CR4 Program Information 

     We all know Microsoft released the getadmin hotfix. 
     However, after a few hours of work, I was able to create a 
     new exploit which also works with this patch Microsoft just 
     released. 

     The problem is now in eax=4346 which is handled somewhere in 
     win32k.sys. 
     There are more (I found 4) vulnerable functions, but not as interesting 
     as this one. By calling the function in a special way, you can 
     get your own code executed at ring 0 privilege. My program will 
     simply change the byte of NtGlobalFlag to the DEBUG value, so you 
     can run GetAdmin (which after the fix is not working anymore). 
     Since compiling the source is very difficult, the compiled binary 
     is available at http://www.gecad.ro/~craiu/cr4.exe 
     This program was tested on 2 patched Windows NT machines, and worked 
     ok. (I got the Admin rights) 
     ... (PROGRAM SOURCE REMOVED) 
     Due to the nature of this bug, it is very important that the address of 
     the mov eax,4346 instruction be 004080a4. I am not an 
     expert in the PE structure, but my cr4.exe program will always 
     run at that address on my test machine. An assembler version 
     might be very interesting, but there are other things to do 
     now (like checking eax=187). If any of you guys have better assembler 
     skills, I would like to see a nice asm version of my program. 
     OBJE: 4080a4 is somewhere in the program space, but it is not 
     used (debug info/data space etc...). You can probably control 
     the address of the retf (which, btw, is located at 
     a0020b87h). 
     After doing the "or" instruction, an IRETD is required to 
     continue the execution of the function, otherwise the kernel will 
     crash. 
     And as a final note, you should compile this with Borland C 5.0. 
     Do not use Visual C or any other C compiler. If you want, you can 
     adapt the program to work in Visual C, but don't ask me to. 
     It's too complicated. If you don't have a Borland C license, 
     you can download the compiled binary from my homepage. 
     Microsoft was informed about this bug on July 10, 1997. 

     Costin RAIU <craiu@gecad.ro> 