb) 0033:000007fe`fe200829 4d8b4608 mov r8,qword ptr [r14+8] 0033:000007fe`fe20082d 440fb66d61 movzx r13d,byte ptr [rbp+61h] 0033:000007fe`fe200832 806561f8 and byte ptr [rbp+61h],0F8h 0033:000007fe`fe200836 488d442478 lea rax,[rsp+78h] 0033:000007fe`fe20083b 483b8518010000 cmp rax,qword ptr [rbp+118h] 0033:000007fe`fe200842 0f8294820500 jb RPCRT4!Invoke+0x14b10 (000007fe`fe258adc) 0033:000007fe`fe200848 410fb600 movzx eax,byte ptr [r8] 0033:000007fe`fe20084c 498bd4 mov rdx,r12 0033:000007fe`fe20084f 488bcd mov rcx,rbp 0033:000007fe`fe200852 41ff94c140040f00 call qword ptr [r9+rax*8+0F0440h] .frame 8 08 00000000`00d5ef20 000007fe`fe2bb749 RPCRT4!Ndr64pFreeParams+0xf8 ------------------------------------------------------------------- Disassembly: 0033:000007fe`fe2bac9d f6c102 test cl,2 0033:000007fe`fe2baca0 0f8402010000 je RPCRT4!Ndr64pFreeParams+0x147 (000007fe`fe2bada8) 0033:000007fe`fe2baca6 8b7304 mov esi,dword ptr [rbx+4] 0033:000007fe`fe2baca9 4903f4 add rsi,r12 0033:000007fe`fe2bacac 664185cd test r13w,cx 0033:000007fe`fe2bacb0 0f85c52a0000 jne RPCRT4!Ndr64ServerInitializeCommon+0x84c (000007fe`fe2bd77b) 0033:000007fe`fe2bacb6 84c9 test cl,cl 0033:000007fe`fe2bacb8 7803 js RPCRT4!Ndr64pFreeParams+0x91 (000007fe`fe2bacbd) 0033:000007fe`fe2bacba 488b36 mov rsi,qword ptr [rsi] 0033:000007fe`fe2bacbd 0fb7c1 movzx eax,cx 0033:000007fe`fe2bacc0 c1e803 shr eax,3 0033:000007fe`fe2bacc3 c1e006 shl eax,6 0033:000007fe`fe2bacc6 3387c0000000 xor eax,dword ptr [rdi+0C0h] 0033:000007fe`fe2baccc 83e040 and eax,40h 0033:000007fe`fe2baccf 3187c0000000 xor dword ptr [rdi+0C0h],eax 0033:000007fe`fe2bacd5 8b87c0000000 mov eax,dword ptr [rdi+0C0h] 0033:000007fe`fe2bacdb 0fb70b movzx ecx,word ptr [rbx] 0033:000007fe`fe2bacde c1e904 shr ecx,4 0033:000007fe`fe2bace1 c1e107 shl ecx,7 0033:000007fe`fe2bace4 33c8 xor ecx,eax 0033:000007fe`fe2bace6 81e180000000 and ecx,80h 0033:000007fe`fe2bacec 33c8 xor ecx,eax 0033:000007fe`fe2bacee 898fc0000000 mov dword ptr [rdi+0C0h],ecx 0033:000007fe`fe2bacf4 4885f6 test rsi,rsi 0033:000007fe`fe2bacf7 7432 je RPCRT4!Ndr64pFreeParams+0xff (000007fe`fe2bad2b) 0033:000007fe`fe2bacf9 0fb703 movzx eax,word ptr [rbx] 0033:000007fe`fe2bacfc 488bd6 mov rdx,rsi 0033:000007fe`fe2bacff c1e809 shr eax,9 0033:000007fe`fe2bad02 03c0 add eax,eax 0033:000007fe`fe2bad04 33c1 xor eax,ecx 0033:000007fe`fe2bad06 83e002 and eax,2 0033:000007fe`fe2bad09 33c1 xor eax,ecx 0033:000007fe`fe2bad0b 488bcf mov rcx,rdi 0033:000007fe`fe2bad0e 8987c0000000 mov dword ptr [rdi+0C0h],eax 0033:000007fe`fe2bad14 4c8b43f8 mov r8,qword ptr [rbx-8] 0033:000007fe`fe2bad18 410fb600 movzx eax,byte ptr [r8] 0033:000007fe`fe2bad1c 41ff94c140040f00 call qword ptr [r9+rax*8+0F0440h]