flat assembler
Message board for the users of flat assembler.

Index > Windows > Blue Screen of Death

Goto page Previous  1, 2
Author
Thread Post new topic Reply to topic
Kermil



Joined: 26 Oct 2005
Posts: 35
Location: Russia
Kermil
To call BSOD you can invoke the following code:

Code:
format PE GUI
entry start

include '..\..\include\win32ax.inc'

section '.text' readable executable code
bugString  db '\??\C:\', 0
start:
    mov     ecx, 10
.try_to_call_bsod:
    push    ecx
    invoke  MessageBox, 0, bugString, bugString, MB_SERVICE_NOTIFICATION
    pop     ecx
    loop    .try_to_call_bsod
   
    invoke  ExitProcess, 0

section '.idata' readable writeable import data

library kernel32,   'KERNEL32.DLL',\
        user32,     'USER32.DLL'

import  kernel32,\
        ExitProcess, 'ExitProcess'

import  user32,\
        MessageBox, 'MessageBoxA'
    
Post 02 Jan 2007, 13:30
View user's profile Send private message ICQ Number Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
that's interesting... the output (when you add the MB_OK) is rather intresting... What exactly is the bugstring? Is it trying to print the file located at C:\, only it dosn't exist because no file was referanced?
Post 02 Jan 2007, 22:00
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
I can't believe it, that code works Surprised I got a blank screen though without any message but my FIRST minidump file has been created.

You made me produce my first BSOD since the last installation (more than 1 year ago). Crying or Very sad

For those who wants to fall in the trap maybe you will need to execute that code twice (I have to do that). The first time appears a couple of times a message box with wierd strings and at the second time no message box appear but a system crash appears instead.

Do you know if there is plans to fix this and if this is a known bug at Microsoft?

Chears

PS: Actually my exact sequence was executing the code as posted, changing MB_SERVICE_NOTIFICATION to 0 and the third attempt changing 0 back to MB_SERVICE_NOTIFICATION.
Post 02 Jan 2007, 22:17
View user's profile Send private message Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
If they know about it, they're working to fix it. lol
Post 02 Jan 2007, 22:23
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Not exactly, the bug that allows an ordinary executable to get ring-0 level when the user has SE_DEBUG_PRIVILEGE was never fixed because they think that it's not a bug. The same could happen with this.
Post 02 Jan 2007, 22:30
View user's profile Send private message Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
Actually, i woudln't see that as a bug either, because you could want your device to only be used by 1 file. This on the other hand, is more like a hack string, i'm not sure how it works, but i'd deffinately try to fix this, but they may not knwo about this.
Post 02 Jan 2007, 22:32
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Here I found something, it's a very new discover of a very OLD bug http://www.securiteam.com/windowsntfocus/6D00R0AHPK.html
Post 02 Jan 2007, 22:41
View user's profile Send private message Reply with quote
DOS386



Joined: 08 Dec 2006
Posts: 1901
DOS386
Hey, what an interesting thread ... Shocked . Shocked . Shocked . Shocked

Kermil wrote:

Quote:
To call BSOD you can invoke the following code:


......

Does the code work ? For me it does not (on non-NT stuff Confused ), and I
could not yet test on an XP machine Crying or Very sad

However, I have a code that bluescreens (some at least) of such
non-NT machines:

Code:
  mov al,$FE  ; Do NOT execute on XP - it gets silently killed there Sad
  out $64,al  ; This bluescreens the (non-NT) thing Very Happy
    


Patch code ^^^ into simplest PE-32 "Hello World" Laughing

_________________
Bug Nr.: 12345

Title: Hello World program compiles to 100 KB !!!

Status: Closed: NOT a Bug


Last edited by DOS386 on 04 Sep 2007, 20:46; edited 2 times in total
Post 02 Jan 2007, 23:21
View user's profile Send private message Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
It works on windows xp... I'll test your simple code now..

EDIT: xp dosn't like the line "out $64,al". I used the code below (for future referance)...

