Bug #804
kitrap0d.rb win2k server SP4 with rollup 1 only 1 try per reboot
| Status: | Closed | Start: | 02/01/2010 |
|---|---|---|---|
| Priority: | Normal | Due date: | |
| Assigned to: | - | % Done: | 0% |
| Category: | - | | |
| Target version: | - | | |
| Resolution: | wontfix | | |
Description
With win2k server SP4, even though the code fails with "The exploit thread was unable to find the size of the VDM_TIB structure", you can run the exploit multiple times to produce the same error. On win2k server SP4 with rollup 1, running the exploit more than once results in:
```
[?] CreateProcess("C:\WINNT\twunk_16.exe") => 0
[!] OpenProcess(0) failed, 0x57
[!] SpawnNTVDMAndGetUsefulAccess() returned failure
```
This is cleared by a reboot. I have not seen this behavior except on win2k server SP4 with rollup 1, though I haven't looked for it specifically. I don't know if this is helpful or points to any clues about memory/stack that isn't cleaned up after a run.
History
Updated by HD Moore about 1 month ago
- Resolution set to wontfix
- Status changed from New to Closed
This is easier to work around - kill the background ntvdm process and you can retry. The win2000 bug is handled by another ticket.
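The workaround above as an added example, not code from this ticket or from kitrap0d.rb: a Ruby pre-flight helper that lists the target's processes, kills every ntvdm.exe left behind by the previous run, and re-lists to confirm the kill took before you retry the module. The `session.sys.process.get_processes` / `session.sys.process.kill(pid)` interface is assumed to follow the Meterpreter stdapi shape (an array of hashes with 'pid', 'ppid' and 'name'); `FakeSession` and the process snapshot are constructed so the script runs offline. For reference, the 0x57 in the reporter's output is Win32 error 87, ERROR_INVALID_PARAMETER, which is what OpenProcess returns for PID 0, so the failure is the module never finding the fresh NTVDM PID rather than an access-denied on it.

```ruby
# Added example: clear a stale ntvdm.exe before retrying kitrap0d.
# Not part of the ticket or of kitrap0d.rb.
#
# Assumed session interface (matches the Meterpreter stdapi shape):
#   session.sys.process.get_processes -> Array of { 'pid', 'ppid', 'name', ... }
#   session.sys.process.kill(pid)     -> truthy on success
NTVDM_NAME = 'ntvdm.exe'.freeze

# PIDs of every ntvdm.exe in a process list. The comparison is
# case-insensitive because Windows reports the image name as launched
# (the reporter's output shows it as NTVDM, a listing may show NTVDM.EXE).
def stale_ntvdm_pids(procs)
  procs.select { |p| p['name'].to_s.casecmp(NTVDM_NAME).zero? }
       .map { |p| p['pid'] }
end

# Kill every ntvdm.exe, then re-list to see what actually died.
# Returns { killed: [...], survivors: [...] }: an empty :survivors means
# a retry is worth attempting; a non-empty one means the kill did not
# take and, per the ticket, a reboot is the remaining option.
def clear_stale_ntvdm(session)
  targets = stale_ntvdm_pids(session.sys.process.get_processes)
  targets.each { |pid| session.sys.process.kill(pid) }
  survivors = stale_ntvdm_pids(session.sys.process.get_processes)
  { killed: targets - survivors, survivors: survivors }
end

# ---- constructed stand-in for a Meterpreter session (offline demo) ----
class FakeProcessApi
  # unkillable: PIDs for which kill() fails, to exercise the survivors path
  def initialize(table, unkillable = [])
    @table = table
    @unkillable = unkillable
  end

  def get_processes
    @table.map(&:dup)
  end

  def kill(pid)
    return false if @unkillable.include?(pid)
    @table.reject! { |p| p['pid'] == pid }
    true
  end
end

class FakeSys
  attr_reader :process
  def initialize(process)
    @process = process
  end
end

class FakeSession
  attr_reader :sys
  def initialize(table, unkillable = [])
    @sys = FakeSys.new(FakeProcessApi.new(table, unkillable))
  end
end

# Constructed process snapshot: one NTVDM left over from the earlier run
# plus unrelated processes that must not be touched.
SAMPLE_PROCS = [
  { 'pid' => 8,    'ppid' => 0,   'name' => 'System' },
  { 'pid' => 232,  'ppid' => 8,   'name' => 'smss.exe' },
  { 'pid' => 1044, 'ppid' => 412, 'name' => 'NTVDM.EXE' },
  { 'pid' => 1060, 'ppid' => 412, 'name' => 'cmd.exe' },
].freeze

if __FILE__ == $PROGRAM_NAME
  session = FakeSession.new(SAMPLE_PROCS.map(&:dup))
  puts clear_stale_ntvdm(session).inspect
end
```

Against a real session, run `clear_stale_ntvdm(client)` from the Meterpreter Ruby shell (or an rc script) before re-running the module. It kills every ntvdm.exe on the box, so confirm no legitimate 16-bit application is running first; if `:survivors` comes back non-empty the stale instance could not be killed from that session and the reboot the reporter describes is what is left.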