-
Oct 11th, 2001, 10:47 AM
#1
Thread Starter
Lively Member
Destructive C code
I've been dared by my professors here at college that their Windows and Unix machines are so secure that I can do anything I want and not ruin them. They just ghost these machines when they get messed up, so I'm not afraid of doing anything, so...
On a Win2k or Solaris 8 platform, what is some code that I could use to format the drives? Or any other type of destructive C/C++ code? Does anybody have anything that could drop me into root? I don't know, I just want to do something; this isn't against their knowledge too much either....
Zevlag
Josh -- Name
Zevlag13 -- AIM
www.WotsIt.org for all your file format spec questions!
-
Oct 11th, 2001, 12:38 PM
#2
Try using gets() to read in more than BUFSIZ characters from a disk file. Unix only.
If you can run DOS-based code (get to MS-DOS prompt) - write some ASM in a Turbo C module that does direct I/O to the disk.
- use disk /io interrupts to overwrite disk sectors.
If these are Win2K systems, you can't do that, however. In that case boot from a win98 emergency disk in the floppy (if there are floppies). You can format C: from there, or even install another OS.
And.
FWIW - College profs like that may have a hidden agenda - they want you to find their holes. And if they truly believe they've created completely secure systems, then they are egomaniacs.
- here's a quick story about being too secure about security.
An ISP in New Mexico, rt66.com, issued a challenge to hackers in the Fall of '99 - they said they were hacker proof. This was a ploy to get more customers, too. By December '99, the rt66 server had gone down about 20 times, disks were erased several different times, and rt66 lost about 15% of its customer base. They were very unreliable in terms of uptime or getting a connection.
Let's hope your college profs are not ex-rt66.com employees who failed to learn anything. I worked for folks who actively encouraged us to break security, so we could make a better end product. This is a good thing, even if it gives the sysadmin headaches. We never did anything destructive, however. And you shouldn't either. Just show 'em what you can do.
-
Oct 11th, 2001, 02:27 PM
#3
I don't see why
system("echo y | format c:") shouldn't work under DOS/Windows.
Or maybe
system("doskey del=echo y | del *.*");
Next time someone calls del, without warning everything's gone. Works only under DOS because:
a) I think a new console window deletes the macro.
b) Nobody calls del under windows.
All the buzzt
 CornedBee
"Writing specifications is like writing a novel. Writing code is like writing poetry."
- Anonymous, published by Raymond Chen
Don't PM me with your problems, I scan most of the forums daily. If you do PM me, I will not answer your question.
-
Oct 11th, 2001, 02:40 PM
#4
Black Cat
On Windows 2000 you can't format the Windows drive (usually C:\, where boot.ini and ntldr reside) while in Windows 2000. I like jim's idea of booting into another OS. Can you reboot and get into the BIOS at all? How about bringing a screwdriver with you and playing with the wiring? Or just find a big magnet or a hammer...
Josh
Get these: Mozilla Opera OpenBSD
I have books for sale: "MCSD in a Nutshell" and "VB Distributed Exam Cram" - PM me for details. Will also trade for a decent ATX Pentium 2 MB/CPU/RAM combo.
-
Oct 11th, 2001, 02:41 PM
#5
Thread Starter
Lively Member
CornedBee, your DOS stuff won't work, that's obvious. "format C:" is locked out.
I am certain that these systems aren't perfect, and the Professors don't care what I do, they don't admin the network. I personally know the Admin so all is OK.
We never did anything destructive, however. And you shouldn't either. Just show 'em what you can do.
That's what I wanted to do; being malicious isn't my goal.
I could reinstall a new OS and all if I wanted (boot from CD, boot from floppy), but I was wondering what could be done with the current C/C++ compilers on these systems. What kind of security holes are there if I didn't have direct access to the hardware? Such as formatting from code, whatever......
Zevlag
-
Oct 11th, 2001, 03:23 PM
#6
Not much - if it's Win2k. The reason is that you can set an ACL on files, queues, devices, resources. This prevents them from being writable.
To look for holes, write code that gives you a list of the files you can write to on the local system. If somebody made a mistake, and it's an important file, you can crash the system by opening the file with fopen(filename,"wb+") and randomly writing garbage inside the file.
The other suggestion - if you go to MSDN, updates, you can get the site to tell you what security updates you need to apply to your machine, then search the net for the hacks that are open on your machine. IE 5.5 has a lot of holes, some are exploitable to get past privs.
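The audit post #6 suggests (list the files the current account can write to, then check whether any of them matters) is the same check an administrator runs to find ACL mistakes before anyone else does. The following is an added example, not code from the thread: a POSIX C program that walks a directory tree with nftw() and reports every regular file that access(W_OK) says this process may write. The fixture directory and its two files are constructed here purely for the self-check; the scan root and report destination are the only assumptions.

```c
/* Added example: find files writable by the current user under a directory.
 * Uses nftw() and access(W_OK); POSIX only (Linux, Solaris, BSD, macOS).
 * An admin runs it as an ordinary user to spot permission mistakes. */
#define _XOPEN_SOURCE 700
#include <ftw.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int g_writable_count;   /* files found writable during the current walk */
static FILE *g_report;         /* where to print each hit, or NULL for count only */

/* nftw callback: count regular files the calling process may write. */
static int audit_cb(const char *path, const struct stat *sb, int typeflag, struct FTW *ftwbuf)
{
    (void)sb; (void)ftwbuf;
    if (typeflag == FTW_F && access(path, W_OK) == 0) {
        g_writable_count++;
        if (g_report) fprintf(g_report, "writable: %s\n", path);
    }
    return 0;   /* keep walking */
}

/* Walk `root` and return how many regular files are writable by this process.
 * Returns -1 if the walk itself fails. Caveat: access() for root (uid 0)
 * succeeds on almost everything, so run the audit as the user you care about. */
int count_writable_files(const char *root, FILE *report)
{
    g_writable_count = 0;
    g_report = report;
    if (nftw(root, audit_cb, 16, FTW_PHYS) != 0) return -1;
    return g_writable_count;
}

/* Constructed fixture for a self-check: a temp dir holding one 0644 file and
 * one 0444 file. Returns the malloc'd directory path, or NULL on failure. */
char *make_fixture(void)
{
    char dir[] = "/tmp/aclauditXXXXXX";
    char path[256];
    FILE *f;
    if (!mkdtemp(dir)) return NULL;
    snprintf(path, sizeof path, "%s/writable.txt", dir);
    if (!(f = fopen(path, "w"))) return NULL;
    fputs("x", f); fclose(f); chmod(path, 0644);
    snprintf(path, sizeof path, "%s/readonly.txt", dir);
    if (!(f = fopen(path, "w"))) return NULL;
    fputs("x", f); fclose(f); chmod(path, 0444);
    return strdup(dir);
}

/* Remove the fixture created by make_fixture(). */
void remove_fixture(const char *dir)
{
    char path[256];
    snprintf(path, sizeof path, "%s/writable.txt", dir); unlink(path);
    snprintf(path, sizeof path, "%s/readonly.txt", dir); unlink(path);
    rmdir(dir);
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : ".";   /* assumption: scan cwd by default */
    int n = count_writable_files(root, stdout);
    if (n < 0) { perror("nftw"); return 1; }
    printf("%d writable file(s) under %s\n", n, root);
    return 0;
}
```

Run it as the low-privilege account (`./audit /`), not as root, and read the report against the list of files that must stay read-only (boot files, system binaries, service configs); any hit on that list is an ACL to fix.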
-
Oct 11th, 2001, 04:31 PM
#7
Hyperactive Member
Interrupt 19h is used to reboot the machine... Try using that!
Or find some way to clear the memory or fill it up... Set up a variable to access 0x00 in memory address:
unsigned char *memorylocation = (unsigned char *)0x00000000L;
This sets up a variable at 0x00 in memory in 8-bit segments. Now, all you have to do is use that starting address and write 0's or 1's to the whole memory system:
int cntr = 0;                 /* start at the base address */
while(1)
{
    cntr++;
    memorylocation[cntr] = 0; /* attempt to zero the next byte */
}
I don't know if it will work, but if it does, it will loop through until ALL of the memory in the system contains 0; this means system RAM, video RAM, and perhaps I/O ports (Am I right???). The thing is that the CPU either freezes or resets when it has no data to process. 0x00000000L may not work as the BIOS is in the way. You can't write to the BIOS. Try something else like 1MBits past the address above. If I remember correctly, the CMOS is a memory location too, that'll get erased as well... cheers!
Designer/Programmer of the Comtech Operating System(CTOS)
-
Oct 11th, 2001, 09:36 PM
#8
Set-up a variable to access 0x00 in memory address:
Have you ever tried doing this? Any OS.... wait any piece of software that calls itself an OS will not allow you to access this memory location or any other location where it resides.
On Windows you will get an Access Violation (0x00000005)... not sure about UNIX though
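Post #8's point generalises to every protected-mode OS: a user-mode process sees only its own virtual address space, and a store to an unmapped page (address 0 is never mapped) is refused by the MMU and delivered as a fault, SIGSEGV on Unix, STATUS_ACCESS_VIOLATION (0xC0000005) on Windows NT. This added example (not from the thread) shows that on a POSIX system by attempting the exact store post #7 proposes and catching the resulting signal with sigaction and sigsetjmp/siglongjmp, so the program can report the refusal instead of dying. The function names and the 16-byte buffer are this example's own.

```c
/* Added example: demonstrate that user mode cannot write to address 0.
 * probe_write() performs one byte store and returns 0 on success or the
 * signal number the OS raised. POSIX only; on Windows the equivalent is a
 * __try/__except block around the store. */
#define _POSIX_C_SOURCE 200809L
#include <setjmp.h>
#include <signal.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

static sigjmp_buf g_recover;

/* Fault handler: unwind back into probe_write(), carrying the signal number. */
static void on_fault(int sig)
{
    siglongjmp(g_recover, sig);
}

/* Try to store one byte at `addr`. Returns 0 if the store went through, or the
 * signal number (SIGSEGV, SIGBUS, or SIGILL if the compiler turned the null
 * store into a trap instruction) if the OS refused it. */
int probe_write(volatile unsigned char *addr)
{
    struct sigaction sa, old_segv, old_bus, old_ill;
    int result;

    memset(&sa, 0, sizeof sa);
    sa.sa_handler = on_fault;
    sigemptyset(&sa.sa_mask);
    sigaction(SIGSEGV, &sa, &old_segv);
    sigaction(SIGBUS,  &sa, &old_bus);
    sigaction(SIGILL,  &sa, &old_ill);

    /* sigsetjmp(..., 1) saves the signal mask, so siglongjmp from the handler
     * restores it and the next probe can fault again. */
    result = sigsetjmp(g_recover, 1);
    if (result == 0)
        *addr = 0;   /* the store the thread proposes; faults if the page is not writable */

    sigaction(SIGSEGV, &old_segv, NULL);
    sigaction(SIGBUS,  &old_bus,  NULL);
    sigaction(SIGILL,  &old_ill,  NULL);
    return result;
}

/* Probe address 0. The volatile local keeps the compiler from constant-folding
 * a known-null dereference into something other than the real store. */
int probe_address_zero(void)
{
    volatile uintptr_t target = 0;
    return probe_write((volatile unsigned char *)target);
}

/* Probe a page the process does own: a static buffer (constructed for the demo). */
int probe_own_buffer(void)
{
    static unsigned char buf[16];
    return probe_write(buf);
}

int main(void)
{
    int own = probe_own_buffer();
    int zero = probe_address_zero();
    printf("store to own buffer : %s\n", own == 0 ? "succeeded" : "faulted");
    printf("store to address 0  : %s (signal %d)\n", zero == 0 ? "succeeded" : "refused by OS", zero);
    return 0;
}
```

The same mechanism is why the "write zeros to all of memory" idea cannot reach video RAM, I/O ports or the CMOS from a normal process: those are physical resources, and a user-mode pointer only ever names pages the kernel chose to map for that process. Reaching them needs a driver or kernel privilege, which is exactly what the ACLs and privilege separation discussed later in the thread deny to an ordinary account.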
-
Oct 12th, 2001, 11:16 AM
#9
Hyperactive Member
Rats... Foiled... Ah well...
-
Oct 12th, 2001, 12:04 PM
#10
PowerPoster
this reminds me of the thread in the assembly forum about blowing up the monitor
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
USAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSAUSA
-
Oct 12th, 2001, 02:33 PM
#11
Hyperactive Member
I remembered that! I don't remember if I posted in it though... Think I did...
OK: I remember reading that the weakest code in Windows NT is the GUI's graphics code. Try to find some way to disrupt that and/or find a weakness in it
-
Oct 12th, 2001, 02:39 PM
#12
PowerPoster
Could you open up explorer.exe and add literally thousands of lines of random junk to slow it down? I did something like this before.
-
Oct 14th, 2001, 10:34 AM
#13
What about starting a highest-priority thread and executing an endless loop?
Only way to terminate is good old Ctrl+Alt+Entf.
Code:
#include <windows.h>

/* Thread body: never returns, burning one CPU at time-critical priority. */
DWORD WINAPI ThreadFunc(LPVOID pvoid)
{
    (void)pvoid;
    while(1);
    return 0;
}

int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance, LPSTR lpCmdLine, int nCmdShow)
{
    DWORD dwThreadID;
    /* REALTIME_PRIORITY_CLASS needs SeIncreaseBasePriorityPrivilege; without
       it the call silently gives HIGH_PRIORITY_CLASS instead. */
    SetPriorityClass(GetCurrentProcess(), REALTIME_PRIORITY_CLASS);
    HANDLE hThread = CreateThread(NULL, 0, ThreadFunc, NULL, CREATE_SUSPENDED, &dwThreadID);
    SetThreadPriority(hThread, THREAD_PRIORITY_TIME_CRITICAL);
    ResumeThread(hThread);
    while(1);   /* main thread spins too */
}
What about this?
All the buzzt
 CornedBee
-
Oct 14th, 2001, 11:26 AM
#14
Hyperactive Member
Or you could just mess up the Windows registry... Go into the Windows or WinNT folder and open Regedit.exe
You could be able to do this code too...
-
Oct 14th, 2001, 02:51 PM
#15
PowerPoster
Originally posted by Warmaster199
Or you could just mess up the Windows registry... Go into the Windows or WinNT folder and open Regedit.exe
You could be able to do this code too...
I am guessing (hoping) that's probably blocked
-
Oct 14th, 2001, 02:59 PM
#16
Monday Morning Lunatic
On NT registry keys have security descriptors attached to them, so unless you've got permissions, all you can mangle is your own userdata key (maybe more or less, but you definitely can't wreck the computer for other users).
I refuse to tie my hands behind my back and hear somebody say "Bend Over, Boy, Because You Have It Coming To You".
-- Linus Torvalds
-
Oct 15th, 2001, 05:25 AM
#17
Addicted Member
Write a funny little bat-file that doubles itself every time the computer starts......or that deletes the autoexec.bat and some other funny files.....
-
Oct 15th, 2001, 06:54 AM
#18
Hyperactive Member
Does Win NT even have an autoexec.bat? I thought it was an entirely new OS (at the time), not based on DOS. On Windows 95/98, that would work...
What about UNIX? It doesn't have an autoexec.bat, but it does have other configuration files... Hey, I don't think that UNIX has all of the protection features that Win NT does... I think you could delete files from the root of the drive... I could be wrong, but that would only be because of the newer UNIX systems.
A while ago, I was in a thread about boot sectors... Try trashing the boot sector with a prog called part copy... may not work on Win NT because of a "raw disk write" exception...
-
Oct 15th, 2001, 07:09 AM
#19
Addicted Member
Maybe you're right, but there must be other important files that you can delete or double......
-
Oct 15th, 2001, 07:35 AM
#20
Black Cat
I think you guys are looking at it the wrong way. If an NT based computer is well set up, you won't have the permissions to write or modify files, folders, or registry keys that would cause damage. You need to look for holes in this security - like a buffer overrun in an NTFS alternate data stream, or something. Weren't there recent buffer overruns in Windows Media Player or Office Clipart? Or look up holes in the non-MS software on the system. Since MS is constantly targeted by crackers/hackers, its security holes are likely to be well-known (by your admins). Other companies' apps might have holes that weren't that publicized.
Josh
-
Oct 18th, 2001, 06:15 AM
#21
Why not use QBASIC:
CLS
KILL "C:\*.*"
END
-
Oct 18th, 2001, 06:28 AM
#22
Black Cat
If permissions are set correctly on the C drive, you won't be able to delete anything important.
How about exploiting security holes in services running under the Localsystem account?
Josh