DebPloit

by paulproteus, Sun Mar 17 2002 at 11:53:44

Exploit for Microsoft Windows 2000 and Windows NT, released around March 14, 2002 (1), that grants full Administrator privileges to any user. Basically, it hijacks any currently-running process with higher privileges than you and gives you its privileges. (We'll call that process Target from now on.) It takes advantage of a bug in these operating systems' debugging routines. How it works: (2)

Principle: Ask debugging subsystem to create (duplicate) handles to Target for you.
  1. Become dbgss client (DbgUiConnectToDbg).
  2. Connect to DbgSsApiPort LPC port (ZwConnectPort). Everyone has access to this port.
  3. Ask dbgss to handle CreateProcess SsApi with client id (or pid or tid only) of Target (ZwRequestPort).
  4. Wait for dbgss to reply with CREATE_PROCESS_DEBUG_EVENT (WaitForDebugEvent). Message contains duplicated handle(s).
  5. When debugger's thread terminates (e.g. on logoff), Target process or thread is terminated too (like it was regularly debugged).

As of its release around March 14, 2002, Microsoft had released no patch for it. This is still true as of this writing (3).

So, it gets access to the public debugging APIs, abuses them, and, by step 4, has hijacked the process. Furthermore, because the exploit does not change the user's existing credentials, there is very little for the system to log about the attack. The sample exploit included performs a system() call after hijacking the process; it asks you what program to run.
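From a design standpoint, the flaw in steps 3 and 4 is a confused deputy: the debugging subsystem is a privileged service that duplicates a handle to whatever target the requester names, without first confirming that the requester could have opened that target itself. The following Python model is an added example, not code from DebPloit or from this writeup; every name in it (Process, DebugSubsystem, request_debug_handle, the two policy functions) is hypothetical, and the Windows specifics (LPC ports, real access masks) are deliberately simplified away. It shows the unchecked policy beside the check a hardened deputy would apply, and records audit lines a defender could log for denied requests.

```python
"""Toy model of the confused-deputy flaw DebPloit abuses.

Added example; not code from the DebPloit distribution or the writeup.
All names below are hypothetical and the model is simplified: a deputy
that hands out duplicated process handles on request, with and without
an authorization check on the requester.
"""
from dataclasses import dataclass


@dataclass
class Process:
    pid: int
    owner: str      # account the process runs as
    is_admin: bool  # whether that account is an administrator


@dataclass
class Handle:
    target_pid: int
    access: str     # modelled as a label, e.g. "full"


class AccessDenied(Exception):
    """Raised when the deputy refuses to duplicate a handle."""


class DebugSubsystem:
    """Privileged deputy reachable by every process (the writeup notes that
    everyone may connect to the debug port). A client asks it to report a
    create-process event for a target; the reply carries a duplicated
    handle to that target. `check_access` is the policy under test."""

    def __init__(self, processes, check_access):
        self.processes = {p.pid: p for p in processes}
        self.check_access = check_access
        self.audit = []  # constructed audit trail a defender could log

    def request_debug_handle(self, client: Process, target_pid: int) -> Handle:
        target = self.processes[target_pid]
        if not self.check_access(client, target):
            self.audit.append(
                f"DENY  client={client.pid} ({client.owner}) "
                f"-> target={target_pid} ({target.owner})")
            raise AccessDenied(f"client {client.pid} may not open {target_pid}")
        self.audit.append(
            f"GRANT client={client.pid} ({client.owner}) "
            f"-> target={target_pid} ({target.owner})")
        return Handle(target_pid=target_pid, access="full")


def no_check(client: Process, target: Process) -> bool:
    """Vulnerable policy: the deputy duplicates a handle for any client,
    which is the behaviour the writeup describes."""
    return True


def requester_must_own_or_be_admin(client: Process, target: Process) -> bool:
    """Hardened policy: the deputy applies the same rule a direct open would,
    so a requester only gets handles to processes running as its own account
    unless it is already an administrator."""
    return client.is_admin or client.owner == target.owner


def demo(policy):
    """Run one legitimate request and one escalation attempt under `policy`.
    Returns (results, audit_lines)."""
    processes = [
        Process(1, "SYSTEM", True),   # constructed: a privileged target
        Process(2, "alice", False),   # constructed: the unprivileged client
        Process(3, "alice", False),   # constructed: a process alice owns
    ]
    dbg = DebugSubsystem(processes, policy)
    alice = processes[1]
    results = {}
    # Legitimate use: alice obtaining a handle to her own process.
    results["own"] = dbg.request_debug_handle(alice, 3).target_pid == 3
    # Escalation attempt: alice asking the deputy for a handle to SYSTEM's process.
    try:
        dbg.request_debug_handle(alice, 1)
        results["system"] = "granted"
    except AccessDenied:
        results["system"] = "denied"
    return results, dbg.audit


if __name__ == "__main__":
    for name, policy in (("no_check", no_check),
                         ("owner_or_admin", requester_must_own_or_be_admin)):
        results, audit = demo(policy)
        print(name, results)
        for line in audit:
            print("  ", line)
```

Under the vulnerable policy the escalation request succeeds and nothing distinguishes it from the legitimate one, which matches the writeup's point that the attack leaves little to log; under the hardened policy the same request is refused and produces an audit line, so the fix both closes the hole and gives defenders something to alert on.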

The current location of the exploit is: http://www.anticracking.sk/EliCZ/bugs/DebPloit.zip. The exploit was written by Radim Picha, who calls himself EliCZ. The author has put up a discussion board at http://disc.server.com/Indices/148775.html.

I have tried the exploit against my Win 2K system, and it works fine. If you need help, /msg me. Please also /msg me with systems you've tested, as I'd like to add a list of vulnerable systems to this node.

Footnotes:

  1. Release date estimated from BugTraq message date.
  2. How it works segment taken from DebPloit distribution file.
  3. If this assertion becomes wrong, I'll change this to: Microsoft released a patch on date in Knowledge Base Article Qxxxxxx.
