Vulnerability Development mailing list archives
Re: Shutting down windows NT remotely (without winnt toolkit)?
From: Lincoln Yeoh <lyeoh () pop jaring my>
Date: Tue, 06 Nov 2001 10:06:07 +0800
At 12:06 AM 05-11-2000 -0800, Robert Freeman wrote:
> A reboot is helpful unless the NT box is not password protected or has an agent to automatically enter the password upon startup. Until an admin shows up the box is basically useless.
AFAIK the services still start after a reboot. So the trojaned box still scans the whole internet.
> Secondly, the ExitWindowsEx function in user32.dll can: 1) log off a user; 2) shutdown (and power down on ACPI motherboards); 3) reboot. This function is utilized by shutdown.exe which can be called via WinExec or in the following manner: "cmd /C shutdown."
> WinExec is accessible via the native api / INT 2E gate in the event the call is being debugged/hooked. Actually try NtDll.NtShutdownSystem if you decide to write code to use the native api (I can go into more depth on how to do this if you want).
I did try that. The log off works, but the shutdown doesn't. Unless I really have to I don't want to have to upload code (to call that priv routine and then call the shutdown) to the target and get it to run it.
So is it impossible to remotely shutdown (properly) a default install NT machine (no reskit stuff, just infected with codered/nimda)?
I guess I'll try the cmd /c echo tab backspace thingy when I have time. Not a proper shutdown tho. But at this moment it looks like default NT installations don't make remote shutdowns easy (just remote crash/root doh! ;) ).
Cheerio,
Link.