CR4 Program Information

We all know Microsoft released the getadmin hotfix. However, after a few hours of work, I was able to create a new exploit which also works with this patch Microsoft just released. The problem is now in eax=4346, which is handled somewhere in win32k.sys. There are more (I found 4) vulnerable functions, but not as interesting as this one. By calling the function in a special way, you can get your own code executed at ring 0 privilege.

My program will simply change the byte of NtGlobalFlag to the DEBUG value, so you can run GetAdmin (which after the fix is not working anymore). Since compiling the source is very difficult, the compiled binary is available at http://www.gecad.ro/~craiu/cr4.exe

This program was tested on 2 Windows NT patched machines, and worked ok. (I got the Admin rights)

... (PROGRAM SOURCE REMOVED)

Due to the nature of this bug, it is very important that the address of the mov eax,4346 instruction is 004080a4. I am not an expert in the PE structure, but my cr4.exe program will always run at that address on my test machine. An assembler version might be very interesting, but there are other things to do now (like checking eax=187). If any of you guys have better assembler skills, I would like to see a nice asm version of my program.

OBJE: 4080a4 is somewhere in the program space, but it is not used (debug info/data space etc...). You can probably control the address of the retf (which btw. is located at a0020b87h). After doing the "or" instruction, an IRETD is required to continue the execution of the function, otherwise the kernel will crash.

And as a final note, you should compile this with Borland C 5.0. Do not use Visual C or other C compilers. If you want, you can adapt the program to work in Visual C, but don't ask me to. It's too complicated. If you don't have a Borland C license, you can download the compiled binary from my homepage.

Microsoft was informed about this bug on July 10, 1997.

Costin RAIU
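The post stresses that the exploit only works if the `mov eax,4346h` instruction (encoded `B8 46 43 00 00`) sits at virtual address 004080a4 in the compiled binary, and the author notes he is not a PE expert. The following C program is an added example, not the author's code and not cr4.exe: it walks a PE32 header and section table to translate that virtual address into a file offset and checks the bytes found there, which is the check you would run against any rebuilt binary before trusting the address assumption. The PE field offsets used are the documented PE32 layout; the sample image the program builds when run without arguments is constructed test data (one `.text` section at RVA 0x1000 mapped from file offset 0x200, image base 0x400000) and is not derived from the original program.

```c
/* Added example: verify that `mov eax, 4346h` (B8 46 43 00 00) is at a given
 * virtual address in a PE32 file. Not the original CR4 source. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SAMPLE_LEN 0x8200u   /* size of the constructed sample image below */

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) { for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i)); }

/* Translate a virtual address in a PE32 file image to a file offset using the
 * section table. Returns 1 and sets *off on success, 0 if the VA is not backed
 * by any section's raw data or the headers are malformed/truncated. */
int pe_va_to_offset(const uint8_t *img, size_t len, uint32_t va, size_t *off)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z') return 0;
    uint32_t pe = rd32(img + 0x3c);                    /* e_lfanew */
    if ((size_t)pe + 24 > len || memcmp(img + pe, "PE\0\0", 4) != 0) return 0;
    uint16_t nsec  = rd16(img + pe + 6);               /* NumberOfSections */
    uint16_t optsz = rd16(img + pe + 20);              /* SizeOfOptionalHeader */
    uint32_t opt   = pe + 24;                          /* optional header */
    if ((size_t)opt + optsz > len || optsz < 32 || rd16(img + opt) != 0x10b) return 0; /* PE32 only */
    uint32_t base = rd32(img + opt + 28);              /* ImageBase */
    if (va < base) return 0;
    uint32_t rva = va - base;
    uint32_t sec = opt + optsz;                        /* first IMAGE_SECTION_HEADER */
    for (uint16_t i = 0; i < nsec; i++, sec += 40) {
        if ((size_t)sec + 40 > len) return 0;
        uint32_t sva   = rd32(img + sec + 12);         /* VirtualAddress */
        uint32_t rawsz = rd32(img + sec + 16);         /* SizeOfRawData */
        uint32_t rawp  = rd32(img + sec + 20);         /* PointerToRawData */
        if (rva >= sva && rva - sva < rawsz) {
            *off = (size_t)rawp + (rva - sva);
            return *off < len;
        }
    }
    return 0;
}

/* Return 1 if `mov eax, imm32` (opcode B8) with exactly `imm` is located at `va`. */
int pe_has_mov_eax_at(const uint8_t *img, size_t len, uint32_t va, uint32_t imm)
{
    size_t off;
    if (!pe_va_to_offset(img, len, va, &off) || off + 5 > len) return 0;
    return img[off] == 0xB8 && rd32(img + off + 1) == imm;
}

/* Constructed sample (synthetic test data, not cr4.exe): minimal PE32, image base
 * 0x400000, one section at RVA 0x1000 backed by file offset 0x200, with
 * mov eax,4346h placed so that it lands at VA 0x004080a4 (file offset 0x72a4). */
uint8_t *build_sample_image(size_t *len)
{
    uint8_t *img = calloc(SAMPLE_LEN, 1);
    if (!img) return NULL;
    img[0] = 'M'; img[1] = 'Z';
    wr32(img + 0x3c, 0x80);                   /* e_lfanew */
    memcpy(img + 0x80, "PE\0\0", 4);
    wr16(img + 0x80 + 4, 0x14c);              /* Machine = i386 */
    wr16(img + 0x80 + 6, 1);                  /* NumberOfSections */
    wr16(img + 0x80 + 20, 0xE0);              /* SizeOfOptionalHeader (PE32) */
    uint32_t opt = 0x80 + 24;
    wr16(img + opt, 0x10b);                   /* PE32 magic */
    wr32(img + opt + 28, 0x00400000);         /* ImageBase */
    uint32_t sec = opt + 0xE0;
    memcpy(img + sec, ".text", 5);
    wr32(img + sec + 8,  0x8000);             /* VirtualSize */
    wr32(img + sec + 12, 0x1000);             /* VirtualAddress */
    wr32(img + sec + 16, 0x8000);             /* SizeOfRawData */
    wr32(img + sec + 20, 0x200);              /* PointerToRawData */
    size_t off = 0x200 + (0x80a4 - 0x1000);   /* VA 0x4080a4 -> RVA 0x80a4 -> offset 0x72a4 */
    img[off] = 0xB8; wr32(img + off + 1, 0x4346);
    *len = SAMPLE_LEN;
    return img;
}

int main(int argc, char **argv)
{
    size_t len; uint8_t *img;
    if (argc < 2) {
        img = build_sample_image(&len);       /* no file given: check the constructed sample */
    } else {
        FILE *f = fopen(argv[1], "rb");
        if (!f) { perror(argv[1]); return 2; }
        fseek(f, 0, SEEK_END); long sz = ftell(f); fseek(f, 0, SEEK_SET);
        if (sz <= 0) { fclose(f); return 2; }
        img = malloc((size_t)sz); len = fread(img, 1, (size_t)sz, f); fclose(f);
    }
    if (!img) return 2;
    int ok = pe_has_mov_eax_at(img, len, 0x004080a4, 0x4346);
    printf("mov eax,4346h at 004080a4: %s\n", ok ? "yes" : "NO");
    free(img);
    return ok ? 0 : 1;
}
```

Run it as `./pecheck cr4.exe` after building the binary; a non-zero exit means the instruction is not where the post says it must be, so the compiler or linker has moved it and the program will not behave as described. The check deliberately refuses non-PE32 (magic 0x20b, PE32+) files, since the address reasoning in the post is 32-bit only.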