Skip to content
Browse files

initial commit

  • Loading branch information...
taviso committed Jun 7, 2019
1 parent 5ce5cbd commit 93d1c8877cc7b88f51f2f0c3c058d1f2925e795b
Showing with 9,985 additions and 2 deletions.
  1. +23 −0 .gitignore
  2. +6 −0 .gitmodules
  3. +28 −0 .zipignore
  4. +85 −0 GNUmakefile
  5. +159 −2
  6. +1,489 −0 command.c
  7. +126 −0 command.h
  8. +390 −0 commanddoc.h
  9. +152 −0 ctfinternal.h
  10. +332 −0 ctftool.c
  11. +25 −0 ctftool.h
  12. +273 −0 marshal.c
  13. +25 −0 marshal.h
  14. +59 −0 messages.c
  15. +10 −0 messages.h
  16. +229 −0 module.c
  17. +184 −0 ntalpc.h
  18. +108 −0 ntalpctyp.h
  19. +4,579 −0 ntdll.h
  20. +40 −0 payload.c
  21. +1 −0 pe-parse
  22. +60 −0
  23. +53 −0 scripts/ctf-consent-system.ctf
  24. +502 −0 scripts/ctf-exploit-common-1809.ctf
  25. +522 −0 scripts/ctf-exploit-common-1903.ctf
  26. +1 −0 scripts/ctf-exploit-common-vista.ctf
  27. +1 −0 scripts/ctf-exploit-common-win7.ctf
  28. +4 −0 scripts/ctf-exploit-common-win8.ctf
  29. +28 −0 scripts/ctf-logonui-system.ctf
  30. +120 −0 scripts/ctfmonexploit.ctf
  31. +10 −0 tools/consent.c
  32. +16 −0 tools/cursorpos.c
  33. +39 −0 tools/
  34. +38 −0 util.c
  35. +17 −0 util.h
  36. +25 −0 version.rc
  37. +1 −0 wineditline
  38. +68 −0 winmsg.c
  39. +137 −0 winutil.c
  40. +20 −0 winutil.h
@@ -0,0 +1,23 @@
@@ -0,0 +1,6 @@
[submodule "pe-parse"]
path = pe-parse
url =
[submodule "wineditline"]
path = wineditline
url =
@@ -0,0 +1,28 @@
@@ -0,0 +1,85 @@
CFLAGS=/nologo /Zi /Od /MD /FS
LFLAGS=/nologo /machine:x86
MFLAGS=/p:Configuration=Release /nologo /m /v:q
CXXFLAGS=/nologo /Zi /Od /EHsc /MD /FS
LDLIBS=user32 ole32 edit advapi32 peparse shlwapi imm32 shell32
VSDEVCMD=cmd.exe /c vsdevcmd.bat

# Commands for arch specific compiler.
CC64=$(VSDEVCMD) $(VFLAGS) -arch=amd64 "&" cl
CC32=$(VSDEVCMD) $(VFLAGS) -arch=x86 "&" cl

.PHONY: clean distclean

all: ctftool.exe payload32.dll payload64.dll


%.res: %.rc
$(RC) $(RFLAGS) $<

$(CC) $(CXXFLAGS) /c /Fo:$@ $<

%.obj: %.c
$(CC) $(CFLAGS) /c /Fo:$@ $<

%.exe: %.obj
$(CC) $(CFLAGS) $(LDFLAGS) /Fe:$@ $^ /link $(LINKFLAGS) $(LDLIBS:=.lib)

%.exp %.lib: %.def
$(LIB) $(LFLAGS) /DEF:$<

%.dll: %.obj
$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fe:$@ $^ /link $(LINKFLAGS)

%64.obj: %.c
$(CC) $(CFLAGS) /c /Fd:$(@:.obj=.pdb) /Fo:$@ $<

%32.obj: %.c
$(CC) $(CFLAGS) /c /Fd:$(@:.obj=.pdb) /Fo:$@ $<

%64.dll: CC=$(CC64)
%64.dll: %64.obj
$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fd:$(@:.dll=.pdb) /Fe:$@ $^ /link $(LINKFLAGS)

%32.dll: CC=$(CC32)
%32.dll: %32.obj
$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fd:$(@:.dll=.pdb) /Fe:$@ $^ /link $(LINKFLAGS)

$(CMAKE) -S pe-parse -B build-$@
$(MSBUILD) $(MFLAGS) build-$@/pe-parse.sln
cp build-$@/pe-parser-library/Release/pe-parser-library.lib $@

$(CMAKE) -S wineditline -B build-$@
$(MSBUILD) $(MFLAGS) build-$@/WinEditLine.sln
cp build-$@/src/Release/edit_a.lib $@

ctftool.exe: command.obj ctftool.obj winmsg.obj marshal.obj \
util.obj module.obj version.res peproc.obj \
messages.obj winutil.obj \
| edit.lib peparse.lib

rm -rf *.exp *.exe *.obj *.pdb *.ilk *.xml build-*.* *.res *.ipdb *.iobj *.dll

# These are slow to rebuild and I dont change them.
distclean: clean
rm -f edit.lib peparse.lib ctftool.exe payload32.dll payload64.dll scripts
(cd .. && zip -r ctftool/$@ $(patsubst %,ctftool/%,$^))
(cd .. && zip -x@ctftool/.zipignore -r ctftool/$@ ctftool)
@@ -1,2 +1,159 @@
# ctftool
Interactive CTF Exploration Tool

