Re: Shutting down windows NT remotely (without winnt toolkit)?

["Robert Freeman" <freem100 () chapman edu>]

A reboot is helpful unless the NT box is not password protected or has an
agent to automatically enter the password upon startup. Until an admin shows
up the box is basically useless.

Secondly, the ExitWindowsEx function in user32.dll can: 1) log off a user;
2) shutdown (and power down on ACPI motherboards); 3) reboot. This function
is utilized by shutdown.exe which can be called via WinExec or in the
following mannor: "cmd /C shutdown."

WinExec is accessable via the native api / INT 2E gate in the event the call
is being debugged/hooked. Actually try NtDll.NtShutdownSystem if you decide
to write code to use the native api (I can go into more depth on how to do
this if you want).

hope this helps--
Robert

----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () pop jaring my>
To: "Robert Freeman" <freem100 () chapman edu>; <foob () return0 net>;
<supergate () twlc net>
Cc: <vuln-dev () securityfocus com>
Sent: Sunday, November 04, 2001 6:42 PM
Subject: Shutting down windows NT remotely (without winnt toolkit)?


> A reboot isn't helpful coz the machines come back up and start scanning
the
> whole internet again. And the clueless admins probably won't even notice.
>
> A proper no data loss shutdown without having to upload a program is
> preferable. I tried shutting down NT 4.0 using cmd.exe, rundll32.exe and
> user32.dll stuff and no luck so far :(.
>
> With a shutdown the admins should notice and eventually fix things. If
they
> don't then the server probably wasn't doing anything useful (just scanning
> the internet :) ) so it might as well be shut down :).
>
> Any ideas welcome.
>
> Cheerio,
> Link.
>
> At 03:57 AM 04-11-2000 -0800, Robert Freeman wrote:
> > > From my experience, without an active monitoring agent, any process may
> > request a legal system reboot. A more efficient method would be to use
> > malicious code to reboot, blue screen, or black screen (yes, black
screen!).
> > I haven't continued virii-esque development past NT4 SP6, but I imagine
the
> > techniques would still work as well as pass right through any monitoring
> > agent. I have a lot of free time these days so I might see what I can
cook
> > up for 2000/XP.
> >
> > regards.
> >
> > ----- Original Message -----
> > From: "Lincoln Yeoh" <lyeoh () pop jaring my>
> > To: <foob () return0 net>; <supergate () twlc net>
> > Cc: <vuln-dev () securityfocus com>
> > Sent: Friday, November 02, 2001 6:35 PM
> > Subject: Re: (pointless?) overflow in tftp.exe (Was: Re: twlc advisory:
> > possible overflow in ms ftp client)
> >
> >
> >
> > > Is it possible to use it shutdown those Code Red/Nimda NT servers
> > remotely?
> > > Does IIS by default have enough permissions to shutdown the whole
computer
> > > or must it do some set privilege thing?
> > >
> > > Cheerio,
> > > Link.

----------------------------------------------------
Sign Up for NetZero Platinum Today
Only $9.95 per month!
http://my.netzero.net/s/signup?r=platinum&refcd=PT97