Vulnerability Development mailing list archives
Re: Shutting down windows NT remotely (without winnt toolkit)?
From: "Robert Freeman" <freem100 () chapman edu>
Date: Sun, 5 Nov 2000 00:06:55 -0800
A reboot is helpful unless the NT box is not password protected or has an agent to automatically enter the password upon startup. Until an admin shows up the box is basically useless.

Secondly, the ExitWindowsEx function in user32.dll can: 1) log off a user; 2) shutdown (and power down on ACPI motherboards); 3) reboot. This function is utilized by shutdown.exe which can be called via WinExec or in the following manner: "cmd /C shutdown." WinExec is accessible via the native api / INT 2E gate in the event the call is being debugged/hooked. Actually try NtDll.NtShutdownSystem if you decide to write code to use the native api (I can go into more depth on how to do this if you want).

Hope this helps--
Robert

----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () pop jaring my>
To: "Robert Freeman" <freem100 () chapman edu>; <foob () return0 net>; <supergate () twlc net>
Cc: <vuln-dev () securityfocus com>
Sent: Sunday, November 04, 2001 6:42 PM
Subject: Shutting down windows NT remotely (without winnt toolkit)?
A reboot isn't helpful coz the machines come back up and start scanning the whole internet again. And the clueless admins probably won't even notice.

A proper no data loss shutdown without having to upload a program is preferable. I tried shutting down NT 4.0 using cmd.exe, rundll32.exe and user32.dll stuff and no luck so far :(.

With a shutdown the admins should notice and eventually fix things. If they don't then the server probably wasn't doing anything useful (just scanning the internet :) ) so it might as well be shut down :).

Any ideas welcome.

Cheerio,
Link.

At 03:57 AM 04-11-2000 -0800, Robert Freeman wrote:

From my experience, without an active monitoring agent, any process may request a legal system reboot. A more efficient method would be to use malicious code to reboot, blue screen, or black screen (yes, black screen!). I haven't continued virii-esque development past NT4 SP6, but I imagine the techniques would still work as well as pass right through any monitoring agent. I have a lot of free time these days so I might see what I can cook up for 2000/XP.

regards.

----- Original Message -----
From: "Lincoln Yeoh" <lyeoh () pop jaring my>
To: <foob () return0 net>; <supergate () twlc net>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, November 02, 2001 6:35 PM
Subject: Re: (pointless?) overflow in tftp.exe (Was: Re: twlc advisory: possible overflow in ms ftp client)

Is it possible to use it to shut down those Code Red/Nimda NT servers remotely?

Does IIS by default have enough permissions to shutdown the whole computer or must it do some set privilege thing?

Cheerio,
Link.