
minor revisions

taviso committed Jun 15, 2019
1 parent 79320a5 commit db33e14ebe70c406a34df58945637eb2a10cc1f4
Showing with 51 additions and 13 deletions.
  1. +1 −1 .zipignore
  2. +0 −3 GNUmakefile
  3. +3 −1 README.md
  4. +34 −5 command.c
  5. +2 −0 command.h
  6. +5 −0 commanddoc.h
  7. BIN thumb.png
  8. +4 −1 winmsg.c
  9. +2 −2 winutil.c
@@ -19,7 +19,7 @@
*/*.ipdb
*/*.iobj
*/*.log
*/archive
*/archive/*
*/.vscode
*/.ctfhistory
*/build-*.lib/*
@@ -36,9 +36,6 @@ release: ctftool.zip ctftool-src.zip
%.exe: %.obj
$(CC) $(CFLAGS) $(LDFLAGS) /Fe:$@ $^ /link $(LINKFLAGS) $(LDLIBS:=.lib)

%.exp %.lib: %.def
$(LIB) $(LFLAGS) /DEF:$<

%.dll: %.obj
$(CC) $(CFLAGS) $(LDFLAGS) /LD /Fe:$@ $^ /link $(LINKFLAGS)

@@ -4,6 +4,8 @@
> Just want to test the SYSTEM exploit? [Click here](#Exploit).
>
[![Video of Exploit](thumb.png)](https://www.youtube.com/watch?v=quenNNqoDBs)

## An Interactive CTF Exploration Tool

This is `ctftool`, an interactive command line tool to experiment with CTF, a
@@ -18,7 +20,7 @@ with CTF clients or servers, or perform simple fuzzing.

There is a blog post that accompanies the release of this tool available here.

https://googleprojectzero.blogspot.com/
[https://googleprojectzero.blogspot.com/](https://googleprojectzero.blogspot.com/)

## Usage

@@ -74,7 +74,7 @@ COMMAND_HANDLER CommandHandlers[] = {
{ "marshal", 2, MarshalDoc, "Send command with marshalled parameters.", MarshalHandler },
{ "proxy", 3, CallStubDoc, "Send command with proxy parameters.", CallStubHandler },
{ "call", 2, CallDoc, "Send command without appended data.", CallHandler },
{ "window", 0, NULL, "Create and register a message window.", NULL },
{ "window", 0, WindowDoc, "Create and register a message window.", WindowHandler },
{ "patch", 4, PatchDoc, "Patch a marshalled parameter.", PatchHandler },
{ "module", 1, ModuleDoc, "Print the base address of a module.", ModuleHandler },
{ "module64", 1, ModuleDoc, "Print the base address of a 64bit module.", ModuleHandler64 },
@@ -1016,9 +1016,9 @@ ULONG HijackHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
PALPC_MESSAGE_ATTRIBUTES ReceiveMessageAttributes = NULL;

// Generate the requested portname.
_snwprintf(PathName, _countof(PathName), L"\\BaseNamedObjects\\msctf.server%hs%hs",
_snwprintf(PathName, _countof(PathName), L"\\BaseNamedObjects\\msctf.server%hs%llu",
Parameters[0],
Parameters[1]);
DecodeIntegerParameter(Parameters[1]));



@@ -1082,8 +1082,8 @@ ULONG HijackHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)

hexdump(&ConnectMessage, BufferLength);

LogMessage(stdout, "A %hhx mesasge received", ConnectMessage.Header.u2.s2.Type);
LogMessage(stdout, "A %#hhx message received", ConnectMessage.Header.u2.s2.Type);

if ((ConnectMessage.Header.u2.s2.Type & 0xFF) == LPC_CONNECTION_REQUEST) {
PCHAR ImageName = QueryImageName(ConnectMessage.ProcessId);
LogMessage(stderr, "\tProcessID: %d, %s", ConnectMessage.ProcessId, ImageName);
@@ -1371,6 +1371,35 @@ ULONG RegHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
return 1;
}

ULONG WindowHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
{
CTF_MSGBASE Message;
HWND Window;
HRESULT Result;

ZeroMemory(&Message, sizeof Message);

Message.Message = MSG_SETTHREADHWND;
Message.SrcThreadId = ClientThreadId;
Window = CreateMessageWindow();
Message.Params[0] = (DWORD) Window;

if (Window == NULL) {
LogMessage(stderr, "failed to create window, %#x", GetLastError());
return 1;
}

// Now register the window with monitor.
Result = SendReceivePortMessage(PortHandle, &Message.Header, sizeof Message, NULL);

if (Result != 0) {
LogMessage(stderr, "failed to send message to server, %#x", Result);
DestroyWindow(Window);
}

return 1;
}

ULONG CallHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters)
{
CTF_MSGBASE Message;
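Review bot: WindowHandler drops the HWND it creates on the success path — `Window` is a local and nothing retains it once `SendReceivePortMessage` returns 0 — so every `window` command registers one more message window that this tool can never destroy or unregister; keeping the handle in a file-scope `static HWND` (if winmsg.c's `MsgWindow` is already file-scope it could simply be reused here) would let a later call tear it down. `Message.Params[0] = (DWORD) Window;` also runs before the `Window == NULL` check, and the cast to DWORD silently narrows the handle on a 64-bit build — presumably ctftool is built 32-bit given the separate `module64` command, but worth confirming; moving the assignment below the check reads better either way. `Result` is declared HRESULT yet compared against 0 and printed with `%#x`; if SendReceivePortMessage actually returns an NTSTATUS it should be declared as one so the log message is not misleading. CallHandler at the end of the hunk continues outside it.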
@@ -118,9 +118,11 @@ ULONG ScriptHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters);
ULONG PrintHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters);
ULONG ConsentHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters);
ULONG RegHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters);
ULONG WindowHandler(PCHAR Command, ULONG ParamCount, PCHAR *Parameters);

ULONG DispatchCommand(PCHAR CommandLine);
int CompareFirst(PCHAR a, PCHAR *b);
ULONGLONG DecodeIntegerParameter(PCHAR Value);
HWND CreateMessageWindow();

#endif
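Review bot: `HWND CreateMessageWindow();` on the new line declares a function with an unspecified parameter list rather than a C prototype, so a call that passes stray arguments still compiles; it should read `HWND CreateMessageWindow(void);`, and the definition in winmsg.c (`HWND CreateMessageWindow()`) should match. The remainder of the header is outside the hunk.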
@@ -387,4 +387,9 @@ static const char RegDoc[] =
"Lookup a DWORD value in the registry, and store it in the regval variable.\n"
"This is intended for scripting.\n";

static const char WindowDoc[] =
"Usage: window\n"
"Create and register a window with the monitor. This allows you to log\n"
"window messages received from other ctf clients or servers.\n";

#endif
BIN +450 KB thumb.png
Binary file not shown.
@@ -32,6 +32,9 @@ LRESULT CALLBACK WindowProc(HWND hwnd, UINT uMsg, WPARAM wParam, LPARAM lParam)
case WM_IME_NOTIFY:
case WM_GETOBJECT:
case WM_SETFOCUS:
case WM_DESTROY:
case WM_NCDESTROY:
case 0x90: // WM_UAHDESTROYWINDOW
break;
default:
LogMessage(stderr, "WindowProc(%p, %#x, %p, %p);", hwnd, uMsg, (PVOID)wParam, (PVOID) lParam);
@@ -65,4 +68,4 @@ HWND CreateMessageWindow()

LogMessage(stdout, "message window %p", MsgWindow);
return MsgWindow;
}
}
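Review bot: `case 0x90: // WM_UAHDESTROYWINDOW` is a bare magic number where every neighbouring case uses a named WM_* constant; since the message is undocumented and not in the SDK headers, a local `#define WM_UAHDESTROYWINDOW 0x90` beside the includes would let the case read `case WM_UAHDESTROYWINDOW:` and keep the comment out of the switch. WindowProc's signature and the rest of its switch are outside the hunk.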
@@ -130,8 +130,8 @@ DWORD GetSessionIdByImageName(PCHAR ImageName)
UINT64 QueryModuleHandle32(PCHAR ModuleName)
{
HMODULE Module = LoadLibrary(ModuleName);

FreeLibrary(Module);

return (UINT64) Module;
}
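Review bot: QueryModuleHandle32 obtains a base address by calling `LoadLibrary(ModuleName)` on the user-supplied name, which maps the DLL through the normal DLL search order and runs its DllMain just to read an address, then immediately unloads it with `FreeLibrary`; for a module that is already in the process `GetModuleHandle(ModuleName)` returns the same value without loading or executing anything, so it should be tried first and LoadLibrary kept only as the fallback. A header comment should also state the assumption the caller relies on — that the address is only useful for a target process if the module loads at the same base there, which presumably holds for system DLLs within a boot session but not in general. `FreeLibrary(NULL)` on the failure path is harmless, but the function silently returns 0 for an unknown module and that sentinel deserves a comment too.
```c
UINT64 QueryModuleHandle32(PCHAR ModuleName)
{
    // Prefer the already-loaded image; fall back to loading it only when absent.
    HMODULE Module = GetModuleHandle(ModuleName);

    if (Module == NULL) {
        Module = LoadLibrary(ModuleName);
        FreeLibrary(Module);
    }

    return (UINT64) Module;
}
```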
