Stage 4: Executing the code
This is the only part of the process that requires any skill. Fire up your debugger, and attach it to the avconsol.exe process (Using WinDbg, that's F6 to attach, and just choose the process). Next, do a search through memory for the FOON string. The WinDbg command is s -a 00000001 10000000 "FOON" but you might use a different debugger. Note down the memory location that the string appears at; it'll probably appear a couple of times, don't ask me why. Any of them will do. On my system, the shellcode appears at 0x00148c28, it shouldn't be far off if you're using the same version. Now, kill the debugger, log on as a guest user, and prepare to receive localsystem privs. Follow stages 1 through 3 again, noting that everything still works as a guest user. Don't forget the Netcat listener to receive the shell.
At this point, you might be thinking that attaching a debugger is a privileged operation. It is. However, much the same as when writing a buffer overflow exploit, you can do that part on any system; all you need is the load address which should then work on any system running the same version of the software. In actual fact, you needn't actually do this at all. Most applications have their own exception handlers (VirusScan certainly does), so if they generate an access violation, they just deal with it and move on rather than crashing. So, there's nothing to stop you pasting in a few hundred kilobytes of NOPs and then just iterating through memory until you finally hit the right address and your shellode executes. Not particularly elegant, but it'll work.
The final message that we're going to make use of is WM_TIMER. This is a slightly odd and very dangerous message, since it can contain (as the second parameter) the address of a timer callback function. If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it. Silly, silly, silly...
So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's in front of the shellcode, so we should land slap bang in the middle of them); on my system that's 0x148c28 + 0x200 = 0x148e28. Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy.
Reading our newsletter every Monday will keep you up-to-date with security news.
Receive a daily digest of the latest security news.