[LOWNOISE] SHATTER MASTER v1.0
==========================================================
by Efrain 'ET' Torres et@cyberspace.org      Colombia 2003


NOTE:  SHATTER MASTER v1.0 is a modification of the  
       excellent program "Process Master v1.2" made by
       Minisystems Ltd. (www.rhaminisys.com). I just
       modified the program so it can be a nice tool
       to develop and exploit common shatter attacks.


SHATTER MASTER
--------------
Shatter Master is a Win32 program written in VB6 to develop and exploit
shatter attacks on WinNT/Win2k/WinXP systems in an easy way.


SHATTER ATTACKS
---------------
If you don't know what shatter attacks are, please read these:

+Exploiting design flaws in the Win32 API for privilege escalation.
 Or... Shatter Attacks - How to break Windows.
 By Foon - ivegotta@tombom.co.uk
 http://security.tombom.co.uk/shatter.html

+Shattering SEH
 by brett.moore@security-assessment.com
 http://www.security-assessment.com

+Win32 Message Vulnerabilities Redux
 by Oliver Lavery oliver.lavery@sympatico.ca
 http://www.idefense.com/idpapers/Shatter_Redux.pdf 


HOW TO USE IT?
--------------

5 steps:

1- Get the handle of a control (commonly an Edit control) in a process owned by the user you want to :)
   Press the "Get handler" button and use the CROSS to get the handle.
2- Modify the control you selected so it can hold the shellcode (EM_SETREADONLY, EM_SETLIMITTEXT).
3- Send the shellcode:
    + WM_PASTE (sends the current content of the clipboard. Used when you have your
                shellcode on it)
    + EM_GETLINE (another way)
    + WM_SETTEXT (USE THIS ONE IN MOST CASES; it sends a ready-made, generic win32 command
                 prompt (cmd.exe) shellcode)
4- Execute the shellcode:
    + WM_TIMER                               (one way)
    + EM_SETWORDBREAKPROC / WM_LBUTTONDBLCLK (the other way)

    Just remember to put the shellcode address in the LPARAM, and if you use the one in the
    program (WM_SETTEXT), add 10 to it. To find the shellcode address with windbg:
                      
                      F6 to attach to process
                      type:
                         s -a 1 10000000 "SLOW" 
5- Ta Da!


If you read carefully, you now know what shatter attacks are,
how to exploit them and how to use this tool. The only other things you need
to know are:

GET HANDLER: If you can't grab the handle, press the refresh button and try again.
             When you have the handle, please check that it is the handle you need.
             Sometimes you grab a parent handle and not the one you need (e.g. the
             Edit control).

WM_SETTEXT:  Sends a GENERIC command prompt (cmd.exe) shellcode to the
             specified handle.

EM_SETPASSWORDCHAR: Used to get the hidden password (******) from a window.
                    Just get the control handle and press the button.

WM_ENABLE:  Enables buttons, edit controls, combo boxes, listboxes etc.
            Again, just get the handle of the disabled control and press the button.


Play with the program; you can find many nice options (99% coming from
Process Master). The GUI is implemented so it is easy to understand and use.
If you want to send your own crafted messages, just click the little box next
to the send button. If you can't find the MESSAGE TYPE you need, carefully
modify the msgid.txt file.
======================================================================