-
Notifications
You must be signed in to change notification settings - Fork 271
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
40 changed files
with
9,985 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
*.exe | ||
*.obj | ||
*.pdb | ||
*.lib | ||
*.ilk | ||
*.xml | ||
*.idb | ||
*.til | ||
*.nam | ||
*.id0 | ||
*.id1 | ||
*.id2 | ||
*.dll | ||
*.res | ||
*.zip | ||
.*.sw? | ||
.swp | ||
*.ipdb | ||
*.iobj | ||
*.log | ||
archive | ||
.vscode | ||
.ctfhistory |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,6 @@ | ||
[submodule "pe-parse"] | ||
path = pe-parse | ||
url = https://github.com/trailofbits/pe-parse.git | ||
[submodule "wineditline"] | ||
path = wineditline | ||
url = https://github.com/winlibs/wineditline.git |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,28 @@ | ||
*/.git/* | ||
*/*/.git/* | ||
*/.vscode/* | ||
*/*.obj | ||
*/*.pdb | ||
*/*.lib | ||
*/*.ilk | ||
*/*.xml | ||
*/*.idb | ||
*/*.til | ||
*/*.nam | ||
*/*.id0 | ||
*/*.id1 | ||
*/*.id2 | ||
*/*.res | ||
*/*.zip | ||
*/.*.sw? | ||
*/.swp | ||
*/*.ipdb | ||
*/*.iobj | ||
*/*.log | ||
*/archive | ||
*/.vscode | ||
*/.ctfhistory | ||
*/build-*.lib/* | ||
*/*.zip | ||
*/*.exe | ||
*/*.dll |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,85 @@ | ||
CC=cl.exe | ||
RC=rc.exe | ||
LIB=lib.exe | ||
MSBUILD=msbuild.exe | ||
CMAKE=cmake.exe | ||
RFLAGS=/nologo | ||
CFLAGS=/nologo /Zi /Od /MD /FS | ||
LFLAGS=/nologo /machine:x86 | ||
VFLAGS=-no_logo | ||
MFLAGS=/p:Configuration=Release /nologo /m /v:q | ||
CXXFLAGS=/nologo /Zi /Od /EHsc /MD /FS | ||
LDLIBS=user32 ole32 edit advapi32 peparse shlwapi imm32 shell32 | ||
LDFLAGS=/MD | ||
LINKFLAGS=/ignore:4099 | ||
VSDEVCMD=cmd.exe /c vsdevcmd.bat | ||
|
||
# Commands for arch specific compiler. | ||
CC64=$(VSDEVCMD) $(VFLAGS) -arch=amd64 "&" cl | ||
CC32=$(VSDEVCMD) $(VFLAGS) -arch=x86 "&" cl | ||
|
||
.PHONY: clean distclean | ||
|
||
all: ctftool.exe payload32.dll payload64.dll | ||
|
||
release: ctftool.zip ctftool-src.zip | ||
|
||
%.res: %.rc | ||
$(RC) $(RFLAGS) $< | ||
|
||
%.obj: %.cc | ||
$(CC) $(CXXFLAGS) /c /Fo:$@ $< | ||
|
||
%.obj: %.c | ||
$(CC) $(CFLAGS) /c /Fo:$@ $< | ||
|
||
%.exe: %.obj | ||
$(CC) $(CFLAGS) $(LDFLAGS) /Fe:$@ $^ /link $(LINKFLAGS) $(LDLIBS:=.lib) | ||
|
||
%.exp %.lib: %.def | ||
$(LIB) $(LFLAGS) /DEF:$< | ||
|
||
%.dll: %.obj | ||
$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fe:$@ $^ /link $(LINKFLAGS) | ||
|
||
%64.obj: %.c | ||
$(CC) $(CFLAGS) /c /Fd:$(@:.obj=.pdb) /Fo:$@ $< | ||
|
||
%32.obj: %.c | ||
$(CC) $(CFLAGS) /c /Fd:$(@:.obj=.pdb) /Fo:$@ $< | ||
|
||
%64.dll: CC=$(CC64) | ||
%64.dll: %64.obj | ||
$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fd:$(@:.dll=.pdb) /Fe:$@ $^ /link $(LINKFLAGS) | ||
|
||
%32.dll: CC=$(CC32) | ||
%32.dll: %32.obj | ||
$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fd:$(@:.dll=.pdb) /Fe:$@ $^ /link $(LINKFLAGS) | ||
|
||
peparse.lib: | ||
$(CMAKE) -S pe-parse -B build-$@ | ||
$(MSBUILD) $(MFLAGS) build-$@/pe-parse.sln | ||
cp build-$@/pe-parser-library/Release/pe-parser-library.lib $@ | ||
|
||
edit.lib: | ||
$(CMAKE) -S wineditline -B build-$@ | ||
$(MSBUILD) $(MFLAGS) build-$@/WinEditLine.sln | ||
cp build-$@/src/Release/edit_a.lib $@ | ||
|
||
ctftool.exe: command.obj ctftool.obj winmsg.obj marshal.obj \ | ||
util.obj module.obj version.res peproc.obj \ | ||
messages.obj winutil.obj \ | ||
| edit.lib peparse.lib | ||
|
||
clean: | ||
