Untitled

a guest
Dec 31st, 2020
The channel "rdpinpt" is used internally by RDP to pass pointers to various input structures to terminpt.sys. A client can connect to the channel externally (before authentication) by specifying channel "rdpinpt" in the GCC Conference Create Request. Once connected, the client can supply pointers directly to the channel, causing the RDP service to attempt a read of the provided address. Normally, this would result in a remote Denial-of-Service condition; however, it is possible to trigger the read from the kernel using an IOCTL. Because the kernel read uses DeviceIoControl with buffered I/O, the call simply returns an error code if the address is not readable. Using this, it is possible not only to remotely confirm whether an address exists, but also to leak partial data from it by telling terminpt to treat it as a mouse or keyboard input packet.
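
A defender-side check for the condition described above, as an added example that is not part of the original paste: it walks the client data blocks carried in the GCC Conference Create Request, reads the static channel list from the CS_NET block (layout per MS-RDPBCGR), and reports any client request for "rdpinpt". The sample bytes are constructed and the function names are hypothetical.

```python
import struct

CS_NET = 0xC003                   # client network data block (MS-RDPBCGR 2.2.1.3.4)
MAX_CHANNELS = 31                 # upper bound on channelCount in that structure
INTERNAL_CHANNELS = {"rdpinpt"}   # channel name taken from the text above


def iter_blocks(user_data: bytes):
    """Yield (type, body) for each TS_UD_HEADER-framed block in the client data."""
    off = 0
    while off + 4 <= len(user_data):
        btype, blen = struct.unpack_from("<HH", user_data, off)
        if blen < 4 or off + blen > len(user_data):
            raise ValueError(f"bad block length {blen} at offset {off}")
        yield btype, user_data[off + 4:off + blen]
        off += blen


def requested_channels(user_data: bytes) -> list[tuple[str, int]]:
    """Return (name, options) for every static channel the client requested."""
    out = []
    for btype, body in iter_blocks(user_data):
        if btype != CS_NET:
            continue
        if len(body) < 4:
            raise ValueError("CS_NET block too short")
        (count,) = struct.unpack_from("<I", body, 0)
        if count > MAX_CHANNELS or len(body) != 4 + 12 * count:
            raise ValueError("channelCount does not match block length")
        for i in range(count):
            # CHANNEL_DEF: 8-byte null-padded ANSI name + 4-byte options
            raw, options = struct.unpack_from("<8sI", body, 4 + 12 * i)
            out.append((raw.split(b"\x00", 1)[0].decode("ascii", "replace"), options))
    return out


def internal_channel_requests(user_data: bytes) -> list[str]:
    """Names a client asked for that should only ever be opened server-side."""
    return [n for n, _ in requested_channels(user_data) if n.lower() in INTERNAL_CHANNELS]


def channel_def(name: str, options: int = 0x80000000) -> bytes:
    """Build one CHANNEL_DEF entry (used only for the constructed sample)."""
    return struct.pack("<8sI", name.encode("ascii"), options)


# Constructed sample: a dummy CS_CORE-typed block followed by a CS_NET block.
_defs = channel_def("rdpdr") + channel_def("cliprdr") + channel_def("rdpinpt")
SAMPLE = struct.pack("<HH", 0xC001, 8) + b"\x00" * 4
SAMPLE += struct.pack("<HHI", CS_NET, 8 + len(_defs), 3) + _defs
```
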