Another getadmin attack - 
- Lets any user become admin user instantly!!
---------------------------------------------

Attached are the README file, executable and the DLL which demonstrate 
the NT Security hole. 

Steps to follow: You need to have a machine running 
Windows NT 4.0 or 5.0beta, either workstation or server will do.

1. Login as any non-admin user on the machine (even guest account will do).

   (You may verify that the logged in user does not possess admin privilege
   at this time by trying to run the "windisk" program from the shell.
   This should fail since the user does not have admin privilege).

2. Copy the attached files: SECHOLE.EXE and ADMINDLL.DLL onto your hard disk 
   in any directory, while logged in as the above non-admin user.

3. Run SECHOLE.EXE. After this your system might become unstable or even 
   hang. The damage is already done by this time. Simply reboot the machine. 
   You will see that the non-admin user now belongs to the administrator 
   group. This means that the user has complete admin control over that 
   machine. Now you will be able to run programs like "windisk". Another
   way to verify newly acquired admin privileges is to run the
   "User Manager" from the "Administrative Tools".

In my opinion this bug is very very difficult to fix. I plan to write 
about it in our upcoming book "Undocumented Windows NT" which is yet to be
published and talks about a host of undocumented calls that Microsoft 
uses. Something every serious programmer must have.

Note:
"Prasad Dabak, Sandeep Phadke and Milind Borate were writing a book on 
"Undocumented Windows NT" for O'Reilly & Associates. They have the complete 
manuscript of the book. O'Reilly has decided not to continue with the book 
due to reasons unrelated to the content of the book. They are looking for 
a publisher for this book. Interested parties should contact them at 
psdabak@hotmail.com, sandeepsandeep@hotmail.com, milind@cyberspace.org. 
In the absence of a publisher, we intend to make the book available
online for a cost"

=====================================================================
This code downloaded from The NT Shop, http://www.ntshop.net or
http://www.ntsecurity.net
=====================================================================
