Possible Dr Watson Escalation Exploit

[moonlit]

I read that normal users have access to the registry key that tells Dr Watson (Windows debugger/error catching thing if I did my homework) and so if we were to replace the exe location to point to a small app to escalate privs and cause a crash would that not run our app?

Just a thought, don't know how viable it is but thought it was worth a shot... The only parts I was unsure of is if this exploit will still work and if we can bump the privs using it... oh, and how do you cause a crash worthy of debugging, a simple divide by zero won't cut it I don't think...

[Sparda]

You usualy have to casue a buffer over flow, with in the program it's self, that over writes executable code with absalute bollocks.

I say usualy, I actualy mean it's probably the easist way.

[PoyBoy]

just steal some microsoft source and stick it in there

[Mick]

Just compile this in retail mode.

int main(){*((char*)0x0)='n';}

If you dont know it tries to write to memory address 0x000000. (Windows doesn't like that too much.)

So, theres my contribution to the Dr.Watson thing.

[PoyBoy]

Whadaya mean you cant write to nonexistant memory?

[moonlit]

Aww... turned out to be a bunch of balony... oh well, the search continues...