1. Locate a suitable window within VirusScan (an edit box is perfect), and obtain a window handle to it.
2. Remove any length restrictions that may be present on that edit box, so that I can type in an arbitrary quantity of data.
3. Paste in some binary executable code.
4. Force VirusScan to execute my code (as LocalSystem)
This is actually very easy to do. Windows conveniently provides all of the functionality that we will be needing. I have written a small application called Shatter which implements this functionality. You'll also need a hex editor that is capable of copying binary data to the clipboard (I use UltraEdit), and a debugger (I use WinDbg).
PLEASE NOTE: Some virus scanners are alerting people to the presence of a "Win32/Beavuh" virus within the sploit.bin file in the Shatter zipfile. This is not a virus. The scanner is correct in flagging it - the code in this file is designed to open a command shell and bind it to a network socket. This is a bad thing to do in general, so the scanner is correct in generating an alert. This code is designed to be malicious in terms of its functionality, but the scanner is incorrect when labelling it as a virus.
Windows messages consist of three parts, a message identifier and two parameters. The parameters are used differently depending on what message is sent. This makes our life simpler, since we only have to worry about four things; a window handle to receive the message, the message, and two parameters. Let's find out how easy this is...
Stage 1: Locating a window
We need to locate an edit control of some kind - something that we can type stuff into. Don't worry if it's restricted, we can cure that. Fire up the VirusScan console, and hit the first button - "New Task". Conveniently, at the top of the dialog, there's an edit box. That will do perfectly. Now, we need a handle to that control so that we can interact with it. Windows is more than happy to give us a handle to any window we like - we just have to ask it. Fire up Shatter, and position it so that you can still see the VirusScan edit control underneath it. Click on "Get cursor window" - Shatter should add an item in the list box beneath like "102f2 - Get cursor window". This is because we've asked Windows to give us a handle to the window directly underneath the cursor. Move the cursor over the VirusScan edit control and hit Space to trigger Shatter again. Shatter should clear the list box, and tell you the handle for the target window - in my case it's 30270. So, we can now interact programmatically with a window that is running with higher privileges than we are. Let's paste in some shellcode.
By subscribing to our early morning news update, you will receive a daily digest of the latest security news published on Help Net Security.
With over 500 issues so far, reading our newsletter every Monday morning will keep you up-to-date with security risks out there.