Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security FullDisclosure
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

[Full-disclosure] Universal printer provider exploit for Windows

from [Andres Tarasco] Network Security [Permanent Link]
Subject: [Full-disclosure] Universal printer provider exploit for Windows
Date: Mon, 29 Jan 2007 11:42:35 +0100 
We have developed a new exploit that should allow code execution as SYSTEM
with the following software:

- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback)
More information at :
http://www.514.es/2007/01/universal_exploit_for_vulnerab.html (spanish)
exploit code:
http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip

/*
Title: Universal exploit for vulnerable printer providers (spooler service).
Vulnerability: Insecure EnumPrintersW() calls
Author: Andres Tarasco Acuña - atarasco@514.es
Website: http://www.514.es


This code should allow to gain SYSTEM privileges with the following
software:
blink !blink! blink!

- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll  - FIXED
- Novell (nwspool.dll  - CVE-2006-5854 - untested)
- More undisclosed stuff =)

 If this code crashes your spooler service (spoolsv.exe) check your
 "vulnerable" printer providers at:
 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers

 Workaround: Trust only default printer providers "Internet Print Provider"

 and "LanMan Print Services" and delete the other ones.

 And remember, if it doesnt work for you, tweak it yourself. Do not ask


 D:\Programación\EnumPrinters\Exploits>testlpc.exe
[+] Citrix Presentation Server - EnumPrinterW() Universal exploit
[+] Exploit coded by Andres Tarasco - atarasco@514.es


[+] Connecting to spooler LCP port \RPC Control\spoolss
[+] Trying to locate valid address (1 tries)
[+] Mapped memory. Client address: 0x003d0000
[+] Mapped memory. Server address: 0x00a70000
[+] Targeting return address to  : 0x00A700A7
[+] Writting to shared memory...
[+] Written 0x1000 bytes
[+] Exploiting vulnerability....
[+] Exploit complete. Now Connect to 127.0.0.1:51477


D:\Programación\EnumPrinters>nc localhost 51477
Microsoft Windows XP [Versión 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>whoami
NT AUTHORITY\SYSTEM

regards,

Andres Tarasco 
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
  • [Full-disclosure] Universal printer provider exploit for Windows, Andres Tarasco <=
Previous by Date:  [Full-disclosure] Phishing Evolution Report Released, Sûnnet Beskerming
Next by Date:  [Full-disclosure] [DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue, Uwe Hermann
Previous by Thread:  [Full-disclosure] Phishing Evolution Report Released, Sûnnet Beskerming
Next by Thread:  [Full-disclosure] [DRUPAL-SA-2007-005] Drupal 4.7.6 / 5.1 fixes arbitrary code execution issue, Uwe Hermann
Indexes:  [Date] [Thread] [Top] [All Lists]