question on exploit writing.

Networking/Security Forums -> Exploits // System Weaknesses

Author: jake2891    Posted: Sat Mar 20, 2010 7:11 pm    Post subject: question on exploit writing.
    ----
I just want to know: if there is an input box in a Windows application (or any application) that has a buffer overflow vulnerability, but the function that needs to be called to exploit this is not accessible by passing commands to it via a command line like "echo aaa | buffer.exe", how would someone get this function to execute with their input from a script in a language like Python? Would I have to open the application and then call that specific function? If so, how could that be done if the function was called foofunction? An example in any programming language would be great, or a link to a tutorial if anyone knows of one.

thanks

Author: Fire Ant    Location: London    Posted: Sat Mar 20, 2010 9:31 pm    Post subject:
    ----
Assuming a Windows GUI application that has the following:

1 - Text box for input data
2 - "Execute" function which handles text box data in a non-secure manner e.g. Buffer Overflow

You could use the Windows APIs to send the appropriate string to the text box. To do this you need to know several things:

1 - The Windows Handle of the text box object
2 - Use the SendMessage/PostMessage API to write the text in the box
3 - Execute the function e.g. Send mouse click to "Execute" button

voila!

Now, you will need a suitable data set to test with, so I suggest using a fuzzer. Have a look at www.peachfuzzer.com; you can fuzz Windows apps with this, and you should be able to script lots of stuff.

This is of course all relying on a truly exploitable app. I suggest writing your own to test it.

Matt_s
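The three steps above (get the text box's window handle, write the text in with a window message, press the "Execute" button), turned into a small Python/ctypes harness. This is an added example, not code from the thread or from Peach; it assumes a target app you wrote yourself whose main window is titled "FuzzTarget" and whose edit control and button have dialog control IDs 1001 and 1002 (all three hypothetical; read the real ones with Spy++ or a resource editor). The harness also does the two checks a tester wants at this point: it confirms via WM_GETTEXTLENGTH that the full string actually landed in the control before clicking, and it checks after the click whether the window is still there, which is the crash signal a fuzzing loop needs. A DryRunApi records the Win32 calls instead of making them, so the logic can be exercised off Windows.

```python
import ctypes
import sys

# Win32 message constants (documented values)
WM_SETTEXT = 0x000C
WM_GETTEXTLENGTH = 0x000E
BM_CLICK = 0x00F5


def fuzz_cases(max_len=4096, start=16):
    """Constructed test data: 'A' strings of doubling length, start..max_len."""
    cases, n = [], start
    while n <= max_len:
        cases.append("A" * n)
        n *= 2
    return cases


class Win32Api(object):
    """Thin ctypes wrapper around the user32 calls the harness needs (Windows only)."""
    def __init__(self):
        from ctypes import wintypes
        u = ctypes.windll.user32
        # argtypes/restype matter: without them ctypes passes handles as 32-bit ints,
        # so on 64-bit Windows a truncated HWND makes these calls silently fail.
        u.FindWindowW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR]
        u.FindWindowW.restype = wintypes.HWND
        u.GetDlgItem.argtypes = [wintypes.HWND, ctypes.c_int]
        u.GetDlgItem.restype = wintypes.HWND
        u.SendMessageW.argtypes = [wintypes.HWND, wintypes.UINT,
                                   wintypes.WPARAM, wintypes.LPARAM]
        u.SendMessageW.restype = wintypes.LPARAM  # LRESULT
        u.IsWindow.argtypes = [wintypes.HWND]
        u.IsWindow.restype = wintypes.BOOL
        self.u = u
    def find_window(self, title):
        return self.u.FindWindowW(None, title)
    def get_dlg_item(self, parent, ctrl_id):
        return self.u.GetDlgItem(parent, ctrl_id)
    def set_text(self, hwnd, text):
        # WM_SETTEXT is marshalled across processes by the system, so the buffer
        # can live in our own address space.
        buf = ctypes.create_unicode_buffer(text)
        return self.u.SendMessageW(hwnd, WM_SETTEXT, 0, ctypes.addressof(buf))
    def text_length(self, hwnd):
        return self.u.SendMessageW(hwnd, WM_GETTEXTLENGTH, 0, 0)
    def click(self, hwnd):
        return self.u.SendMessageW(hwnd, BM_CLICK, 0, 0)
    def window_alive(self, hwnd):
        return bool(self.u.IsWindow(hwnd))


class DryRunApi(object):
    """Records the call sequence instead of touching any window (--dry-run / tests).
    max_text imitates an edit control's text limit (EM_SETLIMITTEXT); crash_at_len
    imitates the target dying once a payload of that length reaches the handler."""
    def __init__(self, max_text=None, crash_at_len=None):
        self.calls, self._text, self._alive = [], "", True
        self.max_text, self.crash_at_len = max_text, crash_at_len
    def find_window(self, title):
        self.calls.append(("FindWindowW", title))
        return 0x1001  # fake top-level HWND
    def get_dlg_item(self, parent, ctrl_id):
        self.calls.append(("GetDlgItem", parent, ctrl_id))
        return 0x2000 + ctrl_id  # fake child HWND
    def set_text(self, hwnd, text):
        self._text = text if self.max_text is None else text[:self.max_text]
        self.calls.append(("WM_SETTEXT", hwnd, len(text)))
        return 1
    def text_length(self, hwnd):
        return len(self._text)
    def click(self, hwnd):
        self.calls.append(("BM_CLICK", hwnd))
        if self.crash_at_len is not None and len(self._text) >= self.crash_at_len:
            self._alive = False
        return 0
    def window_alive(self, hwnd):
        return self._alive


def deliver_case(api, title, edit_id, button_id, payload):
    """Write payload into the edit control, confirm it landed, press the button,
    and report whether the target's window survived the handler."""
    top = api.find_window(title)
    if not top:
        raise RuntimeError("window %r not found" % title)
    edit, button = api.get_dlg_item(top, edit_id), api.get_dlg_item(top, button_id)
    if not edit or not button:
        raise RuntimeError("control id not found under %r; check ids with Spy++" % title)
    api.set_text(edit, payload)
    accepted = api.text_length(edit)
    if accepted != len(payload):
        # Edit controls silently truncate at their text limit: report that instead
        # of assuming the whole buffer reached the "Execute" handler.
        return {"len": len(payload), "accepted": accepted, "status": "truncated"}
    api.click(button)
    status = "alive" if api.window_alive(top) else "crashed"
    return {"len": len(payload), "accepted": accepted, "status": status}


def run_cases(api, title, edit_id, button_id, cases):
    """Deliver each case in turn; stop at the first crash, since the window is gone."""
    results = []
    for payload in cases:
        r = deliver_case(api, title, edit_id, button_id, payload)
        results.append(r)
        if r["status"] == "crashed":
            break
    return results


if __name__ == "__main__":
    # Hypothetical target: title "FuzzTarget", edit control id 1001, button id 1002.
    dry = "--dry-run" in sys.argv or not sys.platform.startswith("win")
    api = DryRunApi() if dry else Win32Api()
    for r in run_cases(api, "FuzzTarget", 1001, 1002, fuzz_cases()):
        print("len=%(len)d accepted=%(accepted)d status=%(status)s" % r)
```

SendMessage blocks until the target has handled the message, so if the button handler hangs rather than crashes the harness hangs with it; swap in SendMessageTimeout for a target that is known to hang. A "truncated" result usually means the edit control has a text limit, which is worth knowing before concluding the handler is safe.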

Author: jake2891    Posted: Tue Mar 23, 2010 10:54 pm    Post subject:
    ----
I've been trying to implement the steps you suggested; this is what I have got so far. I'm using SetDlgItemTextA to set the text, but I'm having difficulty using Python to set the text. I loaded up the executable in IDA Pro but I'm not too sure how to use the window handle of the textbox. Here is my code so far. The code opens up the process and tries to write to the input box. Any input, guys? Thanks

python example.py PID

Code:

import sys
from ctypes import *
from ctypes.wintypes import *

PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
kernel32 = windll.kernel32
pid      = sys.argv[1]

# process handle (not needed by SetDlgItemText, which takes window handles)
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )

if not h_process:
    print("[*] Couldn't acquire a handle to PID: %s" % pid)
    sys.exit(0)

user32 = windll.user32

# first argument must be the handle of the text box's parent window
# (this is the line I'm stuck on: not sure how to get that handle)
hwnd = 0   # placeholder: unknown window handle
user32.SetDlgItemTextA(hwnd, 1, b"test")


Author: jake2891    Posted: Wed Mar 24, 2010 8:44 am    Post subject:
    ----
OK, I've managed to get the window handle, but for some reason it's still not setting my text into the input box. I've asked on Python forums but no one seems to have an answer. Code below.

Code:

import sys
from ctypes import *
from ctypes.wintypes import *

PROCESS_ALL_ACCESS = ( 0x000F0000 | 0x00100000 | 0xFFF )
kernel32 = windll.kernel32
pid      = sys.argv[1]

# process handle (not needed by SetDlgItemText, which takes window handles)
h_process = kernel32.OpenProcess( PROCESS_ALL_ACCESS, False, int(pid) )

if not h_process:
    print("[*] Couldn't acquire a handle to PID: %s" % pid)
    sys.exit(0)

user32 = windll.user32

# parent window, looked up by window class name
window_handle = user32.FindWindowA(b"WindowsApp", None)

if not window_handle:
    print("[*] cant find window")
    sys.exit(0)

# 1 is the control id of the child window (the text box)
user32.SetDlgItemTextA(window_handle, 1, b"bla")




output generated using printer-friendly topic mod, All times are GMT + 2 Hours
