initial commit

.gitignore

@@ -0,0 +1,23 @@
+*.exe
+*.obj
+*.pdb
+*.lib
+*.ilk
+*.xml
+*.idb
+*.til
+*.nam
+*.id0
+*.id1
+*.id2
+*.dll
+*.res
+*.zip
+.*.sw?
+.swp
+*.ipdb
+*.iobj
+*.log
+archive
+.vscode
+.ctfhistory

.gitmodules

@@ -0,0 +1,6 @@
+[submodule "pe-parse"]
+	path = pe-parse
+	url = https://github.com/trailofbits/pe-parse.git
+[submodule "wineditline"]
+	path = wineditline
+	url = https://github.com/winlibs/wineditline.git

.zipignore

@@ -0,0 +1,28 @@
+*/.git/*
+*/*/.git/*
+*/.vscode/*
+*/*.obj
+*/*.pdb
+*/*.lib
+*/*.ilk
+*/*.xml
+*/*.idb
+*/*.til
+*/*.nam
+*/*.id0
+*/*.id1
+*/*.id2
+*/*.res
+*/*.zip
+*/.*.sw?
+*/.swp
+*/*.ipdb
+*/*.iobj
+*/*.log
+*/archive
+*/.vscode
+*/.ctfhistory
+*/build-*.lib/*
+*/*.zip
+*/*.exe
+*/*.dll

GNUmakefile

@@ -0,0 +1,85 @@
+CC=cl.exe
+RC=rc.exe
+LIB=lib.exe
+MSBUILD=msbuild.exe
+CMAKE=cmake.exe
+RFLAGS=/nologo
+CFLAGS=/nologo /Zi /Od /MD /FS
+LFLAGS=/nologo /machine:x86
+VFLAGS=-no_logo
+MFLAGS=/p:Configuration=Release /nologo /m /v:q
+CXXFLAGS=/nologo /Zi /Od /EHsc /MD /FS
+LDLIBS=user32 ole32 edit advapi32 peparse shlwapi imm32 shell32
+LDFLAGS=/MD
+LINKFLAGS=/ignore:4099
+VSDEVCMD=cmd.exe /c vsdevcmd.bat
+
+# Commands for arch specific compiler.
+CC64=$(VSDEVCMD) $(VFLAGS) -arch=amd64 "&" cl
+CC32=$(VSDEVCMD) $(VFLAGS) -arch=x86 "&" cl
+
+.PHONY: clean distclean
+
+all: ctftool.exe payload32.dll payload64.dll
+
+release: ctftool.zip ctftool-src.zip
+
+%.res: %.rc
+	$(RC) $(RFLAGS) $<
+
+%.obj: %.cc
+	$(CC) $(CXXFLAGS) /c /Fo:$@ $<
+
+%.obj: %.c
+	$(CC) $(CFLAGS) /c /Fo:$@ $<
+
+%.exe: %.obj
+	$(CC) $(CFLAGS) $(LDFLAGS) /Fe:$@ $^ /link $(LINKFLAGS) $(LDLIBS:=.lib)
+
+%.exp %.lib: %.def
+	$(LIB) $(LFLAGS) /DEF:$<
+
+%.dll: %.obj
+	$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fe:$@ $^ /link $(LINKFLAGS)
+
+%64.obj: %.c
+	$(CC) $(CFLAGS) /c /Fd:$(@:.obj=.pdb) /Fo:$@ $<
+
+%32.obj: %.c
+	$(CC) $(CFLAGS) /c /Fd:$(@:.obj=.pdb) /Fo:$@ $<
+
+%64.dll: CC=$(CC64)
+%64.dll: %64.obj
+	$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fd:$(@:.dll=.pdb) /Fe:$@ $^ /link $(LINKFLAGS)
+
+%32.dll: CC=$(CC32)
+%32.dll: %32.obj
+	$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fd:$(@:.dll=.pdb) /Fe:$@ $^ /link $(LINKFLAGS)
+
+peparse.lib:
+	$(CMAKE) -S pe-parse -B build-$@
+	$(MSBUILD) $(MFLAGS) build-$@/pe-parse.sln
+	cp build-$@/pe-parser-library/Release/pe-parser-library.lib $@
+
+edit.lib:
+	$(CMAKE) -S wineditline -B build-$@
+	$(MSBUILD) $(MFLAGS) build-$@/WinEditLine.sln
+	cp build-$@/src/Release/edit_a.lib $@
+
+ctftool.exe: command.obj ctftool.obj winmsg.obj marshal.obj     \
+             util.obj module.obj version.res peproc.obj         \
+             messages.obj winutil.obj                           \
+                | edit.lib peparse.lib
+
+clean:
+	rm -rf *.exp *.exe *.obj *.pdb *.ilk *.xml build-*.* *.res *.ipdb *.iobj *.dll
+
+# These are slow to rebuild and I dont change them.
+distclean: clean
+	rm -f edit.lib peparse.lib ctftool.zip ctftool-src.zip
+
+ctftool.zip: README.md ctftool.exe payload32.dll payload64.dll scripts
+	(cd .. && zip -r ctftool/$@ $(patsubst %,ctftool/%,$^))
+
+ctftool-src.zip:
+	(cd .. && zip -x@ctftool/.zipignore -r ctftool/$@ ctftool)