Code:
use32
format PE gui

include '...\include\win32ax.inc'

entry start
section '.code' readable executable
start:
    mov al,$FE
    out $64,al
invoke ExitProcess, 0

section '.import' import readable writeable

library kernel, 'kernel32.dll'

import kernel, ExitProcess, 'ExitProcess'    
Post 02 Jan 2007, 23:25
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
Kermil



Joined: 26 Oct 2005
Posts: 35
Location: Russia
Kermil
Look the following link, I think it would be intresting for you Wink
http://www.securitylab.ru/poc/extra/283628.php
Post 03 Jan 2007, 02:38
View user's profile Send private message ICQ Number Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
And here a brief explanation http://secunia.com/cve_reference/CVE-2006-6797/ http://secunia.com/advisories/23491/

Again an old bug discovered recently. Funny, in december 2005 was also discovered a very old vulnerability about WMF and to keep the tradition the same happens in december 2006, very old bug that survived lots of updates...

Thanks for the interesting bug Wink
Post 03 Jan 2007, 03:47
View user's profile Send private message Reply with quote
kohlrak



Joined: 21 Jul 2006
Posts: 1421
Location: Uncle Sam's Pad
kohlrak
Perhaps it might not get fixed... Works good for me. lol and that link (by kermil) is interesting. I didn't test the code or even read it too deeply (since it's getting late) but it appears to use another way to call the bluescreen (assuming it calls the blue screen). I may have to try that out later on when i have more time. Perhaps this weekend.
Post 03 Jan 2007, 05:07
View user's profile Send private message Visit poster's website AIM Address Yahoo Messenger MSN Messenger Reply with quote
ACP



Joined: 23 Sep 2006
Posts: 204
ACP
When talking about gaining ring 0 privileges while SeDebugPrivilege is enable take a look at this article:

http://www.securiteam.com/windowsntfocus/5TP0B2KC0K.html

Also Georgi Guninski has found very interesting bug some time ago (wk2 only):

http://www.securiteam.com/windowsntfocus/5ZP0L1F4AG.html
Post 03 Jan 2007, 11:28
View user's profile Send private message Reply with quote
DOS386



Joined: 08 Dec 2006
Posts: 1901
DOS386
Finally tested Kermil's code on XP:

- BAD: No bluescreen Sad
- GOOD: it crashed other way at least, with a reboot on 2nd click Smile

Anyone else tested Kermil's ( NT/XP ) or my ( ME/98 ) code ???

_________________
Bug Nr.: 12345

Title: Hello World program compiles to 100 KB !!!

Status: Closed: NOT a Bug
Post 12 Jan 2007, 02:00
View user's profile Send private message Reply with quote
LocoDelAssembly
Your code has a bug


Joined: 06 May 2005
Posts: 4633
Location: Argentina
LocoDelAssembly
Your code for Me/9x demostrates the design flaw of that platform since applications are allowed to do I/O with IN and OUT instructions because of the IOPL level that the applicacions have in that plataform. NT based Windowses haven't got this flaw because the IOPL level disallows such instructions and any attempt to execute them raises a general protection fault exception.

Another well known flaw is the CLI / JMP $ program that hangs the system completely (i.e. you have to press reset or turn of the computer to escape from the hanging).

c:\>debug
-a
cli
jmp 101

-g


Doing the above on an NT system just hangs the DOS console but the system keeps running flawlessly.
Post 12 Jan 2007, 03:07
View user's profile Send private message Reply with quote
zhak



Joined: 12 Apr 2005
Posts: 490
Location: Belarus
zhak
Quote:

Finally tested Kermil's code on XP:

- BAD: No bluescreen Sad

yup, it reboots my PC, too....
Post 12 Jan 2007, 22:05
View user's profile Send private message Reply with quote
madmatt



Joined: 07 Oct 2003
Posts: 1045
Location: Michigan, USA
madmatt
Interesting, Tried the code on Vista Home Premium, and no crash. Must be fixed.
Post 28 Apr 2009, 09:37
View user's profile Send private message Reply with quote
edfed



Joined: 20 Feb 2006
Posts: 4240
Location: 2018
edfed
idem on win8. no crash.

it remembers me the bug in the TI basic of the TI80

if "

hem, alt-gr seems to don't work now... Laughing
and my xp VM is completelly bugged now Confused
Post 27 Dec 2012, 08:42
View user's profile Send private message Visit poster's website Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  
Goto page Previous  1, 2

< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on YouTube, Twitter.

Website powered by rwasa.