Exploiting design flaws in the Win32 API for privilege escalation - Shatter Attacks - How to break Windows
OK, that's enough playing. Clear the VirusScan edit box again, and fire up your hex editor. Load up sploit.bin, included in the Shatter zipfile. This is the shellcode taken from Jill (Hey, Dark Spyrit!) which fires a remote command shell back to you. It's hard-coded to send a command shell to the loopback adress on port 123, so now's probably a good time to fire up a Netcat listener before you forget. Fire up a cmd, hit "nc -lp 123" and forget it. Back to our hex edit. Copy the shellcode to the clipboard, making sure you get all of it (including the FOON at the beginning - we'll need that in a sec). Back to Shatter, and hit the WM_PASTE button again. You should now see a whole load of nasty-looking characters in the VirusScan edit box; that's our shellcode, nicely pasted in.

Stage 4: Executing the code

This is the only part of the process that requires any skill. Fire up your debugger, and attach it to the avconsol.exe process (Using WinDbg, that's F6 to attach, and just choose the process). Next, do a search through memory for the FOON string. The WinDbg command is s -a 00000001 10000000 "FOON" but you might use a different debugger. Note down the memory location that the string appears at; it'll probably appear a couple of times, don't ask me why. Any of them will do. On my system, the shellcode appears at 0x00148c28, it shouldn't be far off if you're using the same version. Now, kill the debugger, log on as a guest user, and prepare to receive localsystem privs. Follow stages 1 through 3 again, noting that everything still works as a guest user. Don't forget the Netcat listener to receive the shell.

At this point, you might be thinking that attaching a debugger is a privileged operation. It is. However, much the same as when writing a buffer overflow exploit, you can do that part on any system; all you need is the load address which should then work on any system running the same version of the software. In actual fact, you needn't actually do this at all. Most applications have their own exception handlers (VirusScan certainly does), so if they generate an access violation, they just deal with it and move on rather than crashing. So, there's nothing to stop you pasting in a few hundred kilobytes of NOPs and then just iterating through memory until you finally hit the right address and your shellode executes. Not particularly elegant, but it'll work.

The final message that we're going to make use of is WM_TIMER. This is a slightly odd and very dangerous message, since it can contain (as the second parameter) the address of a timer callback function. If this second parameter is non-zero, execution will jump to the location it specifies. Yes, you read that right; you can send any window a WM_TIMER message with a non-zero second parameter (the first is a timer ID) and execution jumps to that address. As far as I know, the message doesn't even go into the message queue, so the application doesn't even have the chance to ignore it. Silly, silly, silly...

So, within Shatter, the handle should be set to the VirusScan edit control containing our shellcode. The first parameter can be anything you like, and the second parameter should be 512 bytes or so above the address we picked out of the debugger earlier (we have 1K of NOP's in front of the shellcode, so we should land slap bang in the middle of them); on my system that's 0x148c28 + 0x200 = 0x148e28. Hit WM_TIMER, and your netcat listener should come alive with a command prompt. A quick WHOAMI will reveal that you have indeed gone from guest to local system. Enjoy.

Alternative techniques


What IT skills are in demand?

IT security tops the list of skills that teams need most, and one out of five reported having difficulty finding skilled talent for cloud initiatives. Companies are also looking for pros who have skills in network engineering, systems engineering, IT architecture and network operations.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Fri, Apr 17th