README.md

@@ -1,2 +1,159 @@
-# ctftool
-Interactive CTF Exploration Tool
+# CTFTOOL
+-------------------------------------------------------------------------------
+
+>
+> Just want to test the exploit? [click here](#Exploit).
+>
+
+## An Interactive CTF Exploration Tool
+
+This is `ctftool`, an interactive command line tool to experiment with CTF, a
+little-known protocol used on Windows to implement Text Services. This might
+be useful for reverse engineering Windows internals, debugging complex issues
+with Text Input Processors/Input Method Editors and analyzing Windows
+security.
+
+It is possible to write simple scripts with `ctftool` for automating interaction
+with CTF clients or servers, or perform simple fuzzing.
+
+## Background
+
+There is a blog post that accompanies ths release of this tool available here.
+
+https://googleprojectzero.blogspot.com/
+
+## Usage
+
+`ctftool` has been tested on Windows 7, Windows 8 and Windows 10. Both 32-bit
+and x64 versions are supported, but x64 has been tested more extensively.
+
+There is online help for most commands, simply type `help` to see a list of
+commands, and `help <command>` to see detailed help for a particular command.
+
+```
+$ ./ctftool.exe
+An interactive ctf exploration tool by @taviso.
+Type "help" for available commands.
+Most commands require a connection, see "help connect".
+ctf> help
+Type `help <command>` for help with a specific command.
+Any line beginning with # is considered a comment.
+
+help            - List available commands.
+exit            - Exit the shell.
+connect         - Connect to CTF ALPC Port.
+info            - Query server informaiton.
+scan            - Enumerate connected clients.
+callstub        - Ask a client to invoke a function.
+createstub      - Ask a client to instantiate CLSID.
+hijack          - Attempt to hijack an ALPC server path.
+sendinput       - Send keystrokes to thread.
+setarg          - Marshal a parameter.
+getarg          - Unmarshal a parameter.
+wait            - Wait for a process and set it as the default thread.
+thread          - Set the default thread.
+sleep           - Sleep for specified milliseconds.
+forget          - Forget all known stubs.
+stack           - Print the last leaked stack ptr.
+marshal         - Send command with marshalled parameters.
+proxy           - Send command with proxy parameters.
+call            - Send command without appended data.
+window          - Create and register a message window.
+patch           - Patch a marshalled parameter.
+module          - Print the base address of a module.
+module64        - Print the base address of a 64bit module.
+editarg         - Change the type of a marshalled parameter.
+symbol          - Lookup a symbol offset from ImageBase.
+set             - Change or dump various ctftool parameters.
+show            - Show the value of special variables you can use.
+lock            - Lock the workstation, switch to Winlogon desktop.
+repeat          - Repeat a command multiple times.
+run             - Run a command.
+script          - Source a script file.
+print           - Print a string.
+consent         - Invoke the UAC consent dialog.
+reg             - Lookup a DWORD in the registry.
+Most commands require a connection, see "help connect".
+ctf>
+```
+
+The first thing you will want to do is connect to a session, and see which
+clients are connected.
+
+```
+ctf> connect
+The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
+NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault1") => 0
+Connected to CTF server@\BaseNamedObjects\msctf.serverDefault1, Handle 00000264
+ctf> scan
+Client 0, Tid 3400 (Flags 0x08, Hwnd 00000D48, Pid 8696, explorer.exe)
+Client 1, Tid 7692 (Flags 0x08, Hwnd 00001E0C, Pid 8696, explorer.exe)
+Client 2, Tid 9424 (Flags 0x0c, Hwnd 000024D0, Pid 9344, SearchUI.exe)
+Client 3, Tid 12068 (Flags 0x08, Hwnd 00002F24, Pid 12156, PROCEXP64.exe)
+Client 4, Tid 9740 (Flags 0000, Hwnd 0000260C, Pid 3840, ctfmon.exe)
+```
+
+You can then experiment by sending and receive commands to the server, or any
+of the connected clients.
+
+## Building
+
+I used GNU make and Visual Studio 2019 to develop `ctftool`. Only 32-bit builds
+are supported, as this allows the tool to run on x86 and x64 Windows.
+
+If all the dependencies are installed, just typing `make` should be enough.
+
+## Exploit
+
+> There are only pre-built examples for Windows 10 x64 1903 and 1809.
+
+This tool was used to discover many critical security problem with the CTF
+protocol.
+
+If you just want to test the exploit, follow these steps:
+
+```
+> ctftool.exe
+An interactive ctf exploration tool by @taviso.
+Type "help" for available commands.
+Most commands require a connection, see "help connect".
+ctf> script .\scripts\ctf-consent-system.ctf
+```
+
+This will wait for the UAC dialog to appear, compromise it
+and start a shell.
+
+In fact, the exploit code is split into two stages that you can use
+independently.
+
+Most CTF clients can be compromised, as the kernel forces most applications
+that draw windows to load the vulnerable library.
+
+Simply connect to a session, select a client to compromise (use the `scan` and
+`thread` commands, or just `wait`), then:
+
+```
+ctf> script .\scripts\ctf-exploit-common-1903.ctf
+```
+
+### AUTHORS
+
+Tavis Ormandy <taviso@google.com>
+
+### LICENSE
+
+All original code is Apache 2.0, See LICENSE file for details.
+
+The following components are imported third party projects.
+
+* [pe-parse](https://github.com/trailofbits/pe-parse), by Andrew Ruef et al.
+  * pe-parse is used to implement `GetProcAddress()` for 64-bit modules from a
+32-bit process. This is used in the `symbol` command.
+* [wineditline](http://mingweditline.sourceforge.net/), by Paolo Tosco.
+  * wineditline is used to implement friendly command-line input and history
+editing.
+* [dynamorio](https://www.dynamorio.org/), by Derek Bruening et al.
+  * I borrowed some of the prototypes and type definitions from DR.
+* [ntdll.h](http://www.zezula.net/en/prog/lpc.html), by Ladislav Zezula.
+  * Ladislav collected some structure definitions and prototoypes from
+various WDK, DDK, SDK releases into one convenient file.