‘WLSI – Windows Local Shellcode Injection’
When writing a local Windows exploit you can face many problems:
– Different return addresses:
– Because different Windows versions.
– Because different Windows service pack level.
– Because different Windows languages.
– Limited space for shellcode.
– Null byte restrictions.
– Character set restrictions.
– Buffer overflows/exploits protections.
To bypass those restrictions an exploit has to use many different return addresses and/or techniques. After you finish reading this paper you won’t have to worry any more about that because it will be very easy to write a 100% reliable exploit that will work on any Windows version, service pack level, language, etc. and could bypass buffer overflows/exploits protections since the code won’t be executed from the stack nor the heap and it won’t use a fixed return address.
This technique relies in the use of Windows LPC (Local/Lightweight Procedure Call), this is an inter-process communication mechanism, RPC (Remote Procedure Call) uses LPC as a transport for local communications. LPC allow processes to communicate by ‘messages’ using LPC ports.
LPC is not well documented and here won’t be detailed but you can learn more at the links listed on references section. LPC ports are Windows objects, servers (processes) can create named LPC ports to which clients (processes) can connect by referencing their names. You can see processes LPC ports using Process Explorer from http://www.sysinternals.com/, by selecting a process in the upper panel and then looking at the lower panel at the Type column, they are identified by the word Port, you can see the port name, handle and by double clicking you can see additional information like permissions, etc.
LPC is heavily used by Windows internals, also by OLE/COM, etc. this means that almost every Windows process has a LPC port. LPC ports can be protected by ACLs so sometimes a connection can not be established if the client process doesn’t have proper permissions.
To use this technique we will need to use a couple of APIs that will be detailed below.
To read more : http://www.argeniss.com/research/WLSI.zip‘