A reboot is helpful unless the NT box is not password protected or has an agent
to automatically enter the password upon startup. Until an admin shows up the
box is basically useless.

Secondly, the ExitWindowsEx function in user32.dll can:
1) log off a user;
2) shut down (and power down on ACPI motherboards);
3) reboot.

This function is utilized by shutdown.exe, which can be called via WinExec or
in the following manner: "cmd /C shutdown". WinExec is accessible via the
native API / INT 2E gate in the event the call is being debugged/hooked.
Actually, try NtDll.NtShutdownSystem if you decide to write code to use the
native API (I can go into more depth on how to do this if you want).

hope this helps--
Robert

----- Original Message -----
From: "Lincoln Yeoh" <lyeohat_private>
To: "Robert Freeman" <freem100at_private>; <foobat_private>; <supergateat_private>
Cc: <vuln-devat_private>
Sent: Sunday, November 04, 2001 6:42 PM
Subject: Shutting down windows NT remotely (without winnt toolkit)?

> A reboot isn't helpful coz the machines come back up and start scanning the
> whole internet again. And the clueless admins probably won't even notice.
>
> A proper no data loss shutdown without having to upload a program is
> preferable. I tried shutting down NT 4.0 using cmd.exe, rundll32.exe and
> user32.dll stuff and no luck so far :(.
>
> With a shutdown the admins should notice and eventually fix things. If they
> don't then the server probably wasn't doing anything useful (just scanning
> the internet :) ) so it might as well be shut down :).
>
> Any ideas welcome.
>
> Cheerio,
> Link.
>
> At 03:57 AM 04-11-2000 -0800, Robert Freeman wrote:
> >From my experience, without an active monitoring agent, any process may
> >request a legal system reboot. A more efficient method would be to use
> >malicious code to reboot, blue screen, or black screen (yes, black screen!).
> >I haven't continued virii-esque development past NT4 SP6, but I imagine the
> >techniques would still work as well as pass right through any monitoring
> >agent. I have a lot of free time these days so I might see what I can cook
> >up for 2000/XP.
> >
> >regards.
> >
> >----- Original Message -----
> >From: "Lincoln Yeoh" <lyeohat_private>
> >To: <foobat_private>; <supergateat_private>
> >Cc: <vuln-devat_private>
> >Sent: Friday, November 02, 2001 6:35 PM
> >Subject: Re: (pointless?) overflow in tftp.exe (Was: Re: twlc advisory:
> >possible overflow in ms ftp client)
> >
> >
> >
> >> Is it possible to use it to shut down those Code Red/Nimda NT servers
> >remotely?
> >> Does IIS by default have enough permissions to shut down the whole computer
> >> or must it do some set privilege thing?
> >>
> >> Cheerio,
> >> Link.
> >
> >
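Added example, not part of the thread above: the two local shutdown paths Robert names, ExitWindowsEx in user32.dll and NtShutdownSystem in ntdll.dll, called through P/Invoke from PowerShell, with the SeShutdownPrivilege enablement that both calls require (the "set privilege thing" Lincoln asked about). It assumes a current Windows host with PowerShell; the function name Invoke-LocalShutdown and the wrapper class NativeShutdown are this example's own, while the Win32/native API names, constants and signatures are the documented ones.

```powershell
# Added example (not from the thread): user32!ExitWindowsEx and ntdll!NtShutdownSystem
# via P/Invoke, plus the privilege adjustment that must precede either call.
$ShutdownApi = @'
using System;
using System.Runtime.InteropServices;

public static class NativeShutdown
{
    [StructLayout(LayoutKind.Sequential)]
    public struct LUID { public uint LowPart; public int HighPart; }

    // TOKEN_PRIVILEGES holding exactly one LUID_AND_ATTRIBUTES entry.
    [StructLayout(LayoutKind.Sequential)]
    public struct TOKEN_PRIVILEGES { public uint PrivilegeCount; public LUID Luid; public uint Attributes; }

    public const uint TOKEN_ADJUST_PRIVILEGES = 0x0020;
    public const uint TOKEN_QUERY             = 0x0008;
    public const uint SE_PRIVILEGE_ENABLED    = 0x0002;
    public const int  ERROR_NOT_ALL_ASSIGNED  = 1300;

    // ExitWindowsEx flags (winuser.h).
    public const uint EWX_LOGOFF   = 0x0;
    public const uint EWX_SHUTDOWN = 0x1;
    public const uint EWX_REBOOT   = 0x2;
    public const uint EWX_FORCE    = 0x4;
    public const uint EWX_POWEROFF = 0x8;

    // SHUTDOWN_ACTION values accepted by NtShutdownSystem.
    public const int ShutdownNoReboot = 0;
    public const int ShutdownReboot   = 1;
    public const int ShutdownPowerOff = 2;

    [DllImport("kernel32.dll")]
    public static extern IntPtr GetCurrentProcess();
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool OpenProcessToken(IntPtr hProcess, uint DesiredAccess, out IntPtr hToken);
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LookupPrivilegeValue(string lpSystemName, string lpName, out LUID lpLuid);
    [DllImport("advapi32.dll", SetLastError = true)]
    public static extern bool AdjustTokenPrivileges(IntPtr hToken, bool DisableAll,
        ref TOKEN_PRIVILEGES NewState, uint BufferLength, IntPtr PreviousState, IntPtr ReturnLength);
    [DllImport("user32.dll", SetLastError = true)]
    public static extern bool ExitWindowsEx(uint uFlags, uint dwReason);
    [DllImport("ntdll.dll")]
    public static extern int NtShutdownSystem(int Action);   // returns NTSTATUS

    // Both shutdown calls fail (ERROR_PRIVILEGE_NOT_HELD / STATUS_PRIVILEGE_NOT_HELD) unless
    // SeShutdownPrivilege is present in the token AND enabled; it is disabled by default.
    public static bool EnableShutdownPrivilege()
    {
        IntPtr token;
        if (!OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, out token))
            return false;
        TOKEN_PRIVILEGES tp = new TOKEN_PRIVILEGES();
        tp.PrivilegeCount = 1;
        tp.Attributes = SE_PRIVILEGE_ENABLED;
        if (!LookupPrivilegeValue(null, "SeShutdownPrivilege", out tp.Luid)) return false;
        if (!AdjustTokenPrivileges(token, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)) return false;
        // AdjustTokenPrivileges returns TRUE even when the privilege is not in the token;
        // the real verdict is ERROR_NOT_ALL_ASSIGNED in the last-error value.
        return Marshal.GetLastWin32Error() != ERROR_NOT_ALL_ASSIGNED;
    }
}
'@
Add-Type -TypeDefinition $ShutdownApi

function Invoke-LocalShutdown {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [ValidateSet('Logoff', 'Shutdown', 'Reboot', 'PowerOff')] [string]$Action = 'Shutdown',
        [switch]$Force,   # EWX_FORCE: do not wait for applications to save their data
        [switch]$Native   # use ntdll!NtShutdownSystem instead of user32!ExitWindowsEx
    )
    if (-not [NativeShutdown]::EnableShutdownPrivilege()) {
        throw "SeShutdownPrivilege is not available to this token; the shutdown call would fail with error 1314."
    }
    if ($Native) {
        # NtShutdownSystem knows no log-off action and no force flag.
        $code = switch ($Action) {
            'Reboot'   { [NativeShutdown]::ShutdownReboot }
            'PowerOff' { [NativeShutdown]::ShutdownPowerOff }
            default    { [NativeShutdown]::ShutdownNoReboot }
        }
        if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "NtShutdownSystem($code)")) {
            $status = [NativeShutdown]::NtShutdownSystem($code)
            if ($status -ne 0) { throw ("NtShutdownSystem failed, NTSTATUS 0x{0:X8}" -f $status) }
        }
        return
    }
    $flags = switch ($Action) {
        'Logoff'   { [NativeShutdown]::EWX_LOGOFF }
        'Shutdown' { [NativeShutdown]::EWX_SHUTDOWN }
        'Reboot'   { [NativeShutdown]::EWX_REBOOT }
        'PowerOff' { [NativeShutdown]::EWX_SHUTDOWN -bor [NativeShutdown]::EWX_POWEROFF }
    }
    if ($Force) { $flags = $flags -bor [NativeShutdown]::EWX_FORCE }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, ("ExitWindowsEx(0x{0:X})" -f $flags))) {
        # dwReason 0 = SHTDN_REASON_MAJOR_OTHER | SHTDN_REASON_MINOR_OTHER
        if (-not [NativeShutdown]::ExitWindowsEx($flags, 0)) {
            throw "ExitWindowsEx failed, Win32 error $([Runtime.InteropServices.Marshal]::GetLastWin32Error())"
        }
    }
}

# Dry run: reports the call that would be made without making it.
Invoke-LocalShutdown -Action PowerOff -WhatIf
```

Two caveats worth keeping in mind when reading this against the thread. First, neither path is a free action for "any process": a token lacking SeShutdownPrivilege (the case for a low-privileged service account) gets error 1314, which is why the privilege step comes before the call. Second, ExitWindowsEx acts on the caller's interactive session; the documented route for a service or for a remote target is InitiateSystemShutdownEx, which takes a machine name and the same privilege (SeRemoteShutdownPrivilege on the target) and is what shutdown.exe uses for the remote case.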
This archive was generated by hypermail 2b30 : Mon Nov 05 2001 - 09:44:36 PST