GetAdmin
by Chris Allen
One of my users managed to get admin access on my computers and changed the passwords on my Admin accounts. That is when I started my search for the way it was done. To recover, I booted from one of my repair disks and went back to my old SAM accounts, replacing the files from MS-DOS. After that I went on the web to search for the way it was done. I visited the Hakerz hideout and checked the archives, where I found the program GetAdmin. It allows a normal user to grant themselves admin access to a computer running NT 4.0; it works so long as Service Pack 4, which contains the fix, is not installed.

This is the line of code that allows it to work:

ChangeNtGlobalFlag(GetNtGlobalFlagPtr());

After that you can open any process in the system, because the function NtOpenProcess does not check for SE_DEBUG_PRIVILEGE when the bit at NtGlobalFlag+2 is set. Furthermore, the program injects a DLL into the winlogon process. Winlogon runs under the SYSTEM account, so it can add or remove users in the Administrators group.

The bug is in a subfunction of NtAddAtom which does not check an output address, so it is possible to write into kernel memory. Of course it is not necessary to inject a DLL into winlogon to get admin rights; you can simply replace some part of ntoskrnl, replace the process token, etc.

Patch ntoskrnl and replace the function NtAddAtom so it checks for a valid address. You can block access to the kernel memory, but it doesn't really work due to the ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); line of code. Get the Microsoft hotfix at
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix
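The check the fix above calls for, validating a caller-supplied output address before the kernel writes through it, in a small C simulation added here. This is not code from the original article, from GetAdmin, or from Windows: the flat address space, the USER_LIMIT boundary, the KERNEL_FLAGS_ADDR variable, the status codes and the functions probe_for_write, add_atom_unchecked and add_atom_checked are all constructed for illustration, and the status values are not Windows NTSTATUS codes.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed flat address space for the simulation: addresses below
 * USER_LIMIT are "user mode", addresses at or above it are "kernel". */
#define MEM_SIZE          0x1000u
#define USER_LIMIT        0x0800u
#define KERNEL_FLAGS_ADDR 0x0A00u   /* hypothetical kernel-mode variable */

typedef uint32_t vaddr_t;
static uint8_t mem[MEM_SIZE];

/* Status codes for this simulation only (not Windows NTSTATUS values). */
enum {
    ST_SUCCESS = 0,
    ST_ACCESS_VIOLATION = 1,      /* address is not in user space */
    ST_DATATYPE_MISALIGNMENT = 2, /* address not aligned for the type */
    ST_INVALID_ADDRESS = 3        /* outside the simulated memory */
};

static void reset_memory(void) { memset(mem, 0, sizeof mem); }

/* Read back a 16-bit value so results can be inspected. */
static uint16_t read_u16(vaddr_t a) {
    uint16_t v;
    memcpy(&v, &mem[a], sizeof v);
    return v;
}

/* Vulnerable form: the output pointer from the caller is trusted, so a
 * user-mode caller can direct the write into the kernel region. The only
 * check keeps the simulation itself inside its array. */
static int add_atom_unchecked(vaddr_t out_atom, uint16_t atom) {
    if (out_atom > MEM_SIZE - sizeof atom) return ST_INVALID_ADDRESS;
    memcpy(&mem[out_atom], &atom, sizeof atom);
    return ST_SUCCESS;
}

/* Probe a caller-supplied buffer: it must be aligned, lie entirely below
 * the user/kernel boundary, and not wrap around. */
static int probe_for_write(vaddr_t addr, size_t len, size_t align) {
    if (len == 0) return ST_SUCCESS;
    if (addr % align != 0) return ST_DATATYPE_MISALIGNMENT;
    /* addr < USER_LIMIT here, so USER_LIMIT - addr cannot underflow. */
    if (addr >= USER_LIMIT || len > USER_LIMIT - addr) return ST_ACCESS_VIOLATION;
    return ST_SUCCESS;
}

/* Hardened form: probe the output address before writing through it. */
static int add_atom_checked(vaddr_t out_atom, uint16_t atom) {
    int st = probe_for_write(out_atom, sizeof atom, sizeof atom);
    if (st != ST_SUCCESS) return st;
    memcpy(&mem[out_atom], &atom, sizeof atom);
    return ST_SUCCESS;
}

int main(void) {
    reset_memory();
    printf("unchecked write to kernel address: status %d, flags now 0x%04X\n",
           add_atom_unchecked(KERNEL_FLAGS_ADDR, 0xC0DE), read_u16(KERNEL_FLAGS_ADDR));
    reset_memory();
    printf("checked write to kernel address:   status %d, flags still 0x%04X\n",
           add_atom_checked(KERNEL_FLAGS_ADDR, 0xC0DE), read_u16(KERNEL_FLAGS_ADDR));
    printf("checked write to user address:     status %d, value 0x%04X\n",
           add_atom_checked(0x0100, 0x1234), read_u16(0x0100));
    return 0;
}
```

The unchecked form writes wherever it is told, including into the kernel region, which is the class of defect the article describes. The checked form refuses any output address at or beyond the user/kernel boundary, any write that would cross it, and any misaligned pointer, which is what probing a user pointer in a system-call handler amounts to.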