> Just want to test the exploit? [click here](#Exploit).
## An Interactive CTF Exploration Tool

This is `ctftool`, an interactive command line tool to experiment with CTF, a
little-known protocol used on Windows to implement Text Services. This might
be useful for reverse engineering Windows internals, debugging complex issues
with Text Input Processors/Input Method Editors and analyzing Windows

It is possible to write simple scripts with `ctftool` for automating interaction
with CTF clients or servers, or perform simple fuzzing.

## Background

There is a blog post that accompanies ths release of this tool available here.

## Usage

`ctftool` has been tested on Windows 7, Windows 8 and Windows 10. Both 32-bit
and x64 versions are supported, but x64 has been tested more extensively.

There is online help for most commands, simply type `help` to see a list of
commands, and `help <command>` to see detailed help for a particular command.

$ ./ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> help
Type `help <command>` for help with a specific command.
Any line beginning with # is considered a comment.
help - List available commands.
exit - Exit the shell.
connect - Connect to CTF ALPC Port.
info - Query server informaiton.
scan - Enumerate connected clients.
callstub - Ask a client to invoke a function.
createstub - Ask a client to instantiate CLSID.
hijack - Attempt to hijack an ALPC server path.
sendinput - Send keystrokes to thread.
setarg - Marshal a parameter.
getarg - Unmarshal a parameter.
wait - Wait for a process and set it as the default thread.
thread - Set the default thread.
sleep - Sleep for specified milliseconds.
forget - Forget all known stubs.
stack - Print the last leaked stack ptr.
marshal - Send command with marshalled parameters.
proxy - Send command with proxy parameters.
call - Send command without appended data.
window - Create and register a message window.
patch - Patch a marshalled parameter.
module - Print the base address of a module.
module64 - Print the base address of a 64bit module.
editarg - Change the type of a marshalled parameter.
symbol - Lookup a symbol offset from ImageBase.
set - Change or dump various ctftool parameters.
show - Show the value of special variables you can use.
lock - Lock the workstation, switch to Winlogon desktop.
repeat - Repeat a command multiple times.
run - Run a command.
script - Source a script file.
print - Print a string.
consent - Invoke the UAC consent dialog.
reg - Lookup a DWORD in the registry.
Most commands require a connection, see "help connect".

The first thing you will want to do is connect to a session, and see which
clients are connected.

ctf> connect
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault1") => 0
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 00000264
ctf> scan
Client 0, Tid 3400 (Flags 0x08, Hwnd 00000D48, Pid 8696, explorer.exe)
Client 1, Tid 7692 (Flags 0x08, Hwnd 00001E0C, Pid 8696, explorer.exe)
Client 2, Tid 9424 (Flags 0x0c, Hwnd 000024D0, Pid 9344, SearchUI.exe)
Client 3, Tid 12068 (Flags 0x08, Hwnd 00002F24, Pid 12156, PROCEXP64.exe)
Client 4, Tid 9740 (Flags 0000, Hwnd 0000260C, Pid 3840, ctfmon.exe)

You can then experiment by sending and receive commands to the server, or any
of the connected clients.

## Building

I used GNU make and Visual Studio 2019 to develop `ctftool`. Only 32-bit builds
are supported, as this allows the tool to run on x86 and x64 Windows.

If all the dependencies are installed, just typing `make` should be enough.

## Exploit

> There are only pre-built examples for Windows 10 x64 1903 and 1809.
This tool was used to discover many critical security problem with the CTF

If you just want to test the exploit, follow these steps:

> ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> script .\scripts\ctf-consent-system.ctf

This will wait for the UAC dialog to appear, compromise it
and start a shell.

In fact, the exploit code is split into two stages that you can use

Most CTF clients can be compromised, as the kernel forces most applications
that draw windows to load the vulnerable library.

Simply connect to a session, select a client to compromise (use the `scan` and
`thread` commands, or just `wait`), then:

ctf> script .\scripts\ctf-exploit-common-1903.ctf


Tavis Ormandy <>


All original code is Apache 2.0, See LICENSE file for details.

The following components are imported third party projects.

* [pe-parse](, by Andrew Ruef et al.
* pe-parse is used to implement `GetProcAddress()` for 64-bit modules from a
32-bit process. This is used in the `symbol` command.
* [wineditline](, by Paolo Tosco.
* wineditline is used to implement friendly command-line input and history
* [dynamorio](, by Derek Bruening et al.
* I borrowed some of the prototypes and type definitions from DR.
* [ntdll.h](, by Ladislav Zezula.
* Ladislav collected some structure definitions and prototoypes from
various WDK, DDK, SDK releases into one convenient file.

0 comments on commit 93d1c88

Please sign in to comment.
You can’t perform that action at this time.