Reversemode
BYTES & WORDS
My last exploit of the year (reloaded)
Written by Rubén
Wednesday, 27 December 2006

Updated

The new year is coming...
I have been taking a look at the NtRaiseHardError bug and, just for fun, I've coded an exploit. Watch out: it does not target the double-free vulnerability (indeed, I have not analyzed that piece of code yet); it relies only on NtRaiseHardError internals and on how a MessageBox with the MB_SERVICE_NOTIFICATION parameter enabled is dispatched...
And the Oscar goes to... "Unprivileged users" for "we can crash the machine or even read the entire csrss.exe process memory". Why? Because csrss.exe is not validating the user's parameters, so we can use a message box as a container for csrss's own memory.
Congratulations! Hey! Don't forget to buy, buy, buy, and buy these days. The world will be better.
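The validation gap the post describes above (a server that trusts the pointer and length a client hands it for a message box, so the client can make it read its own memory), as an added C example that is not part of the original post and is not csrss or winsrv code. It is a constructed model: the `MsgRequest` struct, the `shared_section` and `server_private` buffers and all helper names are assumptions of this example, standing in for the client/server shared section and for memory the server must never expose. The unchecked handler shows the disclosure pattern; the checked handler shows the bounds check a practitioner would expect the server to perform.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed model (assumption, not the real csrss request layout):
 * the client tells the server where to read the message text from and
 * how many bytes to read. The only legitimate source is the section the
 * client shares with the server. */
typedef struct {
    const char *text;   /* client-chosen source pointer */
    size_t      len;    /* client-chosen byte count */
} MsgRequest;

/* Stand-ins for the shared section and for server-private memory. */
static char shared_section[64];
static char server_private[64] = "SERVER-PRIVATE-DATA";

/* The pattern the post names: text/len are trusted as given, so a pointer
 * into the server's own address space makes the server copy its private
 * memory into the message it is about to display (information disclosure). */
static size_t show_message_unchecked(const MsgRequest *req, char *out, size_t outsz)
{
    size_t n = req->len < outsz ? req->len : outsz;
    memcpy(out, req->text, n);   /* no check on where req->text points */
    return n;
}

/* Hardened form: the whole [text, text+len) range must lie inside the
 * shared section and fit the output buffer; anything else is refused. */
static bool request_is_valid(const MsgRequest *req, size_t outsz)
{
    uintptr_t start = (uintptr_t)req->text;
    uintptr_t lo = (uintptr_t)shared_section;
    uintptr_t hi = lo + sizeof shared_section;
    if (req->len == 0 || req->len > outsz) return false;
    if (start < lo || start >= hi) return false;
    if (req->len > hi - start) return false;   /* end check without overflow */
    return true;
}

static size_t show_message_checked(const MsgRequest *req, char *out, size_t outsz)
{
    if (!request_is_valid(req, outsz)) return 0;   /* reject, display nothing */
    memcpy(out, req->text, req->len);
    return req->len;
}

/* Demonstrations: a request pointing at server-private memory, and a
 * legitimate one pointing into the shared section. */
static bool unchecked_discloses_server_memory(void)
{
    char out[64] = {0};
    MsgRequest hostile = { server_private, 19 };
    size_t n = show_message_unchecked(&hostile, out, sizeof out);
    return n == 19 && memcmp(out, server_private, 19) == 0;
}

static bool checked_rejects_foreign_pointer(void)
{
    char out[64] = {0};
    MsgRequest hostile = { server_private, 19 };
    return show_message_checked(&hostile, out, sizeof out) == 0;
}

static bool checked_accepts_shared_section(void)
{
    char out[64] = {0};
    memcpy(shared_section, "hello", 5);
    MsgRequest ok = { shared_section, 5 };
    return show_message_checked(&ok, out, sizeof out) == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void)
{
    printf("unchecked handler leaks private memory: %s\n",
           unchecked_discloses_server_memory() ? "yes" : "no");
    printf("checked handler rejects foreign pointer: %s\n",
           checked_rejects_foreign_pointer() ? "yes" : "no");
    printf("checked handler accepts shared section: %s\n",
           checked_accepts_shared_section() ? "yes" : "no");
    return 0;
}
```

The check is deliberately done on the full range, not just the start pointer: a pointer that begins inside the shared section but whose length runs past its end would otherwise still read server memory.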


Exploit (for educational purposes only; no modifications allowed)

Download Exploit (in C)



For those researchers who are interested in the Csrss double-free vulnerability, I have coded an arbitrary DWORD overwrite exploit. This flaw is hard to exploit (at least for me) due to the "fail-and-die" situation: corrupting the heap in a process like Csrss is dangerous. However, by definition a double-free is exploitable, and I was curious about this flaw. So, "suddenly" the memory disclosure flaw I demonstrated a few days ago has become very useful for the exploitation process.
In order to exploit this flaw successfully, we need... luck :). Well, among other things.

Firstly, we seed the heap with a "magic value"; then, corrupting the heap with a specially crafted MessageBox, we overwrite various controlled addresses. Some of those addresses may be overwritten with the address of a Csrss heap chunk. Thus, using the memory disclosure exploit, we can spot that chunk address, which gives us the key for locating our shellcode and/or specially crafted data in memory.

This exploit is not...

<*> A privilege escalation exploit. It does not contain any type of shellcode.
<*> A stable exploit. The heap around Csrss.exe is barely controllable, so the exploit is likely not going to work well every time you run it. Patience. The chances of success grow if you run the exploit on a machine that has been running for several minutes or hours, since the system is going to be more stable then (VMware snapshots fit perfectly).

This exploit is...

<*> Code that overwrites various controlled DWORDs in the winsrv.dll data section within the Csrss.exe process.

If you are planning to exploit this issue for learning, you can write two different programs by extracting routines from this exploit: the "corrupter" and the "csrss memory monitor". In this case, manual analysis is better.

If you are reading this text and know how to exploit this issue in a better way, please contact me, I would be pleased to talk (and learn) about your method.

Anyway, since the situation is quite volatile, the exploit is only intended to demonstrate the theory.

Tested on XP SP2. Change the winsrv.dll data section address (MAGIC_VALUE) if you want to add support for other versions.

Download Exploit (in C)

Download video "Csrss.exe Double-Free - Arbitrary DWORD overwrite"

Music: "William Tell Overture (Abridged)", from the soundtrack album of A Clockwork Orange.

Last Updated ( Monday, 08 January 2007 )