by Chris Allen

One of my users managed to get admin access on my computers and changed the passwords on my Admin accounts. This was when I started my search for the way it was done. To recover, I booted from one of my repair disks to use my old SAM accounts, which I replaced using MS-DOS. After that I went on the web to search for the way it was done. To do this I visited the Hakerz hideout and checked the archives, finding the program GetAdmin, which allows a normal user to grant themselves admin access on a computer running NT 4.0, so long as it does not have Service Pack 4 installed, which contains the fix.

This is the line of code that allows it to work:

ChangeNtGlobalFlag(GetNtGlobalFlagPtr());

After that you can open any process in the system, because the NtOpenProcess function does not check for SE_DEBUG_PRIVILEGE when a bit at NtGlobalFlag+2 is set. The program then injects a DLL into the winlogon process. Winlogon runs under the SYSTEM account, so it can add or remove users in the Administrators group.

GetAdmin: the program that gets normal users admin rights

The bug is in a subfunction of NtAddAtom that does not validate its output address, so it is possible to write into kernel memory. Injecting a DLL into winlogon is not the only way to turn this into admin rights: with an arbitrary kernel write you could just as well patch part of ntoskrnl.exe, replace a process token, and so on.

The fix is to patch ntoskrnl.exe so that NtAddAtom checks that its output address is valid before writing through it. Trying to block access to kernel memory some other way does not really work, because of the ChangeNtGlobalFlag(GetNtGlobalFlagPtr()); line of code.
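The mechanism described above, as an added illustration that is neither GetAdmin's code nor part of the original article: a small C model of the bug class (a system call that writes through a caller-supplied pointer without probing it), the vulnerable NtAddAtom beside the patched one, the NtGlobalFlag+2 bit that makes NtOpenProcess skip the privilege check, and the chain that ties them together. The status codes, the exact bit position, the _vuln/_fixed/_model function names, the toy user region standing in for MmUserProbeAddress and the little-endian store are assumptions of the model, not the real NT 4.0 internals.

```c
/* Added illustration, not GetAdmin's own code: a user-mode model of the
 * bug class the article describes.  A toy "kernel" keeps a global flags
 * word and exposes a syscall that writes its result through a
 * caller-supplied pointer.  The vulnerable version never checks that the
 * pointer lies in user space, so the caller can aim it at the kernel's own
 * flags word.  Offsets, the flag bit, status codes, names and the
 * little-endian store are modelling assumptions, not real NT 4.0 values. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

typedef int32_t NTSTATUS;
#define STATUS_SUCCESS          ((NTSTATUS)0x00000000)
#define STATUS_ACCESS_VIOLATION ((NTSTATUS)0xC0000005)
#define STATUS_ACCESS_DENIED    ((NTSTATUS)0xC0000022)

/* Assumption: the bit NtOpenProcess consults is bit 0 of the byte at
 * NtGlobalFlag+2 (the article only says "bit in NtGlobalFlag+2"). */
#define SKIP_DEBUG_PRIV_BIT 0x01

/* Simulated kernel state. */
static uint32_t NtGlobalFlag = 0;
static uint16_t next_atom = 0xC000;   /* atoms are handed out from 0xC000 */

/* Simulated user address space: the only region the model treats as
 * writable on the caller's behalf (real NT compares the pointer against
 * MmUserProbeAddress inside ProbeForWrite). */
static uint16_t user_region[32];

static int is_user_address(const void *p, size_t len) {
    const uint8_t *b = (const uint8_t *)p;
    const uint8_t *lo = (const uint8_t *)user_region;
    return b >= lo && b + len <= lo + sizeof user_region;
}

/* The kernel's store through the pointer, fixed to x86 byte order so the
 * model behaves the same on any host. */
static void store_le16(void *dst, uint16_t v) {
    uint8_t *d = (uint8_t *)dst;
    d[0] = (uint8_t)(v & 0xFF);
    d[1] = (uint8_t)(v >> 8);
}

/* Vulnerable: trusts the output pointer unconditionally (the NtAddAtom defect). */
static NTSTATUS NtAddAtom_vuln(const char *name, uint16_t *out_atom) {
    (void)name;
    store_le16(out_atom, next_atom++);       /* writes to any address */
    return STATUS_SUCCESS;
}

/* Fixed: probe the output pointer before writing through it. */
static NTSTATUS NtAddAtom_fixed(const char *name, uint16_t *out_atom) {
    (void)name;
    if (!is_user_address(out_atom, sizeof *out_atom))
        return STATUS_ACCESS_VIOLATION;
    store_le16(out_atom, next_atom++);
    return STATUS_SUCCESS;
}

static int skip_check_bit_set(void) {
    return (((const uint8_t *)&NtGlobalFlag)[2] & SKIP_DEBUG_PRIV_BIT) != 0;
}

/* NtOpenProcess as the article describes it: opening another user's
 * process needs SeDebugPrivilege unless the flag bit is set. */
static NTSTATUS NtOpenProcess_model(int caller_has_debug_priv,
                                    int target_is_other_user) {
    if (target_is_other_user && !caller_has_debug_priv && !skip_check_bit_set())
        return STATUS_ACCESS_DENIED;
    return STATUS_SUCCESS;
}

/* Drives the chain: aim the unchecked write at NtGlobalFlag+2 and keep
 * adding atoms until one lands with the wanted bit set.  Returns the
 * number of calls needed, or -1 if the syscall refused the address. */
static int run_chain(NTSTATUS (*add_atom)(const char *, uint16_t *)) {
    NtGlobalFlag = 0;
    next_atom = 0xC000;
    uint16_t *target = (uint16_t *)((uint8_t *)&NtGlobalFlag + 2);
    for (int calls = 1; calls <= 16; calls++) {
        if (add_atom("GetAdmin", target) != STATUS_SUCCESS)
            return -1;
        if (skip_check_bit_set())
            return calls;
    }
    return -1;
}

/* The patched syscall must still serve a legitimate user buffer. */
static int legit_call_ok(void) {
    next_atom = 0xC000;
    user_region[0] = 0;
    return NtAddAtom_fixed("legit", &user_region[0]) == STATUS_SUCCESS &&
           user_region[0] == 0xC000;
}

int main(void) {
    int n = run_chain(NtAddAtom_vuln);
    printf("vulnerable kernel: flag set after %d NtAddAtom call(s); "
           "NtOpenProcess without SeDebugPrivilege -> 0x%08X\n",
           n, (unsigned)NtOpenProcess_model(0, 1));
    n = run_chain(NtAddAtom_fixed);
    printf("patched kernel:    chain result %d; NtOpenProcess -> 0x%08X; "
           "legit call ok = %d\n",
           n, (unsigned)NtOpenProcess_model(0, 1), legit_call_ok());
    return 0;
}
```

Build with cc -std=c99 -Wall getadmin_model.c. The point the model makes is the one the article's fix relies on: the attacker never controls the value written (only the atom the kernel hands out), but controlling the address is enough, so the only durable fix is the probe in NtAddAtom itself; hardening NtOpenProcess alone treats a symptom.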

Get the Microsoft hotfix at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/getadmin-fix

This article was originally published on Nov 17, 2000