rm -rf *.exp *.exe *.obj *.pdb *.ilk *.xml build-*.* *.res *.ipdb *.iobj *.dll | ||
|
||
# These are slow to rebuild and I dont change them. | ||
distclean: clean | ||
rm -f edit.lib peparse.lib ctftool.zip ctftool-src.zip | ||
|
||
ctftool.zip: README.md ctftool.exe payload32.dll payload64.dll scripts | ||
(cd .. && zip -r ctftool/$@ $(patsubst %,ctftool/%,$^)) | ||
|
||
ctftool-src.zip: | ||
(cd .. && zip -x@ctftool/.zipignore -r ctftool/$@ ctftool) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,2 +1,159 @@ | ||
# ctftool | ||
Interactive CTF Exploration Tool | ||
# CTFTOOL | ||
------------------------------------------------------------------------------- | ||
|
||
> | ||
> Just want to test the exploit? [click here](#Exploit). | ||
> | ||
## An Interactive CTF Exploration Tool | ||
|
||
This is `ctftool`, an interactive command line tool to experiment with CTF, a | ||
little-known protocol used on Windows to implement Text Services. This might | ||
be useful for reverse engineering Windows internals, debugging complex issues | ||
with Text Input Processors/Input Method Editors and analyzing Windows | ||
security. | ||
|
||
It is possible to write simple scripts with `ctftool` for automating interaction | ||
with CTF clients or servers, or perform simple fuzzing. | ||
|
||
## Background | ||
|
||
There is a blog post that accompanies ths release of this tool available here. | ||
|
||
https://googleprojectzero.blogspot.com/ | ||
|
||
## Usage | ||
|
||
`ctftool` has been tested on Windows 7, Windows 8 and Windows 10. Both 32-bit | ||
and x64 versions are supported, but x64 has been tested more extensively. | ||
|
||
There is online help for most commands, simply type `help` to see a list of | ||
commands, and `help <command>` to see detailed help for a particular command. | ||
|
||
``` | ||
$ ./ctftool.exe | ||
An interactive ctf exploration tool by @taviso. | ||
Type "help" for available commands. | ||
Most commands require a connection, see "help connect". | ||
ctf> help | ||
Type `help <command>` for help with a specific command. | ||
Any line beginning with # is considered a comment. | ||
help - List available commands. | ||
exit - Exit the shell. | ||
connect - Connect to CTF ALPC Port. | ||
info - Query server informaiton. | ||
scan - Enumerate connected clients. | ||
callstub - Ask a client to invoke a function. | ||
createstub - Ask a client to instantiate CLSID. | ||
hijack - Attempt to hijack an ALPC server path. | ||
sendinput - Send keystrokes to thread. | ||
setarg - Marshal a parameter. | ||
getarg - Unmarshal a parameter. | ||
wait - Wait for a process and set it as the default thread. | ||
thread - Set the default thread. | ||
sleep - Sleep for specified milliseconds. | ||
forget - Forget all known stubs. | ||
stack - Print the last leaked stack ptr. | ||
marshal - Send command with marshalled parameters. | ||
proxy - Send command with proxy parameters. | ||
call - Send command without appended data. | ||
window - Create and register a message window. | ||
patch - Patch a marshalled parameter. | ||
module - Print the base address of a module. | ||
module64 - Print the base address of a 64bit module. | ||
editarg - Change the type of a marshalled parameter. | ||
symbol - Lookup a symbol offset from ImageBase. | ||
set - Change or dump various ctftool parameters. | ||
show - Show the value of special variables you can use. | ||
lock - Lock the workstation, switch to Winlogon desktop. | ||
repeat - Repeat a command multiple times. | ||
