
List:       ntbugtraq
Subject:    Re: Solar Designer's exploit.
From:       Solar Designer <solar () FALSE ! COM>
Date:       1998-02-07 1:58:36

Hello,

> I tried to duplicate his work with the following modified exploit (so it
> would compile with VC++), and nothing happened.

The bug is in NtCreateProcess, and can sometimes cause a Blue Screen.
Originally, when posting this exploit, I didn't investigate the nature
of this bug, and thought it happens due to an invalid file handle. In
reality, the problem is with it not handling invalid section types --
that is, it's the invalid data read from the file that causes it to crash,
not the file handle itself.

It just happens that there's already a file handle with the required data to
be read from there. This was the reason the exploit worked for me. However,
this handle's number is very different on some systems, so the original
exploit doesn't work, but extending the loop to try handles from 0 to 0x200
makes it crash the system again (this is for compiling with the GCC port,
in case it depends on cygwin.dll's startup code). Anyway, if this doesn't
work for you, it does NOT yet mean the bug is fixed.

It is possible to make a stable exploit that would NtOpenFile() something
with the required data in there, and then call NtCreateProcess() on that
handle. The data can be obtained on a system where the original exploit
works (with the loop extended as described above), by reading from the
handle it was crashing with. I'm not going to waste any more of my time
on it, though.

Signed,
Solar Designer