run - Run a command. | ||
script - Source a script file. | ||
print - Print a string. | ||
consent - Invoke the UAC consent dialog. | ||
reg - Lookup a DWORD in the registry. | ||
Most commands require a connection, see "help connect". | ||
ctf> | ||
``` | ||
|
||
The first thing you will want to do is connect to a session, and see which | ||
clients are connected. | ||
|
||
``` | ||
ctf> connect | ||
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1 | ||
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault1") => 0 | ||
Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 00000264 | ||
ctf> scan | ||
Client 0, Tid 3400 (Flags 0x08, Hwnd 00000D48, Pid 8696, explorer.exe) | ||
Client 1, Tid 7692 (Flags 0x08, Hwnd 00001E0C, Pid 8696, explorer.exe) | ||
Client 2, Tid 9424 (Flags 0x0c, Hwnd 000024D0, Pid 9344, SearchUI.exe) | ||
Client 3, Tid 12068 (Flags 0x08, Hwnd 00002F24, Pid 12156, PROCEXP64.exe) | ||
Client 4, Tid 9740 (Flags 0000, Hwnd 0000260C, Pid 3840, ctfmon.exe) | ||
``` | ||
|
||
You can then experiment by sending and receive commands to the server, or any | ||
of the connected clients. | ||
|
||
## Building | ||
|
||
I used GNU make and Visual Studio 2019 to develop `ctftool`. Only 32-bit builds | ||
are supported, as this allows the tool to run on x86 and x64 Windows. | ||
|
||
If all the dependencies are installed, just typing `make` should be enough. | ||
|
||
## Exploit | ||
|
||
> There are only pre-built examples for Windows 10 x64 1903 and 1809. | ||
This tool was used to discover many critical security problem with the CTF | ||
protocol. | ||
|
||
If you just want to test the exploit, follow these steps: | ||
|
||
``` | ||
> ctftool.exe | ||
An interactive ctf exploration tool by @taviso. | ||
Type "help" for available commands. | ||
Most commands require a connection, see "help connect". | ||
ctf> script .\scripts\ctf-consent-system.ctf | ||
``` | ||
|
||
This will wait for the UAC dialog to appear, compromise it | ||
and start a shell. | ||
|
||
In fact, the exploit code is split into two stages that you can use | ||
independently. | ||
|
||
Most CTF clients can be compromised, as the kernel forces most applications | ||
that draw windows to load the vulnerable library. | ||
|
||
Simply connect to a session, select a client to compromise (use the `scan` and | ||
`thread` commands, or just `wait`), then: | ||
|
||
``` | ||
ctf> script .\scripts\ctf-exploit-common-1903.ctf | ||
``` | ||
|
||
### AUTHORS | ||
|
||
Tavis Ormandy <taviso@google.com> | ||
|
||
### LICENSE | ||
|
||
All original code is Apache 2.0, See LICENSE file for details. | ||
|
||
The following components are imported third party projects. | ||
|
||
* [pe-parse](https://github.com/trailofbits/pe-parse), by Andrew Ruef et al. | ||
* pe-parse is used to implement `GetProcAddress()` for 64-bit modules from a | ||
32-bit process. This is used in the `symbol` command. | ||
* [wineditline](http://mingweditline.sourceforge.net/), by Paolo Tosco. | ||
* wineditline is used to implement friendly command-line input and history | ||
editing. | ||
* [dynamorio](https://www.dynamorio.org/), by Derek Bruening et al. | ||
* I borrowed some of the prototypes and type definitions from DR. | ||
* [ntdll.h](http://www.zezula.net/en/prog/lpc.html), by Ladislav Zezula. | ||
* Ladislav collected some structure definitions and prototoypes from | ||
various WDK, DDK, SDK releases into one convenient file. |
Oops, something went wrong.